INFORMATION TO DATA SUBJECT FOR ECOMMERCE
This information to data subject governs how the personal information you provide by using the website at www.toosh.it/en is processed by Iltex S.r.l., with registered office in Via Gabrio Serbelloni, 14 - 20122 Milan (MI), VAT number 13169870154 , email info@iltexsrl.com, hereafter the “Controller,” in accordance with current laws on data protection, in particular EU Regulation 2016/679 (hereinafter “GDPR”).
The Data Controller, shall process personal data related to customers or users, whether interested or contracting parties, as defined by the current legislation on personal data (hereinafter “Personal Data”)..
1. Identity and contact details of the data controller
The Data Controller is Iltex S.r.l.As the Data Controller is established in the Italian territory, no representative has been appointed.
2. Contact details of the data protection officer
The Data Controller has not appointed a data protection officer.
3. Third Parties Data
If the user were to communicate personal data of third parties to the Data Controller, also for the performance of the contract, the user must not only inform the third party of such circumstance, but also provide him with this Information to Data Subject and make the present disclosure to third parties.
4. Purposes of the processing and legal basis
The Data Subject’s data shall be processed for the following purposes:
a)For contractual purposes and/or for purposes connected to the performance of pre-contractual measures adopted upon his or her specific request or anyhow connected to the performance of the order entered by the data subject as well as for the purpose of complying with legal obligations connected to the aforementioned purposes, also for pre-contractual relations.
b)To send direct marketing communications, newsletters, advertising and commercial material, through the use of traditional systems of contact and automated computer systems, including commercial or promotional communications by email or text message or for marketing survey. In this case, the data subject’s consent expressed in compliance with this information to data subject shall provide the legal basis;
c)For profiling purposes and for the determination of the habits and preferences. In this case, the data subject’s consent expressed in compliance with this information to data subject shall provide the legal basis;
5. Modalities of expressing consent
Consent, whenever required, shall be given through the following means:
- By signing a digital document, also by clicking on a specific flagbox;
- By signing a paper document.
6. Modalities of processing
- In connection with the personal data processed and retained for the purposes referred to in point a), number 4 of this information on data subject (contractual, pre-contractual and legal obligation purposes), the processing will be carried out by way of paper means, automated means and through the use of CRM management software that allows to effectively manage the fulfilment of the contractual obligations;
- In relation to the personal data processed for the purposes referred to in point b), number 4 of this information to data subject (marketing purposes), the processing will be carried out through the use of software that automatically sends commercial information;
- In relation to the personal data processed for the purposes referred to in point c), number 4 of this information to data subject (profiling purposes) the processing will be carried out through CRM that allows to define the likings and preferences in order to offer personalised services and communications;
7. Automated decision-making and profiling
If the data subject has given his or her consent to the processing of personal data for profiling purposes, the data may be subject to an automated decision-making process through a specific algorithm that will determine which communications are more suitable to his or her profile or which may be of more interest to him or her. The processing carried out in such way shall have, as expected consequence, for example, the sending of highly profiled commercial communications, discounts, invitations to events deemed to be of interest, etc. In any case, the data subject shall have the right to obtain the human intervention in the Data Controller’s decision processing, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision
8. The source of personal data
Only the data provided by the data subject, in compliance with this information to data subject, will be processed and collected at the Data Controller’s headquarter or by the send of an email of yours or by filling the form.
In relation to the processing for profiling purposes in order to make available personalized services through profiling, those data may be correlated in order to obtain additional profiled information.
9. Recipients and categories of recipients of personal data
Recipients of the data subject’s personal data may be communicated:
- communication, and other category, companies that carry out commercial communication and profiling activities, if the related consent has been given, on behalf of the Data Controller and are responsible for the processing;
- companies that offer services of an information society, including, in particular, those offering hosting services;
- companies that carry out statistical surveys, whenever you have expressed the related consent;
- auditing companies;
- a consultant, within the limits necessary for carrying out the assignment with the owner or company of the Group as controllers, subsidiaries or associates;
- suppliers of goods and services within the limits necessary for carrying out the activities subject to the contractual and pre-contractual relationships;
- banks for the management of receipts and payments;
- financial administrations and other companies or public bodies in fulfillment of regulatory obligations.
10. Categories of data
The personal data of the data subject will be processed, financial data required to properly fulfill the orders received or handle any refund requests. Special categories of data will not be processed (by way of example, data concerning health).
11. Transfer of personal data
The Data Controller may intend to transfer personal data to a third country or to an international organisation. Such subjects may be:
- Communication companies that conduct communication activities on behalf of the Data Controller;
- Service providers of the communication society;
- Subsidiary or parent companies
The transfer of personal data to the aforementioned subjects, if based in a third country or international organization, is carried out according to a decision of suitability of the European Commission, which evaluates how the third country, the territory or one or more specific sectors in the third country or the international organization ensure an adequate level of protection of the data subject’s rights. In the absence of such decision, the Data Controller – if deemed in any case appropriate – reserves himself the right to conclude specific separate agreements that oblige such subjects to adopt adequate security and also organizational measures, in order to offer appropriate guarantees related to the data subject’s rights. The data may be transferred to the following countries: United States of America. In order to obtain a copy of such data or the place where they have been made available a request may be sent to the address set forth at the beginning of this document.
12. Personal data retention period
- The personal data processed and stored for the purposes referred to in point a), number 4 of this information to data subject (contractual, pre-contractual and legal obligation purposes) are processed, in the case of a concluded contract, for a period of time not exceeding 10 years from the termination of the effects of the contract for a period not exceeding 10 years from the termination of the negotiations;
- The personal data processed for the purposes referred to in point b) number 4 of this information to data subject (marketing purposes) are processed and retained until the data subject does not request the cancellation thereof;
- The personal data processed for the purposes referred to in point c), number 4 of this information to data subject (profiling purposes) are processed and retained for a period of time not exceeding 24 months from the collection of the data;
13. Optional nature of the consent and consequences in case of lack of consent
- In relation to the personal data processed and retained for the purposes referred to in point a), number 4 of this information to data subject (contractual, pre-contractual and legal obligation purposes) the communication of personal data is both a contractual obligation and a necessary requirement for the performance of the contract and for the negotiations. The data subject has the right to provide personal data; however, in the event of failure to communicate such data, it will not be possible to conclude any contract or perform any negotiation;
- In relation to the personal data processed for the purposes referred to in point b), number 4 of this information to data subject (marketing purposes), the communication of personal data is not a contractual obligation. The data subject has the right to provide personal data; however, in the event of failure to communicate such data, no marketing activity shall be carried out;
- In relation to the personal data processed for the purposes referred to in point c), number 4 of this information to data subject (profiling purposes), the communication of personal data is not a contractual obligation. The data subject has the right to provide personal data; however, in the event of failure to communicate such data, no profiling activity shall be carried out.
14. Right to object
The data subject has the right to object as set out here in below:
- The right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, according to point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;
- Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing;
- Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. The right of opposition of the data subject to the processing of his personal data for those purposes, may be exercised even only partially, for example, in order to send promotional communications realised by means of authomated and/or digital tools, or through sending paper communications;
- Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
15. Other rights
The Data Controller shall also inform the data subject about the existence of his or her following rights:
- Right of access by the data subject: the data subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and other specific information, pursuant to article 15 of the GDPR;
- Right to rectification: the data subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement, pursuant to article 16 of the GDPR;
- Right to data deletion, including the right to withdraw consent: the person in question has the right to have his/her personal data deleted by the Holder without undue delay and the Holder is obliged to delete this personal data without undue delay, or to withdraw consensus, if the reasons defined in art. 17 of the GDPR are present. As far as the right to withdrawal is concerned, the person in question also has the right to withdraw consensus at any time without compromising the legitimacy of the handling based on the consensus presented prior to withdrawal;
- Right of data handling limitation: the data subject shall have the right to obtain from the Data Controller restriction of processing where the grounds set out in article 18 of the GDPR apply;
- Right to data portability: the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the Data Controller to which the personal data have been provided under the conditions set out in article 20 of the GDPR;
- Right to oppose to commercial communications: the data subject has the right to object, at any time, free of charges, on receipt of commercial communications.
16. Rights exercise
The request to exercise the rights outlined in this information to data subject must be addressed directly to the Data Controller at the email address info@iltexsrl.com. Alternatively, such rights may be exercised by sending a letter to such effect by registered post with acknowledgement of receipt to the address stated at the top of this information to data subject
17. Accessibility to information to data subject
The information to data subject is made available at the following address, as well as at the Data Controller’s headquarter. If expressly requested by the data subject, the information may also be orally provided, provided that identity of the data subject is proven, by means of a telephone call.
18. Amendments
The Data Controller may make changes to this information to data subject, also in order to incorporate changes in national and/or EU legislation, to adapt to technological innovations or for other reasons. Any new version of this information to data subject will be made available on Fashtime website. The data subject is therefore invited to periodically check the Information to data subject. Any substantial modification (processing purposes and/or personal data categories), will be communicated by Data Controller to data subject, demanding, if necessary, the related consent.
I have read and accepted both the Terms of use and the Information to data subject.
I give my consent, explicit and unambiguous, with regard to the processing purposes as expressed in point 4, letters b) and c) of this information to data subject:
b) To receive direct marketing communications, newsletters, advertising and commercial material by means of computerized automated systems, included commercial communications through email or SMS, or for market analytic purposes (marketing purposes): Yes [_] No [_];
c) For profiling purposes: Yes [_] No [_].