1. Foreword
The company Stefano Ricci S.p.A., holding company of the Stefano Ricci Group, takes the protection of your personal data very seriously. The Company’s objective is to ensure the protection of the personal data of its website users at all times, since data relating to identified or identifiable persons may be processed as a result of its consultation. Pursuant to Regulation (EU) 2016/679 (hereinafter the “Regulation” or “GDPR”), this page describes the methods for processing the personal data of users who browse the Stefano Ricci S.p.A. Website, which is accessible via electronic means at the following address: www.stefanoricci.com (“Site”). This information does not apply to other sites, pages or online services that can be reached via hyperlinks that may be published on the site, but which refer to resources outside the Company’s domain.

2. Purposes, legal basis for data processing; retention period, mandatory or optional nature of processing

Stefano Ricci will process user data for the following purposes:

a) To provide users with the products and services purchased and to send communications relating to orders or payments.
For this purpose, the Data Controller will process the following user data: name, surname, tax code and/or VAT number, place and date of birth, physical and electronic address, landline and/or mobile telephone number.
The legal basis for this processing is the fulfilment of the contract (Art. 6.1.b GDPR).
The retention period of the user’s data for the above purposes is equal to the period necessary to process the order, it being understood that, once this period has expired, the Data Controller may retain the data for the purposes and maximum retention periods set out in the other sections of this policy, if relevant, and/or, in any case, in the cases established by the GDPR or the law.
The provision of data for the above-mentioned purpose is optional, there is no legal or contractual obligation to communicate the data; it is, however, a necessary requirement for the conclusion of the purchase contract on the Site: failure to communicate the data will make it impossible for users to conclude such contract.

b) To enable users to register on the Site.
For this purpose, the Data Controller will process the following user data: name, surname, tax code and/or VAT number, place and date of birth, physical and electronic address, landline and/or mobile telephone number.
The legal basis for this processing is the execution of pre-contractual measures taken at the request of the data subject (Art. 6.1.b GDPR).
For this purpose, the Data Controller shall process user data for the time strictly necessary to perform the individual processing activities (e.g.: registration data shall be processed until the account is closed, taking into account the technical time required for this), it being understood that, once this period has expired, the Data Controller may retain the data for the purposes and for the maximum retention periods set out in the other sections of this policy, if relevant, and/or, in any case, in the cases established by the GDPR or the law.
The provision of data for the above-mentioned purpose is optional, there is no legal or contractual obligation to communicate the data, but any refusal by users to provide such data will make it impossible to register on the Site and use the services reserved to registered users.

c) To provide users with the necessary after-sales service in compliance with the applicable product warranty legislation.
For example, we will use user data to provide support, handle returns and/or repair the products purchased in accordance with applicable law.
The legal basis for this processing is compliance with legal obligations (Consumer Code) and the retention period is as long as required by the legislation (the Consumer Code in particular).
For this purpose, the Data Controller shall process the following personal data concerning users who have purchased on the site: name, surname, tax code and/or VAT number, place and date of birth, physical and electronic address, data relating to the product purchased.

d) For administrative/accounting purposes in relation to purchases on the Site
The Data Controller, in the event of a purchase on the Site, shall process users’ personal data for the purpose of fulfilling administrative/accounting and/or fiscal obligations connected with the contract of purchase on the Site.
For this purpose, the Data Controller shall process the following personal data concerning users who have purchased on the site: first name, last name, tax code and/or VAT number, place and date of birth, physical and electronic address.
The legal basis for this processing is the fulfilment of legal obligations to which Stefano Ricci is subject (Art. 6.1.c GDPR). The provision of data for the purpose in question is compulsory, because their processing is necessary to allow Stefano Ricci to fulfil its legal obligations. Any refusal to provide data for this purpose will make it impossible for users to make purchases on the Site.
For this purpose, the Data Controller shall retain user data until the expiry of the legal terms provided for the performance of each administrative-accounting and fiscal fulfilment and/or for the retention periods provided for by law.

e) For general assistance and customer care activities in relation to purchases on the Site and therefore to respond to requests for information from users or to respond to complaints, reports and disputes.
For this purpose, the Data Controller shall process the following data concerning users: name, surname, tax code and/or VAT number, physical and electronic address, order identification code, data relating to the product purchased.
The legal basis for this processing is the execution of pre-contractual measures taken at the request of the data subject (Art. 6.1.b GDPR) or, as the case may be, the legitimate interest of the Controller (Art. 6.1.f GDPR). It is in fact in the legitimate interest of Stefano Ricci to respond to requests for information and/or reports and/or complaints of Site users. The legitimate interest of Stefano Ricci, thus identified, may therefore be deemed to prevail over the fundamental rights and freedoms of the data subject, also on account of such reasonable expectations.
In any case, customers have the right to object – for reasons related to their personal situation – to the processing of their personal data for the purpose of assistance and customer care at any time by writing to the Data Controller at the addresses indicated in section 3.
For this purpose, the Data Controller will retain customer data for the time strictly necessary to carry out the requested activities (e.g. for the time required to provide the requested information).
The provision of data for the above-mentioned purpose is optional, there is no legal or contractual obligation to communicate the data; however, given the purpose of the processing, failure to communicate the data and/or exercise the right to object may make it impossible to respond to customers’ requests.

f) For the purpose of ascertaining, exercising or defending a right in relation to purchases on the Site
For this purpose, the Data Controller shall process the following data concerning users who have purchased on the site: name, surname, tax code and/or VAT number, place and date of birth, physical and electronic address, order identification code, data relating to the product purchased.
The legal basis for this processing is legitimate interest (Art. 6.1.f GDPR). It is in the legitimate interest of the Data Controller to pursue remedies to ensure that its contractual rights are respected or to demonstrate that it has fulfilled its obligations under the contract of purchase on the Site. This legitimate interest is based on the constitutionally protected right of defence and can therefore be considered to take precedence over the fundamental rights and freedoms of the person concerned. In any case, users have the right to object – for reasons related to their personal situation – to the processing of their data for this purpose, by writing to the Data Controller at the addresses indicated in section 3 above.
Users are informed that the Data Controller will retain the data for the purpose of proving the fulfilment of the purchase contract on the Site and/or to initiate or respond to actions relating to this contract; for this purpose the data will be retained for 10 years from the delivery of the product or from the termination of the contract if the product is not delivered. The provision of data for this purpose is optional: there is no legal or contractual obligation for data subjects to provide data for this purpose.

g) To enable users to exercise rights
The Data Controller shall process user data in order to: give feedback to requests to exercise the right of withdrawal and/or requests to exercise the legal guarantee of conformity and/or other rights arising from the purchase contract; carry out the activities that prove necessary as a result of the exercise of these rights and to proceed, where appropriate, to the relevant refunds; receive and give feedback to requests to exercise the rights regarding the protection of personal data provided for by the GDPR. For this purpose, the Data Controller will process the following data relating to users: name, surname, tax code and/or VAT number, place and date of birth, physical and electronic address, fixed and/or mobile telephone number. The legal basis for this processing is the fulfilment of legal obligations (Art. 6.1.c GDPR – Consumer Code). The provision of data for the purpose in question is compulsory, because their processing is necessary to allow the Controller to fulfil legal obligations and users to exercise the rights that the law or the contract attributes to them. Any refusal to provide data for this purpose will make it impossible for users to exercise these rights. For this purpose, the Data Controller shall retain user data until the expiry of the legal deadlines provided for the exercise of rights, i.e. for the time necessary to manage and close the file; in the case of exercising the rights provided for by the GDPR, the data shall be processed until the data controller certifies that it has fulfilled the request or fulfilment itself.

h) For marketing purposes
Subject to consent, the personal data provided by users by filling in the Company’s forms will be entered into the centralised CRM system and will be processed by the Data Controller to send, via traditional means of contact (ordinary mail and telephone) or via e-mail, news about events and promotions, commercial communications, advertising material, catalogues, including newsletters. For this purpose, the Data Controller will process the following data concerning users: first name, surname, physical and/or electronic address, landline and/or mobile telephone number.
The legal basis for this processing is the explicit consent of users in accordance with Art. 6, par. 1 lett. A (GDPR). The provision of personal data for this purpose is entirely optional and does not affect the use of the Company’s services or the ability of users to make purchases.
In any case, users have the right to object at any time, as well as the right to revoke their consent to the processing of data for this purpose, without any prejudice to the lawfulness of the processing carried out before the revocation, by writing to the addresses indicated in section 3, or through the Privacy Settings contained in the Personal Area, or using the “unsubscribe” link found in all of the Company’s electronic marketing communications. For this purpose, the Data Controller may process the data until consent is revoked or the user unsubscribes from the newsletter, and shall retain the data for no longer than 24 months from the date of registration. At the end of this period, or following revocation of consent or unsubscription in relation to this purpose, personal data will no longer be processed for this purpose, but will continue to be processed for the other authorised purposes.

i) For profiling for marketing purposes
Subject to consent, the personal data provided by the users who have created an account on the Website will be entered in the centralised CRM system and will be processed by the Data Controller to analyse the geographical area, preferences and purchasing habits in order to send, through traditional means of contact (ordinary mail and telephone) or via e-mail, communications and personalised commercial proposals and invitations to events organised by the Stefano Ricci Group.
For this purpose, the Data Controller will process the following user data: name, surname, tax code and/or VAT number, place and date of birth, physical and electronic address, landline and/or mobile telephone number.
The legal basis for this processing is the explicit consent of users in accordance with Art. 6, par. 1 lett. A.
The provision of personal data for this purpose is entirely optional and does not affect the use of the Company’s services or the ability of users to make purchases. In any case, users have the right to object at any time, and to revoke their consent to the processing of their data for this purpose, without any prejudice to the lawfulness of the processing carried out before the revocation, by writing to the addresses indicated in section 3, or through the Privacy Settings contained in the Personal Area. For this purpose, the Controller shall process personal data until consent is revoked and shall store them for no longer than 12 months from the date of their registration. At the end of this period, personal data will no longer be processed in relation to this purpose, but will continue to be processed for the other authorised purposes.

j) To satisfy and manage requests for spontaneous applications from users sent via the “submit your application” form on the Site
The data provided by users when submitting spontaneous application requests by filling in the “Submit your application” form on the Site will be processed by the Data Controller solely for the management of selection procedures for new employees or collaborators.
For this purpose, the Data Controller will process the following data relating to candidates: name, surname, place and date of birth, tax code and/or VAT number, landline and/or mobile telephone number, physical and electronic address, language, curriculum vitae data, data relating to health status. The Data Controller may use some of the candidates’ personal information for the following communications: sending of e-mails to receive applications; sending of e-mails to reset and/or recover passwords; sending of e-mails to warn of profile and/or application expiry 15 days before the term of 12 months from registration or from the last update of the profile and/or application; sending of e-mails to warn of profile expiry at the end of the 12 months from registration or from the last update of the profile and/or application. The legal basis for the processing of personal data is the implementation of pre-contractual measures taken at the request of the data subject (Art. 6, para. 1 lett. b). The provision of data is optional but, given the purpose of the processing, failure to provide such data will make it impossible to participate in the selection procedure. The data will be processed for the time strictly necessary to achieve the purpose of selecting new employees or collaborators: for this purpose, the data will be kept by the Company for a maximum period of 12 months starting from the registration or from the last update of the profile, after which the data will be deleted.

l) For sending non-commercial communications
The Controller may use some user personal contact information for the following non-marketing communications: sending of emails to reset passwords and usernames; notifying of updates, corrections or incidents that may involve user personal information; notifying of updates to our privacy policy or Terms of Use.

3. Type of data processed
In addition to what is stated in the above sections of this policy, the personal data that may be processed through the Site are the following:

a. Browsing data
The computer systems and software procedures used to operate the Site acquire, during their normal operation, some Personal Data whose transmission is implicit in the use of Internet communication protocols. This category includes the IP addresses or domain names of the computers used by users connecting to the Website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to user operating system and computer environment. These data, which are necessary for the use of web services, are also processed for the purpose of:
– obtaining anonymous statistical information on the use of the Site;
– checking the proper functioning of the services offered.

b. Data voluntarily provided by users
The optional, explicit and voluntary sending of messages to the contact addresses of the Data Controller, the private messages sent by users to profiles/pages on social media (where this possibility is provided for), as well as the creation of an account and/or the forwarding of requests on the Site, and the subscription to the newsletter where users are not registered, entail the acquisition of the personal data of senders, necessary to provide the requested service and/or to reply, as well as all the personal data included in the communications and in the profile creation forms. Specific information will be published in the pages of Stefano Ricci’s website prepared for the supply of such specific services.

4. Cookie policy
This Site uses technical and profiling cookies. Please consult the Site’s cookie policy, which can be accessed via the “Cookie Policy” link in the Site footer.
With regard to profiling cookies, it should be noted that the Site will process user personal data by means of special profiling cookies only with their explicit consent and for the following purposes:
– display content and advertisements that are personalised on the basis of the preferences expressed by users while browsing the Site and network;
– provide social media features;
– analyse e-shop traffic;
– share information on how users use the e-shop site.
For any further information on cookies, as well as on the procedures for rejecting and/or removing cookies (with the exception of technical cookies), also through the browser settings, and/or on their purpose and/or duration and/or on their providers, we invite users to consult the cookie policy in the Site footer.

5. Recipients of personal data
The subjects to whom the Data Controller communicates the data act as data processors designated by Stefano Ricci (“Data Processors”) or persons authorized to process personal data under the direct authority of Stefano Ricci (“Processors”) or, in the case of third parties used by the Data Processor, as “Sub-Processors”, pursuant to art. 28.4 of the GDPR.
In particular, user personal data may be communicated by Stefano Ricci to the categories of recipients indicated below.
– Persons in charge of providing the Services (e.g. hosting providers or providers of e-mail platforms);
– Persons authorised to carry out technical maintenance (including maintenance of network equipment and electronic communication networks).
– Persons, entities or authorities to whom it is mandatory to communicate personal data by virtue of legal provisions or orders of the authorities;
– personal data may be accessible to other companies of Stefano Ricci Group for the same purposes as above and/or for administrative and accounting purposes pursuant to art. 6 paragraph 1, letter f) and Recitals 47 and 48 of the GDPR.

6. Security of personal data
In order to protect user personal data from unauthorised access, disclosure and alteration, both technical and other security measures have been implemented. These security measures are periodically adapted in an attempt to always offer a high level of security. Nevertheless, users are reminded that, despite all efforts, no security measure is perfect or impenetrable, so the Company cannot in any way be held liable for infringement due to errors, omissions or unauthorised actions of third parties. In addition, and in order to help maintain a high level of security, users are requested to keep their chosen username and password secret at all times and not to disclose them to third parties. Some information regarding users will be stored on servers provided by third parties, currently on a server located at Retelit S.p.A. (Milan – Italy).

7. Data transfer abroad
The Data Controller does not transfer user personal data abroad (non-EU countries).

8. Rights of the persons concerned
Data subjects have the right to obtain from the Data Controller, in the cases provided for, access to their personal data, their rectification, erasure, restriction of processing, portability, as well as the right to object to processing (Articles 15 et seq. of the EU Regulation).
Basically, users may, at any time and free of charge and without any particular charges or formalities for the request, do the following:
– obtain confirmation of the processing carried out by the Controller
– access personal data and know their origin (when the data are not obtained from users directly), the purposes and aims of the processing, the data of the persons to whom they are communicated, the data retention period or the criteria for determining this period
– update or rectify personal data so that they are always exact and accurate
– delete personal data from databases and/or archives, including backup archives, if, among other things, they are no longer necessary for the purposes of the processing or if the processing is assumed to be unlawful, and provided that the conditions laid down by law are met; and in any case if the processing is not justified by another equally legitimate reason
– limit the processing of personal data in certain circumstances, for example where their accuracy is questioned, for the period necessary for the Controller to verify the accuracy. Users must also be informed, in good time, when the period of suspension has expired or the cause of the restriction on processing has ceased to exist, and the restriction has therefore been lifted.

9. Right to complain
Data subjects who believe that the processing of their personal data carried out through this website is in breach of the provisions of the EU Regulation are entitled to lodge a complaint with the Authority for the protection of personal data, as provided for in Article 77 of the Regulation itself.

10. Amendments to this policy
Please note that this Privacy Policy is subject to change from time to time in order to improve the protection of user personal data. In the event of changes, we will update the “last modification date” to indicate when the changes came into effect.
Users are advised to check this Privacy Policy periodically.