* * *
The processing of your personal data will be based on the principles of fairness, lawfulness, transparency, purpose and storage limitation, minimisation, accuracy, integrity, and confidentiality, as well as on the principle of accountability pursuant to art. 5 of the GDPR.
Processing of personal data means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1. DATA CONTROLLER AND DATA PROTECTION OFFICER
The Data Controller is Missoni S.p.A, in the person of its pro tempore legal representative, with registered office in Via Luigi Rossi 52, 21040, Sumirago (VA), which can be reached at firstname.lastname@example.org.
The Data Protection Officer of Missoni may be contacted at the Data Controller's registered office at the above address, by writing “to the attention of the Data Protection Officer”, and/or by email at: email@example.com.
2. PERSONAL DATA BEING PROCESSED
We inform you that the personal data being processed may consist of an identifier such as your name, identification number, location data, online identifier or one or more characteristics relating to your physical, physiological, psychological, economic, cultural, or social identity that are capable of identifying you or of making you identifiable depending on the type of services requested by you (hereinafter only “personal data”).
The personal data processed through the Website are as follows:
a. Navigation data
The management of the Website involves the use of computer systems and software procedures that are used to operate the Website, which during their normal operation, acquire certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified.
This information includes various parameters relating to the operating system and computer environment of the user connecting to the Website, including the IP address, the location (country), the computer domain names, the URI (Uniform Resource Identifier) addresses of the resources requested on the Website, the time of the requests, the method used to send the requests to the server, the size of the file obtained in response to a request, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters relating to the user's operating system and computer environment.
These data are used solely for the purpose of obtaining anonymous statistical information on the use of the Website as well as to verify its correct functioning and identify any malfunctioning and/or abuse of the Website. The data is deleted after processing, unless it is necessary to identify those responsible in the event of a hypothetical cybercrime against the Website or third parties.
b. Data voluntarily provided by the user
c. Data processed for the provision of online services
- creation of your personal account and access to the personal area of the Website, in the context of which your personal data (in particular, your first name, surname, date of birth), contact data (e-mail address and telephone number) and, if provided, information relating to the catalogue of your preference will be processed. During registration and access to your personal area, personal data are provided directly by you or transmitted to the Controller by third parties as autonomous data controllers. In particular, it should be noted that following your choice to create an account on the Website by linking it with your pre-existing social network account (e.g. Google, Facebook) and using the log-in button on the log-in form, these third parties, as autonomous data controllers, provide the Controller with the personal data strictly necessary for your identification (personal data and contact details). Within your personal area, in addition to the above-mentioned data, the Data Controller will also process further personal data, such as the shipping addresses you have given for purchases, information relating to the history of purchases you have made, and information relating to the payment methods you have chosen;
- conclusion and execution of purchase and/or pre-order contracts (including the sending of service communications such as, email confirmation of purchase or receipt of the pre-order proposal, shipping updates, updates on the availability of products at the boutique selected for collection, management of product warranties and related accounting, payment processing, administrative and after-sales services), both as a registered user and as a guest user, whereby your personal data, contact details, details relating to the products purchased, shipping addresses of the products purchased, invoicing data and any other information relating to your purchasing experience will be processed, including also information relating to the payment methods, the data of the credit/debit card possibly used for payment and the information relating to the transaction carried out through the payment method selected by you among those available from time to time. In this regard, we inform you that pursuant to art. 14 of the GDPR, following your choice to use one of the above payment methods, the bank, PayPal, Apple and/or Google, as autonomous data controllers, will only communicate to Missoni the information relative to the fact that the payment has been made.
- order status verification service, in which your order number and the e-mail address linked to your order will be processed;
- return service, in which your personal details, contact details, the address where you wish to collect the returned products, the order number and information relating to the purchase and the products being returned will be processed, as well as any information relating to your purchase and return experience. The return service also includes the sending, of service communications by Missoni such as, the e-mail confirming receipt of your request for return, the e-mail accepting the return, or, if there is a decrease in the value of the returned products, the communication of the amount deducted from the refund;
- the "Book an appointment" function, in which you will be asked to enter your personal information, in particular your personal and contact details, as well as possibly formulating a message for the staff which may contain additional personal data in order to arrange appointments in our boutiques;
- “Wishlist" service, through which you can add items to your wish list in your personal area;
- “Click & reserve" service for online booking of products to pick up from the selected boutique, where your personal data, contact details and information regarding the products booked and the selected boutique will be processed. This service also includes the sending of an email by Missoni to update you on the availability of products at the selected boutique.
Moreover, the Data Controller shall process any other information relating to your purchase, such as the type of product purchased, the date of purchase, the amount spent, information relating to the products you have placed in the Website's "virtual shopping cart" which may be processed subject to your consent in order to send you a reminder e-mail of the products placed in the cart for which the "checkout" process has not been completed (so-called "abandoned cart e-mail") as well as, in general, your purchasing choices, and your preferences for the purposes indicated below. The Data Controller will also process the information deriving from your choices to personalize the contents of the newsletter.
d. Third-party data voluntarily provided by the user
The use of the Website services may involve the processing of personal data of third parties that you have communicated to Missoni (for example, in the case of data provided in the contact form; in the personalized message that you may have inserted in the greeting card when selecting the "gift" option during purchase; etc.). With respect to these scenarios, you act as autonomous data controller, assuming all the obligations and responsibilities of the law. In this sense, you grant the widest indemnity on this point with respect to any dispute, claim, request for compensation for damages from processing, etc. that may be received by the Data Controller from third parties whose personal data have been processed through your use of the Website services in violation of the applicable data protection regulations. In any case, should you provide or otherwise process personal data of third parties in the use of the Website, you warrant as of now - assuming all related liability - that this particular hypothesis of processing is, where necessary, based on the prior acquisition - on your part - of the third party's consent to the processing of information concerning him/her.
e. Data processed for sending products/gifts to subjects other than the Website user
The personal data processed, in particular, are personal data (first name, last name) and contact data (e.g. telephone number, shipping address).
f. Cookies and other tracking technologies
Information on the cookies served by the Website can be found here.
3. PURPOSE OF PROCESSING, LEGAL BASIS AND OBLIGATORY OR OPTIONAL NATURE OF PROCESSING
Your personal data will be processed with your consent, where necessary for the following purposes:
a) to allow navigation through the Website, the registration in the personal area as well as the provision of all the other services made available by the Data Controller (such as, by way of example, the online sales service, returns, the 'Wishlist' service, 'Click & Reserve', the 'Book an appointment' function, the order status check, as well as contractual and administrative-accounting relations and after-sales services, etc.), including the management of the security of the Website;
b) to respond to specific requests made to the Data Controller, also in relation to post-sales, including customer service and information requests submitted by filling out the relative forms on the Website;
c) to subscribe to the newsletter (the contents of which you will be able to personalise) to receive communications and information of a commercial, promotional and direct marketing nature by e-mail regarding Missoni’s services, products and offers;
e) to analyze your data for profiling purposes by Missoni S.p.A, including profiling related to the sending of offers, discounts and any other benefits and promotional initiatives modelled based on your interests, purchasing behavior and propensities (e.g. purchase volumes, consumption habits and choices), including data collected online through trackers (e.g. cookies, pixel, tags, etc.) on the Missoni Website or third party websites to personalize marketing communications based on your profile, interests and purchasing propensities;
f) to send advertising material and commercial communications by e-mail and/or posted mail in relation to products or services similar to those purchased by you, pursuant to art. 130, par. 4 of the Privacy Code as well as the Decision of the Italian Supervisory Authority of June 19, 2008, unless you expressly refuse to receive such communications, which you may express when registering on the Website or on subsequent occasions;
g) to fulfil any obligations under applicable laws, regulations or EU legislation, or to comply with requests from the authorities;
h) to meet any defence requirements, both in and out of court.
The legal basis for the processing of personal data for the purposes referred to in section a) and b) is art. 6, par. 1, letter b) of the GDPR ([...] processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract), since the processing operations are necessary for the provision of the services. The provision of personal data for these purposes is optional, but failure to do so would make it impossible to access the services requested.
The processing operations carried out for the marketing purposes referred to in section c), d) and e) are based on the granting of your consent pursuant to art. 6, par. 1, letter a) ([...] the data subject has given consent to the processing of his or her personal data for one or more specific purposes) and art. 22, par. 2, letter c) of the GDPR.
It should be noted that with reference to the sending of e-mails relating to the abandoned shopping cart, such processing may be carried out by the Data Controller only in the presence of the consents previously given by you for the purpose of receiving commercial and promotional communications by e-mail referred to in letters c) or d) above, and for the purpose of profiling referred to in letter e) above.
With reference to the purpose referred to in section f), it should be noted that if the Data Controller uses the e-mail or posted mail details provided by the data subject for the purpose of direct sales of its products or services, pursuant to Section 130, par. 4 of the Privacy Code, the Data Controller does not need to request consent, provided that the products or services in question are similar to those being sold and that the data subject, having been adequately informed, does not refuse such use, either initially or in connection with subsequent communications.
The purpose referred to in section g) constitutes lawful processing of personal data within the meaning of art. 6, per. 1, let. c) of the GDPR ([...]processing is necessary for compliance with a legal obligation to which the controller is subject). Once the personal data has been provided, in fact, the processing is indeed necessary to comply with legal obligations to which the Controller is subject.
The processing referred to in section h) is carried out for the purpose of pursuing the legitimate interest of the Controller pursuant to art. 6, par. 1, letter f) and 9, par. 2, letter f) of the GDPR, since once personal data has been provided, the relevant processing may become necessary in order to establish, exercise or defend a right in court or whenever the judicial authorities exercise their functions.
4. RECIPIENTS OF PERSONAL DATA
1. persons authorised by the Data Controller to process personal data pursuant to art. 29 of the GDPR and art. 2-quaterdecies of the Privacy Code (e.g. sales, administration and accounting staff, after-sales service, CRM, information systems management, etc.);
3. subjects, bodies or authorities to whom it is mandatory to communicate your personal data by virtue of legal provisions or orders of the authorities;
4. companies of the Missoni business group, as autonomous data controllers, for administrative-accounting purposes on the basis of our legitimate interest pursuant to art. 6, par. 1, let. f) and recitals 47 and 48 of the GDPR.
These subjects are hereinafter collectively referred to as "Recipients".
5. TRANSFERS OF PERSONAL DATA
The personal data provided through the Website will be processed and stored in the Data Controller's information systems, whose servers are located within the European Economic Area. However, some of your personal data may be shared with Recipients located outside the European Economic Area. In such cases, the transfer will take place in compliance with the conditions indicated in articles 44-49 of the GDPR, such as, the adoption of Standard Contractual Clauses approved by the European Commission, the selection of subjects adhering to international commitments for the free movement of data or operating in countries considered adequate by the European Commission in compliance with Recommendations 01/2020 adopted on 10 November 2020 by the European Data Protection Board.
6. STORAGE OF PERSONAL DATA
Your personal data will be collected and stored in accordance with the principles of minimisation and storage limitation as referred to in art. 5.1.c) and e) of the GDPR, also while guaranteeing the necessary security measures to prevent data loss, illegal or incorrect use and unauthorised access.
For the purposes of direct marketing referred to in sections c) and d) of paragraph 3 of this Policy, your personal contact data will be processed until you object or withdraw your consent. Please also note that your personal data processed for profiling purposes as referred to in section e) of paragraph 3 of this Policy and personal data relating to your profile processed for the purpose of sending personalized commercial and promotional communications will be kept for these purposes for a period of time not exceeding seven years from their collection and/or registration, after which the Company automatically deletes your personal data, or transforms them into anonymous data in a permanent and non-reversible manner, unless you withdraw consent or object to the processing before the expiry of this period.
In general, the Data Controller reserves the right, in any case, to keep your data for the time necessary to comply with any regulatory obligation to which it is subject or to meet any defensive needs. Specific security measures are observed to prevent loss of data, unlawful or incorrect use and unauthorised access.
7. AUTOMATED DECISION-MAKING PROCESSING
8. RIGHTS OF THE DATA SUBJECT
In particular, you may at any time exercise the following rights:
- right to withdraw any consent given (art. 7 of the GDPR) - You have the right to withdraw any consent given at any time, without prejudice to the lawfulness of the processing carried out prior to the withdrawal;
- right of access (art. 15 of the GDPR) - You have the right to obtain confirmation as to whether or not personal data relating to you are being processed, as well as the right to receive any information relating to such processing;
- right to rectification (art. 16 of the GDPR) - You have the right to obtain the rectification of your personal data, should they be incomplete or inaccurate; it should be noted that with respect to personal data collected through audio and video recording systems, the right to rectification cannot be exercised in practice in view of the intrinsic nature of the data collected which relate to an objective and determined fact;
- right to erasure (art. 17 GDPR) - in certain circumstances, you have the right to obtain the erasure of your personal data in our archives;
- right to restriction of processing (art. 18 GDPR) - under certain circumstances, you have the right to obtain the restriction of the processing of your personal data;
- the right to portability (art. 20 of the GDPR) - you have the right to obtain the transfer of your personal data to a different data controller as well as the right to obtain in a structured, commonly used and machine-readable format the data concerning you;
- the right to object (art. 21 of the GDPR) - You have the right to make a request to object to the processing of your personal data in which you give evidence of the reasons justifying the objection; the Controller reserves the right to assess this request, which may not be accepted if there are compelling legitimate grounds for processing that override your interests, rights and freedoms. You also have the right to object, at any time and without justification, to the sending of commercial, promotional and direct marketing communications, including newsletters, market surveys, invitations to events through automated and non-automated contact systems, including profiling insofar as it is related to such direct marketing. With regard to this type of communication, this is without prejudice to the possibility of exercising this right also in part, i.e. by opposing, for example, only the sending of promotional communications by automated means. We also inform you that you have the right to object to profiling at any time and without justification;
- the right to lodge a complaint with the Supervisory Authority (art. 77 of the GDPR) - in accordance with the procedures indicated in the paragraph below, if you believe that the processing concerning you is in breach of data protection legislation, you may lodge a complaint with the Supervisory Authority of the Member State in which you habitually reside or work, or of the place where the alleged breach occurred;
- the right to take appropriate legal action (art. 79 of the GDPR).