pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter "GDPR" or "Regulation"), we hereby inform you that your personal data (hereinafter also "the Data") will be processed by AD Milano S.r.l., with registered office in Via Savona n. 97 – 20144 Milano, as Data Controller (hereinafter also “Controller” or "Data Controller").
Categories of personal data
The Data collected and processed by the Controller are as follows:
- Identification data (First name, last name, birthdate);
- Location data (Address, city);
- Contact details (e-mail; telephone number;);
- C. and/or VAT number;
- Bank data (credit card number)
Purpose and methods of data processing
In consideration of the activity carried out by the Controller, the collection and processing of your Data have as purposes:
- 1) the execution of the obligations deriving from the contractual relations of sale or the performance of pre-contractual activities;
- 2) the management of customers and/or the customers’ orders;
- 3) the fulfilment of accounting and tax obligations or other legal obligations;
- 4) the management of legal disputes;
- 5) the creation of the utilities for access to the e-commerce;
- 6) the sending of commercial communications in order to keep you informed about our products similar to those you have purchased and/or other promotional or marketing activities;
- 7) the sending of commercial communications about our products and services and/or other promotional or marketing activities customized on the basis of customers' tastes, interests, purchases.
Your Data will be processed by authorized personnel in accordance with article 29 of GDPR. The processing of the Data for said purposes will take place by computer, telematic, manual and paper means, according to logical criteria compatible and functional to the purposes for which the Data was collected, in compliance with the rules of confidentiality and security provided for by law and by the internal company regulations and security measures of GDPR. Your Data may also be subject to processing involving automated decision-making processes, including profiling.
Legal basis of the processing
The legal bases for achieving the above purposes are as follows:
- with regard to the purposes set out in points 1, and 2 to execution of the obligations deriving from the contractual relations of sale or the performance of pre-contractual activities (Article 6(1)(b) of the GDPR);
- with regard to the purpose set out in point 3 in the the fulfilment legal obligations (Article 6(1)(c) of the GDPR);
- with regard to the purpose set out in point 4 in the legitimate interest of the Controller (Article 6(1)(f) of the GDPR);
- with regard to the purposes set out in points 6 and 7 in the consent spontaneously given by the dat asuject (Customer or visitor) by flag a check-box or registering for a specific service (Article 6(1)(a) of the GDPR;
- with regard to the purposes set out in point in the legitimate interest of the Controller to offer its Customers products similar to those purchased (Article 6(1)(b) of the GDPR). The Customer may always object to such processing.
Categories of Data recipients and Data transfer to third countries
The Controller, in the fulfilment of the purposes indicated above, may communicate and transfer your Data to third parties in charge of carrying out or providing specific services strictly functional to the execution of the contractual relationship and inevitably connected to it, such as:
- to Public Bodies or Offices or Public Administrations in accordance with legal obligations;
- to subjects whose right to access the Data is recognized by provisions of law and secondary legislation or by provisions issued by authorities legitimated by law;
- professionals, external debt collection companies and auditing companies;
- banks and credit institutions;
- companies that manage IT systems, including those aimed at managing company relations;
- companies that provide call center services.
Personal Data are not transferred outside the European Union or the European Economic Area.
Data Retention Period
The Personal Data collected will be kept for the period of time necessary to pursue the purposes indicated; subsequently, such Data will be kept for a period of ten years in order to comply with legal obligations and, among these, the obligations under Article 2220 of the Italian Civil Code. Any further storage of Data or part of the Data may be arranged to enforce or defend our rights in any venue and, in particular, in court. For the purpose n. 6, the Data will be processed and stored by the Controller for the entire period during which the newsletter service will be active, except in case of revocation of consent or the exercise of the rights of opposition and cancellation of the Data by you. For the purpose 7 the Data will be processed and stored by the Controller for the period of time necessary to pursue the indicated purpose taking into account the nature of the related service, except in a case where you revoke your consent or exercise your rights to oppose and cancel the Data.
Data subject's rights
With regard to your personal data, we inform you that you can exercise your rights under art. 15 et seq. of Regulation (EU) 2016/679, set out below:
Right of Access; Right to rectification; Right to cancellation or "right to be forgotten"; Right to limitation of processing; Right to receive notification in case of rectification or cancellation of personal data or limitation of processing; Right to Data Portability; Right to Opposition to processing. You have also the right to lodge a complaint with a supervisory authority if you consider that your rights have not been granted to you.
To enforce the rights reserved to you, please contact the Data Controller, sending a letter to AD Milano S.r.l., Via Savona n. 97 – 20144 Milano or sending an email to firstname.lastname@example.org. If you think that the processing of your personal data by the data controller has infringed the provision of the GDPR, you can lodge a complaint with a Supervisory Authority.
Compulsory or optional nature of the provision of Data
The provision of Data to the Controller is mandatory only for those Data for which there is a regulatory obligation (i.e. established by laws, regulations, provisions of Public Authorities, etc.). In all other cases, you are free to provide your Personal Data or not, as long as part of your Data is strictly necessary for the pursuit of contractual purposes, failure to provide such Data may not allow the provision of services requested by you.
Consequences in case of refusal to provide the Data
In the presence of a regulatory or contractual obligation to provide your Personal Data, the refusal to provide your Personal Data does not allow the Controller to perform the operations that presuppose the processing of such Data and this with all the consequences and damage at your expense. Therefore, if the Data are necessary or strictly instrumental to the performance of the contractual relationship, the refusal to provide them may make it impossible to carry out the operations connected to such Data (or in any case may cause delays in the performance of such operations). Any refusal to provide Personal Data functional to the activities of the Controller, other than those necessary or strictly instrumental to the execution of the contractual relationship (for example, personal data that can be processed only on the basis of your consent) precludes the conduct of such further activities but does not interfere with the performance of the current contractual relationship.