(EUROPEAN REGULATION 2016/679)
personal data collected pursuant to Article 13 GDPR
Cosmetica srl, in the person of its legal representative pro-tempore, based in Milan (MI) at via Brera n. 6, VAT no. 09198410962, hereinafter referred to as the DATA CONTROLLER, in his capacity of Data Controller, hereby informs you that, pursuant to Art. 13 of EU Regulation no. 2016/679, hereinafter referred to as GDPR, your data will be processed in the manner and for the purposes listed below:
- Personal details of the data controller and data protection officer
The data controller of the website www.diegodallapalma.com is Cosmetica srl, in the person of its legal representative pro-tempore, based in Milan (MI) at via Brera n. 6, VAT no. 09198410962, available via certified email at email@example.com and/or by telephone +39 0542 670911. You may also contact the Data Protection Officer, DPO, Attorney Enrica Vasini, tax code VSNNRC78M45C573E, available via e-mail at firstname.lastname@example.org or by telephone 0541 27868. You may contact the data controller and the DPO to exercise the rights recognized by the GDPR and to obtain the updated list of all data processors, both internal and external, sub-processors and any other processors.
- Data undergoing processing
To access and browse the website no registration is required, except for the use of some technical cookies which will be specified later in point 13 of this policy. Access to the reserved area involves the provision and use of an email and a password chosen by the user, which can be remembered through the use of a technical cookie, after having obtained the consent by the user. The geolocation of the user's position, in order to know the point of sale nearest to the user, is activated only after the user's explicit consent. The provision of personal data to purchase the products and services of the data controller through "online shopping" involves the provision of personal data as well as data relating to where to deliver the purchased goods. The provision of data is optional but failure to provide the data results in the impossibility for the data controller to accept and deliver the orders placed.
- Purposes of the processing and legal basis
Your personal data will be processed:
A) without your explicit consent pursuant to Art. 6 lett. b) of the GDPR for the following sales or service purposes:
For the execution of a contract to which the data subject is party or in order to implement any pre-contractual measures adopted at the request of the data subject.
It is the case in which the data subject proceeds to purchase the products or services offered by the Data Controller by browsing the website www.diegodallapalma.com and by accessing the reserved area to shop online. The same applies to data relating to where to deliver the purchased goods, for the conclusion of the contract between the parties (execution by the Data Controller).
- to fulfil any pre-contractual, contractual and tax obligations deriving from the relationship with you
- to fulfil obligations laid down by Italian law, regulations, European Community legislation or any order of Authorities (e.g. anti-money laundering)
- to exercise the rights of the Data Controller, e.g. the right to defence in court.
B) Only with your explicit and specific consent (Art. 6 letter a) of the GDPR), that you may at any time withdraw, without affecting the lawfulness of processing based on consent before its withdrawal, for the following marketing purposes:
- to contact you via e-mails, mail and/or text messages, and/or by telephone and to send you newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller, and surveys on customer satisfaction by subscribing to the newsletter via the website www.diegodallapalma.com
C) Only with your explicit and specific consent (Art. 6 letter a) of the GDPR), that you may at any time withdraw, without affecting the lawfulness of processing based on consent before its withdrawal, for the following marketing purposes: to ensure better use of the offers and services provided by the Data Controller's commercial network, via geolocation of the data subject’s position to know in real time the point of sale nearest to the data subject.
D) Only with your explicit and specific consent (Art. 6 letter a) of the GDPR), that you may at any time withdraw, without affecting the lawfulness of processing based on consent before its withdrawal, for the following marketing purposes through the participation to the initiative called "DDP BEAUTY CARD", see the specific section to know more about its regulation:
to collect in a limited period of time the purchases made by the data subject in order to earn bonuses for discounts on further purchases when certain goals, specified in the regulation of the initiative, are achieved.
E) For a legitimate interest of the Data Controller, for statistical purposes or for a better navigation experience on the website www.diegodallapalma.com. With regard to the statistical purposes, this website uses Google Analytics, with IP anonymisation always turned on. The IP address sent from the user’s browser is not associated with any other data held by Google. The legal basis for the data processing is assured by Art. 6, paragraph 1, letter F) of the GDPR.
- Processing methods
Your personal data shall be processed pursuant to Art. 4 n. 2 GDPR, and the processing shall entail: collection, registration, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of provision, comparison, interconnection, restriction, deletion, destruction, portability upon request. The processing of your personal data is carried out by printed, electronic and/or automated means. All personal data are processed through automated means for the time strictly necessary to achieve the purposes for which they were collected. In accordance with your rights, the data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning the same or which significantly affects their person, unless the automated decision is necessary to conclude or perform the contract between the interested party and a Data Controller or unless the interested party gives explicit consent. Specific security measures are adopted to prevent any data loss, illegal or incorrect use thereof and unauthorised access.
- Potential recipients or categories of recipients of the personal data
The collected data may be used only to fulfil the services requested by the user, such as accessing reserved areas to use the services and to purchase goods online, geolocation to know the point of sale nearest to the data subject, or for the collection, management and shipment of the order that the customer intends to place online. The data provided on these occasions by the user shall not be disclosed to any other third parties without the explicit consent, with the exception of people or companies authorised by the Data Controller (internal or external processors, sub processors, or any other processors). For the purposes set forth in Art. 3 A) of this policy, the Data Controller may, without your explicit consent, disclose your personal data to Supervisory Bodies, Legal Authorities and any other entities to whom data must be disclosed by law and for the aforesaid purposes. Said entities shall process the data in their capacity as independent Data Controllers. The data may be transferred to a non-EU third country to third parties for the purposes indicated above only and in full compliance with the processing expressed by the user. The data processor Extera srl is based in a non-EU country as indicated in the website's personal data. In order to protect the right considered fundamental by the European Union, it is necessary that the data collected within the European territory be transferred to international organisations or non-EU countries in compliance with the rules established by Chapter V of the EU Regulation: the transfer shall be done in accordance with the underlying principles of proper processing and with sufficient and appropriate safeguards to protect all interested parties. Pursuant to Art. 46 and 48 of EU Regulation 2016/679, the Data Controller guarantees that the transfer to third parties based in non-EU countries will take place in compliance with these rules, in particular with the provisions of Art. 46 paragraph 3 letter A) of the GDPR.
- Data storage period
The Data Controller shall process the personal data for the time provided for by the applicable legislation, pursuant to Art. 13 of the GDPR: fiscal, accounting and civil documents and data have a retention period of 10 years, for the data referred to in 3)A. As for data processed for marketing purposes referred to in 3)B, they shall be retained in accordance with the principle of proportionality or at least until the purpose for their processing is fulfilled, unless the interested parties withdraw their consent to the processing of such data. Data referred to in point 3)C shall be stored for the duration of the browsing session through a technical cookie. Data referred to in point 3)D shall be stored until the data subject withdraws consent or until the end of the initiative.
- Rights of the data subject
The interested party has the right to request from the Data Controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.
- Consent and withdrawal of consent
If you have given consent to the processing of your personal data for one or more specific purposes, pursuant to Art. 6 paragraph 1 letter A) or explicit consent, pursuant to Art. 9 paragraph 2 letter A), for one or more specified purposes, please note that you have the right to withdraw your consent at any time, which shall not affect the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority
The Data Controller hereby informs you that, were you to notice any unlawful, incorrect or non transparent processing of your data, or any other irregularities pursuant to GDPR, you have the right to lodge a complaint with a supervisory authority (Data Protection Authority) or take legal action.
- Providing personal data and consequences of any refusal to do so
The provision of personal data is optional, unless there is a legal obligation. Any refusal to provide such data will make it impossible to conclude the supply and service contract and to purchase the Data Controller’s goods as in point 3 A) of this policy.
The Controller hereby informs you that your personal data will not be subject to decisions based solely on automated processing (including profiling) without your explicit consent.
- Further processing for other purposes
The Data Controller hereby informs you that your data shall be processed only for the purposes for which they were collected. Further processing for different purposes shall be carried out only with the interested party’s consent.
Third-party cookies are managed by third parties that may collect and track certain browsing data. This website uses Google Analytics with the anonymisation option turned on.
The time that elapses from opening the Internet browser and closing it is called a browsing session. Session cookies are stored on your computer or other device only during a browsing session, and are deleted from the user’s device when the browser is closed.
First-party cookies are directly saved to your computer or device. They may include cookies such as session cookies and persistent cookies (further described below). We use proprietary first-party cookies to track users' movements when they visit one of our websites, for example for analysis purposes.
Third-party cookies are managed by third parties that may collect and track certain browsing data. This website uses Google Analytics (described in browsing and statistical data collected by third parties).
Persistent cookies are stored in the visitor’s computer or other device during a browsing session, but remain on the computer or device when the web browser is closed (e.g. password registration). Persistent cookies allow our websites to recognise your computer or device when you access one of our websites again, after the end of a browsing session and at the beginning of a new one, to help you quickly reconnect to our website.
In compliance with the regulation issued by the Italian data protection authority on 8 May 2014, cookies have been divided into two macro categories:
Technical cookies are used for the sole purpose of "carrying out the transmission of a communication over an electronic communication network, or as strictly necessary for the provider of a company information service explicitly requested by the subscriber or user to provide this service".
They are not used for other purposes and are normally installed directly by the website's owner or operator. They can be divided into browsing or session cookies, which ensure normal browsing and use of the website (e.g. to purchase items online or to authenticate themselves to access restricted areas); analytics cookies, assimilated to technical cookies when used directly by the website operator to collect aggregated information on the number of users and how they use the site; functional cookies, which allow the user to browse based on a set of selected criteria (e.g. language, products selected for purchase) so as to improve the service provided.
The Italian legislation on cookies provides that “storing information, or accessing information that is already stored, in the terminal equipment of a contracting party or user shall only be permitted on condition that the contracting party or user has given his/her consent after being informed in accordance with the simplified arrangements”.
This site uses only technical cookies and third-party cookies.
Navigation and statistical data collected by third parties.
The tools belonging to third parties used on this website are the following: - Google Analytics (provided by: Google Inc. 1600 Amphitheater Parkway - Mountain View, CA 94043, USA.
Please send any enquiry about the processing of your data to the Controller (Google Inc.).