This policy also constitutes the policy provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”).
The policy is provided only for the website www.savetheduck.com, and not also for other third-party websites that may be accessed by the user through links published thereon.
Detailed policy is provided separately in relation to particular functionalities or data release forms or specific services (for example, “newsletter” and “cookie”).
1. CONTROLLER OF DATA PROCESSING – CONTACT DETAILS
The data controller is Save The Duck S.p.A., with registered office in Via Arcivescovo Calabiana, 6, Milano, Italy, fiscal code and VAT number 07853840960 (the “Controller” or “STD”). To request information about the processing of your personal data, you can contact the Controller or send inquiries/questions to the email address firstname.lastname@example.org.
2. CATEGORIES OF DATA PROCESSED – PURPOSE AND LEGAL BASIS FOR PROCESSING
2.1 Browsing data
During their normal operation, the computer systems and computer programs used to operate the Website acquire some personal data whose transmission is implicit in the communication protocols of the Internet. Such information is not collected to be associated with identified data subjects, but by its very nature it could allow users to be identified through processing and association with data held by third parties. This category of data includes IP addresses or domain names of computers used by users who connect to the Website, URI (Uniform Resource Identifier) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the response from the server (successful, error, etc.) and other parameters regarding the operating system and computer environment. Browsing data will be collected exclusively in the legitimate interest of allowing the user to enjoy the content published on the Controller's Website and its proper administration and management.
2.3 Voluntarily provided personal data
The optional, explicit and voluntary sending of electronic mail to the addresses indicated on this Website implies the subsequent acquisition of the sender's address, necessary to respond, and any other personal data included in the message.
If the voluntary contact by the user takes place by filling out the form in the “contact us” section, personal data released in the fields with compulsory completion (for example, name, email, phone number), as well as information voluntarily rendered in the field with free completion, will be processed; in this regard, please do not release sensitive information or information related to third parties, nor statements that are offensive to the decorum or dignity of others. The legal bases of the processing are, therefore, the need to fulfill the pre-contractual requests made by the data subject (Art. 6, par. 1, lett. b, of the GDPR) as well as the legitimate interest of the Controller to respond to data subject’s received communications (Art. 6, par. 1, lett. f, of the GDPR).
Should the user intend to fill out a web form that the Website offers for particular services, he/she may consult the detailed information notice before submitting the form containing his/her personal data.
2.4 Account creation and purchase of STD’s products
It is not required to create a personal account for using the Website. However, each user has the chance to create his/her own personal account and become a registered user; through a personal account the user can view his/her orders and saved addresses as well as request returns of purchased products.
When creating your personal account, you will be asked to enter the following registration information:
- First name and Surname*;
- e-mail address*;
- Birth date,
Personal data voluntarily provided at the execution of an order relating to the purchase of a product through the Website are collected and processed, and consist of those data collected by sending emails, interacting with Website features/functions, and requesting services and/or products offered by the Website. Personal data that are processed for the purpose of executing and performing purchases of STD’s products through the Website include first name, surname, fiscal code, email address, address, phone and/or mobile phone number, bank details and information regarding orders submitted to STD and, in general, the contractual relationship with STD.
Should any information referring to third parties be collected, processed and disclosed to us, you must do so in accordance with the provisions of the applicable legislation, including the GDPR and, therefore, you must give them prior notice of the processing and, if necessary, you must collect free and express consent before processing.
2.6 Marketing and profiling
By virtue of your consent (optional and revocable at any time):
phone call with an operator, as well as through targeted advertising carried out through digital platforms, social networks and, in general, advertising carried out by digital methods and/or tools, none excluded;
(b) STD may collect information about your preferences, habits, lifestyles, as well as the details of purchases made in order to use them for the creation of group and individual profiles (“profiling”) and the sending of personalized communications; such activity will be carried out through email (including in the form of newsletters), MMS, SMS or similar modalities, traditional mail, phone calls with an operator, as well as through targeted advertising carried out through digital platforms, social networks and, in general, advertising carried out through digital methods and/or tools, none excluded.
Personal data will only be processed if one of the legal prerequisites provided in the current legislation is met, and specifically:
(i) for the management of pre-contractual fulfilments, for the execution and performance of an agreement to which the user is a party with respect to the purchase of the products offered on the Website, as well as the provision of any services for registered users, as well as to fulfill pre-contractual requests of the data subject (Art. 6, par. 1 lett. b) of the GDPR). Assistance on contracted services and products (and any complaints) is also included in this field and, in general, the processing of any customer requests and the management of interactions that occur in the context of the contractual or commercial relationship is included;
(ii) to comply with a legal obligation to which the Controller is subject within the scope of its purposes (Art. 6, par. 1, lett. c), of the GDPR);
(iii) for the legitimate interest of the Controller in order to ensure the browsing and registration activity for registered users, to prevent and prosecute fraudulent activities, to process requests for information solicited by the data subject, to defend a right or interest of the Controller before any competent authority or entity (including for debt collection purposes), as well as to proceed to the direct offer of products or services similar to those object of previous purchase, limited to the email coordinates provided in the contractual/commercial context and subject to opposition to such processing (soft spamming), as well as for customer archive management and statistical processing, in aggregate form, for internal purposes (Art. 6, par. 1, lett. f), of the GDPR);
(iv) based on the consent of the data subject with respect to marketing and profiling activities referred to in section 2.6 above (Art. 6, par. 1, lett. a), of the GDPR).
3. OPTIONAL OR MANDATORY NATURE OF PERSONAL DATA PROVISION
you from using some of the services reserved for registered users.
In addition, it will be necessary to process the personal data indicated in section 2.5 for the purpose of carrying out the contractual relationship arising from the purchase of STD products. The provision of such data is a contractual obligation: the user is free to provide the data or not, but without the required data it will not be possible to conclude or execute the contract and the requests.
In relation to the purposes referred to in section 2.6 above (marketing and profiling), the provision of data is merely optional and its processing is based on consent, which is optional and revocable at any time.
Failure to give consent will not entail any consequence, but only the impossibility of receiving from STD advertising material or offers related to products and/or services of the Controller, including personalized newsletters. Without prejudice to the foregoing, it is understood that, in the event of a refusal to consent to the processing of personal data for the purposes referred to above, the Controller may still use the personal data solely for the purpose of properly fulfilling its obligations under applicable laws and obligations arising from contractual relationships established with the Controller and/or for the pursuit of its own legitimate interest. Any consents given for the purposes set forth in Section 2.6 may be revoked at any time, it being understood that any subsequent revocation of consent will not affect the lawfulness of the data processing carried out during the period prior to such revocation.
4. PROCESSING MODALITIES AND PROCESSING AUTHORIZED SUBJECTS – STORAGE PERIOD
The processing of personal data is carried out in a lawful, correct, and confidential manner and is done for purposes that are determined, explicit, legitimate, and not exceeding the purposes indicated in this document. The processing of personal data is carried out with the help of paper, optical, computer and telematic media, possibly also in the cloud, as well as through automated and computerized procedures, always, however, according to criteria of maximum fairness and security, in accordance with the provisions of the applicable legislation on the protection of personal data and through appropriate technical and organizational measures suitable to prevent the destruction or loss of data, illicit or incorrect use and unauthorized access.
Any IT service providers who may - for reasons of support, maintenance or rescue - come into contact with personal data, will be expressly authorized by the Controller, and will operate under strict contractual obligations or as data processor under the GDPR. The e-commerce service through the Website is managed by the company Shopify, which has been designated as a data processor under Article 28 of the GDPR.
In order to achieve the purposes stated herein, your personal data may be disclosed, including abroad, to the entities or categories of entities listed below and always only in connection with the implementation of the purposes stated in paragraph 2 above:
(a) public authorities, administrations and/or agencies to carry out legal or secondary and EU regulatory fulfillments;
(b) any suppliers, subcontractors, business partners, collaborators in various capacities of the Controller, as part of the implementation of the supply activities provided for in the contracts with customers, of the implementation of technical and design analysis with reference to your requests for contractual services. These subjects may operate as autonomous data controllers or data processors designated by the Controller in accordance with Article 28 of the GDPR;
(c) external parties who carry out in Italy or abroad specific tasks on behalf of the Controller (such as, but not limited to, certification of financial statements, invoicing and filing of invoices, shipping of documents and materials, insurance coverage, debt collection, legal/accounting/tax consulting, crediting and/or debiting of economic entitlements). These subjects may act as autonomous controllers or as data processors designated by the Controller pursuant to Art. 28 of the GDPR;
the data required for electronic invoicing will be transferred to the e-Invoicing service provider appointed as data processor pursuant to Art. 28 of the GDPR, which will automatically forward them to the Interchange System of the Internal Revenue Agency (“Sistema di Interscambio dell’Agenzia delle Entrate”);
(d) entities, consortia, associations and bodies, operators of authorized credit information systems, having the purpose of credit protection.
To find out the identity, activities carried out and the framework under the GDPR of third parties who may process your personal data, you can submit a specific request to the email address email@example.com.
Personal data will be stored until the purposes for which they were collected are achieved, and in particular:
- with regard to the personal data referred to in Section 2.1, they are kept for the short time necessary for the use of the Website and could be used to ascertain liability in case of hypothetical computer crimes against STD; thereafter, the data are kept only in anonymous form for statistical interest only;
- with respect to the personal data referred to in Section 2.3, it will be retained for as long as necessary to comply with any requests from the sender or matters therein submitted to the Controller and, in any event, for as long as required by specific legal provisions;
- with respect to the data of the user who has created an account as set forth in Section 2.4, such data will be retained as long as the account is active to the extent strictly necessary to provide the user with the features described above; even after the account is closed, the data may be retained, if necessary, for the purpose of complying with obligations imposed by laws or regulations, to protect the rights of the Controller, to prevent fraud, or to enforce this policy;
- with regard to data relating to or connected with relationships of a contractual nature, they will be processed and stored for the entire duration of the contractual relationship and, thereafter, for the maximum time provided for by the applicable legal provisions regarding the statute of limitation (including in the administrative-fiscal field) and, in general, for the exercise/defense of the rights of the Controller in disputes promoted by public authorities, public subjects/entities and private parties; the term of retention of personal data will not, however, exceed 10 years from the termination of the contractual relationship, unless legal protection needs arise or changes in the terms of law occur;
- with regard to marketing and profiling purposes referred to in section 2.6, personal data will be retained until consent is revoked.
5. PLACE OF PROCESSING AND TRANSFER OF DATA ABROAD
The processing operations related to the web services of this Website (physically placed in hosting at the servers of the company Shopify, a company designated as a data processor under Article 28 of the GDPR) take place at the headquarters of the Controller.
Should the Controller use other web service providers located outside the EU or the European Economic Area (EEA) that have access to some personal data of the users of the website, the Controller will provide them with full information and will verify that every measure (contractual and non-contractual) appropriate and necessary to ensure an adequate level of protection of their personal data is taken in accordance with and in the manner indicated by Chapter V of the GDPR and, in any case, by the legislation in force at the time regarding the protection of personal data.
In any case, you may always request more information about the identity of non-EU third parties who may know/process your personal data and the activities they carry out by making a request to the Controller at firstname.lastname@example.org.
6. RIGHTS OF DATA SUBJECTS
As a data subject, you have the right to ask the Controller for access to your data, rectification, deletion of your data, restriction of processing or to object to the processing of your data under the conditions set out in Articles 15, 16, 17, 18, 21 of the GDPR. Finally, you have the right to lodge a complaint with a Supervisory Authority if you believe that the processing concerning you violates the legislation applicable to the protection of your personal data. To request information about data processing or exercise your rights to your data, please contact the Controller at email@example.com.
The information provided here may be subject to revision as a result of:
- changes in data protection regulations, for the aspect of interest here;
- technological implementations adopted by the Controller that impact the current processing methods;
- organizational changes in the structure of the Controller that may affect the data subject.