Privacy Policy

PREMISE

Pursuant to Art. 13 of the European Regulation 2016/679 ("GDPR") and Legislative Decree 196/2003 ("Privacy Code"), Gianvito Rossi S.r.l. (hereinafter also the "Company" or "GVR") makes this Information Notice in order to communicate to its customers and, more generally, to the users of the site www.gianvitorossi.com (the "Site") its policy regarding the protection of personal data.

The information highlighted below is relevant:

A) when accessing the Site for browsing, using the services (including e-commerce) and interacting with the pages of connected social networks (hereinafter, for brevity, also referred to as "Online");

B) on the occasion of visits and/or purchases at Gianvito Rossi's physical stores (hereinafter also referred to as 'Retail' for brevity).

GVR processes Personal Data in compliance with the principles of lawfulness, fairness, transparency, purpose limitation, storage limitation, minimisation, accuracy, integrity and confidentiality and with the provisions of the GDPR and the Privacy Code.

The Company adopts appropriate and preventive security measures, as well as technical, logistical and organisational measures with the aim of preventing damage, loss, including accidental loss, alteration, improper and unauthorised use of the processed data.

DATA CONTROLLER - PERSONAL DATA PROTECTION OFFICER

Data controller

Gianvito Rossi S.r.l.

Via dell'Indipendenza 15, 47030 San Mauro Pascoli (FC)

Telephone contact details: +39 0541 935600

E-mail contact details: privacy@gianvitorossi.com

The Data Controller has appointed its own Data Protection Officer (also 'DPO'), who can be contacted directly at the following e-mail address: dpo@gianvitorossi.com for any clarification regarding the processing activities carried out by GVR and for the exercise of the rights that the GDPR grants to the data subject.

TYPES OF DATA PROCESSED - RETENTION PERIODS

	Type of data	Description / Storage time	Applicability
A	Navigation data	data whose transmission is implicit in the use of Internet communication protocols. These data include the type of Internet browser and operating system used, the IP address, the domain names of the website of origin, the number of visits, the average time spent on the Site, the pages viewed. This information is not collected in order to be associated with the user, however, through processing and association with data held by third parties, it may allow users to be identified only if necessary in relation to possible infringements against GVR. Navigation Data are deleted, except in the case of detection of unlawful activity, no later than 48 (forty-eight) hours after their collection.	Online
B	Identification, contact and access data	contact data such as name, surname, date of birth, contact details (e-mail and/or telephone and/or postal address), credentials for accessing a personal account on the Site. The data related to the contractual relationship between GVR and the customer shall be stored for the duration of the contractual relationship and no longer than 10 years after the termination of the contractual relationship for the fulfilment of legal obligations and requirements to protect GVR's rights related to the contract.	Online Retail
C	Invoicing data and payment	C.F. No. and VAT No. and other information necessary to enable billing and payment activities in case of purchase of GVR's products. The data related to the contractual relationship between GVR and the customer shall be stored for the duration of the contractual relationship and, at the end thereof, no longer than 10 years after the termination of the contractual relationship for the fulfilment of legal obligations and requirements to protect GVR's rights related to the contract.	Online Retail
D	Product data	the information related with the shoe size identification, purchases made and services requested, as well as products viewed and/or placed on the wish list or in the shopping cart, data relating to product preferences and purchase history. The data related to the contractual relationship between GVR and the customer shall be stored for the duration of the contractual relationship and, at the end thereof, no longer than 10 years after the termination of the contractual relationship for the fulfilment of legal obligations and requirements to protect GVR's rights related to the contract. Data collected for marketing and/or profiling purposes will be processed for 7 (seven) years from the time consent is given or renewed.	Online Retail
E	Usage data	information such as the date of the login/logout/password recovery event and other data that may be entered in the forms available in the reserved section and on other pages of the Site. Usage data will be stored for as long as is necessary for the provision of the service and the verification of its performance; therefore, data will not normally be stored for longer than 6 months after the service has been used.	Online
F	Consent	free, informed and express consent to the processing of personal data that GVR has to collect in order to be able to carry out the following activities: (i) to send to its customers communications and promotional material relating to its products and brand events and initiatives (direct marketing) and/or (ii) to analyse purchasing preferences and choices in order to offer products and services in line with such preferences and to send invitations to personalised events and initiatives to its customers (profiling) Data collected for marketing and/or profiling purposes will be processed for 7 (seven) years from the time consent is given or renewed	Online Retail
G	Cookies	Information on the use of cookies can be found in the Cookie Policy	Online

At the end of the above-mentioned processing periods, the data will be permanently deleted from the Company's databases or, in any case, irreversibly anonymised.

PURPOSE AND LEGAL BASIS OF PROCESSING

	Purpose	Legal Basis	Applicability
A	sending commercial communications relating to products and/or services similar to those already purchased and/or subscribed to by the customer (so-called 'Soft Spam')	legitimate interest of the Controller in promoting products/services to its customers	Online Retail
B	direct marketing activities, such as the promotion of product sales by letters, telephone, automated communication systems (i.e. messaging apps), e-mail; as well as invitations to events and brand initiatives	specific and free consent collected on the Site or in a GVR store	Online Retail
C	profiling activities aimed at analysing preferences and purchasing choices in order to offer products and services in line with these preferences and send invitations to customised events and initiatives	specific and free consent collected on the Site or in a GVR store	Online Retail
D	creation and management of customer master data (except for purchases made in 'guest' / 'generic customer' mode)	pre-contractual and contractual relationship	Online Retail
E	pre-contractual and contractual relationship management in relation to purchases and related services requested by the customer (such as, notification of re-stocks, special order requests, repairs, pick-up service at a physical store of purchases made online, home delivery, handling of any complaints or returns) and management of related payments	pre-contractual and contractual relationship	Online Retail
F	fulfilment of regulatory obligations (e.g. of an administrative, accounting and tax nature) or to comply with requests received from the Public Authorities or the Judicial Authorities in the event of the detection of suspicious, illegal or fraudulent activities perpetrated to the detriment of the Company	fulfilment of legal obligations	Online Retail
G	detection of the user experience of the web services offered through the Site, also with a view to ensuring the proper functioning of the web pages and contents of the Site	legitimate interest of the Controller in providing its customers with a good quality of navigation on the Site	Online
H	Survey of the visit and/or purchase experience made at a physical store in order to ensure the high standard of service that GVR is committed to providing to its customers	legitimate interest of the Controller in providing its customers with a high quality of service at the brand's physical stores	Retail
I	conducting market surveys and statistical analyses in anonymous and aggregate form regarding products and sales trends	legitimate interest of the Controller in monitoring the sales performance and market positioning of products	Online Retail
J	browsing and interacting with GVR's social pages whose links are present on the Site	pre-contractual and contractual relationship	Online
K	protection of the Company's legal position in extrajudicial and/or judicial proceedings, including in the event of unlawful, fraudulent or criminal activities perpetrated against the Company	legitimate interest of the Controller in protecting its legal position in the appropriate juridical forums	Online Retail

Without prejudice to the freedom to provide personal data on the part of the data subject, please note that:

The provision of data for the purposes D) and E) above is necessary in order to enable GVR to provide the requested products and/or services;
the provision of data for the purposes A), B), C) above is optional, but failure to provide such data may result in the impossibility of benefiting from dedicated and personalised services offered by the Company.

DATA CONTROLLERS AND RECIPIENTS

Personal data are processed exclusively by the Company's personnel specifically authorised and appointed in accordance with the GDPR and the Privacy Code and adequately instructed and trained in relation to legal requirements concerning the protection of personal data.

The data referred to in paragraph 3. above may be shared with qualified third parties with whom the Company collaborates for the provision of its products and services. Where such parties process personal data of which GVR is the Data Controller, they have been appointed as Data Processors pursuant to Article 28 of the GDPR. By way of example, such third parties could belong to the following categories:

other companies belonging to Gianvito Rossi group;
collaborators and/or consultants within the limits of their contractual obligations towards the Company (including consultants in accounting, administrative, legal, tax and financial matters);
banking and credit institutions, insurance companies, payment service providers;
suppliers within the limits of their contractual obligations towards the Company (including, but not limited to, transporters, suppliers of software, application solutions, hosting providers)
members of control bodies, such as the Board of Statutory Auditors, Auditors, internal and external auditors appointed to carry out inspections and audits on behalf of the Company;
national or international public bodies, organisations or authorities acting as independent data controllers to which your Personal Data may be disclosed, in accordance with applicable law or binding orders of such bodies, organisations or authorities.

All the data as described above, will not be disclosed to third parties for their own promotional purposes and will not be disseminated in any way.

EXTRA-EU DATA TRANSFER

The data will mainly be processed within the European Union, but it may happen that they could be transferred, for the pursuit of the purposes mentioned in paragraph 4 above, to entities located in third countries (outside the EU).

The transfer of personal data to third parties resident or located in countries that do not belong to the European Union and that do not ensure adequate levels of protection will only be carried out with (i) the consent of the data subject or (ii) subject to the conclusion between the Company and such entities of specific agreements containing appropriate safeguard clauses and guarantees for the protection of personal data (so-called "standard contractual clauses") also approved by the European Commission, or, (iii) in the presence of an adequacy decision, or (iv) if the transfer is necessary for the conclusion and execution of a contract between the Company and the data subject, or for the management of the data subject's requests.

RIGHTS OF THE PERSON CONCERNED

The following rights may be exercised vis-à-vis GVR at any time and in connection with the personal data covered by this privacy policy:

Right of access and rectification (Articles 15 and 16 GDPR): the right to access and have a copy of personal data and to request that they be corrected, amended or supplemented.
Right to data deletion (Art. 17 GDPR): in the cases provided for by current legislation, request the deletion of personal data.
Right of restriction (Art. 18 GDPR): the right to request the restriction of the processing of personal data in the event of unlawful processing or contestation of their accuracy.
Right to portability (Art. 20 GDPR): the right to request and obtain, from the Data Controller, personal data in order to transmit them to another Data Controller, in the cases provided for in the aforementioned article.
Right to object (Art. 21 GDPR): the right to object at any time to the processing of personal data by the Controller.
Right to lodge a complaint (Art. 77 GDPR): the right to lodge a complaint with the competent Data Protection Authority if the data subject considers that a breach relating to the processing of his/her personal data has occurred or is occurring.

With regard to processing carried out on the basis of consent, the data subject may revoke the consent at any time, without prejudice to the lawfulness of the processing carried out prior to revocation.

Furthermore, at any time, the person concerned may express his or her wish to no longer receive communications of a commercial nature sent pursuant to Article 130 of the Privacy Code ("Soft Spam") referred to in letter A. of the table under paragraph 4 of this Notice.

The above-mentioned rights of the data subject may be exercised:

by e-mail to privacy@gianvitorossi.com
by ordinary mail to the Holder's address, as set out in paragraph 2
by contacting the DPO at dpo@gianvitorossi.com

UPDATES

This Information Notice may be amended and/or supplemented over time, either as a result of legislative interventions regarding the protection of personal data, or in relation to changes in best practices or services offered by the Company.

The updated version of the Policy is, in any case, always published and available on the Site.

DATE OF LAST UPDATE: 17 JULY 2023