PRIVACY information pursuant to art. 13 of Regulation (EU) 679/2016 (“GDPR”)
Parlux S.p.A. Protects the privacy of personal data and guarantees it the protection necessary from all events that might put it at risk of violations.
As envisaged in Regulation (EU) 679/2016 ( “GDPR”), and in art. 13 in particular, the required information about the processing of the personal data of users (“interested parties”) is provided below.
A. Who are we and why are we giving you this document?
Parlux S.p.A., in the person of its legal representative for the time being, with registered offices at Via Goldoni 10/12, 20090 – Trezzano sul Naviglio (Milan) – Italy, has long considered protection of the personal data of its current and/or potential customers and users to be of fundamental importance, guaranteeing that the processing of their personal data using any means, both automated and manual, is carried out in full compliance with the safeguards and rights recognised in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, the “Regulation”) and in the other regulations applying to the protection of personal data.
The term “personal data” is defined in article 4, point 1), of the Regulation as, “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (hereinafter, “ Personal Data”).
The Regulation envisages that, before processing Personal Data - with the meaning of the term “processing” defined in article 4, point 2), of the Regulation as, “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (hereinafter, “Processing”) - the person to whom that Personal Data belongs must be informed about the reasons for which that data is requested and how it will be used.
In this regard, the purpose of this document is to give you, in a simple and intuitive manner, all necessary and useful information so that you can provide your Personal Data in an aware and informed manner and, at any time, request and obtain clarification and/or corrections.
This information has therefore been prepared on a transparent basis, covering all the elements specified in article 13 of the Regulation. It is organised into sections (hereinafter “Sections” or “Section” if just one), each of which covers a specific topic for quick and easy reading in a readily understandable manner (hereinafter, “Information”).
If necessary, this Information may be accompanied by a specific form for giving consent, as envisaged in article 7 of the Regulation. The wording of this form depends on the type of additional use we would like to make of your Personal Data.
B. Who will process your Personal Data?
The following company, in its role as the data controller, will process your Personal Data for the principal reason described in Section D of this Information:
Parlux S.p.A. with registered offices at Via Goldoni 10/12, 20090 – Trezzano sul Naviglio (Milan) – Italy, Milan Companies Register, Tax Code and VAT no. 03790230159 (hereinafter, the “Data Controller”), which is committed to:
determining the reasons and methods adopted for the Processing of your Personal Data;
determining, in a clear and transparent manner, the procedures for providing you with a timely response should you decide to exercise your rights, as envisaged in articles 15, 16, 17, 18 and 21 of the Regulation, as well as in the cases of data portability envisaged in article 20 of the Regulation, as described better in Section I of this Information.
C. Who can you contact?
For any clarification, questions or needs relating to your privacy and the processing of your personal data, you can make contact at any time by writing to Parlux S.p.A., Via Goldoni 10/12, 20090 – Trezzano sul Naviglio (Milan); sending an e-mail request to email@example.com, or calling +39 02 48402600.
Without prejudice to any other administrative or court action, the Interest Party can lodge a complaint with the supervisory authority competent for Italy (Garante - Privacy Ombudsman) or the body that performs its duties and exercises its powers in the member State in which the infringement of the GDPR took place.
All updates to this Information will be notified on a timely basis using suitable means. In addition, Interested Parties will be informed beforehand if the Data Controller wishes to process their Personal Data for purposes other than those addressed in this Information; such processing will only take place after the Interested Party concerned has given the related consent, if this is necessary.
D. What is the principal reason for processing your personal data?
In order to allow the Data Controller to carry out Processing activities for the reasons given above, it is necessary to provide the Personal Data marked by the * symbol. In the absence of even just one of the marked details, it will not be possible to Process your Personal Data and, accordingly, you will not be allowed to complete your registration with the Websites and/or benefit from the services provided by them that require the provision of Personal Data.
The Personal Data that you will be asked to provide for the above reasons will be specified on the registration and/or contact form and include, without limitation: name, surname, username, date of birth, domicile/residential address, e-mail address, land and/or mobile telephone numbers, tax code, gender.
Should you decide to access the Websites via a social media profile (e.g. your Facebook, Google, Twitter profile), if envisaged, your Personal Data will be obtained by the Data Controller from third parties, being the administrator of the platform that you used to access the Websites. In that case, you will be able to read this Information in the Privacy section of each of the Websites (e.g. Privacy section of www.parlux.it etc.).
E. Additional purposes
Subject to your express, free and unequivocal consent pursuant to article 6, para. 1, point a), of the Regulation, the Data Controller may ask you, in addition to the above data, for further Personal Data such as, but not limited, to data about your tastes, preferences, habits, consumer needs and decisions, for the following purposes:
(e1) Marketing purposes: meaning the wish of the Data Controller to contact you for promotional and/or marketing reasons, either directly or on behalf of third parties. This category includes all activities carried out to promote products and services sold and/or provided by the Data Controller and/or by third parties with which the Data Controller maintains contractual relations without, in this case, any communication of data.
The Processing of your Personal Data for the purposes indicated in point (e1) requires obtaining your consent, which must necessarily comply with the conditions specified in article 7 of the Regulation, thus establishing the lawfulness of the Processing of your Personal Data.
The contact methods used for the above marketing activities may be automated (e-mail, text message, mms, fax, recorded voice message) or take a traditional form (operator telephone call, post). In each case, as specified better in Section H, you can always revoke your consent, in whole or in part, by for example giving consent solely for traditional forms of contact.
With regard to those forms of contact that envisage use of your telephone numbers, please note that the Data Controller will only contact you for marketing purposes after checking if you are listed on the Objections Register established pursuant and consequent to Presidential Decree 178 dated 7 September 2010 and subsequent amendments.
F. To which parties might your Personal Data be communicated?
Your Personal Data may be communicated to specific parties deemed recipients of that data. In particular, article 4, point 9), of the Regulation defines a recipient of Personal Data as, “a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not” (hereinafter, the “Recipients”).
In this light, in order to perform properly all the Processing activities necessary for the reasons addressed in this Information, the following Recipients may find themselves in a position to process your Personal Data:
third parties that perform part of the Processing activities and/or activities related and relevant to them on behalf of the Data Controller. These parties are appointed as data processors, which article 4, point 8), of the Regulation defines in the singular as, “a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller” (hereinafter, “Data Processor”);
Individuals, employees and/or collaborators of the Data Controller who have been authorised to carry out specific and/or multiple Processing activities using your Personal Data. These individuals have been given specific instructions on the subjects of security and the proper use of Personal Data and, pursuant to article 4, point 10), of the Regulation as, “persons who, under the direct authority of the Data Controller or Data Processor, are authorised to process Personal Data” (hereinafter, the “Authorised Persons”).
Where required by law or to prevent or impede the commitment of an offence, your Personal Data may be communicated to public bodies or to the judicial authorities, without them being defined as Recipients. In particular, article 4, point 9), of the Regulation states that, “public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as Recipients”.
G. How long will your Personal Data be retained?
One of the principles applicable to the Processing of your Personal Data relates to limitation of the period of retention. This is governed by article 5, para. 1, point e), of the Regulation, which states that, “Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the Data Subject”.
Given that principle, your Personal Data will only be processed by the Data Controller to the extent necessary to achieve the purposes indicated in Section D of this Information. In particular, your Personal Data will be processed for the minimum necessary period of time, as indicated in Recital 39 of the Regulation, being until termination of the contractual relationship existing between you and the Data Controller, without prejudice to any additional period of retention that may be imposed by law, as envisaged for example in Recital 65 of the Regulation.
With regard to processing carried out for the purposes indicated in Section E of this Information, the Data Controller may lawfully process your Personal Data until you communicate, in one of the ways envisaged in this Information, your wish to revoke the consent given for one or all of the purposes for which you were requested to give such consent. Any revocation of consent will, in fact, require the Data Controller to cease the Processing of your Personal Data for the purposes concerned.
H. Can consent be revoked once given and how?
As envisaged in the Regulation, if you have given your consent for the Processing of your Personal Data for one or more of the requested purposes, you may at any time revoke it, in whole or in part, without prejudice to the lawfulness of the Processing based on the consent given prior to its revocation.
The ways to revoke consent are very simple and intuitive, you just need to contact the Data Controller using the contact channels indicated in Sections C and I of this Information.
In addition to the above and for simplicity, if you receive advertising e-mail messages from the Data Controller that are no longer of interest to you, it will be sufficient to click on the “Unsubscribe” button at the foot of the message to cease receipt of all communications, including via any additional contact channels for which your consent was previously obtained (text messages, mms, post, fax, telephone calls).
I. What are your rights?
As envisaged in article 15 of the Regulation, you may access your Personal Data, request its rectification and update, if incomplete or erroneous, request its erasure if collected in violation of any law or regulations, or object to its Processing for specific reasons that are legitimate.
In particular, all the rights that you can exercise at any time in relation to the Data Controller are listed below:
Right of access: pursuant to article 15, para. 1, of the Regulation, you are entitled to obtain confirmation from the Data Controller about whether or not your Personal Data is being processed and, in that case, to obtain access to that Personal Data and the following information: a) the purposes of the Processing;
b) the categories of Personal Data concerned; c) the Recipients or categories of Recipient to whom the Personal Data has been or will be disclosed, in particular Recipients in third countries or international organisations; d) where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the Data Controller rectification or erasure of Personal Data or restriction of Processing of Personal Data about you or to object to such Processing; f) the right to lodge a complaint with a supervisory authority; g) where the Personal Data is not collected from you, any available information as to its source; h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences for you of such Processing. You can find all the above information within this Information document, which will always be available to you within the Privacy section of each of the Websites.
Right to rectification: pursuant to article 16 of the Regulation, you may obtain the rectification of your Personal Data that is inexact. Having regard for the purposes of Processing, you can also obtain the completion of any incomplete Personal Data, including by the provision of a supplementary statement.
Right to erasure: pursuant to article 17, para. 1, of the Regulation you may obtain the erasure of your Personal Data without undue delay and the Data Controller shall have the obligation to erase your Personal Data where even just one of the following grounds applies: a) the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; b) you have withdrawn the consent on which the Processing of your Personal Data is based and there is no other legal ground for its Processing; c) you have objected to the Processing pursuant to Article 21(1) or (2) of the Regulation and there are no overriding legitimate grounds for the Processing of your Personal Data; d) the Personal Data has been unlawfully processed; e) the Personal Data has to be erased for compliance with a legal obligation in Union or Member State law. In certain cases, as envisaged in article 17, para. 3, of the Regulation, the Data Controller can justifiably avoid erasing your Personal Data if its Processing is necessary, for example, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.
Right to restriction of processing: pursuant to article 18 of the Regulation, you may obtain the restriction of Processing where one of the following applies: a) you have contested the accuracy of your Personal Data (restriction for the period needed by the Data Controller to verify the accuracy of the Personal Data); b) the Processing is unlawful but you have opposed the erasure of your Personal Data and requested the restriction of its use instead; c) the Data Controller no longer needs the Personal Data for the purposes of the Processing, but it is required for the establishment, exercise or defence of legal claims; d) you have objected to Processing pursuant to Article 21(1) of the Regulation pending verification of whether the legitimate grounds of the Data Controller override yours. If Processing restricted, except with regard to its conservation, your Personal Data will only be processed with your consent or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for significant reasons of public interest. In all cases, you will be informed before the above restriction is revoked.
Right to data portability: pursuant to article 20, para. 1, of the Regulation, you may at any time request and receive all your Personal Data processed by the Data Controller in a structured, commonly used and machine-readable format, or you may request its transmission to another data controller without hindrance. In this case, you are responsible for giving us exact and complete details of the new data controller to which you intend to transfer your Personal Data, together with a written authority.
Right to object: pursuant to article 21, para. 2, of the Regulation and as confirmed in Recital 70, you may object at any time to the Processing of your Personal Data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.
Right to lodge a complaint with the supervisory authority: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Privacy Ombudsman (Garante) if you consider that the Processing of your Personal Data by the Data Controller infringes the Regulation and/or applicable laws.
To exercise all the rights identified above, it is sufficient to contact the Data Controller by:
writing to Parlux S.p.A., Via Goldoni 10/12, 20090 Trezzano S/N (Milan);
sending an e-mail to firstname.lastname@example.org;
calling this telephone number +39 02 48402600.
J. Where will your Personal Data be processed?
Your Personal Data will be processed by the Data Controller within the territory of the European Union.
Should it be necessary for technical and/or operational reasons to make use of parties located outside of the European Union, you are hereby informed that those parties will be appointed as Data Processors pursuant and consequent to article 28 of the Regulation, and the transfer of your Personal Data to those parties, solely in order to carry out specific Processing activities, will be governed in compliance with the provisions of Chapter 5 of the Regulation. Accordingly, all necessary precautions will be taken to ensure the most complete protection of your Personal Data, basing such transfers on: (a) decisions regarding the adequacy of the recipient third countries expressed by the European Commission; (b) adequate guarantees given by the recipient third party pursuant to article 46 of the Regulation; (c) the adoption of corporate binding rules.
If your Personal Data has been processed outside of the European Union you may, in all cases, request additional details from the Data Controller, including evidence of the specific guarantees obtained.
*** Version: 25 May 2018