INFORMATION ON PERSONAL DATA
INFORMATION NOTICE ON PERSONAL DATA PROCESSING
We wish to inform you comprehensively and transparently about the processing that our company could carry on your personal data provided and/or collected during various contacts that you could have with us, by visiting our website www.diesel.com (hereinafter the “Site”) and/or other websites related to us during the time, during the visit in our stores, by downloading and using our Apps, participating in prize contests, Wi-Fi systems in stores, social networks (hereinafter collectively, “Personal Data”).
Your privacy is extremely important for us and we kindly invite you to read the following information notice.
By submitting your Personal Data you may enjoy the advantages and benefits reserved exclusively to OUR registered customers (subject to availability in your Country), and we offer to those who love our products, that visit our online store or our stores in the world or that use our App or other online services.
1. WHO COLLECT THE PERSONAL DATA
Subjects who collect and process the Personal Data, as DATA CONTROLLER (hereinafter “Data Controllers” or “Controllers”) are:
- OTB S.p.A.,with registered offices in Italy, Breganze (Vi), Via dell'Industria 2, 36042, telephone +390445306555, email email@example.com, for marketing and profiling purposes;
- Diesel S.p.A.,with registered offices in Italy, Breganze (Vi), Via dell'Industria 4-6, 36042, telephone +390424477555, email firstname.lastname@example.org, for marketing and profiling purposes and, in case of purchase through the Site, also for administrative and accounting purposes;
- the local affiliate of Diesel S.p.A. of the Country where you will purchase our products or will use our services, will process data for administrative and accounting purposes;
- the local affiliate of Diesel S.p.A. of the Country where you are resident (or if a local affiliate where you are resident is not available, the local affiliate where you register for the first time), will process data for marketing and profiling purposes.
If you want to receive more information on local affiliates of Diesel S.p.A. you could visit the following link or write an email to email@example.com or to the postal addresses mentioned above.
Data Controllers appointed also the following data processors that could process the Personal Data on their behalf (hereinafter collectively “Data Processors”):
- the service provider of e-commerce: Arvato SCM Consumer Products GmbH, with registered office in Germany, An der Autobahn, 3333 Gütersloh;
- the Chief of marketing and communication campaigns to customers: the Marketing Director of Diesel S.p.A.
A complete list of Data Processors appointed may be prompted by writing to Data Controllers an email to firstname.lastname@example.org or to the postal addresses mentioned in the epigraph of this information notice.
2. WHY WE COLLECT THE PERSONAL DATA
Personal Data will be processed for the following purposes:
a. administrative and accounting purposes: execution of sales contract, accounting and fulfillment of legal obligations, after-sales services;
b. subject to your consent, for marketing purposes: dispatch of advertising material or direct sales material, market research, commercial communication even customized with automated systems (e-mail, other communication systems via communication networks such as, by way of example but not limited to: sms, mms, Whatsapp) and traditional (paper mail) contact methods, and offering of customized sales services at Data Controllers stores worldwide;
c. subject to your consent, for profiling purposes, that is analysis of your consumer choices consistent in automated processing of the Personal Data included data relating to purchases details in stores and websites of Data Controllers worldwide. This processing is finalized to predict your purchase preferences and to create customers profiles.
For the purposes of letter a., Data Controllers could collect and process the following Personal Data:
• personal information: first name, middle name, surname, name and surname in the local alphabet;
• during your visit in stores we will ask you, address of residence, city of residence, province of residence/state of residence, Country of residence, zip code, email address, phone number, mobile number, during a visit on online store we could collect shipping and invoicing address, method of delivery and payment, name of the holder of the credit card and expiration, requests made to customer service.
In addition to the Personal Data listed above, for the purposes of letters b. and c., Data Controllers could collect and process also the following Personal Data related to your profile and preferences:
• data collected during your visit in stores included use of Wi-Fi system: birthday, alleged age group, date of birth, in certain Country Wechat ID, gender, method and date of registration, preferences on store and sales assistant, language, categories of preferred products, mode of use of services, preferences about the services marked in stores, redemption campaign, attendance events, products brought into the dressing room but not purchased;
• data concerning purchases made online and in stores: detail of the products purchased, size, price, discount, units, color, wash, fit, model, collection, level of expenditure calculated, abandoned shopping cart;
• data regarding participation in prize contests;
• data collected during navigation or during online store purchases or the use of Apps: data related to browsing behavior and/or use held on Data Controllers websites by using, for example, cookies or information about pages that have been visited or searched or related to wishlist.
3. WHAT HAPPENS IF YOU DO NOT PROVIDE THE PERSONAL DATA
Some Personal Data that we will point out during the registration procedure or purchase are required in order to execute the purchase and to pursue the administrative and accounting purposes (letter a. of the Paragraph 2).
Providing and processing of Personal Data for profiling and marketing purposes (letters b. and c. of paragraph 2) is optional and therefore their inclusion in our Customer Relationship Management (CRM) systems that allow the processing of the Personal Data for marketing and profiling purposes will take place only with your consent.
You may at any time revoke your consent to the profiling and/or marketing purposes (letters b. and c. of Paragraph 2) contacting individually Data Controllers to the addresses above mentioned. Failing to provide the Personal Data and/or withhold your consent preclude the pursuit of profiling and marketing purposes but will not have any effect on your ability to finalize your purchases.
4. HOW WE WILL PROCESS THE PERSONAL DATA
The Personal Data provided and/or collected by Data Controllers will be processed and stored by automated tools and, in some cases, they will be processed and stored on paper. In particular, Personal Data processed for profiling and marketing purposes will be stored in the CRM systems that allow the processing of Personal Data for marketing and profiling purposes of Data Contollers and/or Data Processors whose server is located in United States of America. You acknowledge that the Personal Data is being transferred abroad, also outside European Union, and may become accessible to governments under a lawful order made in that country.
The Personal Data collected for administrative and accounting purposes (paragraph 2, letter a.) shall be stored for the time necessary to perform the contract, or the provision of legal warranties in accordance with the terms of the retention required by the applicable law. The Personal Data collected for marketing and profiling purposes (paragraph 2, letters b. and/or c.) will be stored until the customer asks to revoke the registration or the consent to the processing of the Personal Data.
The Personal Data related to the details of purchases processed for profiling and/or marketing purposes, which will be retained for the time allowed by Italian Data Protection Authority (“Authority”) in his measure dated 24 February 2005 or, in case of acceptance, by the number of years required by the accepted measure of the request for preliminary verification presented by Data Controllers if adopted by the Authority.
On expiry of the retention terms indicated above, the Personal Data will be automatically erased or made permanently and irreversibly anonymous.
5. WHO WILL PROCESS THE PERSONAL DATA
The Personal Data will be processed by:
• employees and associates of the Data Controllers designated as persons in charge of the processing;
• employees and associates of the Data Processors designated by Data Controllers including (i) subjects that manage the traditional or online stores and that may view, edit and update the Personal Data entered into the CRM systems by which the Data Controllers process for marketing and profiling purposes (ii) subjects that manage storing of the Personal Data on behalf of the Data Controllers in accordance to local agreements and laws;
• third party members in or outside the EU, Data Processors, used by the Data Controllers in particular for acquisition services and data entry of Personal Data, shipping, distribution of promotional material, after sales support, market research, management and maintenance of the CRM systems by which the Data Controllers process for marketing and profiling purposes and others Data Controllers IT systems.
A full list of data processors appointed by the Data Controllers can be communicated by writing to the following email address email@example.com or to the postal addresses mentioned in the epigraph of this information notice. The Personal Data may also be disclosed to third parties, independent data controllers, in particular professionals or legal or tax advice and assistance firms and companies managing payments made by debit or credit card. The Personal Data will not be disseminated in any way. The Personal Data will be transferred outside of the country or of the European Union, in countries not providing for an adequate level of data protection, only in accordance with the safeguards set forth by applicable privacy laws.
6. YOUR RIGHTS
According to art. 7 of the Italian Legislative Decree n. 196/2003, Chapter 9 of Danish Act No. 429 of 31 May 2000, (The Danish Act on the Processing of Personal Data) and to Chapter III of Regulation (EU) 2016/679, you can at any time request information on personal data collected, used, disclosed or processed by the Data Controllers (right of access), as well as request for integration, rectification or erasure and object to their processing. Furthermore, starting from 25th of May 2018 (when Regulation (EU) 2016/679 shall apply), you will be able to exercise also the following rights: restriction of processing, data portability and lodge a complaint with a supervisory authority.
In particular, you have the right to object and withdraw your consent, in whole or in part, to the collection, use, disclosure or processing of your personal data for purposes of dispatch of advertising material, direct selling or for the fulfillment of market surveys or commercial communication both automated (e-mail, other systems of distance communication as, by way of example: SMS, MMS, Whatsapp) and traditional (paper mail).
If you prefer that the processing of your personal data is carried out solely by means of traditional contact methods, you may object to the processing of your personal data by means of automated contact methods.
In order to exercise your rights above and/or submit an inquiries or complaints with regard to the processing of your personal data, you may send a request to the Data Controllers by writing to this email address firstname.lastname@example.org or to the postal addresses and contacts mentioned in the epigraph of this information notice.
Article 7 of the Italian Legislative Decree no. 196/2003. Rights of the Data Subject.
1. A data subject shall have the right to obtain confirmation as to whether or not personal data concerning him exist, regardless of their being already recorded, and communication of such data in intelligible form.
2. A data subject shall have the right to be informed:
a) of the source of the personal data;
b) of the purposes and methods of the processing;
c) of the logic applied to the processing, if the latter is carried out with the help of electronic means;
d) of the identification data concerning data controller, data processors and the representative designated as per Section 5(2);
e) of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing.
3. A data subject shall have the right to obtain
a) updating, rectification or, where interested therein, integration of the data;
b) erasure, anonymization or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed;
c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.
4. A data subject shall have the right to object, in whole or in part,
a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;
b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys.
Chapter 9 of Danish Act No. 429 of 31 May 2000 (The data subject’s right of access to data)
31. – (1) Where a person submits a request to that effect, the controller shall inform him whether or not data relating to him are being processed. Where such data are being processed, communication to him shall take place in an intelligible form about:
1. the data that are being processed;
2. the purposes of the processing;
3. the categories of recipients of the data; and
4. any available information as to the source of such data.
(2) The controller shall reply to requests as referred to in subsection (1) without delay. If the request has not been replied to within 4 weeks from receipt of the request, the controller shall inform the person in question of the grounds for this and of the time at which the decision can be expected to be available.
32. – (1) Section 30 shall be correspondingly applicable.
(2) Data which are processed on behalf of the public administration in the course of its administrative procedures may be exempted from the right of access to the same extent as under the rules of sections 19 to 29 and section 35 of the Act on Public Access to Documents in Administrative Files.
(3) The right of access shall not apply to data processed on behalf of the courts where the data form part of a text which is not available in its final form. This shall, however, not apply where the data have been disclosed to a third party. There is no right of access to the records of considerations of verdicts or to any other court records of the deliberations of the court or material prepared by the courts for the purpose of such deliberations.
(4) Section 31 (1) shall not apply where data are processed solely for scientific purposes or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.
(5) As regards processing of data in the area of criminal law carried out on behalf of the public administration, the Minister of Justice may lay down exemptions from the right of access under section 31 (1) in so far as the provision of section 32 (1), cf. section 30, is assumed to result in requests for rights of access in general being turned down.
33. A data subject who has received a communication in accordance with section 31 (1) shall not be entitled to a new communication until 6 months after the last communication, unless he can establish that he has a specific interest to that effect.
34. – (1) Communication in accordance with section 31 (1) shall be in writing, if requested. In cases where the interests of the data subject speak in favour thereof, the communication may, however, be given in the form of oral information about the contents of the data.
(2) The Minister of Justice may lay down rules for payment for communications which are given in writing by private companies, etc.
Chapter 10 of Danish Act No. 429 of 31 May 2000 (Other rights)
35. - (1) A data subject may at any time object in relation to the controller to the processing of data relating to him.
(2) Where the objection under subsection (1) is justified, the processing may no longer involve those data.
36. - (1) If a consumer objects, a company may not disclose data relating to that person to a third company for the purposes of marketing or use the data on behalf of a third company for such purposes.
(2) Before a company discloses data concerning a consumer to a third company for the purposes of marketing or uses the data on behalf of a third company for such purposes, it must check in the CPR-register whether the consumer has filed a statement to the effect that he does not want to be contacted for the purpose of marketing activities. Before data relating to a consumer who has not given such information to the CPR-register are disclosed or used as mentioned in the first clause of this subsection, the company shall provide information about the right to object under subsection (1) in a clear and intelligible manner. At the same time, the consumer shall be given access to object in a simple manner within a period of two weeks. The data may not be disclosed until the time limit for objecting has expired.
(3) Contacts to consumers under subsection (2) shall otherwise take place in accordance with the rules laid down in section 6 of the Danish Marketing Act and rules issued by virtue of section 6 (7) of the Danish Marketing Act.
(4) The company may not demand any payment of fees in connection with objections.
37. - (1) The controller shall at the request of the data subject rectify, erase or block data which turn out to be inaccurate or misleading or in any other way processed in violation of law or regulations.
(2) The controller shall at the request of the data subject notify the third party to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with subsection (1). However, this shall not apply if such notification proves impossible or involves a disproportionate effort.
38. The data subject may withdraw his consent.
39. - (1) Where the data subject objects, the controller may not make him subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects.
(2) The provision laid down in subsection (1) shall not apply if that decision:
1. is taken in the course of the entering into or performance of a contract, provided the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or that there are suitable measures to safeguard his legitimate interests; or
2. is authorized by a law which also lays down measures to safeguard the data subject's legitimate interests.
(3) The data subject has a right to be informed by the controller as soon as possible and without undue delay about the rules on which a decision as mentioned in subsection (1) is based. Section 30 shall be correspondingly applicable.
40. The data subject may file a complaint to the appropriate supervisory authority concerning the processing of data relating to him.