- THE DATA CONTROLLER AND SUPERVISORS
The data controller is the Company, with registered office and address for service at Via Achille Papa 30, 20149 Milan, Italy, in the person of its acting legal representative (the Data Controller).
You can contact the Data Controller via email at email@example.com or by post at the above address.
The Data Controller may appoint internal or external data supervisors (the Data Supervisors) and appointed people with the authority to process data (the Appointed People). A full up-to-date list of the Data Supervisors and Appointed People is available from the Data Controller at the above addresses.
Under article 37 of the GDPR, the Company has also appointed a Data Protection Officer (DPO), who can be contacted via email at firstname.lastname@example.org and by post at the above address.
- TYPE OF DATA PROCESSED
In providing its services, the Company obtains your personal data directly from you. In particular, the Company processes the following kinds of non-sensitive personal data:
- Personal contact details. All the details you provide for us to contact you, e.g. your forename, surname, postal address, email address, social-media details or telephone number.
- Account access details. Any information needed for you to access your specific account: e.g. your access ID / email address, user name, password and/or security questions and answers.
- Demographic information. Any information about your demographic or behavioural traits, e.g. your date of birth, age or age group, sex, geographical area (e.g. postcode), favourite products, hobbies and interests, and domestic or lifestyle details.
- Technical information on your computer / mobile device. Information about the IT system or device that you use to access one of our websites or apps, such as the IP address used to connect your computer or device to the internet, the operating system, or the type and version of your web browser. If you access an Enervit website or app via a mobile device, such as a smartphone, then we shall also obtain your device’s unique identifier, advertising ID, geolocation and similar data about it, where permitted.
- Information on website use / communication. When you browse and interact with our websites or newsletter, we use technologies to gather data automatically to obtain certain information about your behaviour. This includes information about the links that you clicked on, the pages or content that you viewed and how long for, and similar information and statistics about your interactions, the time you took to respond to the content, any download errors and how long you spent on certain pages. This information is collected using automated technologies, such as cookies (browser cookies, Flash cookies) and web beacons, and via third-party monitoring services.
- Consumer feedback. Information on your experience with using our products and services that you choose to share with us.
- Consumer-generated content. Any content that you create and share with us on social media or by uploading it to one of our websites or apps, including via network apps such as Facebook. This may include, for example, photos, videos, personal stories or other similar content or media. Where permitted, we collect and publish content generated by users in connection with various activities, including competitions and other promotions, the shared functions of websites, user participation and third-party social events.
- Social-media information. Any information that you share publicly on a social network or information that is part of your profile on a third-party social network (e.g. Facebook) and that you allow the third-party social network to share with us. Examples include basic account information (e.g. name, email address, sex, date of birth, town of residence, profile photo, user ID, list of friends) and all other information or activities that you allow the third-party social network to share. We receive your social-network profile information (or part thereof) whenever you download or interact with an Enervit web app on a social network such as Facebook, whenever you use a function integrated with an Enervit website (e.g. Facebook Connect) and whenever you interact with us via a social network. To find out more about how Enervit obtains your information from third-party social networks or to stop sharing this social-media information, please visit the website of the social network in question.
- Payments and financial information. All the information that we need to fulfil an order or that you use to place one, e.g. your credit or debit card details (cardholder name, card number, expiry date, etc.) or other available payment methods (if any). We handle all payment and financial information in accordance with all applicable laws, regulations and safety standards, e.g. the data protection standards in the payment card sector.
- Telephone calls to Customer Services. Calls to Customer Services may be recorded, in line with the applicable laws, for local operational purposes (e.g. for quality or training purposes) and, in certain cases, to obtain proof of consent for direct marketing or profiling. Payment card details are not recorded. Where the law requires, we shall inform you when calls are recorded at the start of your call, and you will be able to decline.
- WHY WE PROCESS YOUR PERSONAL DATA
The Company processes your personal data specifically in order to provide services for the following purposes:
- Selling Enervit products and providing customer service. Our sales and customer services efforts involve using Enervit customers’ general personal and contact details (forename, surname, email address, telephone number, delivery address, billing details and order history).
- Fulfilling orders. We use your personal data to fulfil and ship your orders, to inform you about the status of your orders and deliveries (which may involve a link to the shipper’s web platform), to enable you to view your order history and amend addresses, and to perform identity checks and other fraud-prevention activities. This involves the use of certain personal and payment method information.
- Compliance with accounting and tax obligations. We are required by law to comply with specific administrative, accounting, tax and other obligations.
- Marketing – Company promotional and commercial messages. We use your personal data – with your specific consent – to send you commercial messages about goods or services and to offer you exclusive promotions. This may be done via email, the post, advertising, text messages or telephone calls, as permitted by law. Some of our marketing campaigns may appear on third-party websites and/or social-media sites. This use of your personal data is voluntary; therefore, you may object to having your data processed for these purposes. We use your personal data when you interact with third-party social-media functions, e.g. by clicking on “Like” buttons, in order to send you advertising. To find out more about how these social networks operate, including the profile data that we obtain about you and how you can exercise your rights against them, you can read the privacy policies of the social networks that you use.
- Marketing – Promotional and commercial messages from third-party companies. With your specific consent, we send your personal data to third-party companies and/or individuals that Enervit works with or has partnership agreements with. Those third parties may process your data in order to send you newsletters or other commercial, promotional, marketing or general information about their products.
- Profiling (offline and online). With your express consent, we use your personal data (i) to analyse your preferences, habits and consumption choices, (ii) to anticipate your needs based on our analyses of your profile, (iii) to enhance and personalise your experience on our websites and apps, and (iv) to enable you to use interactive functionality, when you wish. For example:
- We record your access ID / email address or user name so that you can access our website immediately the next time you visit and retrieve the products previously added to your cart.
- We automatically generate an email to remind you about products that you left in your cart.
- We send you an email or notification with personalised promotions once you access your personal area.
Based on this type of information and with your consent, we show you content or specific promotions from Enervit based on your interests. This use of your personal data is voluntary; therefore, you may object to having your data processed for these purposes.
- Other general purposes (e.g. internal research, analysis and security). We perform internal commercial analyses, including data analyses, research projects and trend analyses for statistical purposes and as surveys, e.g. collecting demographic information about users, information on age, willingness to spend, measuring the effectiveness of advertising campaigns, the amount of time that users spend on web pages, and how they browse the website. That data will be anonymised, and the aggregated information cannot be linked to any specific user.
- LAWFUL BASIS FOR PROCESSING
The lawful bases for processing users’ personal data for the above purposes include:
- to fulfil a contract, including for the purposes in section 3, points a) and b);
- to fulfil one or more of Enervit’s legal obligations, including for the purposes in section 3, point c);
- your consent, such as for the purposes in section 3, points d)–f);
- to pursue Enervit’s legitimate interests, including for the purposes in section 3, point g).
- WHY YOUR PERSONAL DATA IS NEEDED AND WHAT HAPPENS IF YOU REFUSE TO PROVIDE IT
You must provide the personal data that the Company needs to execute its contractual (section 3, letters a)–c)) or legal obligations (section 3, point d)) regarding the services, so no specific consent is needed to that end under GDPR article 7. Nor is consent required for data processed in the Data Controller’s legitimate interest (section 3, point g)). In these scenarios, if you do not provide your personal data or if you do not let us process it, then we shall be unable to enter into a contract with you, and you will be unable to receive our services.
In other scenarios, you will be asked for consent for the Company to use your personal data (section 3, points d)–f)). You do not have to provide your personal data for those purposes, so if you do not do so or if you do not let us process it, then the Company will still be able to enter into a contract with you. The Company and the other companies in the Enervit group and any third-party companies will not, however, be able to update you about events, new product/service presentations, promotions, etc., nor will you be able to receive invitations, advertising, information or other publications that might interest you.
Your personal data may also be used, with no need for your prior consent, if it comes from public registers, lists, records or documents accessible to anyone and, in any event, if the data is processed (not including dissemination) to assert or defend the Company’s rights in a court of law.
- HOW WE PROCESS YOUR PERSONAL DATA
Your personal data is processed by people with the necessary training in personal data processing. They may be employees, contract staff or external consultants specifically appointed by the Data Controller as Data Supervisors or Appointed People within the context of their respective roles. Your personal data is also processed using electronic, automated, telematic and digital means and, in any event, for reasons strictly related to the above purposes, in order to keep the personal data confidential and secure. The Company processes data lawfully, transparently, meticulously and proportionately, with honesty and integrity, only where the processing is relevant to and necessary for the purposes involved, while safeguarding your privacy and your rights.
- KEEPING YOUR DATA
We shall keep your personal data for the period of time permitted by law or by regulations, where applicable, and in any event for no longer than is strictly necessary for the purposes involved and in line with Enervit’s Data Retention policy. Your personal data will be processed and kept in electronic storage systems at the Company headquarters and at the offices of the professionals and/or service companies to which your personal data is sent for the above purposes and in line with our supplier/consultancy agreements with them.
- WHO CAN RECEIVE YOUR PERSONAL DATA
To comply with specific legal obligations or for reasons strictly instrumental to the execution of the contract with the Company, your personal data gathered in the process of supplying the service may be shared for the above purposes with the following recipients:
- freelance professionals and advisors providing legal, tax and commercial services;
- banks and financial institutions;
- service suppliers and other third parties, where strictly necessary for the above purposes, or to parties permitted to access the data under secondary or European Union law;
- Enervit group companies;
- the Fondazione Paolo Sorbini food science foundation;
- social media (e.g. Facebook).
The service suppliers are external companies that we use to help run our business (for order fulfilment, payment processing, fraud monitoring, identity verification, credit recovery, developing or operating our website, support services, promotions, data analysis, customer services, etc.). The service suppliers and their appointed personnel may access and use your personal data only on our behalf and in line with our instructions. These recipients are obliged to keep your personal data confidential and secure.
- TRANSFERRING DATA WITHIN THE GROUP
To comply with specific legal obligations or for reasons strictly instrumental to the execution of the contract, your personal data may be shared with other companies in our group. If your data is sent outside the EU, then your rights will be safeguarded and protected to the same extent as under the GDPR.
- YOUR RIGHTS
You may exercise your rights regarding your data under GDPR article 15 at any time, i.e.:
- to ask the Data Controller for access to your personal data, to have it corrected or deleted, or to restrict how it is processed;
- to object to having your personal data processed;
- to exercise your right to data portability;
- to withdraw your consent at any time (without affecting the lawfulness of the processing carried out based on your consent before you withdrew it);
- to complain to a supervisory authority.
You can exercise the above rights by contacting the Data Controller informally via email at email@example.com or by post at Via Achille Papa 30, 20149 Milan, Italy.