DISCLOSURE ON PERSONAL DATA PROCESSING
Within the meaning and for the purposes of Art. 13 of the New European Regulation 2016/679 related to the protection of natural persons with respect to the processing of personal data (GENERAL DATA PROTECTION REGULATION – GDPR).
As required by the General Data Protection Regulation of the European Union (GDPR 2016/679, Article 13), before proceeding to the processing, the Person concerned (user of the website www.mimimilano.com) is informed that the personal data gathered through the website is subject to processing by the Company through technologies of information and/or telecommunications, for the purposes indicated in the present disclosure.
To that end, the person concerned is submitted the Privacy Disclosure devised by Lurich srl (below also “LURICH” or “the Company” or “the Data Controller”) designer and promoter of the activities available on the website www.lurich.com.
The personal data processing controller is LURICH SRL., with registered office in Piazza Ponti 2, angolo Via Trombini - 21013 - Gallarate (VA) - IT, VAT Number: 11058280964.
The party can be contacted for clarifications and questions related to the personal data processing at the address: email@example.com.
For further information related to the rights of the person concerned, please examine the Paragraph referred to as “Rights of the persons concerned” of this disclosure.
Information about the processing
The personal data subject to processing is gathered directly either by Lurich srl or by third parties explicitly authorised by the former, or transmitted by the Company to such third parties for the general purposes described below.
Legal basis and purpose of the processing
The personal data provided by the user during the navigation on the website www.mimimilano.com is processed by the Controller in accordance with the current legislation on the Protection of personal data.
The processing’s legal basis lies in the provision of services by the Company, the operation and facilitation of the website, as well as in the constituency, execution and eventual resolution of the online sale contract concluded between the parties and in the duties correlated to and/or derived directly and/or indirectly from the same contract.
The processing of personal data by LURICH is aimed at pursuing the following purposes:
1) SUBSCRIPTION TO THE NEWSLETTER BY MIMIMILANO.COM: if the user decides to subscribe to the “MIMI Newsletter”, only after a potential and specific consent, the personal data will be processed by the Data controller to send commercial or promotional communications, of updates concerning, for example, latest trends, new arrivals, exclusive offers, special events, and offers. To cancel your subscription to the newsletter, just click on the unsubscription link found at the bottom of the e-mail received or write to the address firstname.lastname@example.org.
The Controller, in order to compare and potentially improve the results of such communications, uses systems to send newsletters and advertising communications equipped with a reporting mechanism, thanks to which the Controller will be able to know, for example: the number of readers, of openings and clicks; the type of device used to read the communication (desktop, mobile); the number of pending users who still haven’t confirmed the subscription; the number of e-mails sent per date/hour/minute; the detail of the e-mails received compared to those sent; the list of users who unsubscribed from the newsletter; the e-mail openings and the clicks on single links; the issues displaying the message; the link tracking (that is, the number of clicks on the message links); the click tracking (which links have been clicked on). All this data is used with the purpose to compare, and potentially improve, the results of the communication.
2) REGISTRATION ON MIMIMILANO.COM: if the user decides to register to the website www.mimimilano.com, their personal data will be processed by the Data controller for the purpose of such registration on www.mimimilano.com, only after a discretionary and specific consent. Particularly, upon providing their name, family name, e-mail address and setting up a password for access, these will be processed for the creation of a personal account, to accelerate the purchasing procedure, to allow the user to view the state of their orders and receive updates on any purchase made, to modify personal settings and update the account, to view the history of any returns.
3) ONLINE SHOPPING ACTIVITY: the personal data provided will be used for the purpose to establish, manage, execute and/or terminate the contract of online sale. The data provided will be processed by the Data controller to the purpose of the management of the purchase order, in reference, by way of example, to the activity of payment, shipping, taking charge of any potential returns, for customer support, to perform the administrative-accounting purposes related to the order’s management, to fulfil the duties required by the current legislation. In the case of payment with credit card, the information essential to complete the transaction (credit/debit card number, expiry date, security code) will be processed by PayPal, Stripe, Klarna or, potentially, by companies entrusted with the anti-fraud controls through encrypted protocol and without any third party being able to access such information in any way. Moreover, such information will never be viewed nor stored by the seller (Lurich srl).
4) PROFILING OF THE NATURAL PERSON: only after a discretionary and explicit consent, can the personal data provided be processed by the Data controller for profiling activity, that is, analysis of preferences aimed at the creation of personalised contents and offers.
Nature of the processing
For the purposes indicated on point 1) of the previous paragraph, the provision of personal data and consent to their processing is optional. Any discretionary lack of consent makes it impossible for Lurich srl to allow the subscription to the “MIMI Newsletter”, send commercial or advertising communications, or updates related, for example, to latest trends, new arrivals, exclusive offers, special events and offers.
For the purposes indicated on point 2) of the previous paragraph, the provision of personal data and consent to their processing is compulsory. The discretionary lack of consent makes it impossible for Lurich srl to allow the registration on www.mimimilano.com, the creation of the personal account, the acceleration of the purchase procedure, the viewing of the state of orders and the reception of updates on purchases made, the possibility for users to modify personal settings and update the account, view the history of returns and the requests to exchange goods.
For the purposes indicated on point 3) of the previous paragraph, the provision of personal data and consent to their processing is compulsory. The discretionary lack of consent makes it impossible for Lurich srl to proceed to the instalment, management, execution and/or conclusion of the online purchase contract, that is, the impossibility to perform, by way of example, the activities related to payment, shipping, taking charge of any potential returns, the activities of customer support, to perform the administrative-accounting purposes related to the order’s management, and to fulfil the duties required by the current legislation.
For the purposes indicated on point 4) of the previous paragraph, the provision of personal data and consent to their processing is optional.
The discretionary lack of consent makes it impossible for Lurich srl to perform profiling activities, or to perform analysis of the preferences aimed at the creation of personalised contents and offers.
Personal data processed
The personal data subject to processing by the Controller is what provided by the user upon navigation on the website www.mimimilano.com, upon potential registration/accession to services/programmes provided to Lurich and/or potential purchase of products provided to Lurich, such as, by way of example: name, family name and e-mail address, as well as the data necessary to provide the online sale service such as for example, those functional to the payment and to the shipping/exchange of the purchased products.
Method of Data Processing and Retention
The processing of personal data is executed by the Controller in compliance with the requirements of the current legislation on the matter of Privacy. The Controller performs the processing of personal data through instruments of information and/or telecommunication technology and with organisational and logical methods strictly aimed to pursue the purposes indicated in the present disclosure, as well as adopting the appropriate security measures with the purpose of preventing unauthorized access, disclosure, modification or destruction of the personal data, their loss and their illicit and inappropriate use. However, the Company cannot guarantee to users that the measures adopted for the security of the website and of the transmission of data and information on the website will be able to limit or exclude any risk whatsoever of unauthorised access or of data leakage by devices under the responsibility of the user. For this reason, we suggest that users of the website ensure that their computer is provided with appropriate software for the protection of online data transmission (for example up to date antivirus) and that their Internet Provider has adopted appropriate measures for the security of data transmission online. Moreover, the Company commits to processing data according to the principles of lawfulness, fairness and transparency, to gather them in the exact and necessary measure for processing and to allow their use only to staff for the authorised purposes. The management and storage of the personal data acquired will take place in archives or servers located within the European Union, property of the Controller and/or third party companies elected as External People in Charge of the processing and, regardless, currently located in Italy.
With respect to the different purposes for which they are gathered, personal data will be stored for the time that is strictly necessary to attain those same purposes, and, regardless, according to the current legislation on the matter.
In any event, the Company will ensure to avoid the permanent use of data by periodically and appropriately verifying the effective continued interest of the subject to whom such data refers.
Processing Recipients and Supervisors
The data gathered will not be released in any way, instead it will be processed within the limitations and for the purposes described by the employees of the Company according to adequate operating instructions (for instance, administrative, commercial, marketing, or legal staff, system administrators, etc.). Additionally, some data processing can be performed by third parties, elected as External People in Charge of the Processing, on which the Controller relies or can rely in the management of the contract relationship, of the provision of the services offered and for their activity’s organisational needs. Namely, the data can be forwarded to:
a) public and private bodies, who can access the data by virtue of legal provision, regulation or community legislation, within the limit required by such legislation;
b) bodies who need to access the data for purposes related to the contractual relationship existing between the parties, within the limits strictly necessary to perform the auxiliary tasks (such as, for example, banks and credit institutions, providers of technical services, hosting provider, IT societies, communication agencies, postal couriers and shipping societies);
c) consultants, within the limits necessary to perform their professional task.
Transfer of data abroad
The management and storage of the personal data will take place on a server property of the Controller and/or third party societies appropriately appointed as External People in Charge of the processing located within the European Union.
The personal data can be transferred abroad, according to what required by the current legislation, as well as to Countries non-members of the European Union. The transfer to Non-EU Countries, aside from cases where such is granted by Adequacy Decisions of the Commission, happens in such a way to provide the appropriate and suitable Guarantees according to the artt. 46 or 47 or 49 of the Regulations.
Rights of the Persons concerned
As the Person concerned, the user can exercise at any moment the rights established by the articles 15, 16, 17, 18, 20 and 21 of the GDPR which confer, particularly, the faculty to:
a) obtain by the Data controller, as per Article 15, the confirmation of whether a processing of own personal data is occurring and, in such a case, obtain access to the same data and to information such as: (i) the purpose of the processing; (ii) the categories of personal data; (iii) the recipients or categories of recipients to whom the personal data has been or will be transmitted, particularly if such recipients are located in Third Countries or International Organisations; (iv) when possible, the personal data’s period of retention expected or, if not possible, the criteria used to determine such period;
b) obtain by the Data controller, as per Article 16, the amendment of any inaccurate personal data pertaining them without any unjustified delay; considering the purpose of the processing, the person concerned has the right to obtain the supplementation of incomplete personal data, also by providing a supplementary statement.
c) obtain by the Data controller, as per the Article 17, the cancellation of personal data pertaining them without any unjustified delay. The Controller has the duty do cancel, without any unjustified delay, the personal data if any of the reasons indicated at the clause 1 of the Article 17 applies;
d) obtain by the Data Controller, as per the Art. 18, the limitation of the processing if one of the hypothesis governed by clause 1 of the Article 18 occurs;
e) obtain by the Data controller, as per Article 20, the data portability, that is, receive the personal data pertaining them provided to a Data controller in a format that is structured, of common use and readable by an automatic device. Moreover, the Person concerned has the right to transmit such data to another Data controller without any hindrance by the first Controller to which they provided them, if the conditions indicated at the Article 20 clause 1 occur. Finally, the Person concerned has the right to obtain the direct transmission of personal data from one Data controller to the other, if technically feasible;
f) oppose, entirely or partially, as per Article 21, the processing of personal data pertaining them.
To exercise their rights, the user can submit their requests to email@example.com..
Moreover, it is noted that the Person concerned has the right to revoke consent in any moment without prejudice to the lawfulness of the processing based on consent provided before revoking, notwithstanding the above indicated consequences of a discretionary refusal to provide such personal data. Moreover, the Person concerned has the right to submit a complaint to a Supervising Authority.
To place your requests concerning the exercise of such rights, you can contact the address: firstname.lastname@example.org.
Lurich srl. commits to answering the requests by the Person concerned within the term of one month, except for cases of particular complexity for which a maximum of three months can be employed. In any case, the Data controller will provide evidence of the reason for the wait to the Person concerned within one month from the request. The outcome of the request will be provided in writing on an electronic format. In the case of a request of correction, cancellation as well as limitation of the processing, the Data Controller commits to communicating the outcome of the requests received by the Person concerned to each of the recipients of their data, except when it is impossible or entails a disproportionate effort.
The Company specifies that a potential contribution can be requested of the Person concerned if the questions appear clearly unfounded, excessive or repetitive; to this end the Data Controller will be equipped with a registry to trace the intervention requests.
Amendments to the present disclosure
For any request related to your personal data as mentioned in this disclosure, and to exercise your rights, you can contact the Controller or the DPO free of charge at the addresses listed under “Data controller”.
Lurich reserves the right to modify the present privacy disclosure at any time. The version published on the website is the one currently in effect