Roman SAS di Michele e Maurizio Roman & C., with registered office at Via Salute, 1, 36028 Rossano Veneto (VI), tax code 02755250244, VAT no. 02755250244, ("Company"), in compliance with art. 13 EU Reg. 2016/679 ("GDPR") and in relation to personal data ("Data") collected through the website https://gioielleriaroman.it ("Site"), hereby informs you of the following.
1 - Data Controller and Data Protection Officer
1.1 The Data Controller ("Controller") is the Company, in the person of its legal representative pro tempore, domiciled for this purpose at the Company's registered office.
1.2 The Data Controller has not appointed a Data Protection Officer ("DPO") and the legal conditions for the mandatory appointment of a DPO do not exist.
2 - Types of Data processed
- Browsing Data, acquired automatically by computer systems and software implemented on the Site during their normal operation, the transmission of which is implicit in the use of Internet communication protocols. This category includes the IP addresses or domain names of the computers used by the users who connect to the Site, the date and time of access, the duration of the visit, the operating system and the functions used, the URI (Uniform Resource Identifier) addresses of the resources requested, the method used to forward the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), other parameters relating to the user's operating system and computer environment.
- Data provided by the user (i) through registration on the Site and the creation, by the user, of his/her own reserved area, (ii) during the purchase of one or more products, (iii) by sending e-mails, WhatsApp messages and/or filling in the contact request form. This category includes first name, last name, gender, date of birth, telephone number, e-mail address, home and shipping address, VAT number and any other information provided voluntarily by the user through the above-mentioned channels. Failure to provide such Data may make it impossible to (i) complete the registration procedure and the creation, by the user, of his/her reserved area, (ii) complete the purchase of one or more products and allow their shipment, (iii) forward requests and/or receive feedback.
- Personal preferences indicated by the user through the insertion of products in the Wishlist, within his/her own reserved area ("Preferences").
3 - Purpose of processing
3.1 Browsing Data are processed in order to
- ensure the technical operation of the Site and the use of its contents
- obtain anonymous statistical information on the use of the Site (most visited pages, number of hourly or daily visitors, geographical areas of origin, etc.).
The Data provided by the user are processed in order to
- allow the user to create his/her own reserved area on the Site
- process contact requests, respond to requests for information, quotations or any other type of request and/or execute further pre-contractual measures
- execute obligations arising from the conclusion of a contract of sale and purchase
- comply with any legal obligation imposed on the Company (hereinafter collectively referred to as the 'Primary Purposes').
3.2. The Data provided by the User and the Preferences are also processed for commercial, promotional, statistical purposes. The Data provided by the user and the Preferences allow the Data Controller, or its employees and/or collaborators and/or other persons expressly designated by the Data Controller, to contact the user to remind him/her of the products left in the shopping cart and not purchased, to send him/her service communications related to his/her order, to check his/her appreciation of the products, to propose commercial offers, information on news and promotions by ordinary mail, by mobile phone and by e-mail (hereinafter, overall, "Marketing Purposes").
3.3. The Data provided by the User and the Preferences are also processed, including in automated form, to derive consumption preferences, purchasing habits, behaviours and interests through the detection of the type and frequency of purchases made on the Site, in order to send information and/or advertising material of specific interest to the User and to optimise the choice of products sold by the Company (hereinafter, collectively, "Profiling Purposes").
3.4. The Data provided by the User and the Preferences may be transferred and/or assigned to external professionals, third party companies and/or other entities, which shall process them as autonomous data controllers ("Commercial Purposes").
3.5 The User may in any case freely choose not to consent to the processing of Data for Marketing Purposes, Profiling Purposes and Commercial Purposes.
4 - Processing methods
The Data are processed by means of computerised and electronic instruments, also in automated form, and on paper, in compliance with the principles of correctness, lawfulness, transparency and protection of confidentiality. Appropriate security measures are also adopted to prevent unauthorised access, disclosure, modification or destruction of the Data. The Data are also processed through the creation of a centralised database.
5 - Legal basis of the processing
5.1 The Controller processes the Data lawfully where:
- the processing is necessary for the performance of a contract to which the user is party or the execution of pre-contractual measures;
- the processing is necessary for the pursuit of the legitimate interest of the Controller;
- the processing is necessary to fulfil a legal obligation incumbent on the Controller;
- the user has expressed consent, with reference to activities related to Marketing Purposes, Profiling Purposes and Commercial Purposes.
5.2 The user's express consent is not required when the processing concerns the preparation and performance of activities related to the Primary Purposes.
6 - Storage
6.1 Data processed for the Primary Purposes shall be kept for the time necessary to achieve the said Purposes. Pursuant to art. 13 paragraph 2 letter a) GDPR, the Data Controller, not being able to determine with precision the period of retention of such Data, undertakes to base its processing on the principles of adequacy, relevance and minimisation, periodically assessing the need for retention.
6.2 Data processed for Marketing Purposes, for Profiling Purposes and for Commercial Purposes, collected on the basis of the User's consent, are kept until such consent is revoked.
6.3 Data may be kept for a longer period of time where necessary to comply with legal obligations or to ascertain, exercise or defend rights in court.
7 - Communication of Data
7.1 Data may be communicated to:
a) external professionals, third party companies or other entities that provide services functional to the achievement of the Primary Purposes, Marketing Purposes, Profiling Purposes and/or Commercial Purposes, which - if the legal conditions exist - are appointed as external data processors;
b) external professionals, third party companies or other entities that provide services functional to the achievement of the Primary Purposes, Marketing Purposes, Profiling Purposes and/or Commercial Purposes, who - if the legal conditions exist - are appointed as independent data controllers
c) employees, collaborators and assistants of the Data Controller, in their capacity as persons in charge and/or internal processors and/or system administrators;
d) subjects who process the Data in performance of specific legal obligations.
7.2 The Data Controller may communicate the Data to an address management and e-mail message sending service.
7.3 The Data Controller may transfer the Data to external professionals, third party companies and/or other subjects who process them as autonomous data controllers, for their own purposes.
7.4 Payment management services allow the Controller to process payments by credit card, bank transfer or other instruments. The data used for payment are acquired directly by the operator of the payment service requested without being processed in any way by the Controller.
Some of these services may also allow messages to be sent to the user on a scheduled basis, such as e-mails containing invoices or payment notifications.
7.5 The Data Controller uses management software owned by Oir s.r.l., which processes the Data as an independent data controller, according to the relevant privacy policy (https://oiritaly.it/privacy-policy).
7.6 With the user's consent, the Preferences may be communicated to third parties who make an express request to the Data Controller.
8 - Transfer
8.1 The Data are stored on servers located at the Data Controller's premises, as well as on web/cloud platforms and in any other place where the parties involved in the processing are located.
8.2 Without prejudice to communications and disclosures made in performance of legal obligations, Data may be transferred abroad if this is necessary for Primary Purposes, Marketing Purposes, Profiling Purposes and/or Commercial Purposes.
8.3 Should the Data be transferred to a third country or to an international organisation, the Data Controller shall take appropriate measures to ensure adequate protection of the Data, in compliance with the applicable legal guarantees.
9 - Rights of the data subject
Among the rights granted to the user by the GDPR are the rights to:
- request from the data controller access to your Data and information relating thereto; the rectification of inaccurate Data or the integration of incomplete Data; the deletion of Data relating to you (upon the occurrence of one of the conditions indicated in Article 17(1) of the GDPR and in compliance with the exceptions provided for in paragraph 3 of the same article); the restriction of the processing of your Data (upon the occurrence of one of the cases indicated in Article 18(1) of the GDPR);
- request and obtain from the data controller - where the legal basis of the processing is a contract or consent, and the processing is carried out by automated means - your Data in a structured, machine-readable format, also for the purpose of communicating such data to another data controller (the so-called right to Data portability);
- object at any time to the processing of your Data in the event of special situations concerning you;
- withdraw consent at any time, limited to cases where processing is based on consent for one or more specific purposes and concerns common personal data or particular categories of Data. Processing based on consent and carried out prior to revocation shall, however, retain its lawfulness;
- lodge a complaint with a supervisory authority (Data Protection Authority - www.garanteprivacy.it).
10 - Procedures for exercising rights
Users may exercise their rights at any time by sending
- a registered letter with advice of receipt to the Company's registered office, as indicated above
- an e-mail to the PEC e-mail address: roman@pec.it