INFORMATION ON PERSONAL DATA PROCESSING

This information on personal data processing (hereinafter, “Information”) is given in accordance with Regulation (EU)/2016/679 (hereinafter, “GDPR”) and concerns the processing of personal data performed by Dr. Vranjes Firenze S.p.A., with registered office at Via S. Pertini, 5 - Località Antella 50012 Bagno a Ripoli (FI), Italia, VAT n. 01648260519, privacy@drvranjes.it (hereinafter, the “Controller”).

  1. Identity and contact of the Controller

The Controller is Dr. Vranjes Firenze S.p.A. As the Controller is established in the EU territory, the Controller has not appointed a representative.

  1. Identity and contact of DPO

The Controller has appointed a Data Protection Officer (hereinafter, the “DPO”) in compliance with art. 37 GDPR. The DPO can be contacted at the following email address: dpo@drvranjes.it.

  1. Purposes and legal basis of the processing, consent and consequences of the lack of consent

Personal data will be processed for the following purposes:

  1. for contractual purposes and, in particular, to allow the purchase of goods within the E-commerce. In this, case the obligation to fulfill the contractual purposes constitutes the legal basis. The communication of the data constitutes an obligation; in the lack of such data, it will not be possible to proceed perform the contract.
  2. for direct marketing communications, newsletters, advertising material, market research, by means of traditional contact systems and automated computer systems, CRM, databases, including commercial or promotional communications by email, messaging systems, SMS, or telephone communications. In this case, your express consent constitutes the legal basis. The communication of data, therefore, is entirely optional and does not constitute a contractual obligation for you. In the absence of such data, it will not be possible to send newsletters.
  3. to determine your habits and preferences through profiling, to provide you with a personalized service. The legal basis is your consent, expressed in accordance with the Information. In relation to the personal data processed, the disclosure of personal data is not a contractual obligation. You have the option to provide personal data. If you fail to provide such data, the Controller will not be able to provide you with a personalized service;
  4. for purposes related to relevant legal obligations where processing is carried out for the purposes referred to in point a). In this case, the legal basis is the legal obligation of the Controller to process such personal data in accordance with applicable national legislation; in the absence of such data, it will not be possible to proceed with the conclusion of the contract.

  1. Method of consent expression

The consent to the processing of personal data may be expressed by clicking a specific flagbox.

  1. Methods of processing data, logics and safeguards
  • In relation to personal data processed and stored for the purposes under point a), number 4 of the present information notice (contractual purposes) and point d) (legal obligation), data processing will be carried out through automated decision-making logics and use of CRM software that will enable better management of fulfillment of the contractual obligations;
  • In relation to personal data processed for the purposes under point b), number 4 of the present information notice (marketing purposes), data processing will be carried out by means of traditional contact systems and automated computer systems, with the aim of offering direct marketing communications.
  • In relation to personal data processed for the purposes of point c) number 2 (profiling), the Processing will take place by means of CRM software that allows to define tastes and preferences to offer you personalized services and communications. For further details, see the next point of the Information.
  1. Automated decision-making process and profiling

If you consent to the Processing of your personal data to benefit from personalized services through profiling, your personal data may be subject to an automated decision-making process, with a specific algorithm that will decide which communications are best suited to your profile or which may be of most interest to you. The Processing carried out in this way has, as expected consequences, by way of example, the sending of highly profiled commercial communications, the sending of discounts, the sending of invitations to events deemed of interest, etc.

In accordance with Article 22 GDPR, you have the right to:

- obtain human intervention in the decision-making process by the Controller; 

- express your opinion;

- obtain an explanation of the decision reached by the Controller.

- challenge the decision itself. 

  1. Source from which personal data originate

Only personal data provided in compliance with the present information notice will be processed. In relation to the processing of personal data for the purposes of providing highly targeted services through profiling, such data may be correlated for deriving further profiled information. Data collected from public sources will be not processed.

  1. Recipients or categories of recipients of your personal data

The following may be recipients of the personal data:

  • The communication companies that provide commercial communication activities on behalf of the Controller, which are responsible for the processing, if consent has been given for marketing purposes;
  • Companies belonging to the information society, such as those providing web hosting services;
  • Companies performing statistic and market inquiries, if consent has been given for marketing purposes;
  • Companies that perform account services;
  • Partner companies of the Controller;
  • Companies offering shipping services of the products acquired by means of the Controller’s E-commerce;
  • All persons to whom the right of access to such data is recognized under regulatory measures.

  1. Categories of personal data

The Controller will process only personal data from you. There will be no handling of special categories of personal data under Article 9 of the GDPR. 

  1. Transfer of personal data

The Controller may intend to transfer personal data to a third country or an international organization, such as:

  • Communication agencies conducting activities on behalf of the Controller;
  • Companies offering information society services, including, in particular, those offering hosting services;
  • Service providers of the communication company.

The transfer of personal data to the aforesaid subjects is subject to an adequacy decision made by the European Commission after deciding that the third country or one or more specified sectors within that third country, or the international organization in question, ensures an adequate level of protection of personal data and your rights. However, if the Controller deems it appropriate to proceed with the transfer of personal data despite the lack of any adequacy decisions, the Controller reserves the right to conclude separate agreements with those subjects, requiring them to adopt adequate technical and organizational security measures to safeguard the transferred personal data, with particular regard to the protection of rights and freedoms of the concerned subjects. Your personal data may be transferred to the United States of America.

To obtain a copy of the transferred personal data or to be informed on where personal data have been transferred to, you shall send the Controller a written request to the following addresses: Via S. Pertini, 5 - Località Antella 50012 Bagno a Ripoli (FI) or email address: privacy@drvranjes.it

  1. Personal data retention period
  • Personal data processed and stored for the purposes under point a) number 3 are processed for no longer than 10 years starting from the termination of the contractual effects, in case of conclusion of the contract, unless otherwise required by law;
  • Personal data processed and stored for the purposes under point b) number 3 (marketing purposes) are processed and stored until when you request the erasure and/or revoke consent;
  • Personal data processed and stored for the purposes under point d) number 3 (fulfilment of legal obligations) are processed and stored for a period no longer than 10 years following the termination of the contractual effects, in case of conclusion of the contract, as well as for a period no longer than 10 years following the termination of the negotiations, unless otherwise required by law.
  • Personal Data processed for the purposes set forth in point c) number 2 (preference determination purposes) are processed and stored by Company for a period not exceeding 12 months from collection.

The Controller reserves the right, in any case, to request you to renew his/her consent to the processing and/or to verify the consents already expressed.

  1. Data subjects’ rights

12.1 Right to object

  • You have the right to object to the processing of personal data concerning your pursuant to Article 6, sub-section 1, letter (e) or (f) of the GDPR, at any time and on grounds relating to your particular situation. The Controller shall refrain from any further processing of your personal data unless the Controller proves that there are compelling legitimate grounds for the processing which take precedence over your interests, rights and freedoms or for the establishment, exercise or defence of a right in court.
  • If personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data carried out for such purposes, including profiling to the extent that it is related to such direct marketing.
  • If you object on the processing for direct marketing purposes, your personal data shall no longer be processed for such purposes. It is specified that your right to object on the processing of his/her personal data for the aforesaid purposes may be exercised even partially, i.e. by opposing, for example, only on sending promotional communications by automated and/or digital means, or on sending paper communications and/or receiving telephone communications.
  • Where personal data are processed for scientific or historical research or statistical purposes in accordance with Article 89, paragraph 1 of the GDPR, you have the right to object on the processing of his/her personal data for reasons related to his/her particular situation, unless such processing is necessary for the performance of a task in the public interest.

12.2 Other rights

The Controller also wishes to inform You of the existence of the following rights:

  • Right to access: You have the right to obtain from the Controller confirmation as to whether or not Your personal data are being processed and, if so, to obtain access to the personal data and specific information, in accordance with article 15 of the GDPR;
  • Right to rectification: You have the right to obtain from the Controller the rectification of inaccurate personal data without undue delay. Taking into account the processing purposes, you have the right to obtain supplementing of incomplete personal data, including by providing a supplementary statement, in accordance with art. 16 of the GDPR;
  • Right to erasure of data, including the right to revoke consent: You have the right to obtain from the Controller the erasure of the personal data without undue delay or to revoke consent. The Controller has the obligation to erase Your personal data without undue delay, if the reasons set out in art. 17 of the GDPR exist. With regard to the right to revocation, You also have the right to revoke consent at any time, without prejudice to the lawfulness of the processing based on the consent given prior to revocation;
  • Right to restriction of processing: You have the right to obtain from the Controller the restriction of processing when the conditions set out in art. 18 of the GDPR exist;
  • Right to data portability: You have the right to receive Your personal data provided to the Controller in a structured format, commonly used and readable by automatic devices. You have the right to send such data to another controller without any impediment by the Controller in the cases and at the conditions specified in art.20 of the GDPR;
  • Contractor’s right to object on commercial communications: You, as a contractor, have the right to object at any time, free of charge, on the receipt of commercial communications.
  • Right to lodge a complaint with the Supervisory Authority: you have the right to lodge a complaint the the Supervisory Authority for the Protection of personal data, if you consider that the processing of your personal data infringes the GDPR or data protection dispositions, in accordance with art. 77 GDPR.

The applications to exercise the rights indicated in this privacy notice must be addressed directly to the Controller at the e-mail address: privacy@drvranjes.it. Alternatively, You can exercise said rights by sending a registered letter with recorded delivery to Via S. Pertini, 5 - Località Antella 50012 Bagno a Ripoli (FI), Italia.

You may lodge a complaint with the Italian Supervisory Authority for the Protection of personal data according to the provided instructions in the official website, which are available at the following URL:

https://www.garanteprivacy.it/reclamo

  1. Accessibility of privacy notice

The privacy notice is accessible on our website [https://drvranjes.com/eu/privacy-policy], and at the Controller. If so expressly requested, the information can also be provided orally, as long as the identity of the applicant is proven, by means of a phone call request to the addresses of the Controller.

DATA PROCESSING BY DR. VRANJES FIRENZE S.P.A. FOR MARKETING AND PROFILING PURPOSES

 

This statement regulates the handling of personal data when using the website at https://drvranjes.com/eu/privacy-policy, Dr. Vranjes Firenze S.p.A., with head offices in Via S. Pertini, 5 - Località Antella 50012 Bagno a Ripoli (Florence), Italy, VAT no. 06511260488, email dpo@drvranjes.it, (herein “Holder”), in compliance with current rules governing data protection, including, in particular, the EU Regulation 2016/679 (herein “GDPR”).

 

 1.  Identity and contact details of the data holder

Data Holder is Dr. Vranjes Firenze S.p.A. No representative has been appointed as the Holder is based in Italy.

 

 2.  Contact details of the person in charge of the data protection

The Holder has placed Simone Bonavita in charge of data protection and can be contacted at the holder’s head offices or via e-mail at dpo@drvranjes.it

 

3.  Data handling methods 

3.1 Cookie and environmental data 

TECHNICAL COOKIES

 

  • Navigation, functional and session cookies: allow the site to work properly. Use of so called session cookies (that are not stored permanently on the device in question and are automatically deleted when the browser is shut down) is strictly limited to the transmission of identification codes for the individual sessions and is employed for the safe and efficient use of the site. They can be divided into:

-  activities strictly required for operational purposes: cookies used to save the User session and carry out other activities solely required to operate the application, for example in relation to the distribution of traffic;
 
-  saving preferences, optimisation and statistics activities: cookies used to save the browsing preferences and optimise the User’s browsing experience. These Cookies include, for example, those for language setting and the assessment or management of statistics by the site's Holder.

 

 

  

  • Statistical cookies: the site uses statistical cookies created directly by the data holder, as first party, or supplied by third parties. In the latter case, suitable measures have been adopted to reduce identification power, via the masking of significant parts of the IP addresses handled. Furthermore, the use of these third party statistical cookies is dependent on contractual limitations that commit the third party to use them exclusively for providing the service, storing them separately and not “enriching them” or “intersecting them” with other information that they are in possession of. As far as the Google Analytics cookies are specifically concerned, the information that can be retrieved from the cookies on the use of the site by users will be transmitted by the browser of the person in question to Google Inc. based in 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States and stored in the company’s servers.

 

The Google privacy regulations that we would ask you to read can be found at the following address:

http://www.google.com/intl/it/privacy/privacy-policy.html

 

The privacy statement relative to Google Analytics services can be found at the following address:

http://www.google.com/intl/en/analytics/privacyoverview.html

 

 

  • Browsing data and environmental variables: The computing systems and procedures designated to operating the site, automatically acquire certain personal data about the browsing of the person in question, during regular operations, including environmental variables. Some examples of the data in this category include:

 

  • IP addresses of the computers employed by the user availing themselves of the service;
  • number of accesses;
  • pages viewed;
  • date and time when access was made;
  • URL where the browser was before displaying this page;
  • browser type;
  • operational system used.

 

 

NON-TECHNICAL COOKIES

  

  • Profiling cookies: the site uses profiling cookies supplied by third parties. In detail, the following are used:

-  interaction with social networks and external platforms: this kind of service allows you to interact with social networks, or with other external platforms, directly from this application’s pages. The interaction and information acquired by this application is, in any case, subject to the User's privacy settings specific to each social network.

If an interaction service with the social networks is installed, it is possible that, even if Users do not use the service, traffic data will still be collected regarding the pages where it is installed.

AddThis (Addthis Inc.): is a service provided by Clearspring Technologies Inc. that displays a widget that allows for interaction with social networks and external platforms and sharing the contents of this application. Depending on the configuration, this service can show widgets belonging to third parties, for example, handlers of social networks on which to share the interactions. In this case, even third parties that distribute widgets will be informed of the interaction made and the data used relative to the pages on which this service is installed.

Personal Data collected: Cookies and Data used.

Data handling location: USA – Privacy Policy.

Re-marketing and behavioural targeting: allows this application and its partners to communicate, optimise and provide adverts based on past use made of this Application by the User. This activity is performed by tracing the data used and the use of cookies, information that is transferred to partners with whom the activity of re-marketing and behavioural targeting is linked. In addition to the possibilities of carrying out opt-outs offered by the services given below, the User can opt to exclude receipt of cookies linked to a third party service, by visiting the Network Advertising Initiative opt-out page.

 

Facebook Re-marketing (Facebook, Inc.): is a Re-marketing and Behavioural Targeting service provided by Facebook, Inc. that links the activity of this Application to the Facebook advertising network.

 

Personal Data collected: Cookies and Data used.

Data handling location: USA – Privacy Policy Opt Out.

 

AdWords Re-marketing (Google, Inc.): is a Re-marketing and Behavioural Targeting service provided by Google Inc. that links the activity of this Application to the AdWords advertising network and Doubleclick Cookie.

 

Personal Data collected: Cookies and Data used. 

Data handling location: USA – Privacy Policy Opt Out.

-  Statistics: the services contained in this section allow the Data Holder to monitor and analyse the traffic data and are used to keep track of the User’s behaviour.

 

Google Analytics with anonymised IP (Google Inc.): is a web analysis service provided by Google Inc. (“Google”). Google uses the Personal Data collected to track and examine the use of this Application as well as fill in reports and share them with other services developed by Google. Google could use the Personal Data to contextualise and personalise the adverts on its own advertising network. This Google Analytics integration makes your IP address anonymous. Anonymisation works by abbreviating the User’s IP address within the confines of EU member states or other countries adhering to the European Economic Space agreement. Only in exceptional cases will the IP address be sent to Google servers and abbreviated in the United States. Personal Data collected: Cookies and Data used.

Data handling location: USA – Privacy Policy Opt Out

 

Monitoring of Facebook Ads conversions (Facebook, Inc.): is a service of statistics provided by Facebook, Inc. that links the data from the network of Facebook adverts with the actions carried out within this Application.

Personal Data collected: Cookies and Data used.

Data handling location: USA – Privacy Policy

 

 

Delete or deactivate cookies

As cookies are normal text files, they can be accessed using word processor programs.

In any case, you can set your browser to prevent it handling cookies.

Delete/deactivate cookies with Firefox:

http://support.mozilla.com/it/kb/Eliminare%20i%20cookie

Delete/deactivate cookies with Edge:

https://support.microsoft.com/it-it/help/4027947/windows-delete-cookies

 Delete/deactivate cookies with Chrome:

http://support.google.com/chrome/bin/answer.py?hl=it&answer=95647

 

3.2 Data provided voluntarily by the person in question

The optional data freely provided by the person in question by sending an e-mail to the addresses on the site can be acquired for the ends indicated in point 4.

In particular, as well as the e-mail address needed to reply to the sender, other personal data contained in the relative communication will be handled.

 

4. Handling purposes and juridical basis for handling

In order to send direct marketing communications, newsletters, advertising, via traditional contact systems and automated IT systems, including sales or advertising communications via e-mail or SMS, or for market research and analysis. In this case, it is the consensus, expressed in compliance with this statement, that represents a juridical foundation.

For profiling activity and to establish habits and preferences. In this case, it is the consensus, expressed in compliance with this statement, that represents a juridical foundation.

 

5. Means for expressing consensus

Consensus to handle personal data via non-technical cookies can be expressed:

  • By clicking a specific box in a banner.

 

6. Source from where personal data originates

Only data provided by the person in question will be handled, in compliance with this regulation, collected from the website.

 

 7.  Recipients and possible categories of personal data recipients 

Recipients of the person in question’s personal data could be:

  • communication firms that carry out commercial communication and profiling work on behalf of the Holder and appointed to handle the data;
  • firms that offer IT company services, in particular, those that offer hosting services.

 

8. Data categories

The personal data of the person in question will be handled.

 

 

9. Data transfer

The Holder's intention is to transfer personal data to a third party Country or international organisation. These subjects could be represented, for example, by 

  • communication firms that perform communication work for the Holder;
  • firms that offer IT company services, including, in particular, those that offer hosting services;
  • communication firm service suppliers.

 

Transfer of personal data to these subjects, if settled in a third party Country or international organisation, is done in the presence of an adequacy decision from the European Commission that has assessed how the third party Country, territory or one or more specific sectors within the third party Country, or international organisation in question, guarantee a suitable level of protection of its rights. In any case, the Holder – should they see fit – reserves the right to finalise specific separate agreements that oblige these subjects to adopt adequate safety measures, including organisational safety measures, aimed at providing appropriated guarantees of their rights. In particular, Google Inc. is contractually bound to guarantee suitable protection of the rights of the person in question. The data could, therefore, be transferred to the following countries: UK and United States of America. In order to receive a copy of this data or the place where it has been made available, just send a request to the following e-mail privacy@drvranjes.it.

 

 

10. Storage period of personal data

The personal data handled for marketing purposes is handled and stored until the person in question revokes consensus or requests its deletion.

Personal data handled for the purpose of establishing preferences is handled and stored for a period no longer than 12 months from when it was collected.

The Holder reserves the right, in any case, to request that the party in question renew their consensus for data handling and/or checks the consensus already expressed.

 

11. Option to provide consensus and consequences of denied consensus

With regard to handling personal data for marketing purposes, the communication of personal data is not a contractual requirement. Providing personal data is optional; however, if this data is not communicated, no marketing activities will be possible;

With regard to handling personal data for profiling purposes, the communication of personal data is not a contractual requirement. Providing personal data is optional; however, if this data is not communicated, no profiling activities will be possible.

 

12.  Rights of the person in question 

12.1 Right to oppose

With regard to the personal data handled via technical cookies in order to allow for the website to work properly, communication of personal data is not a contractual obligation, but one founded on the Holder's legitimate interest, in as much as, without consensus to handle the data, it will not be possible to provide a perfectly functioning website.

Consensus should be considered optional in relation to non-technical cookies. In the latter case, failed communication of this data will only result in the impossibility to provide a personalised service. In relation to data provide voluntarily via e-mail, consensus should be considered optional. However, failure to communicate this data will make it impossible to reply to the person in question;

In relation to the data communicated for contractual and pre-contractual purposes, the communication of personal data is a contractual obligation and a requirement for carrying out the pre-contractual negotiations and to finalise the contract. The person in question has the option to provide personal data; however, in the absence of this data being communicated, it will not be possible to finalise any contract or carry out any contractual negotiations;

With regard to data provided voluntarily via e-mail, failure to communicate this will make it impossible to reply to the person in question.

 

 

12.2 Other rights

 The Holder also intends to inform the person in question of the existence of the following rights in his/her favour:

  • Right of access by the person in question: the person in question has the right to obtain confirmation from the Holder that personal data regarding him/her is being handled and, if this is the case, to obtain access to the personal data and specific information, in compliance with art. 15 of the GDPR.
  • Amendment right: the person in question has the right to obtain an amendment of inaccurate personal data that regards him/her without undue delay. Having taken into account the purposes of handling the data, the person in question has the right to obtain the integration of incomplete personal data, by even providing a supplementary declaration, in compliance with art. 16 of the GDPR.
  • Right to data deletion, including the right to withdraw consensus: the person in question has the right to have his/her personal data deleted by the Holder without undue delay and the Holder is obliged to delete this personal data without undue delay, or to withdraw consensus, if the reasons defined in art. 17 of the GDPR are present. As far as the right to withdrawal is concerned, the person in question also has the right to withdraw consensus at any time without compromising the legitimacy of the handling based on the consensus presented prior to withdrawal. 
  • Right of data handling limitation: the person in question has the right to obtain a limitation from the Holder on the handling of the data when the circumstances set out in art. 18 of the GDPR are resorted to.
  • Right to data portability: the person in question has the right to receive the data regarding them in a structured format, for common use and legible from automatic devices, provided by the Holder and has the right to transmit this data to another holder without impediments from the Holder in the cases, and under the conditions, specified in art. 20 of the GDPR.

 

 

13. Exercising ones rights

Requests to exercise one’s rights indicated in this statement, including, in particular, the right to deletion and withdrawal of consensus given, should be addressed to the Holder at the following e-mail privacy@drvranjes.it. Alternatively, it is possible to exercise one’s rights by sending relative communication by registered return post letter to Via S. Pertini, 5 - Località Antella 50012 Bagno a Ripoli (Florence).

  

14. Statement accessibility

The statement can be accessed at https://drvranjes.com/eu/privacy-policy, as well as from the Holder. If expressly requested by the person in question, the information can also be verbally communicated over the phone to the Holder, as long as the identity of the person in question has been established.