DATA PROTECTION NOTICE
1. INTRODUCTION
In accordance with the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR“), we explain below how we may process personal data relating to you and what special rights you have.
The specific data processing activities depend on how you interact with us. In particular, the processing differs depending on whether you merely visit our website (see point 3), accept the use of non-technical cookies (see point 4), subscribe to our newsletter (see point 5), are a customer or partner (see points 6 and 7), a supplier or service provider (see point 8), or communicate with us via social media channels (see point 9). The information on this is specifically formulated.
Other information in this data protection notice, on the other hand, applies generally; for example, the information on automated decisions (see point 10), the data sources (see point 11), the obligation to provide the data (see point 12), the recipients of the data (see point 13), international data transfers (see point 14), the retention periods (see point 15), the security of the website (see point 16), the rights under the GDPR (see point 17) and the right to complain with a data protection authority (see point 18).
Please note that we may also process personal data relating to you in other situations. This is the case, for example, if you apply for a job with us. In such cases, we will provide you with a specific data protection notice in good time.
If something should not be clear to you, please do not hesitate to contact us at any time (see point 2).
2. DATA CONTROLLER AND CONTACT DETAILS
We, the following company, are the data controller:
Vitalis Dr. Joseph S.r.l.
with a sole shareholder
Via Cristoforo 5
39031 Brunico (BZ)
South Tyrol / Italy
Email: dataprotection@teamdrjoseph.com
We have appointed an internal data protection coordinator who will be happy to answer any questions or suggestions you may have about data protection and who can be reached under the afore-mentioned contact details.
3. INFORMATION FOR VISITORS OF THE WEBSITE
3.1 Log data
When you simply visit our website https://www.teamdrjoseph.com/ (hereinafter our “Website” or “Webshop“), your browser (for example, Firefox or Safari) automatically transmits information to the server of our Website.
Such information is temporarily stored in a server log file. The stored log data includes, in particular, the IP address of your terminal equipment (for example, computer, smartphone or tablet), the time stamp of the access (date, time, time shift), the content of the request (the specific page), the http status code (for example, “200” for successful request), the amount of data sent (in bytes) and information on the browser used and the operating system of your terminal equipment (for example, Windows or macOS).
The log data may be processed for the purpose of establishing a connection with our Website, evaluating system security and stability and identifying errors.
The legal basis for this is our overriding legitimate interests (Article 6(1)(f) GDPR) resulting from the afore-mentioned purposes.
3.2 Skin analysis
It is possible on our Website to answer a few short multiple choice questions about your skin so that we can automatically suggest suitable products based on your answers. You can then have the resulting product suggestions sent to you by email.
The legal basis for this is your consent (Article 6(1)(a) GDPR). You can withdraw your consent at any time with effect for the future by simply contacting us (see contact details under point 2).
4. USE OF COOKIES ON THE WEBSITE
4.1 Only with your consent
Provided you have given your consent via the cookie banner (Article 6(1)(a) GDPR), we use non-technical cookies and similar technologies from third-party providers (for example, Google, Microsoft and Facebook) on our Website, which may involve the processing of personal data.
We would like to use such technologies, in particular, to be able to analyse interactions with our Website and relevant services and to be able to place personalised advertisements or send personalised messages.
In the following, we inform you about the technologies used and you will find further information – including the retention period of the individual cookies as well as on the use of purely technical cookies without personal reference – in our [Cookie Notice].
4.2 Google Analytics
Our Website uses “Google Analytics”, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google“).
We use Google Analytics to analyse user interactions on our Website and to improve our offer and make it more interesting through the statistics and reports obtained.
The interactions between you as a user and our Website are recorded with the help of cookies, which are listed in detail in our [Cookie Notice]. Google Analytics also collects your IP addresses to ensure the security of the service and to provide us, as the operator of our Website, with information about which country, region or location the respective user accesses the Website.
We use so-called “IP masking”, whereby Google cuts the IP addresses within the European Economic Area (EEA) by the last octet. You are of course free to install the browser add-on to deactivate Google Analytics, which you can find here: https://tools.google.com/dlpage/gaoptout?hl=de .
Further information on the scope of services provided by Google Analytics is available at https://marketingplatform.google.com/about/analytics/terms/de/. Google provides information on data processing when using Google Analytics at the following link: https://support.google.com/analytics/answer/6004245?hl=de/ .
4.3 Google Ads with Conversion Tracking and Remarketing
Our Website also uses the Google Ads service. This allows us to draw attention to ourselves with the help of advertisements. When you access our Website via a Google advertisement, Google Ads stores a cookie in your device.
The advertisement is delivered by Google via so-called “ad servers”. For this purpose, Google uses so-called ad server cookies on our Website and other websites, through which the success of the advertising measures (for example, the integration of the ads or clicks by the users) can be measured. According to our information, this cookie usually stores analysis values, namely a unique cookie ID, the number of ad impressions per placement (“frequency”), last impression (relevant for post-view conversions) and opt-out information, that is information that a user no longer wishes to be addressed by advertising.
The cookies set by Google enable Google to recognise your browser. Thus, if you visit certain pages of the website of a Google Ads customer and the cookie stored on your terminal device has not yet expired, Google can recognise that you clicked on the ad and were redirected to the page concerned. A different cookie is assigned to each Google Ads customer, so that the cookies cannot be tracked across the websites of other Google Ads customers. By integrating Google Ads, Google receives the information that you have visited the relevant part of the website or clicked on an advertisement. If you are registered or logged in to a Google service, Google can associate the visit with your account. Even if you are not registered or logged in to Google, it cannot be ruled out that Google will not obtain and store your IP address.
By using Google Ads, your browser automatically establishes a direct connection with Google’s server. Google can thereby collect information and provide us with statistical reports, for example regarding the ads that were clicked on and the prices at which they were clicked on. We do not receive any further information from the use of the advertising service and we cannot identify users on the basis of this information.
We use Google Ads with “Google Conversion Tracking”. This allows us to check the success of our advertising measures. The advertisements are thereby provided with technical elements, for example, an ID. This enables Google to determine how a user interacts after clicking on the ads and whether one of our offers is taken up. We receive statistical information about the total number of users of our ads and the popularity of our ads and, if applicable, further information about the implications of the ad.
We also use Google Ads with the “Google Remarketing” service. This allows advertisements to be created based on existing information about you. You can thus be addressed again during your further internet use. This is done by means of cookies, through which your usage behaviour when visiting various websites is recorded by Google and evaluated in pseudonymised form. According to Google’s own statements, the data collected in the course of remarketing is not combined with your personal data that may be stored by Google.
For more information on Google’s data protection notice, please visit www.google.com/intl/de/policies/privacy and services.google.com/sitestats/en.html.
4.4 Microsoft Advertising with UET Tag
Our website uses Microsoft Advertising with UET Tag, a service provided by Mircosoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (hereinafter “Microsoft“).
This allows us to attract interest in our products from a target audience that has previously visited our Website. Indeed, by using the Universal Event Tracking (UET) tag on our website, Microsoft can identify end-user visits to our Website. This allows us to create remarketing lists based on end-user activity on our Website and to optimise our advertising campaigns based on these segments. These remarketing lists are only used for our campaigns. According to Microsoft, they will not be shared with third parties or other advertisers or otherwise used by Microsoft for any purpose not described in the Microsoft Advertising Guidelines,.
The afore-mentioned guidelines and further information can be found at https://about.ads.microsoft.com/de-de/policies/legal-privacy-and-security#privacy-and-data-protection-policies.
4.5 Facebook Pixel
Our Website uses “Facebook Pixel”, a service provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter “Meta“).
Facebook Pixel enables us to display our advertising measures (so-called Facebook Ads) to users of our Website and the social network Facebook and to measure and evaluate the success of the advertising measures in order to improve them if necessary.
Through Facebook Pixel, your browser establishes a direct connection with Meta’s servers. According to our information, Meta receives the information that you have visited the relevant page of our Website or clicked on one of our ads. If you are registered with a Meta service, Meta can assign your interactions to your personal account. Even if you are not registered or logged in to Facebook, Meta may obtain your IP address and other data and use it for profiling. We have no influence on further data processing by Meta and refer in this regard to Meta’s data protection notice: https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0.
For more information, please visit https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/legal/terms/page_controller_addendum.
4.6 Pinterest Tag
Our Website uses “Pinterest Tag”, a service provided by Pinterest Inc, 808 Brannan Street, San Francisco, CA 94103, USA (hereinafter “Pinterest“).
The Pinterest tag is a code snippet that allows Pinterest to track visitors of our Website and the actions visitors take on the Website after seeing our Pinterest ad. This allows us to see how effective our Pinterest ads are and improve our advertising efforts.
For more information, see https://policy.pinterest.com/de/privacy-policy and https://help.pinterest.com/de/article/personalization-and-data.
4.7 Hotjar
Our Website uses Hotjar, a service provided by Hotjar Limited, Dragonara Business Center, 5th floor, Dragonara Road, Paceville St Julian’s STJ 3141, Malta (hereinafter “Hotjar“).
Hotjar’s technology gives us a better understanding of our users’ experiences (for example, how much time users spend on which pages, which links they click on, what they like and dislike, etc.) and this helps us to tailor our offering to our users’ interactions.
Hotjar uses cookies and other technologies to collect data about the behaviour of our users and their devices, in particular the IP address of the device (only collected and stored anonymously during your use of the website), screen size, device type (unique device identifiers), information about the browser used, location (country only), preferred language for viewing our Website. Hotjar stores this information on our behalf in a pseudonymised user profile. Hotjar is contractually prohibited from selling the data collected on our behalf.
For more information, please visit https://help.hotjar.com/hc/en-us/categories/115001323967-About-Hotjar.
4.8 Sendinblue Tracker
Our Website uses the Sendinblue Tracker, a service provided by Sendinblue GmbH, Köpenicker-Straße 126, 10179 Berlin (hereinafter “Sendinblue“).
The Sendinblue Tracker allows marketing automation. Through Sendinblue, the pages of our Website visited by a visitor can be tracked if the visitor is a registered customer or partner (see point 6), has submitted a newsetter form on our Website or clicks on an email or link in an email created through our Sendinblue account (see also points 5 and 7). This allows us to create custom workflows based on visits and actions on specific pages of our Website and, based on the visit, send, for example, a targeted email of abandoned shopping cart. Data collected is only processed in our Sendinblue account in connection with the contact details and is not disclosed to third parties.
For more information, see https://de.sendinblue.com/ and https://de.sendinblue.com/legal/cookies/.
4.9 Integration of Vimeo videos
We make videos available on our Website that are stored on https://vimeo.com/ which can be played directly from our Website. Vimeo is operated by Vimeo.com, Inc., 555 West 18th Street, New York, New York 10011 (hereinafter “Vimeo“).
By embedding these videos, your browser establishes a direct connection with Vimeo servers. Vimeo sets cookies in your browser and thus saves your interactions on the Website. This data may be linked to other data that Vimeo collects. However, this happens outside our sphere of influence and, in this context, we refer to Vimeo’s data protection notice, which you can access at https://vimeo.com/privacy.
For further information, please refer to the data processing agreement we have concluded with Vimeo: https://www.vhx.tv/data-processing.
4.10 Withdrawal of consent
As mentioned above, the above technologies are only used if you have given your consent (Article 6(1)(a) GDPR) via our cookie banner. You can withdraw this consent(s) at any time with effect for the future.
You can withdraw your consent, in particular, by changing the relevant settings in the [Cookie Notice]. In addition, you have the option of deleting cookies that have already been set – as described in more detail in the afore-mentioned Cookie Notice – or blocking them from the outset.
5. INFORMATION REGARDING THE NEWSLETTER
5.1 Free subscription
You can subscribe to our free newsletter if you are interested in receiving periodic information about our current offers and news. If you would like to subscribe to our newsletter, we need your email address in order to send you the newsletter.
5.2 Double-opt-in procedure
We use a so-called double-opt-in procedure for subscription. This means that after your registration, we will send you an automated email to the email address you provided, in which you can confirm that you are actually the owner of the email address provided and that you actually wish to receive the newsletter.
5.3 Sending and evaluating newsletters
We process data for sending you the newsletter and evaluating the opening and click rates in order to be able to measure and improve the success of the newsletter and possibly to adapt it to your individual interests.
For this evaluation, the newsletter emails contain so-called tracking pixels. For the evaluation, the tracking pixels are linked to your email address and an individual ID; links contained in the newsletter also contain this ID. Such an evaluation is not possible if you have deactivated the display of images by default in your email programme, unless you display the images manually.
The legal basis for this is your consent (Article 6(1)(a) GDPR), which you can withdraw at any time with effect for the future.
5.4 Withdrawal of consent
You have various options for withdrawing your consent and unsubscribing from the newsletter. For example, you can (a) simply click on the unsubscribe link that you will find at the end of every newsletter email. If you are a registered customer (see point 6), you can also (b) declare your withdrawal in the customer area at any time. Of course, you can also (c) inform us in another way that you no longer wish to receive the newsletter (see contact details under point 2).
6. INFORMATION FOR CUSTOMERS AND PARTNERS
6.1 Contacting us
When you contact us (for example, by email or via the contact form or chat service on our Website), the data you provide (for example, name, address and content of the enquiry) will be stored by us in order to answer your enquiries or process your request.
The legal basis for this is pre-contractual measures or the performance of the contract (Article 6(1)(b) GDPR) if your enquiry concerns a possible order or an order that has already been placed. In all other cases, the legal basis is our overriding legitimate interests (Article 6(1)(f) GDPR) in responding to your enquiries or processing your requests.
6.2 Registering as a customer
If you wish, you can register as a customer in our Webshop to enjoy the benefits described in the Webshop. When you register, we store the data you provide as well as the sales history. This can, for example, facilitate future orders. As a registered customer, you can also rate the products on our Website.
The legal basis for this is your consent (Article 6(1)(a) GDPR). You can withdraw your consent at any time with effect for the future by simply contacting us (see contact details under point 2).
6.3 Registering as a partner
If you conclude a partner contract with us, you can be activated for the corresponding portal on our website by sending us a corresponding request to be able to enjoy the relevant advantages described in the web shop. When you register, we store the data you provide as well as the sales history. This can, for example, facilitate future orders. As a registered partner, you can also rate the products on our website.
The legal basis for this is your consent (Article 6(1)(a) GDPR). You can withdraw your consent at any time with effect for the future by simply contacting us (see contact details under point 2).
6.4 Placing orders in the Webshop
If you wish to place an order in our Webshop, you can place the order either as a guest or as a registered customer or partner. We require certain data in the order process, unless you have already provided this data in the course of registering as a customer or partner.
Certain data are, in fact, necessary for the processing of the order (for example, for sending the order confirmation, invoicing and delivery of the goods). All other data is voluntary. This voluntary data is not required for the order but may facilitate communication and a more personal contact with you. For payment, you can also use Paypal or Amazon Pay if you wish; we refer in this regard to the data protection notices of Paypal (https://www.paypal.com/myaccount/privacy/privacyhub) and Amazon Pay (https://pay.amazon.de/help/V89K8AFK7BJZW4M).
The legal basis for the processing of required data is the implementation of pre-contractual measures or the fulfilment of the contract (Article 6(1)(b) GDPR) on one hand, and your consent (Article 6(1)(a) GDPR) for voluntarily provided data on the other hand. You can withdraw your consent at any time with effect for the future by simply contacting us (see contact details under point 2).
6.5 Birthday surprises
If you voluntarily provide your date of birth when placing an order, we may store and process your birthday in order to send you, at our discretion, a birthday surprise by email (e.g. a voucher code for a free product in travel size).
The legal basis for the processing is your consent (Article 6(1)(a) GDPR). You can withdraw your consent at any time with effect for the future by simply contacting us (see contact details under point 2).
6.6 Placing orders outside the Webshop
Of course, you can also order products or services from us in other ways, for example by contacting us via the contact form, chat function, telephone, email, or fax. In this case, we process the data you provide to be able to communicate with you and process the order and carry out all activities that are closely related to your order (for example, sending the products, invoicing or managing receivables).
The legal basis is the implementation of pre-contractual measures or performance of contract (Article 6(1)(b) GDPR) if you are the customer or partner; and our overriding legitimate interests (Article 6(1)(f) GDPR) if you are a contact person at the customer or partner, overriding legitimate interests being to be able to communicate with you.
6.7 Solvency checks
If we are required to provide goods or services before you have paid us, we may check your creditworthiness with credit agencies to reasonably ensure that we do not suffer any economic loss due to possible non-payment.
The legal basis for this is our legitimate interests (Article 6(1)(f) GDPR) arising from the said purposes.
7. INFORMATION REGARDING DIRECT MARKETING
7.1 General
Where there is a relevant and appropriate relationship between us, we may process the personal data you provide to contact you as described below.
7.2 Product rating
If you have purchased products from us, we may send you an email to ask if you were satisfied with the products and would like to leave a rating. If you wish to leave a rating, it will then be published on our Website.
The legal basis for sending the request is our overriding legitimate interests (Article 6(1)(f) GDPR) to be able to assess customer satisfaction. The legal basis for the publication of the rating, on the other hand, is your consent (Article 6(1)(a) GDPR), which you can withdraw at any time with effect for the future by simply contacting us (see contact details under point 2).
7.3 Shopping basket reminder
If you have placed products in the shopping basket in the Webshop (see point 6.4), but the order process was not successful, we may inform you of this by email to ensure that the uncompleted order process was not an oversight or did not fail for technical reasons.
The legal basis for sending such a shopping basket reminder is our overriding legitimate interests (Article 6(1)(f) GDPR) arising from the afore-mentioned purposes.
7.4 Objection
If you do not wish the processing in question based on our legitimate interests, you can object at any time by simply informing us (see contact details under point 2). If you are a registered customer or partner (see points 6.2 and 6.3), you can also declare your objection at any time in the settings of your account by unchecking the product rating and/or shopping basket reminder boxes.
8. INFORMATION FOR SERVICE PROVIDERS AND SUPPLIERS
If you are a service provider or supplier, we may process the personal data necessary for our enquiry and, where applicable, our order and closely related activities (for example, for communicating with you, processing orders, making payments or also for the purposes of notices of defects).
If we are required to pay you in advance, we may also check your creditworthiness with credit agencies to reasonably ensure that we do not suffer any economic loss due to possible non-fulfillment of your obligations.
The legal basis for this is our overriding legitimate interests (Article 6(1)(f) GDPR) arising from the afore-mentioned purposes.
9. INFORMATION REGARDING OUR SOCIAL MEDIA PROFILES
9.1 General
We are present with own profiles on the social networks Facebook, Instagram, and Pinterest.
When visiting or interacting with our profiles, the providers of the social networks collect data through cookies, such as the IP address of your final equipment and other information. This information is collected by the operators to provide us with anonymous statistics through which we can improve our presence on the respective social network.
Moreover, data may also be processed by the providers of the social networks to display personalised ads to you. We do not have access to the specific user data generated and processed by the social networks.
When you visit our profiles, various data processing activities are initiated that depend on the respective providers of the social network and they are not entirely comprehensible to us. For details, please refer to the data protection notices of the respective provider, to which we refer below.
9.2 Facebook
The data protection notice of the social network Facebook, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, can be found
at https://www.facebook.com/about/privacy/update?ref=old_policy.
We have also entered into a joint controller agreement with Meta, which you can find at https://de-de.facebook.com/legal/terms/page_controller_addendum.
9.3 Instagram
You can access the data protection notice of the social network Instagram, which is operated by Instagram LLC, 1601 Willow Road, Menlo Park, CA 94025, USA, at https://help.instagram.com/155833707900388.
9.4 Pinterest
The data protection notice of the social network Pinterest, which is operated by Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland, can be found
at https://policy.pinterest.com/de/privacy-policy.
9.5 Personal communication
If, on the other hand, you use our profiles on social networks to communicate with us (for example, by commenting on a post or sending a private message), we may use the data you enter to interact with you based on the functionalities of the respective social network.
Depending on the circumstances, the legal basis is your consent (Article 6(1)(a) GDPR), which you can withdraw at any time with effect for the future by simply deleting the data you entered on the social network or by contacting us (see contact details under point 2). On the other hand, if your interact with us regarding a potential or existing order, the legal basis for the processing is taking pre-contractual measures or performing a contract (Article 6(1)(b) GDPR). In all other cases, the legal basis is our overriding legitimate interests (Article 6(1)(f) GDPR) in interacting with you.
10. NO AUTOMATED DECISIONS
We do not intend to process personal data for the purposes of taking an automated decision (including profiling) within the meaning of Article 22 of the GDPR that produces legal effects concerning you or similarly significantly affects you. This means that no important decision is made by a computer alone at our company.
11. DATA SOURCES
We usually collect the data directly from you or from people you have instructed to provide it.
However, we may also collect certain data from third parties or obtain it from publicly available sources, such as a register of enterprises or a credit agency, for example, if you are a customer or supplier and we are required to some advance performances and therefore reasonably need to check your creditworthiness.
12. NO OBLIGATION TO PROVIDE DATA
The provision of personal data is neither legally nor contractually required. In principle, you are not obliged to provide personal data.
However, we will reasonably require certain data for each of the purposes described above: for example, your name and a delivery address for any delivery of our products or your email address for the sending of our newsletter.
13. RECIPIENTS OF THE DATA
13.1 General
To achieve the respective purposes of the processing mentioned above, it is necessary that certain persons obtain knowledge of the personal data. In doing so, we naturally ensure that only those persons gain knowledge of it as is necessary for the completion of their respective tasks, whereby disclosure only takes place to the extent that it is necessary for the respective tasks.
13.2 Employees
Persons employed by us may obtain knowledge of certain data in the course of their operational duties. For example, it is necessary that our persons responsible for customer service know the personal data to be able to serve you properly.
13.3 Data processors
In addition, certain service providers (for example, website hosting providers or newsletter service providers) may gain knowledge of the data. They process relevant data as our data processors. They are bound to us by a relevant data processing agreement are obliged to maintain confidentiality.
13.4 Other service providers
Other service providers who are typically used in the context of the processing purposes mentioned in this data protection notice may also become aware of the data. For example, postal or shipping service providers may receive the data required for deliveries or banks may receive data as a result of payments to us. If necessary, external consultants (for example, IT service providers in the context of maintenance work or tax consultants) may also obtain knowledge of the data. If the processing of the data should become necessary for the establishment, exercise, or defence of legal claims (for example, in the context of our claims management), the necessary data may typically also be disclosed to debt collection companies, lawyers and experts. We have either obliged these categories of recipients to confidentiality or they are subject to an appropriate statutory duty of confidentiality.
13.5 Public bodies
In some circumstances, we may be required by law to disclose some data to public bodies.
This is the case, for example, when we need to transfer billing data to the Revenue Agency. Such transfer therefore takes place not only because it is closely linked to the performance of the contract (Article 6(1)(b) GDPR), but also because we are legally obliged to do so (Article 6(1)(c) GDPR, in particular in conjunction with Article 1(3) or 3-bis of the Italian Legislative Decree of 5 August 2015, No 127).
Furthermore, in the context of establishing, exercising, or defending legal claims, it may of course be necessary to disclose personal data to the competent judicial authorities.
14. INTERNATIONALE DATENÜBERMITTLUNG
As a matter of principle, we do not actually intend to transfer personal data to third countries or international organisations.
However, we use services that may imply a transfer of personal data to third countries (i.e., countries outside the European Economic Area, hereinafter “EEA“). This is particularly the case with services provided by American companies – often also via their subsidiaries in Europe – such as Google, Meta, Microsoft, or Facebook (see, in particular, point 4).
Data transfer to third countries, and, in particular, to the US, is sometimes unavoidable even when we use European service providers as processors. Even such service providers often use sub-processors based in the US as part of their services. In this case, data may be transferred to the US even if the data is stored on a server in the EEA. Even accessing these servers in the EEA from the US (for example, for maintenance or support purposes) is usually already regarded as a data transfer to the US.
If we want to provide high-quality and scalable services within an economically justifiable framework, improve and remain competitive (and thereby not least also secure jobs), data transfers, in particular, to the US, may thus occur in principle. For these cases, we ensure that the transfer is made, in particular, either on the basis of an adequacy decision or, especially in the case of transfers in the US, appropriate standard contractual clauses of the European Commission, whereby we endeavour as far as possible to ensure that additional measures are taken by our processors to guarantee an equivalent level of data protection as under EU law.
For further questions (also) about this, you can of course contact us (see contact details under point 2).
15. RETENTION PERIOD
We retain personal data primarily for as long as is reasonably necessary to achieve the purposes for which they are processed.
For example, log data (see point 3) is automatically deleted after about 7 days, unless we are required to retain it for longer in the context of investigations by competent authorities. The retention period of cookies (see point 4) is listed for each cookie in our [Cookie Notice]. Data in connection with our newsletter (see point 5), the registration as a customer or partner (see point 6) or product ratings (see point 7) are usually retained until you withdrawn your consent. Data relating to orders, or a contractual relationship, will be usually retained for as long as a contractual relationship exists between us (see points 6 and 8). Data processed in connection with direct marketing (see point 7) will be retained for as long as our relevant and appropriate relationship reasonably justifies retention; for example, data for the purposes of shopping basket reminders will be kept for two months unless you delete the cookies or withdraw your consent before then. Other data, however, such as data processed for solvency checks (see points 6 and 8), are usually not retained at all.
However, longer retention of your data may be necessary, in particular, due to accounting or tax retention obligations. Moreover, longer retention may also be justified by the establishment, exercise, or defence of legal claims (for example, due to default of payment or notices of defects) in accordance with the applicable prescription periods (statutes of limitations). In this context, Articles 2496 and 2497 of the Italian Civil Code are particularly relevant under Italian law. In the international context, other prescription periods may apply under certain circumstances.
16. WEBSITE SECURITY
Unfortunately, the transmission of information via the internet is never completely secure. However, we secure our website against security incidents through appropriate technical and organisational measures.
In particular, we use encryption technologies. For example, data on our Website is transmitted in encrypted form by TLS (Transport Layer Security) encryption.
17. YOUR RIGHTS UNDER THE GDPR
As a data subject, you have special rights under the GDPR.
Those “data subject rights” include the following rights: access (Article 15 GDPR); rectification (Article 16 GDPR); erasure (Article 17 GDPR); restriction of processing (Article 18 GDPR); and data portability (Article 20 GDPR).
Moreover, Article 21 GDPR provides for a special right to object: If, in fact, personal data concerning you is processed based on our legitimate interests (Article 6(1)(f) of the GDPR), you may object to the processing at any time on grounds relating to your particular situation. If, on the other hand, personal data is processed on such basis for direct marketing purposes, you may object at any time without having to provide any specific reason.
Please note that restrictions to these rights may arise from EU or national law.
If you have any questions about the afore-mentioned rights or would like to exercise any of them, please contact us (see contact details under point 2).
18. RIGHT TO COMPLAIN WITH DATA PROTECTION AUTHORITY
If you believe that the processing of personal data concerning violates the GDPR, we would of course be grateful if you would bring this to our attention so that we can initiate appropriate checks (see contact details under point 2).
In this case, however, you also have the right – without prejudice to any other administrative or judicial remedy – to lodge a complaint with a data protection authority. A complaint may, in particular, be lodged in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
The Italian data protection authority is the Garante per la protezione dei dati personali (GPDP) based in Rome (https://gpdp.it/).
19. VERSION AND PDF OF THIS DATA PROTECTION NOTICE
This data protection notice applies since 1 January 2023. You can find the current version of our data protection notice on our website at any time.
You can also download this data protection notice as a PDF.