Art. 1. Identity and contact details of the Data Controller as data controller
Art. 2. Data processing for the purpose of purchasing services intermediated by the Controller
Art. 3. Data processing for generic marketing purposes
Art. 4. Data processing for assistance and customer care purposes
Art. 5. Data processing for the establishment, exercise or defense of a right
Art. 6. Categories of recipients to whom the Controller communicates the user’s personal data (recipients)
Art. 7. Transfer to third countries
Art. 8. Right to object
Art. 9. Right of access
Art. 10. Right to rectification
Art. 11. Right to erasure
Art. 12. Right to restriction of processing
Art. 13. Right to data portability
Art. 14. Timing and methods of response in case of exercise of data subject rights
Art. 15. Right to lodge a complaint with a supervisory authority
Art. 1. Identity and contact details of the Data Controller as data controller
Shoppylo s.r.l (the “Controller”) is the data controller of the users’ personal data outlined in this notice and relating to the data collected from this landing page for the purposes indicated therein.
The identification details and contact information of the Controller are as follows:
Shoppylo s.r.l – Via laguna 12, Venice (VE) – VAT ID IT06151535501
Email: [email protected];
Art. 2. Data processing for the purpose of purchasing services intermediated by the Controller
The Controller will process the user’s personal data to allow them to be contacted by companies offering the services described by the landing page to which this privacy policy refers (Partner Companies) and to conclude the relevant contracts for the purchase of these services.
The legal basis for this processing is the execution of pre-contractual measures taken at the user’s request (Art. 6.1.b) of the Regulation).
For this purpose, the Controller will process the user’s data for the time strictly necessary for the communication of the data to the Partner Companies, provided that, after this period, the Controller may retain the data for the purposes and for the maximum retention periods indicated in the other sections of this notice, if relevant, and/or, in any case, in the cases established by the Regulation and/or by law.
The provision of data for the above purpose is optional: there is no legal or contractual obligation to provide the data; however, since their processing is necessary to allow the Controller to communicate the data to the Partner Companies, failure to provide the data will make it impossible for the user to be contacted by the Partner Companies.
Art. 3. Data processing for generic marketing purposes
The Controller will not collect or process the user’s personal data to send them, via email, informative and promotional communications, nor newsletters, related to products and/or services of its own and/or third parties.
Art. 4. Data processing for assistance and customer care purposes
The Controller will process the data of users for generic assistance and customer care activities and therefore to respond to requests for information from users or to respond to complaints, reports, disputes, as well as to allow the user, if desired, to leave a review.
The legal basis for this processing is the execution of pre-contractual measures taken at the user’s request (Art. 6.1.b, last paragraph, of the Regulation) or, depending on the cases, the legitimate interest of the Controller (Art. 6.1.f of the Regulation).
It constitutes a legitimate interest of the Controller to respond to requests for information and/or reports and/or disputes and/or complaints from users. This legitimate interest of the Controller also coincides with the legitimate interest of the users themselves who make the requests and/or reports and/or disputes and/or complaints in question and who, therefore, within the relationship with the Controller, can reasonably expect their personal data to be used by the Controller to give them feedback. The legitimate interest of the Controller thus identified can therefore be considered to prevail over the fundamental rights and freedoms of the data subject, also by virtue of such reasonable expectations and the relationship between the data subject and the Controller as well as considering the nature of the data processed and the coinciding interest of the data subjects themselves.
The user has, in any case, the right to object, at any time, for reasons related to his/her particular situation, to the processing of personal data concerning him/her for the purpose in question (i.e. assistance and customer care).
Art. 5. Data processing for the establishment, exercise, or defense of a right
The Controller will process the user’s data for the establishment, exercise, or defense of a right in all competent forums. The legal basis for this processing is the legitimate interest of the Controller (Art. 6.1.f of the Regulation). It constitutes a legitimate interest of the Controller, in fact, to resort to legal means to ensure compliance with its contractual rights or to demonstrate that it has fulfilled the obligations arising from the contract with the data subject or imposed on the Controller by law. This legitimate interest, in turn, is based on the constitutionally protected right to defense. It can therefore be considered to prevail over the fundamental rights and freedoms of the data subject, also in view of their reasonable expectations. The data subject has, in any case, the right to object, at any time, for reasons related to his/her particular situation, to the processing of personal data concerning him/her for the purpose in question (i.e. defense of a right/justice purposes).
The user can exercise this right by contacting the Controller at the contact details indicated in Art. 1 of this privacy notice.
Art. 6. Categories of recipients to whom the Controller communicates the user’s personal data (recipients)
The personal data provided by the user may be communicated by the Controller to the categories of recipients indicated below. The subjects to whom the Controller communicates the data act as data processors appointed by the Controller through a specific contract (Data Processors) or as persons authorized to process personal data under the Controller’s direct authority (Designated) or, in the case of third parties used by the Data Controller, as “Sub-Processors”, as provided for in Art. 28.4 of the Regulation.
The personal data of users may be communicated by the Controller to the following categories of recipients:
to Partner Companies, as defined in Article 1 of this notice, so that they can contact the user and propose the conclusion of contracts relating to the services described by the landing page to which this notice refers;
to companies appointed by the Controller to send commercial communications, which act on behalf of the Controller as Data Processors;
to all those subjects, including public authorities, who have access to the data under regulatory or administrative measures.
Art. 7. Transfer to third countries
Personal data is not transferred to countries outside the European Union and the United Kingdom.
Art. 8. Right to object
The data subject has the right to object at any time, for reasons related to his/her particular situation, to the processing of personal data concerning him/her carried out for purposes based on the legitimate interest of the data controller.
In case the data are processed for direct marketing purposes, the data subject also has the right to object at any time to the processing of personal data concerning him/her carried out for such purposes.
In the event of exercising the right to object, the Controller refrains from further processing the personal data, unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of a right in court.
If the data subject objects to processing for direct marketing purposes, the personal data are no longer processed for this purpose.
Art. 9. Right of access
The data subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning him/her is being processed, and, if so, access to the personal data and the following information.
In the event of exercising the right of access, the user can obtain access to personal data and the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
the existence of the right of the data subject to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, including profiling, referred to in Articles 22.1 and 22.4 of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The Controller provides a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. If the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information is provided in a commonly used electronic format.
Art. 10. Right to rectification
The data subject has the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Art. 11. Right to erasure
The data subject has the right to obtain from the Controller the erasure of personal data concerning him/her without undue delay and the Controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
the data subject objects to the processing based on legitimate interests pursued by the data controller for reasons relating to his/her particular situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of personal data concerning him/her for direct marketing purposes;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject.
Art. 12. Right to restriction of processing
The data subject has the right to obtain from the Controller restriction of processing where one of the following applies:
the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims;
the data subject has objected to processing pursuant to Article 21.1 of the Regulation pending the verification whether the legitimate grounds of the Controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
Art. 13. Right to data portability
The data subject has the right to receive the personal data concerning him/her, which he/she has provided to the Controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:
the processing is based on consent or on a contract;
the processing is carried out by automated means.
In exercising his/her right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right to data portability shall be without prejudice to the right to erasure. The right to data portability shall not adversely affect the rights and freedoms of others.
Art. 14. Timing and methods of response in case of exercise of data subject rights
The Controller provides the data subject with information about the actions taken in relation to a request to exercise the rights recognized by Articles 15 to 22 of the Regulation (i.e. right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object) and by this privacy notice (Data Subject Rights), without undue delay and in any case within one month of receiving the request. This period may be extended by two months, if necessary, taking into account the complexity and number of requests. The Controller informs the data subject of such extension and the reasons for the delay within one month of receiving the request. If the data subject makes the request by electronic means, the information is provided, where possible, by electronic means, unless otherwise requested by the data subject.
Art. 15. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, the data subject who considers that the processing of his/her personal data violates the Regulation has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his/her habitual residence, place of work, or place of the alleged infringement. The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy.