We want to inform you fully and transparently of how our company may process your personal data provided and/or collected during the various contacts you may have with us, by visiting our website www.shhmilano.it (hereinafter the “Website”) and/or other websites related to us at any time, while visiting our stores, by downloading and using our Apps, participating in prize competitions, using Wi-Fi systems in our stores, via social networks (hereinafter collectively “Personal Data”).
Your privacy is extremely important to us and we kindly invite you to read the following notice carefully.
By submitting your Personal Data you can enjoy the advantages and benefits we reserve exclusively for our registered customers (subject to availability in your Country) and offer to people who love our products, visit our online or physical stores around the world or use our App or other online services.
1. Who collects your personal data
The subjects who collect and process the Personal Data as data controllers (hereinafter jointly “Data controllers” or “Controllers”) are:
- Shh Milano srl, with registered offices in Italy, Milano, Via Stendhal, 58, 20144, email email@example.com, for marketing and profiling purposes and, in case of purchase through the Site, also for administrative and accounting purposes;
If you want to receive more information on local affiliates of Shh Milano srl, you can write an email to firstname.lastname@example.org or write to the mailing addresses shown above.
The Data Controllers have also appointed the following data processors to process the Personal Data on their behalf (hereinafter collectively “Data Processor” or “Processor”):
A full and up-to-date list of the Data Processors appointed by the Controllers can be obtained by contacting the addresses shown above or by sending an email to email@example.com.
2. Why we collect personal data
Personal Data will be processed for the following purposes:
a. administrative and accounting purposes: fulfillment of the sales contract, accounting and fulfillment of legal obligations, after-sales services;
b. subject to your consent, for marketing purposes: dispatch of advertising material or direct sales material, market research, commercial communication, including customized communication with automated contact systems (e-mail, other remote communication systems via communication networks including, but not limited to: text messages, picture messages, WhatsApp) and traditional (paper mail) contact methods, and the offer of customized sales services at the Controllers' stores worldwide;
For the purposes of letter a., Data Controllers may collect and process the following Personal Data:
• personal information: first name, middle name, surname, name and surname in the local alphabet;
• during a visit to our online store we will collect your shipping and invoicing address, method of delivery and payment, name of the credit card holder and card expiry date, information requested from customer services.
In addition to the Personal Data listed above, for the purposes of letters b. and c. above, Data Controllers may also collect and process the following Personal Data related to your profile and preferences:
• data collected during your visit to our stores, including use of the Wi-Fi system: birthday, presumed age group, date of birth, gender, method and date of registration, preferences regarding store and sales assistant, language, categories of preferred products, mode of use of services, any service preferences recorded in store, redemption campaign, event attendance, products tried on in the dressing room but not purchased;
• data concerning purchases made online and in stores: details of the products purchased, size, price, discount, units, color, wash, fit, model, collection, level of expenditure calculated, abandoned shopping cart;
• data regarding participation in prize contests;
• data collected during navigation or during online store purchases or the use of Apps: data related to browsing behavior and/or use held on Data Controllers' websites by using, for example, cookies or information about pages that have been visited or searched or related to the wishlist.
3. What happens if you do not provide personal data
Some Personal Data that we will point out during the registration procedure or purchase are required in order to fulfill the purchase contract and to perform the administrative and accounting procedures (letter a. of Paragraph 2).
The processing of Personal Data for profiling and marketing purposes (letters b. and c. of paragraph 2) is optional and therefore the inclusion of this Personal Data in our Customer Relationship Management (CRM) systems, which allows the Personal Data to be processed for marketing and profiling purposes, will only take place with your consent.
You may at any time revoke your consent to the profiling and/or marketing purposes (letters b. and c. of Paragraph 2) by contacting the Data Controllers individually at the addresses given above. Failing to provide the Personal Data and/or withholding your consent will preclude the pursuit of profiling and marketing purposes but will have no effect on your ability to complete your purchases.
4. How we will process personal data
The Personal Data provided and/or collected by Data Controllers will be processed and stored using automated tools and, in some cases, they may be processed and stored on paper. In particular, Personal Data processed for profiling and marketing purposes will be stored in the CRM systems that allow the processing of Personal Data for marketing and profiling purposes by Data Controllers and/or Data Processors.
The Personal Data collected for administrative and accounting purposes (letter a. of Paragraph) will be stored for the time necessary to perform the contract and in accordance with the time limits established by local laws and regulations. The Personal Data collected for marketing and profiling purposes (paragraph 2, letters b. and/or c.) will be stored until the customer asks to revoke the registration or the consent to the processing of Personal Data. The Personal Data related to the details of purchases processed for profiling and/or marketing purposes will be retained for the time allowed by the Italian Data Protection Authority (hereinafter the “Authority”) in its decision of 24 February 2005 or, in case of acceptance, for the number of years required by the decision accepting a preliminary verification request presented by the Data Controllers if adopted by the Authority.
On expiry of the retention terms indicated above, the Personal Data will be automatically erased or made permanently anonymous.
5. Who will process personal data
The Personal Data will be processed by:
• employees and associates of the Data Controllers designated as persons in charge of the processing;
• employees and associates of the Data Processors designated by Data Controllers, including (i) subjects that manage the traditional or online stores and that may view, edit and update the Personal Data entered into the CRM systems by means of which the Data Controllers process Personal Data for marketing and profiling purposes; (ii) subjects that manage the storing of the Personal Data on behalf of the Data Controllers in accordance with local agreements and laws;
• third party members in or outside the EU, Data Processors, used by the Data Controllers in particular for Personal Data collection and data entry services, shipping, mailing of promotional material, after sales support and customer service, market research, management and maintenance of the CRM systems by means of which the Data Controllers perform processing activities for marketing and profiling purposes and other Data Controller IT systems. The full list of Data Processors appointed by the Data Controllers can be obtained by writing to the email address firstname.lastname@example.org or the mailing addresses given above.
The Personal Data may also be disclosed to third parties, independent data controllers, in particular professionals or legal or tax advice and assistance firms and companies managing payments made by debit or credit card. The Personal Data will not be disseminated in any way. The Personal Data may be transferred to countries outside the European Union that do not offer an adequate level of data protection only in accordance with the safeguards set forth by applicable laws.
6. Your rights
According to article 7 of Italian Legislative Decree 196/2003 and Chapter III of Regulation (EU) 2016/679, you can at any time request information on your personal data processed by the Data Controllers (right of access), ask for them to be supplemented, rectified or deleted and object to their processing. Furthermore, starting from May 25, 2018 (when Regulation (EU) 2016/679 comes into force), you will also be able to exercise the right to restrict data processing and portability and to lodge a complaint with a supervisory authority.
In particular, you have the right to object partially or entirely to the processing of your personal data for market research or commercial communication purposes both by automated means (e-mail, other remote communication systems via communication networks including, but not limited to: text messaging, picture messaging, WhatsApp) and traditional means (paper mail).
If you prefer the processing of your personal data to be carried out solely by means of traditional contact methods, you may object to the processing of your personal data by automated contact methods.
In order to exercise your rights, send a request to the Data Controllers by writing to the following address: email@example.com or to the mailing addresses given above.
Article 7 of Legislative Decree 196/2003. Rights of the person concerned
1. The person concerned will be entitled to obtain confirmation of whether or not personal data concerning him/her exist, even if they have yet to be recorded, and to receive a communication of such data in intelligible form.
2. The person concerned will be entitled to be informed of:
a. origin of the personal data;
b. data processing purposes and methods;
c. logic applied in case of processing carried out using electronic tools;
d. details of the data controller, processors and representative appointed pursuant to article 5, paragraph 2;
e. the entities or categories of entities to whom the personal data may be communicated and who may gain knowledge of said data in their capacity as designated representative in the territory of the State, data processors or persons in charge of the processing.
3. The person concerned will be entitled:
a. to have the data updated, rectified or, if he/she has an interest in doing so, supplemented;
b. to have the data deleted, made anonymous or blocked if they have been processed unlawfully, including data that do not need to be retained for the purposes for which they were collected or subsequently processed;
c. to a certification stating that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.
4. The person concerned will be entitled to object, in whole or in part:
a. on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;
b. to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials, direct selling, market research or commercial communication purposes.