1. DEFINITIONS
    1. Controller – the entity specified in the Terms and Conditions;
    2. Personal Data – all information about an identified or identifiable natural person through one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity, including the device IP number, location data, internet identifier and information collected through cookies and other similar technology;
    3. Policy – this Privacy Policy;
    4. GDPR – the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
    5. User – a natural person with full capacity to perform legal actions using the Website and, with the consent of a statutory representative, a minor or a person without the full capacity to perform legal actions using the Website;
  1. PURPOSE OF DATA PROCESSING
    1. The Data, including User personal data, is collected and processed for the purpose of:
      1. using the Website,
      2. placing and processing Orders;
      3. conducting marketing activities, including contextual and behavioural advertising;
      4. direct marketing, if the User has consented to this type of marketing.
    2. Personal data of all persons using the Website (including IP addresses and information collected through cookie files or other similar technologies) shall be processed by the Controller:
      1. in order to provide services electronically on the Website (Article 6 (1)(b) of the GDPR);
      2. for the purpose of handling orders placed on the Website, including the transfer of orders to the Seller (Article 6 (1)(b) of the GDPR);
      3. for the handling of claims by the Seller (Article 6 (1)(b) of the GDPR);
      4. for analytical and statistical purposes (Article 6 (1)(f) of the GDPR);
      5. for contextual marketing (Article 6 (1)(f) of the GDPR);
      6. for technical purposes (Article 6 (1)(f) of the GDPR).
    3. The placing of an Order by the Website’s User means that the User’s personal data shall be processed. The provision of data marked as mandatory is necessary for the Order to be accepted and processed. When the User places an Order, the User’s personal data necessary for the Order to be processed shall be made available to the Seller for the purposes of executing the contract. Personal data shall be processed:
      1. for the purpose of carrying out the Order placed (Article 6 (1) (b) of the GDPR;
      2. in order to fulfil the statutory obligations incumbent on the Controller and the Seller (Article 6 (1) (c) of the GDPR);
      3. for analytical and statistical purposes (Article 6 (1) (f) of the GDPR);
      4. for the purposes of redress (Article 6 (1) (f) of the GDPR);
      5. for the purposes of undertaking satisfaction surveys (Article 6 (1) (f) of the GDPR).
    4. The Controller shall process User personal data in order to carry out marketing activities, which may consist in:
      1. displaying marketing content to the Users that is not tailored to their preferences (Article 6 (1) (f) of the GDPR);
      2. sending email or text message notifications with offers or content, which may contain commercial information within the scope of the consent given (Article 6 (1) (f) of the GDPR).
  1. COOKIES
    1. Cookies are small text files installed on the device of the User browsing the Website. Cookies collect information that makes it easier to use the Website, for example, by remembering User visits to the Website and User actions.
    2. The Data Controller uses the so-called service cookies primarily to provide the User with services provided electronically and to improve the quality of these services. For this reason, the Data Controller and other entities providing analytical and statistical services to the Data Controller use cookies to store information or to access information already stored in the User’s device (computer, telephone, tablet, etc.). Cookies used for this purpose include:
      1. cookies with data entered by the User (session ID) for the duration of the session (user input cookies);
      2. authentication cookies used for services that require authentication for the duration of the session (authentication cookies);
      3. cookies used to ensure safety, for example, used to detect fraud in authentication procedures (user centric security cookies);
      4. multimedia player session cookies (e.g. flash cookies), for the duration of the session ( multimedia player session cookies);
      5. cookies used to monitor website traffic.
    3. The Data Controller also uses cookies for marketing purposes. Therefore, the Data Controller stores information or gains access to information already stored in the User’s telecommunications device (computer, phone, tablet, etc.). The use of cookies collected through this technology for marketing purposes, in particular, to promote the services and goods of third parties, shall require the User’s consent. This consent may be expressed through the appropriate configuration of the browser and can be withdrawn at any time, in particular, by clearing the history of cookies and disabling cookies in the browser settings.
  1. PERIOD OF DATA PROCESSING
    1. The data shall be processed for the duration of the provision of the service or the performance of the Order, until the withdrawal of the consent given, or until an effective objection is raised against the processing of the data in cases where the legal basis for data processing is the legitimate interest of the Controller.
    2. The duration of data processing may be extended if the processing is necessary for the establishment and investigation of possible claims and defence against them, and after this period only in the case and to the extent required by law. After the end of the processing period, the data are irreversibly deleted or anonymised.
  1. USER RIGHTS
    1. Right to information about the processing of personal data – on this basis, the person making such a request shall be provided by the Controller with information about the processing of personal data, including, in particular, the purpose and legal grounds for the processing, the scope of the data held, the entities to which the personal data are disclosed and the planned date of their deletion.
    2. Right to obtain a copy of the data – on this basis, the Controller provides a copy of the data processed relating to the person making the request.
    3. Right to rectification – on this basis, the Controller removes any inconsistencies or errors regarding the personal data processed, and completes or updates it if it is incomplete or has been modified.
    4. Right to erasure – on this basis, it is possible to request the erasure of data whose processing is no longer necessary for any of the purposes for which they were collected.
    5. Right to restriction of processing – on this basis, the Controller ceases to carry out operations on personal data, with the exception of operations  to which the data subject consents and their storage, in accordance with the retention rules adopted, or until the reasons for restricting the processing cease to exist (e.g. a decision of the supervisory authority authorising further processing is issued).
    6. Right to data portability – on this basis, insofar as the data are processed in connection with a contract concluded or consent given, the Controller shall issue the data provided by the data subject in a computer-readable format. It is also possible to request that this data be sent to another entity, provided, however, that the technical capacity exists for the above on the part of both the Controller and the other entity.
    7. Right to object to data processing for marketing purposes – the data subject may object at any time to the processing of personal data for marketing purposes.
    8. Right to object to data processing for satisfaction survey purposes – the data subject may object at any time to the processing of personal data for satisfaction survey purposes.
    9. Right to object to other purposes of processing – the data subject may object at any time to the processing of personal data on the basis of a legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons relating to property protection). An objection in this respect shall contain a statement of reasons, and it shall be subject to the Controller’s assessment.
    10. Right to withdraw consent – where data is processed on the basis of a consent, the data subject has the right to withdraw such consent at any time, but this shall not affect the lawfulness of the processing carried out before the withdrawal of that consent.
    11. Right to lodge a complaint – if the processing of personal data is considered to be in breach of the GDPR or other data protection legislation, the data subject may lodge a complaint with the competent national authority.
    12. A request for the exercise of rights must be submitted to the Controller’s address indicated in the Terms and Conditions.
  1. DATA TRANSMISSION AND SECURITY
    1. In order to fulfil the purposes described above, personal data may be disclosed to external entities, including, in particular, entities such as banks and payment operators, entities providing accounting, legal, transport and marketing services and entities associated with the Controller. If an Order is placed, the User’s data shall be disclosed to the Seller in order to enter into and perform the Sales Contract.
    2. Users’ personal data shall not be transferred outside the EEA.
    3. The Controller shall conduct a risk analysis on an ongoing basis in order to ensure that personal data is processed securely, ensuring in particular that only authorised persons have access to the data and only to the extent necessary for the performance of their tasks. The Controller shall ensure that all operations on personal data are recorded and performed only by authorised employees and associates.
    4. The Controller shall take all necessary measures to ensure that also its subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on behalf of the Controller.
  1. FINAL PROVISIONS
    1. The Data Controller reserves the right to amend this Policy.
    2. Subject to generally applicable law, the law applicable to this Policy shall be the law applicable to the registered office of the Data Controller.