1. DATA CONTROLLER AND USE OF PERSONAL DATA
2. CATEGORY OF PERSONAL DATA PROCESSED
2.1 Data automatically acquired by the Site
When consulting and/or visiting the pages of our Site, your personal data will be automatically acquired and specifically:
Purpose of collection and use
Navigation data acquired by Etro
Log files of traffic acquired by Etro
Log files of traffic generated on the network by Etro's computer systems (e.g., relating to the registration and management of your personal account, wish list management; purchase history).
Data voluntarily provided by you to Etro
To allow you to use the various services offered by the Site, we will ask you to provide us with your personal data, such as biographical data, contact details (telephone contacts, e-mail account, home or residence address and password), payment method data, information on purchases and transactions.
Data voluntarily provided by you to Etro to register and set up your account on the Site.
In order to allow you to create your personal account, the following personal data provided by you directly will be processed: name, surname, address, telephone numbers, e-mail addresses, date of birth and password. Etro may, however, process the following data collected through IT tools and company application services used by the company traffic log files generated on the network by Etro's IT systems (for example: registration and management of your personal account).
Data voluntarily provided by you to Etro in connection with your purchase of Etro Products through the Site
The personal data provided by you directly when registering on the Site and/or filling in the purchase order form will be processed, including, name, surname, address, telephone numbers, e-mail addresses, tax code, VAT number, credit card, bank details, date of birth, password, including, without limitation, all information necessary to process such purchase order ((for example: order management, sale and delivery of products, including booking an appointment at the Etro boutiques to collect Etro products purchased through the Etro website, management of returns and guarantees and other activities accompanying the sale of products).
Data voluntarily provided by you to Etro when you subscribe to Etro’s newsletter
Email address which will be used to send you send you periodic newsletters and commercial and/or promotional information communications.
Sale Data acquired by Etro
Etro product sales data: purchase method, type, quantity and price of Etro products purchased through the Site.
Personal data of third parties provided by you to Etro
Should Etro process personal data of third parties disclosed directly by you (for example, if you have purchased a product to be delivered to a different person or if the person paying the price for the purchase of the product is different from the person for whom the product is intended, or if you intend to recommend a service on the Site to a friend), you acknowledge that in this case you are the data controller of the personal data of the abovementioned third parties. Therefore, by providing such personal data of third parties to Etro, you guarantee that: (a) the personal data that may be disclosed by you to Etro have been processed by you in compliance with the provisions of the Relevant Privacy Legislation in force and (b) the abovementioned third parties have been previously and duly informed by you of the methods and purposes of processing and have authorised such processing. You will therefore remain the one and only person liable for the communication of information and data relating to third parties without their consent or for their possible incorrect or unlawful use.
3. PURPOSES AND LEGAL BASIS OF THE PROCESSING
Whenever we acquire and process your personal data, this will be done exclusively in accordance with the principles of lawfulness provided for by law, in order to:
- establish, perform, manage the contractual relationship and/or to provide the services connected to the contractual relationship itself (i.e., issuing invoices and credit notes; management of customer records; processing and shipping of purchase orders; IT assistance on the use of the Site; request to be contacted and after-sales service: management of returns and any complaints; contact with customer service) as well as for the possible assessment of liability in the event of hypothetical computer crimes or to assert a right in court. In this case, the legal basis for the processing of personal data for the abovementioned purposes is the contractual relationship to which you are a party.
- allow you to register on the Site and ensure that you navigate the areas of the Site correctly. In this case, the legal basis for the processing of personal data for the abovementioned purposes is the contractual relationship to which you are a party.
- conduct marketing activities. In this case the legal basis for the processing is your prior explicit consent. Marketing activities can be performed through the sending of newsletters, promotions, discounts, discounts, commercial information and other dedicated services, through paper mail, calls with operators, direct sales, or through e-mail, pre-registered calls and SMS/MMS/smart messages. In this context, we may also process your personal data in order to invite you to participate in events and shows, to involve you in market research or to inform you about special initiatives dedicated to Etro customers, using the methods and periods we deem most effective according to the various initiatives mentioned. If you have also given your consent to the processing of your personal data for marketing purposes, this will allow us to send you promotions and/or invitations to initiatives more in line with your profile, your preferences and your expectations
- conduct profiling activities. In this case, the legal basis for the processing is Etro's legitimate interest in knowing your preferences to better customise its offers and therefore offer you products and services that better meet your needs and desires. Etro points out that, following the outcome of the balancing test on legitimate interests, it has assessed that its legitimate interest does not outweigh any interest or fundamental rights and freedoms of the data subject. It is understood that you may at any time request information from Etro regarding the balancing test performed, following the procedures indicated in Section 9 "Contacts for the exercise of the rights of the data subject and for further information". Profiling activities can take the form of the creation of profiles by analysing information regarding your interests and preferences concerning our products and services and your consumption choices, for example by identifying the type and frequency of purchases made by you on the Site both through your personal account and in "guest" mode and/or at Etro boutiques, to guarantee you a personalised service for your future purchases.
- comply with Etro's legal obligations under applicable laws. In this case, the legal basis for the processing is the legal obligation.
4. PROCESSING METHODS
The processing will be conducted with the help of electronic, paper and computerised tools; this processing will be based on the principles of lawfulness, fairness and transparency and protection of your rights and your privacy. Specifically, your data may be processed, for profiling purposes as well, using automated tools, for example through the comparison and comparative analysis of your purchase choices (type, quantity, frequency, etc.), during a given period and/or season and through the analysis of the type and number of your requests for information on products made in a predetermined time horizon. In this regard, user and customer behaviour will be studied in a way that is not invasive of the personal sphere.
Your personal data will be processed specifically through Etro's Customer Relationship Management ("Etro CRM") whose servers are located in the EU. Entering your personal data in the Etro CRM for the marketing purposes referred to in paragraph 3(iii) above is optional and occurs only if you give your consent to the pursuit of this purpose. For the pursuit of further purposes, entering your data in the Etro CRM will be automatic and necessary to allow the Data Controller to correctly manage and perform the contractual relationship to which you are a party as well as to best meet your needs and desires. Once your personal data have been entered in the Etro CRM, they may be read, modified and updated by employees of Etro offices and by employees of Etro stores in Italy and abroad, who have been expressly appointed as data processors.
The data will be processed in such a way as to minimize the risks of destruction, loss, unauthorised access or processing that is not permitted or does not comply with the purposes of collection.
5. MANDATORY OR OPTIONAL NATURE OF THE PROVISION OF PERSONAL DATA OF THE DATA SUBJECT - CONSEQUENCES OF ANY REFUSAL
The provision of personal data by you to perform and manage the contractual relationship, to register on the Site and for the related navigation as well as to fulfil the legal obligations under paragraphs 3(i) and 3(ii) and 3(v) is optional, however, failure to provide such data will make it impossible to register on the Site, to establish and/or continue the contractual relationship and/or to provide the services related to the abovementioned relationship.
The provision of your personal data for the marketing and profiling purposes referred to in paragraphs 3(iii) and 3(iv) is optional and failure to provide them will have no effect on the possibility of registering on the Site and/or purchasing products and/or receiving services requested, but it will not be possible to inform you about promotional and commercial initiatives and send invitations to events or evaluate your interests and preferences.
It should also be noted that where you have given your consent to authorise the Data Controller to pursue the marketing purposes referred to in paragraph 3(iii) above, you will in any case be free at any time - by sending a clear written communication to the contact details specified in greater detail in paragraph 9 "Contacts for the exercise of the rights of the data subject and for further information" below - to withdraw your consent and/or object to the processing of your data for the abovementioned purpose, even if only for the contact methods and, for example, where you wish the processing to be performed solely with traditional contact methods, you may object to the processing of your personal data through automated contact methods.
6. SCOPE OF COMMUNICATION AND TRANSFER OF DATA OUTSIDE THE EU
6.1. Internal and external communication of personal data
Your personal data will not be disclosed.
Your personal data may be disclosed only for the purposes described above.
Your personal data can be accessed, according to the criteria of necessity, by Etro staff duly authorised and instructed in writing (such as CRM, Digital, Retail, IT staff).
Your personal data may be disclosed to third parties such as:
- governmental authorities for tax and financial audits, judicial authorities and/or public bodies for legal and regulatory provisions and/or specific requests by the abovementioned governmental entities;
- providers of services such as technical and IT services, shipping companies, marketing companies, remote electronic payment management providers. In this case, the abovementioned providers - to whom only the data necessary to perform the agreed services will be disclosed - will process the data as data processors and therefore on the basis of the instructions provided in writing by Etro;
- companies of the Etro Group as data processors;
- legal, tax and accounting consultants.
For a complete and updated list of the entities to whom the data are disclosed you can contact us by following the indications given in paragraph 9 below "Contacts for the exercise of the rights of the data subject and for further information".
6.2 Transfer of data outside the EU
Should your personal data be transferred or accessed (e.g. by US personnel of the U.S. subsidiary part of the Etro Group) outside the European Economic Area, this will only be done if the level of protection of your personal data is adequate in accordance with the Relevant Privacy Legislation.
- International Transfers: Should it become necessary to transfer your personal data outside the European Economic Area (EEA), to companies of the Etro Group and/or to third parties that perform, on our behalf, technical and organisational tasks consistent with the pursuit of the purposes for which your data was collected and processed, this will only take place if it is possible to guarantee a level of data protection equivalent to that of the European Community. We ensure, in fact, that your personal data will only be transferred with adequate guarantees, as provided for in the Regulations: (1) transfer of your personal data to countries whose level of data protection has been recognised as adequate by the European Commission. For more information please consult the European Commission page: “Adequacy of the protection of personal data in non-EU countries”; (2) provision of specific Standard Contractual Clauses (EU-type Clauses), approved by the European Commission, to ensure that the processing carried out outside the European Economic Area (EEA) by our providers and/or companies of the Etro Group, offer guarantees to protect your personal data that comply with those carried out within the territory of the European Union. For more information please consult the European Commission page: "Model contracts for the transfer of personal data to third countries"; (3) transfer of your personal data to partners based in the United States of America
For further information on the guarantees protecting your personal data, which may be transferred outside the European Economic Area, and to obtain further information on the specific mechanism used for the transfer of personal data outside the European Economic Area, please contact us by following the instructions provided in paragraph 9 below "Contacts for the exercise of the rights of the data subject and for further information". In any case, your data will be processed only by persons duly instructed and able to provide adequate technical and organisational protection, and bound to the utmost confidentiality by the Data Controller.
7. DURATION OF THE PROCESSING
The Company will process your personal data for variable periods according to the different purposes of processing. We will, in any case, keep your personal data only for the period strictly necessary to achieve the purposes for which the data were collected and processed, without prejudice to the need for further storage in connection with specific legal provisions.
- Data collected and processed for marketing purposes: 7 years from the date of your consent and registration in the Etro CRM, after this period of time they will be rendered irreversibly and permanently anonymous
- Data collected and processed for profiling purposes: 7 years from the date of collecting your data and from when they are uploaded in the Etro CRM, after this period of time they will be rendered irreversibly and permanently anonymous
- Data collected and processed to establish, perform, manage the business relationship and/or to provide services related to the contractual relationship: for the entire duration of the contractual relationship and for a period of 10 years after the termination of the business relationship, except in cases where further storage is justified by disputes and/or litigation and/or requests by the competent authorities.
- Data, including log files, collected to ensure proper navigation in the areas of the Site: 30 days from when they are generated.
- Data collected to ensure your registration on the Site and the management of the technical administration of the Site and your personal account: for the time strictly necessary to perform the service requested and in any case no later than 7 years from your last show of interest for the service in question.
- Data collected and processed to comply with your request: your data will be stored and processed for the time strictly necessary to fulfil your contact request and any of our tasks arising from it, after which they will be immediately erased, except in the case of litigation or potential litigation.
- Data collected and processed to perform legal obligations: your data will be stored and processed for the time required by the regulations applicable at any time.
8. DATA SUBJECT'S RIGHTS
We remind you that at any time you have the right to know what your personal data is in our possession and the related processing in progress, to request their updating or have them rectified and, in the cases provided for by law, to have them erased and to restrict or to object to their processing. If you wish, you may also receive your personal data in electronic format for the purpose of their transfer to a third party indicated by you. If the processing is based on your explicit consent, you may withdraw this consent at any time.
Rights of data subjects:
At any time, you may exercise the rights recognised by the Regulations, with reference to the specific processing operations carried out by us:
a) Request to access your personal data as well as to receive information about the purpose of the processing, the categories of data processed, the recipients or categories of recipients to whom your personal data may be disclosed, the storage period envisaged, whether or not profiling mechanisms and automated decision-making processes are applied;
b) Request to rectify your personal data. This right allows you to correct or complete the data concerning you, although in some cases it is necessary to verify the fairness of the new data provided by you in advance;
c) Request to have your personal data erased. This right allows you to request the erasure or deletion of your personal data if one of the conditions set out in Article 17 of the Regulation is met (for example: your personal data is no longer necessary for the purposes for which they were collected, you decide to withdraw your consent to the processing - where this is the legal basis - and there is no other legal basis for the processing itself, you object to the processing and no other legitimate reason of the Data Controller prevails, the personal data are processed unlawfully). Please note that any requests for erasure may not be met or may be met only partially; this is due, for example, to legal, juridical or fiscal constraints, beyond our control, that prevent us from erasing all or part of your personal data. The reasons for our inability, in whole or in part, to carry out your request will be promptly disclosed to you;
d) Request to object to the processing of your personal data. By exercising this right, you may obtain the termination of the processing of your personal data for the purpose(s) indicated by you. Please note that our acceptance of your request to object may or may not be based on the assumption that the processing is lawful. You have the right to object to the processing of your data for marketing purposes at any time;
e) Request to withdraw consent. If the processing is carried out with your explicit consent, we will, within the time limits set out in the Regulation, implement your request, ceasing the processing in question without prejudice to the lawfulness of the processing of personal data of the data subject based on consent and carried out before withdrawal. Please note that the withdrawal of your consent may make it impossible for us to continue to provide certain services or products, provided both by the Site and by Etro boutiques. In this case, we will notify you of this when you withdraw your consent to allow you to fully assess the consequences of withdrawal. Should the processing be carried out based on a legitimate interest, either ours or that of third parties, we reserve the right to assess the reasons for your request.
e) Request to restrict the processing of personal data. This right allows you to request the suspension of the processing of your personal data in the following cases:
- if the data subject disputes the fairness of your data,
- if the processing is unlawful and you do not wish to have your data erased,
- if Etro no longer needs them for the purposes of processing but you wish you wish to have your data stored to establish, exercise or defend a legally protected right,
- if you have objected to the use of your data in order to assess whether the Data Controller's legitimate grounds override yours.
f) Request the portability of your personal data to transmit to a third party. We will provide you or a third party that you have indicated with your personal data in a structured, commonly used and machine-readable format. This will be done, if technically feasible, only for personal data whose processing is carried out by automated means and where the processing is based on consent or on a contract.
When exercising the above rights, we reserve the right to ask you, in any way we deem appropriate, for specific information to help us confirm your identity, in order to be reasonably certain that only you can dispose of your personal data and that they will not be disclosed to third parties not entitled to receive them.
We undertake to respond and comply with your request, where justified, within one month of receiving your request to exercise one or more rights. Occasionally, and always within the time allowed by the applicable law, we may take longer if your request is particularly complex or if you have submitted numerous requests. In such a case, we will communicate this to you and keep you informed.
The exercise of your rights is completely free of charge.
However, if your requests are manifestly unfounded or excessive, specifically due to their repetitive nature, we reserve:
a) the right to charge you a reasonable fee based on the administrative costs incurred in providing the information or communication or taking the action requested;
b) the right to refuse to comply with your request.
Finally, we remind you that you may decide to lodge a complaint with the applicable Supervisory Authority or Attorney General or any other entity which is competent to receive such complaint under the applicable law at any time in the event of an infringement of personal data protection regulations and/or if you believe that one or more of your rights have been breached.
These rights may be exercised by sending a written notice to the addresses indicated in paragraph 9 "Contacts for the exercise of the rights of the data subject and for further information".
Withdrawal of Consent
You may exercise your right to withdraw the consent given to us for the processing of your personal data for marketing purposes by writing, among other things, to the e-mail address: . We would also like to inform you that each of our newsletters contains a web link through which you can deactivate the newsletter service or withdraw your consent to the processing of your data for marketing purposes. In this case, all our advertising and/or promotional communications will cease and any active newsletter service will be automatically deactivated. Furthermore, you may withdraw (or provide) your consent to the processing of your personal data for marketing purposes at any time by accessing your personal account, if you have activated one, on our Site. If the processing is based on your consent, you may withdraw this consent at any time without prejudice to the lawfulness of the processing carried out before the withdrawal.
9. CONTACTS FOR THE EXERCISE OF THE RIGHTS OF THE DATA SUBJECT AND FOR FURTHER INFORMATION
11. PRIVACY NOTICE TO CALIFORNIA RESIDENTS
If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, please read the Privacy Notice at the following link: [INSERT LINK]