1. General provisions
1.1 Introduction
Marchesini Group (“Company”) is accordingly
committed to protecting personal data collected through use of its website www.beauty.marchesini.com
(“Website”), according to any national legislation in force on personal data
protection (“National Data Protection Laws”) and the EU General Data Protection
Regulation 2016/679 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data and repealing
the Directive 95/46/EC (“GDPR”). This Privacy Policy explains how information
and data identifying individuals (“Personal Data”) received by Company through
its Website are processed.
1.2 Controller
Company processes Personal Data as a Controller (or
Joint Controller, as the case may be), as defined in the National Data Protection
Laws and in the GDPR. The identity and contact details of Company are specified
in the Website.
1.3 Amendments
The Controller reserves the right to amend and
update the Privacy Policy as a result of any further
new or revised provisions of any national and EU laws and regulations on
personal data protection. The Privacy Policy shall be published on the Website
and marked with progressive identification numbers and month of publication.
Any new release of the Privacy Policy shall be published on the Website as a
replacement of the previous version and shall be valid and enforceable from the
publication date, unless otherwise specified.
1.4 Applicable rules
The Controller processes Personal Data in
accordance with:
1. provisions of the GDPR and, in particular, with the principles set forth
in the same, such as, inter alia, lawfulness, fairness and transparency,
purpose limitation, data adequacy and minimisation,
accountability, accuracy, and – prior to any processing activity – the
principles of privacy by design and privacy by default;
2. provisions of National Data Protection Laws in force as of the date of
the Privacy Policy;
3. guidelines and decisions issued by the competent supervisory authority
(“Supervisory Authority”).
2. Data subjects and scope of application
2.1 Data subjects
Company processing activities relate to
1. any individual visiting the Website (“Visitors”); and
2. any individual/entity with which Company establishes relationships, when
registering for Company events and/or signing up for information, informational
materials, newsletters and other communications
(“Users”).
For the purposes of this Privacy Policy, Visitors
and/or Users are to be understood as Data Subjects, as defined in the GDPR and in
the National Data Protection Laws.
2.2 Scope of application
The Privacy Policy shall be applicable to Visitors
and/or Users, provided that Company, in its capacity
as Controller, is only liable for the processing of Personal Data, which are
under its own powers, duties and liabilities. The Privacy Policy shall not be
deemed valid and enforceable for any processing activity made by third parties
whose websites may be reached by the Website.
3. Types and source of processed Personal Data
3.1 Source
Company processes:
1. in its capacity as Controller, the Users’ Personal Data – as hereinafter
specified – provided by Users;
2. in its capacity as Controller, the Visitors’ Personal Data – as
hereinafter specified – as well as any data connected to cookies, used through
its Website, according to the Cookie Policy published on the Website.
3.2 Identification data
Company processes Visitors’ and Users’ Personal
Data, that consist of common Personal Data; sensitive and/or judicial data (as
defined in the National Data Protection Laws in force) and/or special
categories of personal data as well as personal data concerning health as
defined in the GDPR are expressly excluded from the Company processing
activities under the scope of this Privacy Policy (all these types of personal
data are hereinafter jointly referred to as “Special Data”). The Personal Data
provided by Visitors and Users may include:
1. Navigation data, such as IP addresses, domain names of the computers
used by any Visitor connecting with the Website, the URI (Uniform Resource
Identifier) addresses of requested resources, the time of request, the server
query method, the answered file dimension, the server status code (good, error
etc.), other parameters related to the Visitors’ operating system and
informatics environment; these data, however, will only be used to extract
anonymous statistical information on the Website and its functionalities and
will be immediately cancelled at the end of the respective processing activity;
2. Personal Data provided voluntarily by Users, such as first name and
surname (including first name and surname of the legal representative of the
Company/entity for which Users are working), tax and VAT code numbers,
location/domicile (also for tax purposes), contact details (including mobile
numbers, facsimile numbers and/or other identification numbers), postal and
email addresses (including business email addresses of employees/collaborators
of Users and, where applicable, certified email addresses), postal code
numbers, bank accounts details and/or data referred to payments etc.
3.3 Special Data
The activities that may be carried out through the
Website do not require any provision of Special Data, so Data Subjects are
requested not to supply or otherwise make available to Company any Special
Data. Unless expressly agreed in writing, Special Data inadvertently provided
by Data Subjects shall be cancelled and/or removed or otherwise anonymized by
the Controller.
4. Legal basis for and purposes of processing the Personal Data. Period of data retention
4.1 Legal basis
The legal basis for the processing of Personal Data
is: (i) the Data Subjects’ consent; (ii) the
legitimate interest of Company, in particular when the processing of Personal
Data is necessary for the purposes of preventing fraud or where the processing
activity is carried out to accomplish formalities required by law or for direct
marketing purposes, subject however to the GDPR requirements.
4.2 Purposes
The Controller processes Personal Data for the
following purposes, as specified in the table below, which
also indicates:
1. if an express consent to processing of Personal Data is needed (or not)
as well as
2. the period of data retention:
A
Purposes: Allow Marchesini Group to accomplish all formalities
required by law, including those of administrative and tax/fiscal nature
Consent: Not required
Data retention: 20 years
B
Purposes: Improve the Website by analyzing how Visitors and/or Users
navigate and/or use the Website
Consent: Not required
Data retention: Not applicable (aggregate or anonymous data)
C
Purposes: Send communications and reply to queries concerning the Company
Activities
Consent: Required
Data retention: 20 years
D
Purposes: Send newsletters of a general informational, promotional
and advertising nature and/or other materials for marketing communication
purposes, in relation to the Website’s functionalities, to Marchesini Group and
Company Activities
Consent: Required for newsletters, other materials for advertising or
direct e-marketing communication purposes (i.e.: marketing communications sent
over electronic communication channels, such as e-mail, facsimile, SMS and MMS-type messages), questionnaires and surveys. Not
required for postal and/or email marketing communications sent to clients,
according to applicable laws
Data retention: Until the withdrawal of consent or the denial has been communicated
E
Purposes: Communicate Personal Data to Marchesini Group
companies in order to receive commercial information,
newsletters and/or materials above (under letters C and D)
Consent: Required
Data retention: Until the withdrawal of consent
F
Purposes: Process Personal Data for statistical analysis purposes
Consent: Not required
Data retention: Not applicable (aggregate or anonymous data)
4.3 Optional supply of Personal Data
Subject to what is specified above as to navigation
data, the provision of Personal Data is fully optional and free. However,
failure to provide Personal Data may entail failure to be provided with the
communications and/or replies and/or activities requested.
4.4 Consent declaration and withdrawal
In relation to the purposes specified under the
letters C), D) and E) of the Table above, Data Subjects express their consent
to processing activities by addressing queries or communications to Company or
ticking the appropriate box following the procedures and instructions given on
the Website. Data Subjects may revoke their consent by informing Company by any
means and in written form; however, having particular regard to the purpose
specified under letter D), in order to facilitate accomplishment of all
relevant formalities, related to the request concerned, including the
cancellation and removal of the email address from the mailing list, Data
Subjects are invited to follow the instructions specified in every newsletter.
If Data Subjects revoke their consent in relation to the purposes specified
under letters C), D) and E) of the Table above, the relevant Company processing
activities will be interrupted.
5. Persons in charge of the processing and processors
5.1 Controller and persons in charge of the processing
As specified above, Company processes Personal Data
collected from Visitors and/or Users through the Website. Directors, shareholders
and independent collaborators (irrespective of the contractual relationship
concerned) of the Company may process
Personal Data in their capacity as persons in charge of the processing,
according to National Data Protection Laws and to art. 29 of the GDPR. The
persons in charge of the processing are duly trained and empowered to allow
access to Personal Data according to the Privacy Policy and subject to the
tasks and assignments they perform.
5.2 Joint controllers and processors
The Controller may designate as processors internal
and external entities/individuals, including but not limited to (legal and tax)
advisors and third companies (in particular, internet service providers and
service providers, also using cloud platforms). Data Subjects may request the
complete list of all processors from the Controller by sending an
email to the Controller email address specified in article 8.1 of the Privacy
Policy.
5.3 Limitations
Persons in charge of processing activities and
processors – where appointed – shall be appropriately trained and duly
empowered to allow access to and use of Personal Data, subject to the specific
duties and tasks assigned to them and in compliance with the Privacy Policy.
6. Processing of hidden Personal Data (of Website navigation)
6.1 Navigation data
The Controller processes hidden Personal Data
collected during navigation in accordance with the Cookie Policy.
6.2 Link
The Website may include hypertext links to other
websites that are not managed by or otherwise associated with Company. The
Controller has no access to or control over such websites. Data
Subjects are requested by Controller to read the privacy policies of such
third-party websites that Data Subjects may access
from the Website, in order to know the personal data collection and processing
methods.
6.3 Access data to the newsletter
The analysis of the newsletter opening
and consultation Personal Data is carried out for statistical analysis purposes
in order to provide Company with information on the use of the same, which may
be useful to amend its contents and formats.
7. Method of processing, storage of Personal Data and security measures
7.1 Methods of processing
The Personal Data of Data Subjects are processed
almost exclusively through automated procedures, by using computerized systems
and software or, in a limited number of cases, through manual means (e.g. on
paper), provided however that in any event such Personal Data are processed
adopting methods which are strictly related to the purposes for which such data
have been collected and anyway to ensure their security, in accordance with the
GDPR and the National Data Protection Laws.
7.2 Place of automated data processing
Processing of Personal Data is made in the
headquarters of the Controller and/or – if appointed – of the processors and/or
joint controllers. Personal Data are stored in the headquarters of
the Controller where the physical servers are and in some cases on servers of
third parties, which may provide cloud services to allow storage of Personal
Data.
7.3 Transfer of Personal Data
Personal Data consisting exclusively of e-mail
addresses may be transferred for organizational and/or commercial purposes only
to Marchesini Group S.p.a. or to other Marchesini
Group companies, whether they are located in the EU or in third countries outside
the EU, provided however that in the latter case, the transfer of Personal Data
as above specified shall be made subject to the Controller’s assessment of full
compliance with the provisions of the GDPR and in particular with articles 44
and 45 of the same.
7.4 Place of manual data processing
When Personal Data are collected offline (e.g. on
paper), all documents where said data are contained, are stored in the head
offices of the Controller or of the processors and service providers, where
appointed, and inserted in appropriate archives.
7.5 Personal Data storage period
Personal Data will not be disseminated. Personal
Data may be communicated to external processors and/or service providers (e.g.
welfare providers) or – subject to limitations set out in art. 7.3 above – to
Marchesini Group S.p.a. or Group companies.
7.6 Dissemination of Personal Data
Personal Data will not be disseminated.
8. Data Subjects’ rights
8.1 Rights
Data Subjects, when they are individual/natural
persons, may directly contact the Controller or the processor/s designated
by the same Controller in order to enforce their rights according to provisions
of National Data Protection Laws and to the GDPR (articles 15 and subsequent
articles), and, in particular, to have access to their own Personal Data,
obtain updating and rectification or erasure of the same, restriction of
processing, object on legitimate grounds to processing of their Personal Data
(with the effects provided for in the Privacy Policy) as well as obtain data
portability by sending an email to the email address privacy@marchesini.com.
8.2 Complaint
The above notwithstanding, according to articles 13
and 15 of the GDPR, Data Subjects, when they are individual/natural persons,
may lodge a complaint with the competent Supervisory Authority, in order to enforce their rights, as specified above.