INFORMATION ON PERSONAL DATA PROCESSING EU CITIZENS
This information on personal data processing (hereinafter, “Information”) is given in accordance with Regulation (EU)/2016/679 (hereinafter, “GDPR”) and concerns the processing of personal data performed by Perris Group SAM, headquartered in 3, Avenue des Citronniers – MC 98000, Principauté de Monaco, email firstname.lastname@example.org, registered email email@example.com (hereinafter, the “Controller”).
1. IDENTITY AND CONTACT OF THE CONTROLLER
The Controller is Perris Group SAM. As the Controller is located outside the EU territory, Perris Store S.r.l., with registered office in Via Boccaccio n. 3 - 20832 DESIO (MB), Italy, VAT number 08196150968, email address firstname.lastname@example.org, registered email email@example.com, has been appointed as representative pursuant Article 27 GDPR (hereinafter, “Representative”).
2. IDENTITY AND CONTACT OF DPO
The Controller has not appointed a Data Protection Officer.
3. PURPOSES AND LEGAL BASIS OF THE PROCESSING, CONSENT OF THE DATA SUBJECT AND CONSEQUENCES OF A LACK OF CONSENT
Personal data will be processed for the following purposes:
a) for contractual purposes and, in particular, to allow the purchase of goods within the E-commerce. In this, case the obligation to fulfill the contractual purposes constitutes the legal basis. The communication of the data constitutes an obligation for the data subject; in the lack of such data, it will not be possible to proceed with the conclusion of the contract.
b) for direct marketing communications, newsletters, advertising material, market research, by means of traditional contact systems and automated computer systems, CRM, databases, including commercial or promotional communications by email, messaging systems, SMS, or telephone communications. In this case the express consent of the data subject constitutes legal basis. The communication of data, therefore, is entirely optional and does not constitute contractual obligation for the data subject. In the absence of such data, it will not be possible to send newsletters.
c) For determining the habits and preferences of the data subjects through profiling. In this case, the legal basis is the consent of the data subject, expressed in accordance with this information notice. In relation to the personal data processed, the communication of personal data is not an obligation of a contractual nature. The data subject has the right to provide personal data; however, if such data is not provided, it will not be possible to carry out any profiling activity;
d) For purposes related to relevant legal obligations where processing is carried out for the purposes referred to in point a). In this case, the legal basis is the legal obligation of the Controller to process such personal data in accordance with applicable national legislation; in the absence of such data, it will not be possible to proceed with the conclusion of the contract.
4. METHOD OF CONSENT EXPRESSION
The consent to the processing of personal data may be expressed by clicking a specific flagbox.
5. METHODS OF PROCESSING DATA, LOGICS AND SAFEGUARDS
- In relation to personal data processed and stored for the purposes under point a), number 4 of the present information notice (contractual purposes) and point d) (legal obligation), data processing will be carried out through automated decision-making logics and use of CRM software that will enable better management of fulfillment of the contractual obligations;
- In relation to personal data processed for the purposes under point b), number 4 of the present information notice (marketing purposes), data processing will be carried out by means of traditional contact systems and automated computer systems, with the aim of offering direct marketing communications.
- In relation to the personal data processed for the purposes under point c) number 4 of the present information notice (determining the habits and preferences), data processing will be carried out through CRM which will allow for defining habits and preferences, with the aim of providing targeted services and communications. For further specifications, please refer to the following section.
It should be noted, in any case, that the data processing will take place in the Principality of Monaco, where the Controller is headquartered. The Principality of Monaco, to date, is not subject to an adequacy decision of the European Commission and does not present the adequate guarantees required by the GDPR. In the Principality, in any case, there is a specific legislation for the protection of personal data, which is available for data subjects at the following link: [https://www.legimonaco.mc/305/legismclois.nsf/db3b0488a44ebcf9c12574c7002a8e84/28a1a1d90812e249c125773f003beebb!OpenDocument]. Besides, in the Principality there is a Data Protection Authority for the protection of personal data, whose official website is available by clicking on the following link: [https://www.ccin.mc/fr/].
6. AUTOMATED DECISION-MAKING PROCESSING AND PROFILING
Whether data subject consents to the processing of personal data for profiling purposes, said personal data may be subject to an automated decision-making process, by means of a specific algorithm that will decide which communications are best suited to his/her profile or which may be of greater interest to him/her. The data processed carried out in this way has, as expected consequences, by way of example, the sending of highly profiled commercial communications, sending discounts, sending invitations to events considered of interest, etc. The data subject has, in any case, the right to obtain human intervention in the decision-making process by the Controller, to express its opinion, to obtain an explanation of the decision reached and to challenge the decision itself, in accordance with Article 22 GDPR.
7. SOURCE FROM WHICH PERSONAL DATA ORIGINATE
Only personal data provided in compliance with the present information notice will be processed. In relation to the processing of personal data for the purposes of providing highly targeted services through profiling, such data may be correlated for deriving further profiled information. Data collected from public sources will be not processed.
8. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF THE DATA SUBJECT’S PERSONAL DATA
The following may be recipients of the personal data:
- The communication companies that provide commercial communication activities on behalf of the Controller, which are responsible for the processing, if consent has been given for marketing purposes;
- Companies belonging to the information society, such as those providing web hosting services;
- Companies performing statistic and market inquiries, if consent has been given for marketing purposes;
- Companies that perform account services;
- Partner companies of the Controller;
- Companies offering shipping services of the products acquired by means of the Controller’s E-commerce;
- All persons to whom the right of access to such data is recognized under regulatory measures.
The Controller will process only personal data from the data subject. There will be no handling of special categories of personal data under Article 9 of the GDPR.
10. TRANSFER OF PERSONAL DATA
The Controller may intend to transfer personal data to a third country or an international organization, such as:
- Communication agencies conducting activities on behalf of the Controller;
- Companies offering information society services, including, in particular, those offering hosting services;
- Service providers of the communication company.
The transfer of personal data to the aforesaid subjects is subject to an adequacy decision made by the European Commission after deciding that the third country or one or more specified sectors within that third country, or the international organization in question, ensures an adequate level of protection of personal data and data subjects’ rights. However, if the Controller deems it appropriate to proceed with the transfer of personal data despite the lack of any adequacy decisions, he reserves the right to conclude separate agreements with those subjects, requiring them to adopt adequate technical and organizational security measures to safeguard the transferred personal data, with particular regard to the protection of rights and freedoms of the concerned subjects.
Personal data of the data subject may be transferred to the United States of America; Principality of Monaco. To obtain a copy of the transferred personal data or to be informed on where personal data have been transferred to, the data subject shall send the Controller a written request to the addresses indicated in the epigraph.
11. PERSONAL DATA RETENTION PERIOD
- Personal data processed and stored for the purposes under point a) number 3 are processed for no longer than 10 years starting from the termination of the contractual effects, in case of conclusion of the contract, unless otherwise required by law;
- Personal data processed and stored for the purposes under point b) number 3 (marketing purposes) are processed and stored until when the data subject requests the erasure and/or revokes consent;
- Personal data processed for the purposes under point c) number 3 (determining preferences) are processed and stored for a period no longer than 12 months following the collection;
- Personal data processed and stored for the purposes under point d) number 3 (fulfilment of legal obligations) are processed and stored for a period no longer than 10 years following the termination of the contractual effects, in case of conclusion of the contract, as well as for a period no longer than 10 years following the termination of the negotiations, unless otherwise required by law.
The Controller reserves the right, in any case, to request the data subject to renew his/her consent to the processing and/or to verify the consents already expressed.
12. DATA SUBJECTS’ RIGHTS
12.1 RIGHT TO OBJECT
- The data subject has the right to object at any time on grounds relating to the data subject’s particular situation, to the processing of personal data concerning the data subject pursuant to Article 6, sub-section 1, letter (e) or (f) of the GDPR, including profiling on the basis of these provisions. The Controller shall refrain from any further processing of the personal data unless it proves that there are compelling legitimate grounds for the processing which take precedence over the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of a right in court.
- If personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data carried out for such purposes, including profiling to the extent that it is related to such direct marketing.
- If you object on the processing for direct marketing purposes, your personal data shall no longer be processed for such purposes. It is specified that the right of the data subject to object on the processing of his/her personal data for the aforesaid purposes may be exercised even partially, i.e. by opposing, for example, only on sending promotional communications by automated and/or digital means, or on sending paper communications and/or receiving telephone communications.
- Where personal data are processed for scientific or historical research or statistical purposes in accordance with Article 89, paragraph 1 of the GDPR, the data subject has the right to object on the processing of his/her personal data for reasons related to his/her particular situation, unless such processing is necessary for the performance of a task in the public interest.
12.2 OTHER RIGHTS
The Controller also wishes to inform data subjects of the existence of the following rights:
- Right to access:the data subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning the data subject are being processed and, if so, to obtain access to the personal data and specific information, in accordance with article 15 of the GDPR;
- Right to rectification: the data subject has the right to obtain from the Controller the rectification of inaccurate personal data concerning the data subject without undue delay. Taking into account the processing purposes, the data subject has the right to obtain supplementing of incomplete personal data, including by providing a supplementary statement, in accordance with art. 16 of the GDPR;
- Right to erasure of data, including the right to revoke consent: the data subject has the right to obtain from the Controller the erasure of the personal data concerning the data subject without undue delay and the Controller has the obligation to erase the personal data without undue delay, or to revoke consent, if the reasons set out in art. 17 of the GDPR exists. With regard to the right to revocation, the data subject also has the right to revoke consent at any time without prejudice to the lawfulness of the processing based on the consent given prior to revocation;
- Right to restriction of processing: the data subject has the right to obtain from the Controller the restriction of processing when the conditions set out in art. 18 of the GDPR exist;
- Right to data portability:the data subject has the right to receive in a structured format, commonly used and readable by automatic devices, the personal data concerning the data subject provided to the Controller and has the right to send such data to another controller without any impediment by the Controller in the cases and at the conditions specified in art.20 of the GDPR;
- Contractor's right to object on commercial communications: the contractor has the right to object at any time, free of charge, on the receipt of commercial communications.
The applications to exercise the rights indicated in this privacy notice must be addressed directly to the Controller at the e-mail address: firstname.lastname@example.org
Alternatively, such rights can be exercised by sending a registered letter with recorded delivery to 3, Avenue des Citronniers – MC 98000, Principauté de Monaco.
13. ACCESSIBILITY OF PRIVACY NOTICE
The privacy notice is accessible on our website www.perris-store.com, and c/o the Controller. If so expressly requested, the information can also be provided orally, as long as the identity of the applicant is proven, by means of a phone call request to the addresses of the Controller.
The data subject declares that he/she has received adequate information and gives his/her explicit and unequivocal consent to the purposes of the processing, as expressed in point 3, letters b) and c) of this privacy information for the processing of data: to send marketing communications, by means of automated computer systems, including commercial or promotional communications by email or messaging services, or for market research and analysis to determine habits and preferences through profiling of non-particular data