Pursuant to Article 13 of the European Regulation 2016/679 concerning the protection of individuals with regard to the processing of personal data (“GDPR”) and legislative decree 196/2003 (“Privacy Code”), certain obligations are imposed on those who process personal data relating to other persons.
ENERVIT S.p.A. (the “Company” or “Enervit”) wishes to inform you, in the following sections, about the methods and purposes of the processing of your personal data (as defined in Article 4 paragraph 1 no. 2 of the GDPR) collected through the website [●].
1. DATA CONTROLLER AND DATA PROTECTION OFFICER
The Data Controller for personal data is ENERVIT S.p.A. with registered office in Via Achille Papa, 30, 20149, Milan, Italy, in the person of its legal representative pro tempore (hereinafter the "Data Controller").
The Data Controller may be contacted by e-mail at the following address email@example.com or at the following address Via Achille Papa, 30, 20149, Milan Italy.
The Company has appointed a Data Protection Officer (“DPO”), pursuant to Article 37 of the European Regulation 2016/679, who may be contacted for questions or concerns regarding the processing of personal data at the email: firstname.lastname@example.org or
2. CATEGORIES OF PERSONAL DATA PROCESSED
The personal data processed by the Data Controller are those provided by the user when browsing the website [●] or any registration / adhesion to the services / programs present and / or any purchase of products made available by ENERVIT, such as:
a) name, surname, postal address, e-mail address, telephone number;
b) information necessary for the provision of the online sales service such as, for example, those functional to the execution of the payment and the shipment / exchange of the products purchased.
c) information about your habits, preferences, and interests in order to send you personalized offers and promotions.
3. LEGAL BASIS AND PURPOSE OF PROCESSING
The personal data provided by the User when browsing the website [●] are processed by the Data Controller in accordance with the current regulations for the protection of personal data.
The processing of your personal data by ENERVIT S.p.A. is aimed at pursuing the following purposes:
a) Online shopping activities (at points of sale or online): personal data provided will be used for the establishment, management, execution and/or conclusion of the online sales contract. The data you provide will be processed by the Data Controller for the purpose of managing the purchase order with reference to, for example, payment, shipment, management of returns, customer support, administrative and accounting purposes related to the management of the order and the fulfillment of obligations under the current legislation. In case of payment by credit card, the fundamental information for the execution of the transaction (credit card holder, credit/debit card number, expiration date, security code) will be processed by authorized credit institutions or, possibly, by companies in charge of anti-fraud control through encrypted protocol and without third parties being able to access it in any way. This information will never be displayed or stored by the seller;
Legal basis: for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract and for compliance with a legal obligation to which the controller is subject - art. 6 paragraph 1 letter b) c) of the GDPR.
b) Participation in general promotional activities. Participation in prize contests and/or loyalty programs: your data may be processed to enable you to participate in loyalty programs, prize contests, and/or take advantage of discounts for Enervit fidelity card holders. The data will be processed to allow the user to accumulate points to be used to access prizes provided by the same.
Legal basis: execution of the contractual relationship and fulfillment of a legal obligation - art. 6 par. (1)(b)(c) of the GDPR.
c) Online marketing activities: If you decide to subscribe to the Newsletter, only after your express and specific consent, your personal data will be processed by the Data Controller for the sending of commercial or promotional communications and updates relating, for example, to the latest trends, new arrivals, exclusive offers, special events and promotions. Users can subscribe to the newsletter through: (i) Pop Up NL & Banner on the Home Page, (ii) subscription to Maya Account, (iii) the function in the "Shopping Cart" when purchasing products, (iv) the footer. You can give your consent using the specific check boxes in these sections.
To unsubscribe from the newsletter, simply click on the unsubscribe link at the bottom of the e-mails received or write to the address email@example.com.
To compare and possibly improve the results of communications, the Data Controller uses systems for sending newsletters and promotional communications equipped with a reporting mechanism, thanks to which the Data Controller will be able to know, for example: the number of readers, openings and clicks; the type of device used to read the communication (desktop, mobile); the number of pending users who have not yet confirmed the registration; the number of emails sent per date/hour/minute; the details of the emails delivered compared to those sent; the list of unsubscribers to the newsletter; opening emails and clicking on individual links; problems displaying the message; link tracking (i.e. the number of clicks made on the links of the message); click tracking (which links have been clicked). All these data are used for the purpose of comparing, and possibly improving, the results of communications.
Legal basis: consent to the processing of personal data - art. 6 paragraph 1 letter a) of the GDPR.
d) Registration on the website [●]: If you decide to register on the website, only after your express and specific consent, the Data Controller will process your personal data for the purpose of registration on the website. In particular, the name, last name and email address you provide and the access password you set will be processed for the creation of your personal account, to speed up the purchase process, to allow you to view the status of orders and receive updates on purchases made, set and change your data and any “Preferences” that will improve navigation, update your account and view the history of returns.
When registering on the site and when creating their personal account, the user adheres to the loyalty program. The data will therefore also be processed for this purpose and to allow the user to accumulate points to be used to access prizes provided by the same.
Legal basis: consent to the processing of personal data - art. 6 paragraph 1 letter a) of the GDPR.
e) Profiling of the physical person: Only after your express and explicit consent, the personal data provided will be processed by the Data Controller for profiling activities, or analysis of your preferences aimed at creating personalized content and offers.
Legal basis: consent to the processing of personal data - art. 6 letter a) of the GDPR.
f) Internal research analysis, analytics, security: the personal data collected may be processed by the Data Controller to carry out internal commercial analysis, including data analysis, research, trend analysis, for statistical and survey purposes;
Legal basis: for the purposes of the legitimate interests pursued by the controller - art. 6 letter f) of the GDPR.
g) Defense in court for the rights of the Data Controller: the Data Controller may provide the information of the interested parties to the authorities and bodies responsible for the application of the law, regulations and judicial acts, as well as third parties in litigation or in the extrajudicial phase, also for the purpose of credit recovery.
Legal basis: for the purposes of the legitimate interests pursued by the controller - art. 6 letter f) of the GDPR.
4. NATURE OF PROCESSING
In relation to the purposes referenced in point a) of the previous section, providing your personal data and consent to its processing is mandatory. Failure to provide consent will make it impossible for the Company to proceed with the establishment, management, execution and/or conclusion of the online sales contract. It will be impossible to perform, for example, activities related to payment, shipment, management of returns, customer support, administrative and accounting purposes related to the management of the order and the fulfillment of obligations under current legislation.
In relation to the purposes referenced in point b) of the previous section, providing your personal data and consent to its processing is optional. Failure to provide consent will make it impossible for the Company to allow you to subscribe to the Newsletter, to send commercial or promotional communications, updates on, for example, latest trends, new arrivals, exclusive offers, special events and promotions. Failure to provide data will also result in the user being unable to participate in loyalty programs or any discount initiatives.
In relation to the purposes referenced in point c) of the previous section, providing your personal data and consent to its processing is mandatory. Failure to provide consent will make it impossible for ENERVIT to allow you to register on the website, create a personal account, speed up the purchase process, view the status of orders and receive updates on purchases, the possibility to update personal settings and account preferences, view the history of orders.
In relation to the purposes referenced in point d) of the previous section, providing your personal data and consent to its processing is optional. Failure to provide consent will make it impossible for the Company to perform profiling activities, or to perform analysis of your preferences aimed at creating personalized content and offers.
In relation to the purposes referred to in points f) and g) of the previous section, the provision of personal data and consent to their processing is mandatory. Failure to provide consent will make it impossible for the Company to carry out the activities indicated therein.
5. METHODS OF PROCESSING AND STORING DATA
The Data Controller processes personal data in compliance with the provisions of the current legislation on Privacy. The Data Controller processes personal data using IT and/or telematic tools and with organizational and logical procedures strictly related to the purposes indicated in this policy, as well as adopting the appropriate security measures to prevent access, disclosure, unauthorized modification or destruction of personal data, its loss and its illicit and incorrect use. However, the Company cannot guarantee its Users that the measures taken for website security and the transmission of data and information on the website are capable of limiting or excluding any risk of unauthorized access or loss of data by devices pertaining to the User. For this reason, it is suggested that the Users of the website make sure that their computer is equipped with adequate software to protect the transmission of data (such as updated antivirus) and that their Internet provider has adopted appropriate measures for the security of the transmission of data on the network. The Company also undertakes to process the data according to the principles of correctness, lawfulness and transparency, to collect the data to the extent necessary and exact for processing and to allow its use only by personnel for authorized purposes. The management and storage of personal data acquired will take place in archives or on servers located within the European Union owned by the Data Controller and/or by third-party companies appointed as External Data Processor for processing and, in any case, currently located in Italy.
In relation to the different purposes for which data is collected, personal data will be kept for the time strictly necessary to achieve that purpose and, in any case, in accordance with the current relevant regulations.
In any case, the Company will take care to avoid the use of data indefinitely by proceeding, on a regular basis, to verify appropriately the effective permanence of the interest of the User to which they refer.
6. COMMUNICATION OF PERSONAL DATA
The data collected will not be disseminated in any way, but will be processed within the limits and for the purposes described by:
a) employees / collaborators of the Company on the basis of adequate operating instructions (for example, administrative, commercial, marketing, legal, system administrators, etc.), appointed as authorized subjects to process pursuant to art. 29 of the GDPR;
b) third parties - who have been appointed as External Data Processors pursuant to art. 28 of the GDPR - which the Data Controller uses or could use in the context of the management of the contractual relationship, the provision of the services offered and for the technical / organizational needs of its activity;
c) subjects, public and private, who can access the data by virtue of the provision of law, regulation or community legislation, within the limits set by these rules;
d) subjects who need to access the data for purposes related to the contractual relationship between the parties, within the limits strictly necessary for the performance of auxiliary tasks (such as, for example, banks and credit institutions, technical service providers, hosting providers, IT companies, communication agencies, postal couriers and shipping companies);
e) collaborators and / or consultants, within the limits necessary for the performance of their professional assignment.
The updated list of Data Processors and persons authorized to process is kept at the headquarters of the Data Controller and is available to the Interested Party, upon request to be sent to the addresses of the Data Controller.
7. DATA TRANSFER TO A THIRD COUNTRY OR AN INTERNATIONAL ORGANIZATION
The management and storage of personal data will take place on servers of the Data Controller and / or third-party companies duly appointed as External Data Processors located within the European Union. Personal data may be transferred abroad, in accordance with the provisions of current legislation, even in countries outside the European Union. The transfer to non-EU countries, in addition to the cases in which this is guaranteed by Adequacy Decisions of the Commission, is carried out in such a way as to provide appropriate Guarantees pursuant to Articles 46 or 47 or 49 of the Regulation.
8. RIGHTS OF THE DATA SUBJECT
As the data subject, you may exercise, at any time, the rights provided to you in Articles 15, 16, 17, 18, 20 and 21 of the GDPR which, in particular, confer the rights to:
a) Obtain from the Data Controller, pursuant to Article 15, confirmation of the existence or not of personal data being processed and, in this case, obtain access to the data and information such as: (i) the purposes of the processing; (ii) the categories of personal data; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients located in Third Countries or International Organizations; (iv) when possible, the retention period of the personal data provided or, if not possible, the criteria used to determine this period;
b) Obtain from the Data Controller, pursuant to Article 16, the correction of inaccurate personal data without undue delay; taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, by providing an additional declaration;
c) Obtain from the Data Controller, pursuant to Article 17, the deletion of their personal data without undue delay. The Data Controller has the obligation to cancel, without undue delay, personal data if there is one of the reasons indicated in paragraph 1 of Article 17;
d) Obtain from the Data Controller, pursuant to Article 18, restriction of processing when one of the hypotheses governed by paragraph 1 of Article 18 occurs;
e) Obtain from the Data Controller, pursuant to Article 20, the portability of data or to receive in a structured, commonly used and machine-readable format, their personal data provided to a Data Controller. The data subject also has the right to transmit such data to another Data Controller without impediments by the first Data Controller to whom it has provided them, if the conditions indicated in Article 20 paragraph 1 are met. Finally, the data subject has the right to obtain the direct transmission of personal data from one Data Controller to another, if technically feasible;
f) Object to, in whole or in part, pursuant to Article 21, the processing of their personal data.
It should also be noted that the Data Subject has the right to revoke the consent at any time without prejudice to the lawfulness of the processing based on the consent given prior to the revocation, without prejudice to the consequences indicated above regarding a refusal to provide such personal data.
You also have the right to lodge a complaint with a Guarantor Authority for the Protection of Personal Data based in Via Piazza Venezia n. 11 - 00187 Rome, mail: firstname.lastname@example.org.
You can make requests regarding these rights by sending an email to email@example.com.
ENERVIT will respond to requests made by the interested party within one month, except in cases of particular complexity, for which it may take up to a maximum of three months. In any case, the Data Controller will provide the interested party with the reason for the delayed response within one month of the request. The outcome of the request will be provided in writing or in electronic format. In case of request for rectification, cancellation and limitation of processing, the Data Controller will communicate the results of the requests received by the data subject to each of the recipients of their data, unless this proves impossible or involves a disproportionate effort.
The Company specifies that a contribution may be requested from the data subject if the requests prove to be manifestly unfounded, excessive or repetitive; in this regard, the Data Controller will keep a register to track the requests for intervention.
9. CHANGES TO THIS POLICY
Date last updated: 17/11/2022