• The nature of the personal data processed (as defined below);
• The purposes and means of the processing of personal data;
• The identity and contact details of the controllers;
• The contact details of the data protection officer (DPO);
• Any third parties involved in the processing operations;
• The period the personal data will be stored;
• A brief description of the security measures adopted to protect personal data;
• The existence of the data subject’s right to request from the controller access to and rectification or erasure of his/her personal data, right to limit the processing of the data concerning him/her or to oppose their processing, and the right to the portability of user data.
Users under the age of 14 (fourteen) are unable to give consent to the processing of personal data without the authorization of the holder of parental responsibility.
Pursuant to the GDPR, the controller is the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers.
The joint controllers relating to the activities of the Site are:
• FRANKBROS, Italy, Piazza Arcole 4, 20143 Milan, Italy; contact details: firstname.lastname@example.org
• THE LEVEL S.R.L., Piazza Arcole 4, 20143 Milan, Italy; contact details: email@example.com (the “Joint Controllers”).
A Data Protection Officer has been designated to ensure that personal data is processed in accordance with the GDPR. The Data Protection Officer may be contacted for any request at the following email address: firstname.lastname@example.org
Regarding the processing of personal data relating to marketing and profiling activities, FRANKBROS will act as the sole controller, while The Level S.r.l. will carry out data processing activities as the processor on behalf of FRANKBROS.
Personal data. Purpose of the processing.
The term “personal data” means any information relating to users of the Site, including data that identify them personally, alone or in combination with other information.
Personal data are collected automatically through the Site or received through multiple sources: forms, chats, emails, apps, devices, social media and other means.
The Joint Controllers process personal data in connection with the following activities:
Managing Site browsing
The Joint Controllers collect browsing data (which, according to the GDPR, do not fall under the special categories of data) using automatic means to enable and improve the user’s browsing of the Site (e.g. IP address, date/time of the visit and relative duration, any referring URLs, pages visited on the Site, device used and other information).
The processing of such personal data allows users to access the Site and make full use of its features and services. Browsing data may also be used to ensure the Site is functioning properly.
From time to time, browsing data are processed anonymously for statistical purposes.
Browsing data are unlikely to allow identification of the relevant data subject. However, by their very nature, browsing data may allow identification of data subjects if associated with other information.
The browsing data described above are stored only temporarily in accordance with applicable regulations.
The legal basis for the processing of personal data in this case is the legitimate interest of the controller.
At the time of verification, the Site will ask users to provide personal data for the essential purpose of ensuring the management of orders and complying with existing contractual obligations with users (the data processed include, but are not limited to, first name, last name, email address, delivery address).
These personal data are also necessary to allow customer service to assist customers with any requests or questions before or after the sale (e.g. concerning the delivery status of the order or returns of products).
Personal data relating to orders are kept for as long as necessary to fulfil contractual obligations and any accounting and tax obligations.
The Joint Controllers may also verify that payment instruments used by customers for purchases on the Site (e.g. credit or debit cards, etc.) are valid, mainly to prevent fraud or to fulfil statutory anti-money laundering obligations. Since this activity is delegated to duly authorized third parties, the Joint Controllers do not process or store financial information relating to customers and payment instruments.
Failure to transmit/provide the personal data requested at checkout will prevent users from completing an order on the Site.
The legal basis for the processing of personal data in this case is Article 6(1)(b) of the GDPR (performance of a contract to which the data subject is party).
Based on their legitimate interest (Article 6(1)(f) of the GDPR) in improving customer relations, the Joint Controllers will send customers who have made purchases on the Site email communications containing product suggestions, discounts, requests for feedback or other updates. Customers are free to object to any further email communication at any time (e.g. by clicking on the “unsubscribe” link at the foot of each email).
Registering an account on the Site
When users decide to create and register a personal account on the Site, they are asked to provide personal data (e.g. date of birth, gender, etc.). The Site clearly indicates which personal data are (or are not) required to set up an account on the Site.
Users must provide true and accurate personal data at the time of registration and are encouraged to keep their personal data up to date by accessing their personal account to make any necessary changes.
Users who choose to activate or access their account on the Site through social media must be aware that when they connect their Site account to a social media account, the Site collects certain personal data the user has already provided to that social media platform (e.g. email address and public profile on Facebook).
The Joint Controllers do not monitor or manage these social media services or user profiles on these social media services, nor do the Joint Controllers establish the personal data protection settings or the rules regarding the methods of use of personal data on these social media platforms (Facebook, Twitter, or other). Users are strongly encouraged to read any information published by the managers of these services concerning the protection of personal data to obtain further information on the methods of processing personal data through these channels.
The legal basis for the processing of personal data in this case is the data subject’s consent given at the time of registration (Article 6(1)(a) of the GDPR).
Newsletters and marketing communications
Site users can opt to receive newsletters and marketing communications.
The Joint Controllers collect users’ freely given, express, and unequivocal consent before sending them newsletters and marketing communications or, more generally, before undertaking dedicated marketing initiatives.
In these cases, in addition to their email address, users may be asked to provide personal data (e.g. gender, country of residence, etc.) to receive marketing communications and newsletters tailored to their user profile.
Users may at any time withdraw their consent to receive newsletters and marketing communications:
• In their account settings;
• By clicking on the “unsubscribe” link at the bottom of an email;
• By contacting our customer service representatives.
The legal basis for the processing of personal data in this case is the data subject’s consent to the processing of his/her personal data.
Based on the user’s express consent, the newsletter and marketing communications may be adapted to the user’s profile, based on the personal data the Joint Controllers collect about the user concerned.
As for the customers of the Site, it is in the legitimate interest of the Joint Controllers to process personal data to offer more interesting products, improve the Site and personalize the products offered on the Site.
The main purpose of profiling is to offer products, services and initiatives that better meet users’ and customers’ tastes, purchasing habits and interests.
Personal data may also be used for remarketing, retargeting or profiling purposes, including through third parties (e.g. social networks, etc.).
Neither the Site nor the Joint Controllers profile minors.
The legal basis for the processing of personal data in this case is the data subject’s consent to the processing of his/her personal data (Article 6(1)(a) of the GDPR).
Sharing and transfer of personal data
The Joint Controllers transfer customers’ personal data to major third-party providers acting as data processors (the “Processors”) to carry out the operations necessary to fulfil their contractual obligations (e.g. delivery of ordered goods, payments, etc.).
The Joint Controllers make every effort to ensure that all Processors apply the best procedures available to protect personal data and do not use these data for purposes other than those established by the controllers.
For example, the Joint Controllers may share personal data with the following categories of Processors:
• Courier services and postal operators;
• Fulfilment centres and warehouses;
• Advertising, digital, marketing and social media agencies;
• IT service providers;
• Customer support service providers;
• Payment service providers.
The Joint Controllers are required to share personal data with third parties where strictly required by law and where necessary to protect the rights of the Joint Controllers, related parties, or third parties.
Personal data may also be disclosed to other companies within the same group of companies to which each of the Joint Controllers belongs or to third parties in the event of a company reorganization procedure, in full compliance with applicable law.
In all other cases, the sharing of personal data is subject to users’ prior express consent, unless the processing is permitted on the basis of another legal basis.
The Joint Controllers will not transfer any personal data outside the European Economic Area (EEA), unless the user (data subject) has explicitly authorized the transfer or the transfer of personal data outside the EEA is permitted by the GDPR based on another legal basis.
Processing methods and security measures
Users’ personal data are processed by the Joint Controllers using information technology, automated and electronic tools and, in limited cases, paper means. In compliance with the GDPR, specific security measures have been implemented to prevent data loss, unlawful or improper use of and unauthorized access to data.
Only the persons authorized by the Joint Controllers or by the providers acting as Processors have access to personal data relating to the activities of the Site. Instructions and security measures have been defined in agreements or when appointing the Processors to ensure that the level of security required by the GDPR is ensured at all times during the processing of personal data for Site activities.
While security measures have been adopted in Site settings and processing operations to prevent the loss, destruction or dissemination of personal data, the security risks associated with the online transmission of data cannot be excluded.
Storage of personal data
The Joint Controllers keep personal data for as long as necessary to provide users and customers with the services they request or to comply with legal or tax obligations or for the minimum period prescribed by law.
The Joint Controllers promptly delete or anonymize personal data whose retention is no longer necessary/mandatory according to the law.
Without prejudice to the right to be forgotten within the limits established by the applicable legislation, where the retention of personal data is no longer permitted/provided for by legislation, the maximum storage period of personal data is 10 (ten) years from the date of the relevant data subject’s last interaction with the Site.
Links to third-party websites or platforms
The Site may display banners, advertisements and other links to third-party websites or platforms. The Joint Controllers have no control over and are not responsible for the conduct of these third-party websites and platforms in relation to data protection legislation. Users are encouraged to read the data protection policies of third-party websites for information on their personal data collection and storage or processing procedures.
Rights of users
Users/customers (as data subjects) have the right to obtain confirmation as to whether or not personal data concerning them is held by Joint Controllers.
Where this is the case, under the GDPR, users, as data subjects, also have the right to:
• Be informed about the collection and use of personal data concerning them;
• Obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, if so, obtain access to the personal data and the following information:
a) the purposes of the processing
b) the categories of personal data concerned
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
d) where possible, the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
e) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing
f) the right to lodge a complaint with a supervisory authority (in Italy: Garante per la protezione dei dati personali – Personal Data Protection Authority)
• Obtain the rectification or completion of inaccurate or incomplete personal data;
• Obtain the erasure of their personal data (“the right to be forgotten”);
• Receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (“the right to data portability”);
• Object, under specific conditions, to the processing of personal data concerning them;
• Object at any time to the processing of personal data concerning them for the purposes of “profiling” or “automated decision-making processes”;
• Withdraw, at any time, their consent to the processing of their personal data, where requested and given, without affecting the lawfulness of processing based on consent before its withdrawal;
• Lodge a complaint with the competent Italian supervisory authority: Garante per la protezione dei dati personali, Piazza di Montecitorio n. 121, 00186, Rome (RM), Italy.
What are cookies
Cookies are small text strings that the Site sends to the user's device, where information is memorized for various purposes. In particular, cookies allow the Site to recognize users on subsequent visits or enable other websites to recognize such users for particular purposes.
What kind of cookies the Site uses
The Site uses various types of cookies for different purposes:
Technical cookies
Technical cookies are cookies enabling users to browse on the Site or to enjoy its basic features. These cookies are installed automatically on the user device by the Site as a result of the user’s access to the Site and do not require any specific consent by the user.
Indeed, consent is not required by the law if and when a cookie is:
• Used for the sole purpose of carrying out the transmission of a communication; and
• Strictly necessary in order for the provider of a digital service explicitly required by the user to provide that service.
Technical cookies used by the Site include:
• Navigation cookies: to ensure the normal browsing and use of the Site, through different options or services;
• Functional cookies: to save user preferences and facilitate the browsing experience based on a set of selected criteria (for example, language, browser type, etc.).
The Site also collects the IP address or any other identifying information on the user device that is necessary in order to manage the Site, diagnose server problems and meet other lawful purposes.
Disabling technical cookies may limit the ability of users to browse the Site and to enjoy its features or the services offered.
All cookies other than technical cookies are installed or activated only if previous consent by “opt-in” is given by users.
On their first visit to the Site, users are shown a cookie banner on the screen or interface. This banner will disappear once the user has accepted or refused the cookies used on the Site.
Opt-in may be expressed in a general way, for instance by closing the banner, or by clicking the OK button, or by scrolling the page or clicking on any of its elements; opt-in can also be provided in a selective way.
Opt-in given by users is tracked and recorded in order to make their next visits to the Site more effective. However, users can always revoke all or part of the consents previously given.
The non-technical cookies used by the Site are third-party cookies: cookies set up on the user’s device by a domain or website distinct from the Site. Third-party cookies are implemented by marketing vendors and partners of the Site by means of third-party tags. The Site does not control such cookies.
The Site does not have any access or control over cookies or other tracking technology used by third parties accessible by the Site and cannot ensure compliance of third parties with the applicable privacy law.
Advertising cookies: these cookies allow the Site to create an anonymous profile of users based on their browsing experience on this Site and on others. In such a way, it is possible to provide users with advertisements targeted to their interests rather than generic advertising. This is a list of advertising cookies:
Retargeting cookies: these cookies allow third parties to send advertising to users who have previously visited the Site. This is a list of retargeting cookies (it includes a link to more information on such cookies and the instructions on how to manage user consent):
Social media cookies
These cookies are needed to share content on social networks. This is a list of social media cookies:
Analytical cookies: these cookies are collected by third parties, in individual or aggregated form, in order to collect information on the number of users and on how they visit the website, such as information on which pages or sections are most viewed. This is a list of analytical cookies:
Users can manage cookie preferences through their web browser settings:
For more information, Users can visit:
http://www.allaboutcookies.org or www.youronlinechoices.com
Users wishing to contact the Site concerning any matter relating to cookies are encouraged to write to: email@example.com