1. General provisions

1.1 Introduction

Cosmatic (“Company”) is committed to protecting personal data collected through use of its website www.cosmatic.it (“Website”), in accordance with any national legislation in force on personal data protection (“National Data Protection Laws”) and the EU General Data Protection Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (“GDPR”). This Privacy Policy explains how information and data identifying individuals (“Personal Data”) received by Company through its Website are processed.

1.2 Controller

Company processes Personal Data as a Controller (or Joint Controller, as the case may be), as defined in the National Data Protection Laws and in the GDPR. The identity and contact details of Company are specified in the Website.

1.3 Amendments

The Controller reserves the right to amend and update the Privacy Policy as a result of any further new or revised provisions of any national and EU laws and regulations on personal data protection. The Privacy Policy shall be published on the Website and marked with progressive identification numbers and month of publication. Any new release of the Privacy Policy shall be published on the Website as a replacement of the previous version and shall be valid and enforceable from the publication date, unless otherwise specified.

1.4 Applicable rules

The Controller processes Personal Data in accordance with:

  1. provisions of the GDPR and, in particular, with the principles set forth in the same, such as, inter alia, lawfulness, fairness and transparency, purpose limitation, data adequacy and minimisation, accountability, accuracy, and – prior to any processing activity – the principles of privacy by design and privacy by default;
  2. provisions of National Data Protection Laws in force as of the date of the Privacy Policy;
  3. guidelines and decisions issued by the competent supervisory authority (“Supervisory Authority”).

2. Data subjects and scope of application

2.1 Data subjects

Company processing activities relate to

  1. any individual visiting the Website (“Visitors”); and
  2. any individual/entity with which Company establishes relationships, when registering for Company events and/or signing up for information, informational materials, newsletters and other communications (“Users”).

For the purposes of this Privacy Policy, Visitors and/or Users are to be understood as Data Subjects, as defined in the GDPR and in the National Data Protection Laws.

2.2 Scope of application

The Privacy Policy shall apply to Visitors and/or Users, provided that Company, in its capacity as Controller, is only liable for the processing of Personal Data that falls under its own powers, duties and liabilities. The Privacy Policy shall not be deemed valid and enforceable for any processing activity carried out by third parties whose websites may be reached from the Website.

3. Types and source of processed Personal Data

3.1 Source

Company processes:

  1. in its capacity as Controller, the Users’ Personal Data – as hereinafter specified – provided by Users;
  2. in its capacity as Controller, the Visitors’ Personal Data – as hereinafter specified – as well as any data connected to cookies, used through its Website, according to the Cookie Policy published on the Website.

3.2 Identification data

Company processes Visitors’ and Users’ Personal Data consisting of common Personal Data; sensitive and/or judicial data (as defined in the National Data Protection Laws in force) and/or special categories of personal data, as well as personal data concerning health as defined in the GDPR, are expressly excluded from the Company processing activities under the scope of this Privacy Policy (all these types of personal data are hereinafter jointly referred to as “Special Data”). The Personal Data provided by Visitors and Users may include:

  1. Navigation data, such as IP addresses, domain names of the computers used by any Visitor connecting to the Website, the URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file returned in response, the server status code (success, error etc.) and other parameters related to the Visitors’ operating system and IT environment; these data, however, will only be used to extract anonymous statistical information on the Website and its functionalities and will be deleted immediately at the end of the respective processing activity;
  2. Personal Data provided voluntarily by Users, such as first name and surname (including first name and surname of the legal representative of the company/entity for which Users are working), tax and VAT code numbers, location/domicile (also for tax purposes), contact details (including mobile numbers, facsimile numbers and/or other identification numbers), postal and email addresses (including business email addresses of employees/collaborators of Users and, where applicable, certified email addresses), postal code numbers, bank account details and/or data relating to payments etc.

3.3 Special Data

The activities that may be carried out through the Website do not require any provision of Special Data, so Data Subjects are requested not to supply or otherwise make available to Company any Special Data. Unless expressly agreed in writing, Special Data inadvertently provided by Data Subjects shall be deleted and/or removed, or in any event anonymised, by the Controller.

4. Legal basis for and purposes of processing the Personal Data. Period of data retention

4.1 Legal basis

The legal basis for the processing of Personal Data is: (i) the Data Subjects’ consent; (ii) the legitimate interest of Company, in particular when the processing of Personal Data is necessary for the purposes of preventing fraud or where the processing activity is carried out to accomplish formalities required by law or for direct marketing purposes, subject however to the GDPR requirements.

4.2 Purposes

The Controller processes Personal Data for the purposes specified in the table below, which also indicates

  1. if an express consent to processing of Personal Data is needed (or not) as well as
  2. the period of data retention:

  A. Purposes: Allow Cosmatic to accomplish all formalities required by law, including those of administrative and tax/fiscal nature
     Consent: Not required
     Data retention: 20 years

  B. Purposes: Improve the Website by analyzing how Visitors and/or Users navigate and/or use the Website
     Consent: Not required
     Data retention: Not applicable (aggregate or anonymous data)

  C. Purposes: Send communications and reply to queries concerning the Company Activities
     Consent: Required
     Data retention: 20 years

  D. Purposes: Send newsletters of a general informational, promotional and advertising nature and/or other materials for marketing communication purposes, in relation to the Website’s functionalities, to Cosmatic and Company Activities
     Consent: Required for newsletters, other materials for advertising or direct e-marketing communication purposes (i.e.: marketing communications sent over electronic communication channels, such as e-mail, facsimile, SMS and MMS-type messages), questionnaires and surveys. Not required for postal and/or email marketing communications sent to clients, according to applicable laws
     Data retention: Until the withdrawal of consent or the denial has been communicated

  E. Purposes: Communicate Personal Data between Marchesini Group companies, of which Cosmatic is part, in order to receive commercial information, newsletters and/or materials above (under letters C and D)
     Consent: Required
     Data retention: Until the withdrawal of consent

  F. Purposes: Process Personal Data for statistical analysis purposes
     Consent: Not required
     Data retention: Not applicable (aggregate or anonymous data)


4.3 Optional supply of Personal Data

Subject to what is specified above regarding navigation data, the provision of Personal Data is fully optional and free. However, failure to provide Personal Data may mean that the communications, replies and/or activities requested cannot be provided.

4.4 Consent declaration and withdrawal

In relation to the purposes specified under letters C), D) and E) of the Table above, Data Subjects express their consent to processing activities by addressing queries or communications to Company or by ticking the appropriate box, following the procedures and instructions given on the Website. Data Subjects may revoke their consent by informing Company by any means and in written form; however, with particular regard to the purpose specified under letter D), in order to facilitate the completion of all relevant formalities related to the request concerned, including the cancellation and removal of the email address from the mailing list, Data Subjects are invited to follow the instructions specified in every newsletter. If Data Subjects revoke their consent in relation to the purposes specified under letters C), D) and E) of the Table above, the relevant Company processing activities will be interrupted.

5. Persons in charge of the processing and processors

5.1 Controller and persons in charge of the processing

As specified above, Company processes Personal Data collected from Visitors and/or Users through the Website. Directors, shareholders and independent collaborators (regardless of the contractual relationship concerned) of the Company may process Personal Data in their capacity as persons in charge of the processing, according to National Data Protection Laws and to art. 29 of the GDPR. The persons in charge of the processing are duly trained and empowered to access Personal Data according to the Privacy Policy and within the limits of the tasks and assignments performed by them.

5.2 Joint controllers and processors

The Controller may designate as processors internal and external entities/individuals, including but not limited to (legal and tax) advisors and third-party companies (in particular, internet service providers and service providers, including those using cloud platforms). The complete list of all processors may be requested from the Controller by Data Subjects, by sending an email to the Controller email address specified in article 8.1 of the Privacy Policy.

5.3 Limitations

Persons in charge of processing activities and processors – where appointed – shall be appropriately trained and duly empowered to access and use Personal Data, within the limits of the specific duties and tasks assigned to them and in compliance with the Privacy Policy.

6. Processing of hidden Personal Data (of Website navigation)

6.1 Navigation data

The Controller processes hidden Personal Data collected during navigation in accordance with the Cookie Policy.

6.2 Links

The Website may include hypertext links to other websites that are not managed by or otherwise associated with Company. The Controller has no access to or control over such websites. Data Subjects are requested by the Controller to read the privacy policies of the third-party websites they may access from the Website, in order to learn how those third parties collect and process personal data.

6.3 Newsletter access data

Personal Data on the opening and reading of the newsletter are analysed for statistical purposes, in order to provide Company with information on how the newsletter is used, which may be useful for amending its contents and formats.

7. Method of processing, storage of Personal Data and security measures

7.1 Methods of processing

The Personal Data of Data Subjects are processed almost exclusively through automated procedures, using computerised systems and software, or, in a limited number of cases, through manual means (e.g. on paper), provided however that in any event such Personal Data are processed using methods strictly related to the purposes for which the data were collected and in a way that ensures their security, in accordance with the GDPR and the National Data Protection Laws.

7.2 Place of automated data processing

Processing of Personal Data takes place at the headquarters of the Controller and/or – if appointed – of the processors and/or joint controllers. Personal Data are stored at the headquarters of the Controller, where the physical servers are located, and in some cases on servers of third parties that may provide cloud services for the storage of Personal Data.

7.3 Transfer of Personal Data

Personal Data consisting exclusively of an e-mail address may be transferred for organisational and/or commercial purposes only to Marchesini Group S.p.a. or to other Marchesini Group companies, whether located in the EU or in third countries outside the EU, provided however that in the latter case the transfer of Personal Data as specified above shall be subject to the Controller’s assessment of full compliance with the provisions of the GDPR, and in particular with articles 44 and 45 thereof.

7.4 Place of manual data processing

When Personal Data are collected offline (e.g. on paper), all documents containing said data are stored in the head offices of the Controller or of the processors and service providers, where appointed, and filed in appropriate archives.

7.5 Personal Data storage period

Personal Data will not be disseminated. Personal Data may be communicated to external processors and/or service providers (e.g. welfare providers) or – subject to limitations set out in art. 7.3 above – to Marchesini Group S.p.a. or Group companies.

7.6 Dissemination of Personal Data

Personal Data will not be disseminated.

8. Data Subjects’ rights

8.1 Rights

Data Subjects, when they are individual/natural persons, may directly contact the Controller or the processor(s) designated by the Controller in order to exercise their rights under the National Data Protection Laws and the GDPR (article 15 and subsequent articles), and in particular to access their own Personal Data, obtain updating and rectification or erasure of the same, obtain restriction of processing, object on legitimate grounds to the processing of their Personal Data (with the effects provided for in the Privacy Policy), and obtain data portability, by sending an email to the email address privacy@marchesini.com.

8.2 Complaint

Notwithstanding the above, according to articles 13 and 15 of the GDPR, Data Subjects, when they are individual/natural persons, may lodge a complaint with the competent Supervisory Authority in order to enforce the rights specified above.