INFORMATION ON THE PROCESSING OF PERSONAL DATA
of users who visit the website of Officina Profumo Farmaceutica di Santa Maria Novella S.p.A.
(pursuant to Article 13 of Regulation 2016/679/EU).
Effective date: 25 May 2018
WHY PROVIDE THIS INFORMATION?
Pursuant to (EU) Regulation 2016/679 (hereinafter "the Regulation"), this page describes the processing of the personal data of users who visit the website of Officina Profumo Farmaceutica di Santa Maria Novella S.p.A., accessible electronically at the following address:
This page describes the methods for managing the site in reference to the processing of the personal data of users who consult it.
After visiting the site buy.smnovella.eu, data relating to identified or identifiable physical persons may be processed.
The Data Controller is Officina Profumo Farmaceutica di Santa Maria Novella S.p.A. (hereinafter the Company) whose registered office is in via della Scala no. 16 - 50123 Florence, VAT No. 00459370482 (email: email@example.com; Tel.: 055 4368315).
RECIPIENTS OF THE DATA AND EXTERNAL DATA PROCESSOR
The data collected as a result of browsing and visiting the website buy.smnovella.eu will not be disclosed in any way.
They may be the subject of communication to third parties for the purpose of performing operations linked to the order placed by the user-customer on the site buy.smnovella.eu and its delivery (for example they may be communicated to our IT consultants for the web platform in order to ensure in particular the sending of email messages that you have chosen to receive or to our partners for shipments, or to banks and credit institutions to manage payments, professionals and consultants for the tax and accounting management of the sales contract).
In particular, in relation to the personal data collected and processed via this website, the Data Controller has expressly appointed as external the company Valori Aziendali S.p.A. As Data Processer as supplier of development and maintenance of the web platform services - as supplier of development services involving the provision and operational management of the technological platforms used.
The appointment of this Processer is kept at the Controller’s premises and is available to the user concerned upon request to be submitted to the following email address: firstname.lastname@example.org.
LEGAL BASIS AND PURPOSE OF THE PROCESSING
The personal data provided by the user when browsing the website buy.smnovella.eu are processed by the Controller in accordance with the current regulations on the protection of personal data.
The legal basis for the processing is the provision of its services by the Company, the management and facilitation of the website, as well as the constitution, execution and possible termination of the online sales contract concluded between the parties and the obligations related to the contract and/or directly and/or indirectly arising therefrom.
In particular, the processing of personal data by the Company is aimed at pursuing the following objectives:
1) Subscribing to the Company’s newsletter: in the case where the user decides to subscribe to the newsletter, only as a result of any specific consent, the personal data will be processed by the Data Controller for the sending of commercial or promotional communications, updates relating for example to the latest trends, new arrivals, exclusive offers, special events and promotions.
To unsubscribe to the newsletter just click on the unsubscribe link, shown at the bottom of emails received or write to us at the address email@example.com.
2) Registration on the Company’s website: if the user decides to register on the website buy.smnovella.eu, only as a result of any specific consent, their personal data will be processed by the Data Controller for the purposes of registration and to manage the account created by means of registration. In particular, once their first name, last name and email address have been provided for registration and an access password set, they will be processed to create a personal account to expedite the purchase process, to allow the user to view the status of orders and receive updates on purchases, change personal settings and update the account, view their history of returns and goods change requests and save their favourite items in the wish list.
3) Online shopping activities: the personal data supplied by you will be used for the purposes of the establishment, management, implementation and/or conclusion of the online sales contract. The data provided will be processed by the Data Controller only for the purposes of managing the purchase order, completing operations linked to payments made by the customer, the shipment of goods ordered on the site, taking care of any returns, for customer service, the execution of the administrative/accounting/tax purpose related to managing the purchase order, and finally, to fulfil the obligations provided for by the legislation in force. If payment is made by credit card, the information necessary to perform the transaction (credit/debit card number, date and expiry date, security code) will be processed by Intesa Sanpaolo S.p.A. and Mercury Payment Services S.p.A., or possibly by fraud control companies via an encrypted protocol and without third parties being able to access it in any way. This information will not be however ever be viewed or saved by the Data Controller.
PROTECTION OF MINORS
The protection of minors online represents a fundamental element of the Data Controller’s corporate policy. Therefore, the Data Controller does not accept subscription, registration or orders sent by minors of 18 years and will not proceed with the knowledgeable collection and processing of the personal data of such persons. By purchasing on the site or by registering the customer declares having reached adult age according to the legislation in their country of residence.
TRANSFER OF DATA ABROAD
The management and storage of personal data acquired will take place in archives or on servers located in Canada owned by the Data Controller and/or third-party companies appointed as External Data Processors. The European Commission, with Decision 2002/2/EC stated the adequacy of the protection provided by Canadian law on the safeguarding and protection of personal data.
TYPES OF DATA PROCESSED
For example personal information provided by customers when subscribing to our newsletter (contact details, email address, telephone number, home address if expected to be issued in the newsletter) or during registration to the site to create their personal account (authentication and identification information such as name, address and password); data of any transactions carried out on the site when making online purchases; data provided voluntarily by the user (the optional, explicit and voluntary sending of email to the address indicated on this site involves the subsequent acquisition of the user’s address, necessary to respond to requests, as well as other personal data voluntarily included in the message).
The customer-user is not obliged to provide the afore-mentioned personal data. The provision of personal data by the customer (in particular personal details, email address, postal address, credit/debit card numbers and telephone number) is necessary for us to process the order for the purchase of products on the website for the provision of other services on our website at the request of the customer or to fulfil the obligations provided for by laws or regulations. The refusal by the customer to provide the data necessary to achieve the afore-mentioned aims can make it impossible for us to process the order for the purchase of products for sale on our website or fulfil the obligations provided for by laws or regulations. The provision of personal data may therefore constitute, in some cases, a legitimate reason and justification for failure to process the order for the purchase of the products on sale on the website or failure to provide services on the Website.
In normal operation, the computer systems and software procedures involved in the operation of this website acquire some personal data which are implicitly transmitted when using Internet communication protocols.
This category of data includes the IP addresses or domain names of the computers and terminals used by users, addresses in URI/URL (Uniform Resource Identifier/Locator) notation of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (completed, error, etc.) and other parameters related to the user’s operating system and computer environment.
These data are necessary for the use of the web services, they are also processed to:
obtain statistical information on the use of the services (most visited pages, number of visitors per time band or daily, geographical areas of origin, etc.);
check the correct operation of the services offered.
Browsing data are not kept for more than 365 days and are immediately deleted after aggregation (subject to any requirement to investigate offences by the judicial authority).
Like virtually all websites, the site buy.smnovella.eu also uses some cookies. They now represent fundamental tools as they enable modern sites to operate optimally, allowing maximum personalisation, interaction and fluidity when browsing. Precisely because of these possibilities they can also be used to track customer/user browsing of the site and to send messages that respond to the browsing performed.
DATA PROCESSING AND STORAGE PROCEDURES
The personal data collected on this site are processed with computer storage media and are protected by adequate security measures suitable to ensure their confidentiality and integrity.
The Data Controller attaches great importance to the security of all personal data relating to users of the site and the adoption of safety measures to prevent accidental or illegal destruction, accidental loss, alteration, unauthorised disclosure or access to data represents a fundamental element of the Data Controller’s corporate policy.
However, the Data Controller cannot guarantee users that the security measures adopted for the protection of the site and the transmission of the data and information on the site are able to limit or exclude any risk of unauthorised access or leakage of data by devices belonging to the user. For this reason, it is suggested that users of the site make sure that devices are protected. For example, the user must make sure that their computer has appropriate software to protect them from the network transmission of data (such as an updated antivirus) and that their Internet Provider has adopted appropriate measures for the security of the transmission of data over a network (such as a firewall and anti-spam filters). The Data Controller also undertakes to process the data according to the principles of correctness, lawfulness and transparency, to collect them in so far as is necessary and correct for processing and to only permit their use by personnel for the purpose authorised.
As regards the storing the customer’s personal data, the Data Controller’s general approach is to only retain these data until necessary to achieve the purposes for which the data were collected. In particular, we store personal data for 36 months from the conclusion date of the relationship with the customer-user or from the last contact with them. In some cases, personal data can be stored for longer periods where necessary to allow the Data Controller to fulfil statutory obligations (e.g. to fulfil mandatory storage for accounting-tax purposes or to prevent tax fraud). Finally, the Data Controller may also keep the personal data of customers-users for longer periods so as to have accurate documentation of negotiations which have taken place, in the case of complaints and/or disputes.
In any case, the Data Controller will take care to avoid the use of data for an indefinite time regularly suitably checking whether there is still an interest in the subject they relate to.
DATA SUBJECT'S RIGHTS
Data subjects have the right to obtain the following from the Data Controller, in the cases provided for by Articles 15-22 of Regulation:
access to their personal data
the correction of their personal data
the deletion of their personal data
the limitation of the processing of their personal data
object to the processing of their personal data
To exercise these rights provided for in Articles 15-22 of Regulation in the cases provided for in it you can send an email to this address: firstname.lastname@example.org. You will receive a response within a maximum period of 1 month from the date of receipt of the request. In the case in which the issue is extremely complex you will receive an email that will indicate the response times when it is more than one month.
Right to complain
Data subjects who consider that the processing of the personal data related to them carried out via this website takes place in breach of the requirements of the Regulation have the right to submit a complaint to the Data Protection Authority, as laid down in Art. 77 of the same Regulation, or to complain to the appropriate courts (Art. 79 of Regulation).
Right to withdraw consent
The customer has the right to withdraw their consent at any time. For example, if the customer wishes to cancel their subscription for the electronic receipt of marketing/promotional communications, they will be able to edit the settings of their account on the Website or use the “unsubscribe to the newsletter” link provided in our emails or otherwise contact us directly so we can stop sending communications at the following address: email@example.com. You can also edit consent in relation to profiling cookies (see Cookies Policy below)