INFORMATION ON PERSONAL DATA PROCESSING
This information on personal data processing (hereinafter, “Information”) is given in accordance with Regulation (EU)/2016/679 (hereinafter, “GDPR”) and concerns the processing of personal data performed by Dr. Vranjes Firenze S.p.A., with registered office at Via S. Pertini, 5 - Località Antella 50012 Bagno a Ripoli (FI), Italia, VAT n. 01648260519, firstname.lastname@example.org (hereinafter, the “Controller”).
- Identity and contact of the Controller
The Controller is Dr. Vranjes Firenze S.p.A. As the Controller is established in the EU territory, the Controller has not appointed a representative.
- Identity and contact of DPO
The Controller has appointed a Data Protection Officer (hereinafter, the “DPO”) in compliance with art. 37 GDPR. The DPO can be contacted at the following email address: email@example.com.
- Purposes and legal basis of the processing, consent and consequences of the lack of consent
Personal data will be processed for the following purposes:
- for contractual purposes and, in particular, to allow the purchase of goods within the E-commerce. In this, case the obligation to fulfill the contractual purposes constitutes the legal basis. The communication of the data constitutes an obligation; in the lack of such data, it will not be possible to proceed perform the contract.
- for direct marketing communications, newsletters, advertising material, market research, by means of traditional contact systems and automated computer systems, CRM, databases, including commercial or promotional communications by email, messaging systems, SMS, or telephone communications. In this case, your express consent constitutes the legal basis. The communication of data, therefore, is entirely optional and does not constitute a contractual obligation for you. In the absence of such data, it will not be possible to send newsletters.
- to determine your habits and preferences through profiling, to provide you with a personalized service. The legal basis is your consent, expressed in accordance with the Information. In relation to the personal data processed, the disclosure of personal data is not a contractual obligation. You have the option to provide personal data. If you fail to provide such data, the Controller will not be able to provide you with a personalized service;
- for purposes related to relevant legal obligations where processing is carried out for the purposes referred to in point a). In this case, the legal basis is the legal obligation of the Controller to process such personal data in accordance with applicable national legislation; in the absence of such data, it will not be possible to proceed with the conclusion of the contract.
- Method of consent expression
The consent to the processing of personal data may be expressed by clicking a specific flagbox.
- Methods of processing data, logics and safeguards
- In relation to personal data processed and stored for the purposes under point a), number 4 of the present information notice (contractual purposes) and point d) (legal obligation), data processing will be carried out through automated decision-making logics and use of CRM software that will enable better management of fulfillment of the contractual obligations;
- In relation to personal data processed for the purposes under point b), number 4 of the present information notice (marketing purposes), data processing will be carried out by means of traditional contact systems and automated computer systems, with the aim of offering direct marketing communications.
- In relation to personal data processed for the purposes of point c) number 2 (profiling), the Processing will take place by means of CRM software that allows to define tastes and preferences to offer you personalized services and communications. For further details, see the next point of the Information.
- Automated decision-making process and profiling
If you consent to the Processing of your personal data to benefit from personalized services through profiling, your personal data may be subject to an automated decision-making process, with a specific algorithm that will decide which communications are best suited to your profile or which may be of most interest to you. The Processing carried out in this way has, as expected consequences, by way of example, the sending of highly profiled commercial communications, the sending of discounts, the sending of invitations to events deemed of interest, etc.
In accordance with Article 22 GDPR, you have the right to:
- obtain human intervention in the decision-making process by the Controller;
- express your opinion;
- obtain an explanation of the decision reached by the Controller.
- challenge the decision itself.
- Source from which personal data originate
Only personal data provided in compliance with the present information notice will be processed. In relation to the processing of personal data for the purposes of providing highly targeted services through profiling, such data may be correlated for deriving further profiled information. Data collected from public sources will be not processed.
- Recipients or categories of recipients of your personal data
The following may be recipients of the personal data:
- The communication companies that provide commercial communication activities on behalf of the Controller, which are responsible for the processing, if consent has been given for marketing purposes;
- Companies belonging to the information society, such as those providing web hosting services;
- Companies performing statistic and market inquiries, if consent has been given for marketing purposes;
- Companies that perform account services;
- Partner companies of the Controller;
- Companies offering shipping services of the products acquired by means of the Controller’s E-commerce;
- All persons to whom the right of access to such data is recognized under regulatory measures.
- Categories of personal data
The Controller will process only personal data from you. There will be no handling of special categories of personal data under Article 9 of the GDPR.
- Transfer of personal data
The Controller may intend to transfer personal data to a third country or an international organization, such as:
- Communication agencies conducting activities on behalf of the Controller;
- Companies offering information society services, including, in particular, those offering hosting services;
- Service providers of the communication company.
The transfer of personal data to the aforesaid subjects is subject to an adequacy decision made by the European Commission after deciding that the third country or one or more specified sectors within that third country, or the international organization in question, ensures an adequate level of protection of personal data and your rights. However, if the Controller deems it appropriate to proceed with the transfer of personal data despite the lack of any adequacy decisions, the Controller reserves the right to conclude separate agreements with those subjects, requiring them to adopt adequate technical and organizational security measures to safeguard the transferred personal data, with particular regard to the protection of rights and freedoms of the concerned subjects. Your personal data may be transferred to the United States of America.
To obtain a copy of the transferred personal data or to be informed on where personal data have been transferred to, you shall send the Controller a written request to the following addresses: Via S. Pertini, 5 - Località Antella 50012 Bagno a Ripoli (FI) or email address: firstname.lastname@example.org
- Personal data retention period
- Personal data processed and stored for the purposes under point a) number 3 are processed for no longer than 10 years starting from the termination of the contractual effects, in case of conclusion of the contract, unless otherwise required by law;
- Personal data processed and stored for the purposes under point b) number 3 (marketing purposes) are processed and stored until when you request the erasure and/or revoke consent;
- Personal data processed and stored for the purposes under point d) number 3 (fulfilment of legal obligations) are processed and stored for a period no longer than 10 years following the termination of the contractual effects, in case of conclusion of the contract, as well as for a period no longer than 10 years following the termination of the negotiations, unless otherwise required by law.
- Personal Data processed for the purposes set forth in point c) number 2 (preference determination purposes) are processed and stored by Company for a period not exceeding 12 months from collection.
The Controller reserves the right, in any case, to request you to renew his/her consent to the processing and/or to verify the consents already expressed.
- Data subjects’ rights
12.1 Right to object
- You have the right to object to the processing of personal data concerning your pursuant to Article 6, sub-section 1, letter (e) or (f) of the GDPR, at any time and on grounds relating to your particular situation. The Controller shall refrain from any further processing of your personal data unless the Controller proves that there are compelling legitimate grounds for the processing which take precedence over your interests, rights and freedoms or for the establishment, exercise or defence of a right in court.
- If personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data carried out for such purposes, including profiling to the extent that it is related to such direct marketing.
- If you object on the processing for direct marketing purposes, your personal data shall no longer be processed for such purposes. It is specified that your right to object on the processing of his/her personal data for the aforesaid purposes may be exercised even partially, i.e. by opposing, for example, only on sending promotional communications by automated and/or digital means, or on sending paper communications and/or receiving telephone communications.
- Where personal data are processed for scientific or historical research or statistical purposes in accordance with Article 89, paragraph 1 of the GDPR, you have the right to object on the processing of his/her personal data for reasons related to his/her particular situation, unless such processing is necessary for the performance of a task in the public interest.
12.2 Other rights
The Controller also wishes to inform You of the existence of the following rights:
- Right to access: You have the right to obtain from the Controller confirmation as to whether or not Your personal data are being processed and, if so, to obtain access to the personal data and specific information, in accordance with article 15 of the GDPR;
- Right to rectification: You have the right to obtain from the Controller the rectification of inaccurate personal data without undue delay. Taking into account the processing purposes, you have the right to obtain supplementing of incomplete personal data, including by providing a supplementary statement, in accordance with art. 16 of the GDPR;
- Right to erasure of data, including the right to revoke consent: You have the right to obtain from the Controller the erasure of the personal data without undue delay or to revoke consent. The Controller has the obligation to erase Your personal data without undue delay, if the reasons set out in art. 17 of the GDPR exist. With regard to the right to revocation, You also have the right to revoke consent at any time, without prejudice to the lawfulness of the processing based on the consent given prior to revocation;
- Right to restriction of processing: You have the right to obtain from the Controller the restriction of processing when the conditions set out in art. 18 of the GDPR exist;
- Right to data portability: You have the right to receive Your personal data provided to the Controller in a structured format, commonly used and readable by automatic devices. You have the right to send such data to another controller without any impediment by the Controller in the cases and at the conditions specified in art.20 of the GDPR;
- Contractor’s right to object on commercial communications: You, as a contractor, have the right to object at any time, free of charge, on the receipt of commercial communications.
- Right to lodge a complaint with the Supervisory Authority: you have the right to lodge a complaint the the Supervisory Authority for the Protection of personal data, if you consider that the processing of your personal data infringes the GDPR or data protection dispositions, in accordance with art. 77 GDPR.
The applications to exercise the rights indicated in this privacy notice must be addressed directly to the Controller at the e-mail address: email@example.com. Alternatively, You can exercise said rights by sending a registered letter with recorded delivery to Via S. Pertini, 5 - Località Antella 50012 Bagno a Ripoli (FI), Italia.
You may lodge a complaint with the Italian Supervisory Authority for the Protection of personal data according to the provided instructions in the official website, which are available at the following URL:
- Accessibility of privacy notice
The privacy notice is accessible on our website [https://drvranjes.com/eu/privacy-policy], and at the Controller. If so expressly requested, the information can also be provided orally, as long as the identity of the applicant is proven, by means of a phone call request to the addresses of the Controller.