The term “Personal Data” refers to any information related to a natural person, either identified or identifiable, even indirectly, by reference to any other information.
Processing of Personal Data
Access to several sections of the Website and/or any request for information or services by Users of the Website may require the insertion of Personal Data. Furthermore, any contact with CR Online Shop, such as for instance through customer service or the optional, explicit and voluntary dispatch of electronic mails or postal mails to the addresses of CR Online Shop indicated on the Website, entails the subsequent acquisition of the sender’s address, and e-mail where relevant, or the telephone number, necessary to respond to these requests, as well as any other Personal Data included in the message.
As Data Controller, CR Online Shop informs that the processing of Personal Data as mentioned above will take place in accordance with the Code and the GDPR.
This policy is intended to inform Users of Personal Data processing by CR Online Shop before they access various areas of the Website and provide their Personal Data. Users must read it before providing any Personal Data, by filling the relevant gaps in the appropriate areas of the Website.
Purposes of Data Processing
Depending on the different needs of Users accessing different areas of the Website, Personal Data provided directly by Users can be used in the following ways:
1. to allow the registration on the Website, which is required to access certain areas of the Website itself and to provide and manage the wide range of services offered on the Website;
2. upon Users’ specific prior consent and as long as this consent is not revoked, to carry out marketing activities (such as, for illustrative, yet incomplete purposes, distribution of promotional and advertising material, communication of marketing campaigns or promotions, conduction of analysis of registered users and customer satisfaction surveys, which allow CR Online Shop to improve the services and products offered to its clients), including via e-mail, SMS, calls or by ordinary post; Users shall have the right to object at any time to receiving such communications;
3. upon Users’ specific prior consent and as long as this consent is not revoked, to send newsletters with updates about the Website and other news about CR Online Shop;
4. to provide assistance and respond to Users’ requests concerning CR Online Shop products, advertisements or the Website (“Contacts” section of the Website);
5. Social Networks: to provide advertising and engage Users on CR Online Shop’s Social Networks (such as Facebook, Twitter, Instagram, Pinterest etc.) through the use of their Personal Data deriving from Users interaction with third-party Social Network features (such as the “Like’ features). Users can learn more about how these features work, which profile Personal Data CR Online Shop obtains and how to withdraw consent, by consulting the privacy policies of the relevant third-party Social Networks;
6. Communications concerning orders: if an order is placed on the e-commerce platforms, CR Online Shop will use the Users’ Personal Data to process and send orders as well as to send purchase confirmation e-mails, delivery confirmation e-mails and requests for feedback. The processing of Personal Data is necessary for the provision of services by CR Online Shop, therefore the legal basis for this Personal Data Processing is Article 6 (1) (b) of the GDPR. Users are contractually required to provide these Personal Data, without which CR Online Shop would not be able to send communications regarding Users’ orders;
7. legal reasons or merger/acquisition: should CR Online Shop be acquired or merged with another society, CR Online Shop shall have the right to transfer Personal Data to any legal successor. Furthermore, CR Online Shop may disclose Personal Data to third parties (a) as required by applicable law; (b) to respond to legal processes; (c) in response to a competent law enforcement agency’s request; (d) to protect its own rights, privacy, safety or property; (e) to fulfil the terms of any contract or the terms of its own website.
Users are not required to register on the Website to access certain services provided by CR Online Shop; however, in order to respond to Users’ requests concerning these services, Users will be invited to provide Personal Data which will be processed solely for relevant purposes for no longer than necessary.
Means of data processing
Personal Data will be processed by operations of collection, recording, organisation, storage, consultation, processing, rectification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction of Personal Data.
Personal Data will be processed primarily by automated means, but also in paper format, with means strictly related to the aforementioned purposes.
Nature of the provision of Users’ Personal Data
The provision of Personal Data is optional, but partly necessary, to ensure that CR Online Shop meets the needs of Users with regards to the services provided on the website and for the aforementioned purposes. Failure to provide Personal Data, or the partial or inaccurate provision thereof, being necessary for the provision of the services requested, will render this provision impossible; failure to provide optional Personal Data that are not necessary, or the partial or inaccurate provision thereof, will have no consequences.
Categories of Personal Data subject to processing
As well as Personal Data provided directly by Users (such as name, surname, postal address, e-mail address, password, age, birth date, gender, image, profession, civil status etc.) when connecting to the Website, information systems and software procedures employed by the Website acquire, both automatically and indirectly, some Personal Data, whose transmission is implicit in the use of internet communication protocols (e.g. IP address or domain names of computers used by Users connecting to the website, URI address – Uniform Resource Identifier – of requested resources, the time of the request, method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of response from the server – successful, error etc. – and other parameters regarding the User’s operating system and IT environment).
Such Personal Data are processed with the purpose of carrying out anonymous statistical surveys on the use of the Website and checking its correct functioning, and are deleted immediately after processing. Personal Data could be used to determine potential liabilities in the event of hypothetical computer crimes against the Website.
Categories of entities to which Users’ Personal Data may be disclosed
Personal Data may be disclosed to employees or partner companies of the Data Controller or of the company in Italy and abroad, who or which, working under the direct authority of the Controller, are appointed Data Processors and/or persons in charge of data processing and will receive adequate operational instructions in this regard.
Scope of communication or disclosure of Users’ Personal Data
Personal Data provided directly by Users through the completion of online forms may be communicated to external service providers responsible for the management of Personal Data for the purposes for which the Personal Data were originally collected; CR Online Shop shares Users’ Personal Data to the extent necessary to enable these external service providers to provide the service on behalf of CR Online Shop or on their behalf (e.g. executing orders, services and processing payments, managing credit cards, recovering credits, managing the functioning of the website and the e-commerce platform, providing support services, promotions, developing the website, providing e-mail services to send e-mails and/or newsletters and/or SMS/MMS on its own behalf, analysing Personal Data etc.). These providers, whose Personal Data may be requested by contacting the Data Controller mentioned below, are appointed Data Processors and should provide their employees or company partners, to whom Personal Data may be communicated, with appropriate instructions.
CR Online Shop does not share, sell, transfer or otherwise disclose Users’ Personal Data to third parties, unless otherwise required by law pursuant to article 6(1) (c) of the GDPR, unless otherwise required in the contract pursuant to article 6(1) (b) or unless the User has expressly agreed to pursuant to article 6 (1) (a).
The same Personal Data may be disclosed, should the Website list the names of winners in the event of competitions or prize contests promoted by CR Online Shop via the Website.
Data Controller and Data Processors
The Data Controller is CR Online Shop S.n.c. di Nicola Cini & C., Via Cassia, 129/B, 52047 Marciano della Chiana, AR, Fiscal code and VAT number 02381090519.
The updated list of Data Processors and persons in charge of data processing can be requested by contacting the Data Controller at the above-mentioned contact details.
Users rights recognised in article 7 of the Code and article 15 of the GDPR
The data subject shall have the right to obtain confirmation as to whether or not Personal Data concerning him/her are being processed, even if not yet been recorded, and communication of such data in intelligible form as well as access to their content.
1. Data subjects shall have the right to obtain the following information:
- the origin of Personal Data;
- purposes and means of processing;
- the logic involved in the processing, if the latter is carried out with the help of electronic means;
- identity of the Data Controller, Data Processors and the designated representative in the Italian territory, where applicable;
- the individuals or entities to whom Personal Data may be communicated, or that have access to them in their capacity as designated representative in the Italian territory, Data processors or persons in charge of data processing.
2. Data subjects shall have the right to obtain:
- updating, rectification or, when interested therein, integration of Personal Data;
- erasure, anonymisation or blocking of Personal Data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they were collected or subsequently processed;
- certification to the effect that the operations described above have been notified, as also related to their content, to those to whom or which Personal Data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effect compared to the right that is to be protected.
3. Data subjects shall have the right to object, in whole or in part:
- on legitimate grounds, to the processing of Personal Data concerning him/her, even though they are relevant to the purpose of the collection;
- to the processing of Personal Data concerning him/her, where it is carried out for the purpose of sending advertisement materials or direct selling, or else for the performance of market or commercial communication surveys.
4. Data subjects, where applicable, shall also enjoy the rights specified in article 16-21 of the GDPR (right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object), as well as the right to lodge a complaint with the Data Protection Supervisor.
The above rights may be exercised either directly or by conferring, in writing, a proxy or power of attorney to persons or organisations.
Retention of Personal Data
In accordance with applicable laws, CR Online Shop will retain Personal Data as long as necessary to achieve the purposes for which they were collected (as described in the section “Purposes of Data Processing’) or in order to comply with applicable legal requirements.
Modalities for the exercise of the rights and to obtain a complete list of Data Processors
Users may, at any given moment, exercise their aforementioned rights and obtain the complete list of Data Processors, by sending an e-mail to the Data Controller’s address or a letter by regular or certified post, or a certified e-mail.
Furthermore, Users, if consent has previously been given, shall have the right to withdraw at any time their consent to process their Personal Data for the purposes outlined in points 2 and 3 of the “Purposes of Data Processing’, by clicking on the specific “link” found in every e-mail message or by contacting the Data Controller in the manners described in the previous paragraph.