In general, any information or Personal Data that you provide to ELI, the Data Controller, through the Website will be processed in accordance with the internationally recognized principles of lawfulness, fairness, transparency, purpose limitation and storage, data minimization, accuracy, integrity and confidentiality.
ELI wishes to inform you that, pursuant to Article 13 of (EU) Regulation 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data (hereinafter the "European Regulation"), it needs to proceed to the processing of certain personal data collected automatically or provided through the navigation or use of the Website.
TYPE OF PERSONAL DATA PROCESSED
In order to allow the use of the Website and its services, including the possibility to make purchases, and to get in touch with ELI, the Data Controller needs to know and process certain Personal Data.
As a result of browsing the Website, we inform you that ELI will process your Personal Data, - IP addresses or domain names of the computers used by users who connect to the Website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment.
These data, necessary for the use of the Website, are processed for the sole purpose of obtaining statistical information on the use of the Services (most visited pages, number of visitors per hour or per day, geographical areas of origin, etc.) and to check the correct functioning of the Services offered.
Navigation data do not persist for more than seven days and are deleted immediately after their aggregation, except in the event of the need to ascertain crimes by the judicial authorities.
Data provided voluntarily by the user
In order to allow the use of the Website, ELI processes the following personal data:
To register to the personal area "my account": e-mail, password, gender, date of birth. If you purchase products from the Website, you will also be asked for your billing address and shipping address, if different;
To subscribe to the newsletter: e-mail address, (first) name, (last name) surname, and gender;
To take advantage of support services through Costumer Care: the personal data that will be communicated to provide the requested assistance.
The optional, explicit and voluntary sending of e-mail messages involves the acquisition of the sender's name and surname and his or her e-mail address, which is necessary in order to respond to requests, as well as any other personal data included in the e-mail message.
PURPOSE OF PROCESSING AND LEGAL BASIS
The personal data in the possession of the Data Controller are exclusively those provided during navigation on the Website and during the use of its Services.
Personal data are processed for the following purposes:
A) To conclude and execute the contract of purchase of the goods offered through the Website and is necessary in order to invoice the purchase and to be able to deliver the ordered products to you. The provision of personal data for this purpose is mandatory for the conclusion of the purchase contract. In fact, in the event of failure to confer, it would not be possible to process the order.
The legal basis of data processing is the need to execute a contract to which you are a party and the need to comply with legal obligations.
B) To allow registration in the personal area "my account" within the Website and the use of the Services reserved for registered users is necessary in order to provide you with the Services. The provision of personal data for this purpose is optional. However, in the absence of such consent, you will not be able to take advantage of the convenience and all the Services offered to you through your personal area. The legal basis for the processing is your explicit consent to the processing of your personal data.
C) To manage requests forwarded to Customer Care both for general information (through the Contact Form) and for after-sales service. The provision of your personal data for this purpose is optional. However, in the absence of such consent, it will not be possible for the Controller to process the requests that you decide to make to our Customer Care.
The legal basis of data processing is your express consent to the processing of your personal data or to comply with legal obligations under consumer legislation for after-sales service.
D) With your express consent, use your e-mail address to send commercial communications about products and Services, updating you on news, new arrivals, exclusive products, our offers and promotions. Data processing for this purpose is carried out by the Data Controller, the provision of personal data for this purpose is optional. However, in the absence of such consent, it will not be possible for the Data Controller to keep you constantly updated on offers and promotions reserved for our customers.
The legal basis of data processing is your express consent to the processing of your personal data.
G) With your express consent, use your e-mail address to offer you advances and commercial offers in line with your purchasing preferences. This personalization will be carried out through the analysis of the precedents. Data Processing for this purpose is carried out by the Data Controller. The provision of your personal data for this purpose is optional. However, in the absence of such consent, it will not be possible for the Data Controller to send you offers in line with your tastes and preferences.
The legal basis of data processing is your explicit consent to the processing of personal data.
Personal data may be processed both through computer tools and paper media.
PERIOD OF STORAGE OF PERSONAL DATA
The Data Controller intends to store personal data for no longer than is necessary for the achievement of the purposes for which they were collected and processed.
With this in mind, in compliance with the regulatory provisions in force, including accounting provisions, the Data Controller will keep your personal data acquired through the sale of its products for a period not exceeding 10 years. Subsequently, we will provide for their cancellation, or their transformation into anonymous form in a permanent and non-reversible way.
With regard to the processing of your personal data for the purposes of direct marketing, if it has been explicitly authorized, in compliance with regulatory requirements and the General Provision of the Italian Guarantor for the protection of personal data adopted on 24 February 2015, the Data Controller has established to provide for the cancellation of your personal data processed for direct marketing purposes within 24 months of their registration. Personal data processed for profiling purposes, on the other hand, will be deleted 12 months after registration.
With regard to the other personal data, not being able to determine with precision the period of conservation of your personal data, the Data Controller commits as of now to inspire the processing of your personal data to the principles of adequacy, pertinence and minimization of data, as required by the European Regulation, verifying annually the need for their conservation. Therefore, once the purposes for which they were collected and processed have been achieved, we will remove them from the systems and records and/or take appropriate measures to make them anonymous, so that you cannot be identified.
This, except where the Data Controller needs to retain such data to comply with regulatory obligations, or to ascertain, exercise or defend our rights in court.
CATEGORIES OF DATA RECIPIENTS
The personal data processed will not be disclosed to third parties. The following persons/entities may, however, become aware of your personal data in relation to the purposes of data processing set out above:
The persons/entities who can access the data by virtue of legal provisions provided for by the law of the European Union or by that of the Member State to which the Data Controller is subject;
The persons/entities that carry out, within the borders of the European Union, in total autonomy, as separate Data Controllers, or as Data Processors appointed by the Data Controller, purposes ancillary to the activities and services referred to in paragraph 4., or bank operators, internet providers, couriers and shippers, companies that carry out marketing activities, companies that offer computer infrastructures and computer support and consulting services as well as design and creation of software and websites, law firms, companies that offer services useful to customize and optimize our services, companies that offer data analysis and development services (including those related to user interaction with our services), service centers, companies or consultants responsible for providing further services to the Data Controller, within the limits of the purposes for which they were collected;
The issuer of the credit card used by you, service providers for anti-fraud monitoring related to the payment process, and (where necessary) for the activation of the procedure for anti-fraud monitoring.
In addition, your personal data may also be disclosed to our employees, provided that they are previously designated as acting under the authority of the Data Controller pursuant to Art. 29 of the European Regulation or as System Administrator.
Any communication of your personal data will take place in full compliance with the legal provisions provided for by the European Regulation and the technical and organizational measures taken by the Data Controller to ensure an adequate level of security.
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
For the provision of its Services, the Data Controller may transfer personal data to third countries. In such case, we undertake to:
Ensure that the country to which your personal data will be sent guarantees an adequate level of protection, as provided for in Article 45 of the European Regulation; or
Use the standard contractual clauses for personal data protection approved by the European Commission for transfers of personal information outside the EEA (these are the clauses approved under article 46.2 of the European Regulation). For more information on the rules for data transfers to third countries, click here.
ANY AUTOMATED DECISION-MAKING PROCESSES
If you consent to profiling, the data you provide may be used by the Data Controller to analyze or predict your preferences and behavior, as well as to detect your GPS location, in order to customize the content of commercial communications and offer only products and offers dedicated to you and in line with your tastes and preferences.
In particular, the following could be detected and analyzed:
The number and type of requests for information on products found on the Website over the last 12 months;
The number and type of products on the Website purchased and the amount of expenses incurred over a 12-month period;
The number and type of visits to the Website over a predetermined time period, including through third party profiling cookies.
RIGHTS OF THE DATA SUBJECT
In relation to the processing of your personal data, pursuant to the European Regulation, the data subject has the right to:
Revoke consent to personal data processing at any time. It should be noted, however, that the revocation of consent does not affect the lawfulness of the processing based on the consent prior to the revocation, as provided for in art. 7, paragraph 3, of the European Regulation;
Ask the Data Controller for access to personal data, as provided for by art. 15 of the European Regulation;
Obtain from the Data Controller the rectification and integration of personal data deemed to be inaccurate, even by providing a simple supplementary declaration, as provided for by art. 16 of the European Regulation;
Obtain from the Data Controller the cancellation of personal data if there is even only one of the reasons provided for by art. 17 of the European Regulation;
Obtain from the Data Controller the limitation of personal data processing in the event of one of the cases provided for by art. 18 of the European Regulation;
Receive from the Data Controller the personal data concerning you in a structured, commonly used and machine-readable format, as well as the right to transmit such data to another data controller without hindrance, as provided for by art. 20 of the European Regulation;
Object at any time, for reasons related to your particular situation, to the processing of personal data carried out pursuant to article 6, paragraph 1, letters e) or f), including profiling on the basis of these provisions, as provided for in Article 21 of the European Regulation;
Not to be subjected to decisions based solely on automated processing, including profiling, which produce legal effects concerning you, if you have not given your prior and explicit consent, as provided for by art. 22 of the European Regulation. By way of example and without limitation, this category includes any form of automated processing of personal data aimed at analyzing or predicting aspects concerning consumption and purchase choices, economic situation, interests, reliability, behavior;
Lodge a complaint with a supervisory authority (art. 77) or take legal action (art. 79), if you believe that the processing of your personal data violates the European Regulation. The complaint may be lodged in the Member State in which you normally reside or work or in the place where the alleged infringement occurred.
P To exercise each of your rights, you may contact the Data Controller, in the person of the legal representative, by sending a communication to the address, providing the following personal data:
- (First) name, (last name) surname, and postal address;
- Details of the request;
- Purchase number;
- Photocopy of a valid identity document.
CONSENT OF CHILDREN IN RELATION TO THE SERVICES OF THE INFORMATION SOCIETY
Childrenunder the age of sixteen (16) are expressly prohibited from using the Services provided through the Website. In view of the technologies available and the Services provided, ELI has put in place systems to verify that children's consent to the processing of their personal data has been given or authorized by the person exercising parental authority. By registering or purchasing on the Website, you confirm that you have reached the legal age in your country of residence.
DATA BREACH POLICY
In the event of a personal data breach, the autonomous Data Controller has set up a crisis team and provided specific intervention procedures, in order to quickly resolve the problem and give the user an appropriate communication so that he can take appropriate precautions to minimize the potential damage resulting from the breach.
When notifying you of a breach, you will be provided with:
The name and contact details of the Data Protection Officer or other contact point from which to obtain more information;
Any consequences of the personal data breach;
The measures taken or proposed to be taken by the Legal Representative to remedy the personal data breach and also, if applicable, to mitigate its possible negative effects.
The Data Controller will proceed to a public communication, or similar measure, and will not be obliged to inform the user when adequate technical and organizational protection measures are put in place on the data subject to the breach, when measures are subsequently adopted to avoid new high risks for the user's rights, when the communication would require disproportionate efforts. In any case it will evaluate the opportunity, even if not strictly compulsory, to keep the user updated.
The Data Controller will also proceed to communicate, within 72 hours and where necessary, the violation to the Privacy Guarantor.
For this reason, if a Data Controller or a Sub-Controller becomes aware of the violation, they are obliged to communicate the violation within 24 and 12 hours respectively from the discovery of the fact.
Any violation of personal data can be communicated by writing to firstname.lastname@example.org .