PRIVACY POLICY
INFORMATION AND REQUEST FOR CONSENT FOR THE PROCESSING OF PERSONAL DATA
This information is provided pursuant to art. 13 of Legislative Decree 30 June 2003 n. 196 and subsequent amendments (so-called Privacy Code), as well as pursuant to art. 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
www.shop-smb.com is the e-commerce site owned by Twenty-Twenty srl, with registered office in Verdellino (BG) Via Lisbon 29. The site offers the online sales service of bags and accessories. The site contains sections where users can leave their data in order to receive news, updates, proposals and promotional offers as well as to make online purchases.
All data collected will be processed by Twenty-Twenty srl, as Data Controller (hereinafter also Data Controller), in the person of its pro tempore legal representative who, in turn, has appointed Valentina Azzia as Data Processor as well as the persons in charge Alberto Locatelli, Enrica Pezzoli and this in compliance with the protection principles established by the Code regarding personal data and subsequent amendments, as well as all European and national legislative interventions and / or provisions of the supervisory authorities.
The following information is provided exclusively for the website of www.shop-smb.com owned by Twenty-Twenty srl, in relation to the content of the attached pages and the services provided and from the analysis carried out by the IBI IUS legal studio. Avv. Vatinee Suvimol, with prohibition of reproduction, even partial, of the contents of this document.
The www.shop-smb.com site is equipped with the following plugins that can collect, directly or indirectly, the User's personal data:
Newsletter, cart section and analytics; contents of third-party platforms: Facebook, Instagram, PayPal, Wix, Mailchimp, Iubenda.
The plug-ins and accessories may vary over time, the site has no specific duration and the purposes, methods, type and place of processing remain unchanged. Wordpress, Wix, Iubenda and the plugins implement updates in order to allow the management, processing, collection, extrapolation and revocation of personal data provided by users as well as the navigation methods depending on the granting of consent of third party cookies and profiling by the users.
A. PURPOSE OF THE TREATMENT
The processing of data, spontaneously provided by the User while browsing the www.shop-smb.com site, takes place through the following functions:
1. newsletter (optional option for the user if he wants to receive updates from the blog for promotions, discounts, news and offers).
2. account creation after registration (optional option for the user if he wants to register).
3. Shopping cart section (email, name and surname, residence, telephone)
The data is provided by the user and processed exclusively by www.shop-smb.com and the related companies for the sole purpose of executing the contract and, specifically:
- allow the User to ask questions directly to the customer service or via email;
- allow the User to be updated on any promotions, news, initiatives, events and discounts by receiving newsletters;
- allow the User to complete an online purchase transaction;
The user can express his will not to receive communications, not to be contacted and not to consent to the processing of data by sending an email to: contact@savemybag.it
B. TYPE OF DATA COLLECTED AND PROCESSED
PLUGIN:
Wix, Sentry. Without prejudice to personal autonomy and the right of the interested party to provide or not to provide their data to the site, the provision of data referred to in paragraph A) consists of:
name, surname, company name, e-mail, address, city, country, region, post code, telephone, tax code, delivery address (when different from residence) data relating to payment methods (extremes and details are managed by PayPal and Stripe)
CONTENTS OF THIRD-PARTY PLATFORMS
Facebook, Instagram, Google Analytics. These are third-party platform services that collect traffic data relating to the site on which they were installed, in this case of www.shop-smb.com
For the methods, place and other processing details, please refer to the respective Privacy Policy of each platform.
C. OWNER, RESPONSIBLE AND RESPONSIBLE
The data controller is Twenty-Twenty srl, Milan, E-mail: contact@savemybag.it
The data processor is Valentina Azzia
The persons in charge of processing are: Alberto Locatelli and Enrica Pezzoli
The managers and agents are aware of the access credentials to the back office of the site www.shop-smb.com, and can change the aforementioned credentials. Upon authorization and for technical reasons, the Owner, the manager and the persons in charge may authorize third parties to access the site for limited periods of time and for needs related to technical needs. The Wix technicians, the chosen hosting service, also have access to the site, but only with the authorization of the Owner. On this point, please refer to the privacy policy and the adoption measures undertaken by Wix.
D. PROCESSING METHOD
The personal data provided will be processed:
a. by the company Twenty-Twenty srl and any third party companies responsible for carrying out the execution of orders and shipments. As part of the back office management software in use at Twenty-Twenty and the site back office as well as at the hosting (to whose privacy policy reference is made in full for the part pertaining to it);
b. in some cases, through the plugins (eg. Newsletter) through automated procedures provided by the plugins themselves, in the ways and within the limits necessary to pursue the aforementioned purposes (to whose privacy policy reference is made in full for the part pertaining to it).
The collected data are not disclosed in any other way and remain within the company and under its responsibilities.
E. PLACE AND TRANSFER OF DATA TO THIRD COUNTRIES
The data collected is processed at the offices of the Data Controller, mainly at the operational headquarters in Verdellino (BG). The Data Controller will not transfer personal data to third countries.
F. PERIOD OF CONSERVATION
The data provided will be processed and stored by the Data Controller, the manager, the persons in charge and external managers for the purpose strictly connected to the aforementioned purposes and stored at the Data Controller for the period of provision of services (sale, guarantees pursuant to law, after sales). The retention period is 10 years.
G. RIGHTS OF THE INTERESTED PARTY
The interested party may at any time exercise his rights towards the Data Controller pursuant to Legislative Decree 193/2006 and Regulation (EU) 2016/679. The undersigned IBI IUS Law Firm Avv. Suvimol on behalf of Twenty-Twenty srl reports here the envisaged rights:
I. RIGHT OF ACCESS TO THE INTERESTED PARTY - Art. 15 Reg. (EU) 2016/679
1. The interested party has the right to obtain from the data controller confirmation as to whether or not personal data concerning him is being processed and, in this case, to obtain access to personal data and the following information;
a) the purposes of the processing;
b) the categories of personal data in question;
c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if they are recipients of third countries or international organizations;
d) When possible, the retention period of personal data provided or, if not possible, the criteria used to determine this period;
e) the existence of the data subject's right to ask the data controller to rectify or delete personal data or limit the processing of personal data concerning him or to oppose their treatment;
f) the right to lodge a complaint with a supervisory authority;
g) if the data are not collected from the tierced all available information on their origin;
h) the existence of an automated decision-making process, including profiling pursuant to art. 22 paragraphs 1 and 4 and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject.
2. If personal data are transferred to a third country or to an international organization, the interested party has the right to be informed of the existence of adequate guarantees pursuant to art. 46 relating to the transfer.
3. The data controller provides a copy of the personal data being processed. In the event of further copies requested by the interested party, the data controller may charge a reasonable fee based on administrative costs. If the interested party submits the request by electronic means, and unless otherwise indicated by the interested party, the information is provided in a commonly used electronic format.
4. The right to obtain a copy referred to in paragraph 3 must not affect the rights and freedoms of others.
II. RIGHT OF RECTIFICATION - Art. 15 Reg. (EU) 2016/679
The interested party has the right to obtain from the data controller the correction of inaccurate personal data concerning him without justified delay. Taking into account the purposes of the processing, the interested party has the right to obtain the integration of incomplete personal data, also by providing an additional declaration.
III. RIGHT TO CANCELLATION ("RIGHT TO BE FORGOTTEN") - Art. 17 Reg. (EU) 2016/679
1. The data subject has the right to obtain from the data controller the deletion of personal data concerning him without undue delay and the data controller is obliged to cancel the personal data without undue delay, if one of the following reasons exists:
a) the personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
b) the interested party revokes the consent on which the processing is based in accordance with Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), and if there is no other legal basis for the processing ;
c) the interested party opposes the processing pursuant to art. 21, paragraph 1, and there is no legitimate overriding reason to proceed with the processing, or oppose the processing pursuant to Article 21, paragraph 2;
d) personal data are processed unlawfully;
e) personal data must be deleted to fulfill a legal obligation under Union law or the Member State to which the data controller is subject;
f) the personal data were collected in relation to the information society service offer referred to in Article 8, paragraph 1.
2. The data controller, if he has made personal data public and is obliged, pursuant to paragraph 1, to delete them, taking into account the available technology and implementation costs, he shall take reasonable measures, including technical ones, to inform the data controllers who are processing the personal data of the request of the interested party to delete any link, copy or reproduction of his personal data.
3. paragraphs 1 and 2 do not apply to the extent that the processing is necessary:
a) for the exercise of the right to freedom of expression and information;
b) for the fulfillment of a legal obligation that requires the processing provided for by the law of the Union or of the Member State to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of public authority of which the data controller is invested;
c) for reasons of public interest in the public health sector in accordance with Article 9, paragraph 2, letters h) and i), and Article 9, paragraph 3;
d) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89 (1), insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the of this treatment; or
e) for the assessment, exercise or defense of a right in court.
IV. RIGHT TO LIMITATION OF TREATMENT - Art. 18 Reg. (EU) 2016/679
1. The interested party has the right to obtain from the data controller the limitation of processing when one of the following hypotheses occurs:
a) the data subject disputes the accuracy of personal data, for the period necessary for the data controller to verify the accuracy of such personal data;
b) the processing is unlawful and the interested party opposes the cancellation of personal data and instead requests that its use be limited;
c) although the data controller no longer needs it for processing purposes, the personal data are necessary for the person concerned to ascertain, exercise or defend a right in court;
d) the interested party opposed the processing pursuant to art. 21, paragraph 1, pending verification of the possible prevalence of legitimate reasons of the data controller with respect to those of the interested party.
2. If the processing is limited pursuant to paragraph 1, such personal data are processed, I was that for conservation, only with the consent of the interested party or for the assessment, exercise or defense of a right in court or to protect the rights of another natural or legal person or for reasons of significant public interest of the Union or of a Member State.
3. The interested party who has obtained the processing limitation pursuant to paragraph 1 is informed by the data controller before this limitation is revoked.
V. RIGHT TO DATA PORTABILITY - Art. 20 Reg. (EU) 2016/679
1. The interested party has the right to receive in a structured format, commonly used and readable by an automatic device, the personal data concerning him provided to a data controller and has the right to transmit such data to another data controller without impediments on the part of the data controller to whom he provided them if:
a) the processing is based on consent pursuant to article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), or on a contract pursuant to article 6, paragraph 1, letter b); and the processing is carried out by automated means.
2. In exercising their rights relating to data portability pursuant to paragraph 1, the interested party has the right to obtain the direct transmission of personal data from one data controller to the other, if technically feasible.
3. The exercise of the right referred to in paragraph 1 of this article is without prejudice to Article 17. This right does not apply to the processing necessary for the performance of a task in the public interest or connected to the exercise of public authority referred to the data controller is invested.
4. The right referred to in paragraph 1 must not affect the rights and freedoms of others.
VI. RIGHT OF OBJECTION - Art. 21 Reg. (EU) 2016/679
1. The interested party has the right to object at any time, for the reasons connected to his particular situation, to the processing of personal data concerning him pursuant to article 6, paragraph 1, letters e) or f), including profiling on the basis of these provisions. The data controller refrains from further processing personal data unless he demonstrates the existence of compelling legitimate reasons for proceeding with the processing that prevail over the interests, rights and freedoms of the data subject or for the assessment, exercise or the defense of a right in court.
2. If personal data are processed for direct marketing purposes, the interested party has the right to object at any time to the processing of personal data concerning him for these purposes, including profiling to the extent that it is connected to such marketing direct.
3. If the data subject objects to the processing for direct marketing purposes, the personal data are no longer processed for these purposes.
4. The right referred to in paragraphs 1 and 2 is explicitly brought to the attention of the interested party and is presented clearly and separately from any other information at the latest at the time of the first communication with the interested party.
5. In the context of the use of information society services and without prejudice to Directive 2002/58 / EC, the interested party can exercise his right to object with automated means that use specific techniques.
6. If personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89, paragraph 1, the interested party, for reasons connected to his particular situation, has the right to object to the processing of personal data which concerns him, unless the processing is necessary for the performance of a task of public interest.
GENERAL RULES FOR THE EXERCISE OF RIGHTS
We inform you that the rights referred to in the preceding paragraphs may be exercised at any time by sending an email to the following address:
together with a digital copy of your valid identity document.
We remind you that if you ask us to stop all processing of your personal data, we will not be able to continue to provide you with the services you have request