(Version updated to 30 March 2020)
1. Data Controller
The Data Controller of the data provided by the user is the company ERRECOM S.p.A., with registered office in 25030 Corzano (BS), Via Industriale, no. 14, Italy. Taxpayer’s/VAT number: 02179230988, Tel. (+39) 030 9719096, Email: firstname.lastname@example.org
2. Type of data collected
a) Browsing Data
The computer systems and programs used to operate the Site collect certain personal data the transmission of which is implicit in the use of Internet communication protocols. This information, even though not collected to be associated with identified data subjects, could, by its nature, through processing and association with data held by third parties, make possible the identification of users. This category of data includes IP addresses or domain names of the computers used by users who connect to the Site, URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and computer environment of the user.
b) Data provided voluntarily by the user (art. 4 par. 1 EU Regulation)
b.1) Payment management
The payment management services enable the Site to process payments by credit card,
3. Legal basis and purposes of processing
The legal basis for the processing of browsing data (par. 2, letter a) is to pursue the legitimate interests of the Data Controller in relation to the Site management. Said data will be used by the Data Controller for the following purposes:
– to make it possible to access and browse the Site;
– to collect data and information in an exclusively aggregated and anonymous form to verify the correct functioning of the Site;
– to collect data and information in order to protect the security of the Site (spam filters, firewall, virus detection) and users;
– to obtain anonymous statistical information on the Site use.
In the event of computer crimes committed to the detriment of the Site, browsing data may also be used to ascertain liability.
The legal basis for the processing of data provided voluntarily by the user through registration in the “Register” section (par. 2 letter b) is the legitimate interest of the Data Controller to comply with the request for registration in the “Register” section in order to:
a) provide services dedicated to registered users (e.g., save user’s data and contact details, access all information relating to user’s orders and returned goods, provide assistance on services and products);
Furthermore, following the explicit consent of the User, the latter’s data provided through the “Register” section will be processed:
b) to enable the Data Controller to send newsletters and any other informative and promotional material;
c) to carry out marketing activities;
d) to carry out profiling activities: the personal data provided may be profiled by the Data Controller only internally for statistical/comparative purposes, for the better management of the provided services, or for the creation of commercial profiles and/or for the analysis of the preferences of registered users. The processing of personal data for profiling purposes will be carried out using appropriate tools and methods and in accordance with the requirements of the EU Regulation, also in order to protect the rights, freedoms and legitimate interests of the data subject.
The personal data requested from the user by the Data Controller in the areas of the Site called “Information > Shipment > Payment” (accessible from the “Shopping Cart”) (par. 2 letter b) as well as requests made to the user to process and manage payments by third party suppliers (par. 2 letter b.1) are necessary for the conclusion and execution of the contract which the user intends to enter into with the Data Controller for the purchase of products on the Site and may be processed for the following purposes:
e) activities prior to the conclusion of the contract;
f) activities related to the execution of the contract, such as processing, operational and management requirements – within the limits established by laws and regulations – necessary for the operational and administrative activity of the Data Controller, or legal requirements related to civil, fiscal and accounting regulations, administrative management of the relationship, fulfilment of any contractual obligations, support and technical information about the products covered by the agreement;
g) requirements of a fiscal nature, payment of the supplied service/product and application of laws and regulations in general.
Furthermore, subject to the explicit consent of the User, the data provided by the latter through the areas of the Site called “Information >Shipment >Payment” will be processed:
h) to enable the Data Controller to send newsletters and any other informative and promotional material;
i) for the performance of marketing activities;
j) to carry out profiling activities: In case of explicit consent by the User, the personal data provided may be profiled by the Data Controller only internally for statistical/comparative purposes, for the better management of the services provided, or for the creation of commercial profiles and/or to analyse user preferences. The processing of personal data for profiling purposes will be carried out using appropriate tools and methods and in accordance with the requirements of the EU Regulation, also in order to protect the rights, freedoms and legitimate interests of the data subject.
4. Consequences of failure to provide personal data
The browsing data collected in the context of this processing (par. 2, letter a) are mandatory as they are strictly functional to the computerised management of the Site.
The provision of personal data for the purposes referred to in par. 3 letter a) is mandatory in order to proceed with the required registration, so that, in case of failure to provide such data, the user will not be allowed to register in the “Register” section.
Failure to provide personal data for the purposes referred to in par. 3 letter b), c), d) will not prevent the user from registering in the “Register” section but will not enable the Data Controller to achieve the indicated purposes.
Failure to provide the data for the purposes referred to in letters e), f), g) will make it impossible to enter into and execute the sales contract between the user and the Data Controller.
Failure to provide personal data for the purposes referred to in letters h), i), j) will not prevent the user from entering into the sales contract with the Data Controller but will not enable the latter to achieve the indicated purposes.
5. Data processing methods
The processing, carried out only by personnel directly authorised by the Data Controller, is done according to principles of fairness, lawfulness, transparency, with or without the aid of electronic or automated tools. Such processing will include all the operations provided for by art. 4, no. 2 EU Regulation (collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data) necessary for the processing in question, including communication to the entities listed in the following “Data communication” paragraph.
The data will be recorded and stored in both paper and computer files, according to principles of fairness, lawfulness, transparency, using organisational systems related to the processing purposes. Moreover, in order to protect data from destruction or loss (including accidental) as well as to ensure their integrity and confidentiality (including against unauthorised access or disclosure) and in general to ensure the rights of the data subject, the Data Controller has taken technical and organisational security measures, in accordance with the provisions of the EU Regulation (with particular reference to articles 24, 32, and 35).
6. Data communication
The personal data supplied by the user may be communicated:
within the company, to persons authorised to process data pursuant to art. 29 EU Regulation, according to their respective profiles of competences and for the purposes of the processing itself (e.g., administrative, commercial, marketing, legal staff, system administrators, etc.). These entities include the employees and/or collaborators of the Data Controller regardless of the work relationship in place (e.g., administrators, interns, etc.) who, in order to carry out their duties, need to process personal data;
An updated list of Data Processors is available by contacting the Data Controller.
to entities which need to access the data for purposes ancillary to the relationship between the user and the Data Controller, within the limits strictly necessary to perform the auxiliary tasks (such as, for example, banks and credit institutions, technical service providers, IT companies, communication agencies, postal couriers and shipping companies);
to entities able to access the data in accordance with the provisions of the Law or Regulations, within the limits provided for by such rules.
7. Data dissemination
The personal data collected for the indicated purposes will not be disseminated.
8. Period for which the personal data will be stored
Browsing data (par. 2, letter a) and data provided voluntarily by the user (par. 2, letter b) will be stored for a period of time not exceeding that necessary to achieve the purposes for which they are processed, without prejudice to the need to store them for a longer period in compliance with applicable legislation. Where processing is based on the explicit consent of the data subject, the latter may withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Place of storage of collected personal data
Personal data will be stored at the Data Controller’s operational headquarters and in any case within the European Union.
10. User’s rights
The User to whom the personal data refer has the right to request and obtain, at any time, from the Data Controller access (art. 15 EU Regulation), rectification (art. 16 EU Regulation) and erasure (‘right to be forgotten’) (art. 17 EU Regulation) of his or her personal data. The User shall also have the right to obtain restriction of personal data processing (art. 18 EU Regulation), the right to data portability (art. 20 EU Regulation) and the right to object, for legitimate reasons, to their processing (art. 21 EU Regulation).
Where the processing of data is based on the explicit consent of the data subject, the latter has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
In any case, the user has the right to lodge a complaint with the Supervisory Authority, as provided for by art. 77 EU Regulation, or to bring an action before the appropriate courts pursuant to art. 79 EU Regulation if he or she considers that the processing of the personal data referring to him or her has been carried out in breach of the provisions of the EU Regulation.
11. How to exercise rights
The user can exercise his or her rights at any time by sending an email message to email@example.com or a registered letter with recorded delivery to the address: ERRECOM S.p.A., Via Industriale, n. 14, 25030 Corzano (BS) – Italy.