Information about the processing of personal data collected at the Boutiques GENTE Roma
"Personal Data" means any information which allows a Client to be identified as an individual, either directly or indirectly.
"Processing" of personal data means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The processing of Personal Data shall follow principles of correctness, lawfulness, transparency, purpose and retention limitation, data minimization, accuracy, integrity, confidentiality and accountability pursuant to article 5 of the GDPR. Client's Personal Data will therefore be processed in accordance with the data protection regulations and other applicable laws.
The processed Personal Data described in this statement coincides with those voluntarily provided by the Customer, through
(i) filling in the appropriate forms at GENTE ROMA Boutiques, or
(ii) filling in the online forms on the web pages on the website www.genteroma.it (hereinafter the "Site"), or
(iii) social media channels (eg. Facebook, Twitter), or
(iv) through the different communication channels chosen by the Customer at his discretion.
On the above forms, the Customer can provide: name, surname, email address, telephone number (landline and / or mobile), address of domicile in Italy and address of domicile in the country of residence.
The data collected through the aforementioned forms are associated with data relating to purchases made by the customer.
The Data Controller is the company that manages the Boutique that the Client has provided with his Personal Data, in particular:
- the Boutique on via del Babuino 77, the company BD77 s.r.l., based on Via del Babuino, 77 - 00187 Roma, P. IVA 10826481003;
- as for the Boutique on via del Babuino 81, the company BABUINO 81 s.r.l., based on Via del Babuino 81 - 00187 Rome, P.IVA 08723031004;
- as for the Boutique on Via Cola di Rienzo 277, the company COLA 277 s.r.l., based on Via Cola di Rienzo, 277 - 00192 Rome, P.IVA 08723071000;
- as for the Boutique on via di Vigna Stelluti 177, the company VIGNA 177 s.r.l., based on Via di Vigna Stelluti, 177 - 00191 Rome, P.IVA 06695321007;
- as for the Boutique on Via Viale Europa 91, the company EUROPA 91 s.r.l., based on Viale Europa, 91 - 00144 Rome, P.IVA 05809961005;
- as for the Boutique on Via Frattina 92.93, the company FRATTINA 69 s.r.l., based on Via Frattina 69 - 00187 Rome, P.IVA 01926791003;
- as for the Boutique on via del Babuino 185, the company BABU s.r.l., based on Via del Babuino 185 - 00187 Rome, P.IVA 05809991002;
- as for the Boutique on Via Cola di Rienzo 246, the company PROPERZIO 5 SRL, Via Cola di Rienzo 246 - 00192 Rome - VAT: 10113161003.
In the event that the customer provides his personal data through the Site or through the GENTE ROMA social media channels, the data processing owner will be VAIR S.p.A. 4, VAT number: 05809951006.
All Boutiques are reachable at the following email address: firstname.lastname@example.org
Purposes of data processing
The Personal Data will be processed for the following purposes:
- Allow the provision of the services requested by the Client (for example, in relation to the sale of a product, request for contact or a quote, newsletter subscription, request for information, participation in contests and similar initiatives.
- To answer specific requests addressed to the Data Controller.
- To carry out marketing activities, conduct studies, research, market statistics and send advertising and information material related to the activities, the products and the services regarding the brand GENTE ROMA and by third parties. If the Client gave his consent to the above processing activities, said activities can be performed by way of postal mail, a phone call with an operator (“traditional methods”), e-mail, SMS and through the use social networks (“automated methods”). The Client can, at any time, withdraw his consent by giving notice to the Data Controller without any formality, by simply sending an email to email@example.com, without prejudice to the lawfulness of the processing based on previous consent.
- Inform loyal customers of advantages linked to the volume and type of expense, also by sending them specific information through the communication channels referred to in the previous point.
- To fulfill any obligations required by the laws in force, by regulations or by EU legislation, or to satisfy requests from the authorities.
- To carry out statistical analysis without the possibility of identifying the Client.
- To carry out direct marketing activities via e-mail for services similar to those the Client has subscribed to, in accordance to art. 130, coma 4 of the code unless the Client objects to receiving such communications.
Legal basis and mandatory or optional nature of the processing
The legal basis for the processing of Personal Data as described in sections 4 a) and b) is Article 6(1)(b) of the GDPR (“[…] processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”), since processing operations are required in order to provide the services or to respond to requests. The provision of Personal Data for these purposes is optional, however, failure to provide them would imply the inability to initiate the requested services or respond to requests.
Processing operations carried out for the marketing purposes described under Section 4 c) are based on the granting of Client's consent pursuant to Article 6(1)(a) of the GDPR (“[…] the data subject has given consent to the processing of his or her personal data for one or more specific purposes”).
The Processing based on art. 4.d) on the legitimate interest of the holder pursuant to art. 6 (1)(a) of the GDPR, consisting in particular of the interest in maintaining and perpetuating the business model that made the success of the GENTE ROMA group possible, namely the establishment of a relationship of trust and continuity with the customer, with a "customer by customer" approach. The owner has carefully considered the impact of these treatments on the personal data of the Customers, implementing an appropriate balance between his own interest and the interests of the Customers, putting in place adequate technical and organizational measures in order to protect the rights of the Customers. The document containing the related privacy impact assessment (prepared by Article 35 of the GDPR) is available upon written request from the Customer.
The processing of Personal Data described in Section 4.e) is based on a legitimate processing of personal data pursuant to Article 6 (1) (c) of the GDPR (“[…] processing is necessary for compliance with a legal obligation to which the controller is subject”).
Please note that the processing referred to in Section 4.f) is not performed on Personal Data and therefore it can be freely performed by the Data Controller.
The processing of Personal Data for the purposes described in Section 4 f) represents a legitimate processing under the applicable law, which does not require the Client's consent. The Client can object to the processing of Personal Data at any time by simply writing to the following email address: firstname.lastname@example.org
Recipients of Personal Data
For the purposes referred to in Section 4 above, Personal Data may be shared with:
(i) subjects acting as Data Processors, e.g., persons, companies or firms providing the Data Controller with advice and consulting services in accounting, administrative, legal, tax, financial and other matters. Among the Data Processor, a primary role is played by the company VAIR S.p.A., with office in Rome, via Properzio n. 4, VAT Number: 05809951006, in its quality as provider of consulting and general managing services to the Data Controller regarding all those activities pertaining to IT, communication/marketing and commercial development matters; upon authorization by the Data Controller, VAIR S.p.A., can also appoint third parties to act as sub-Processors, e.g., those subjects providing maintenance services of network equipment and electronic communications networks;
(ii) subjects, entities or authorities to which the Personal Data must be communicated pursuant to legal provisions or orders of the authorities or in the event of reports of abuses;
(iii) persons authorized by the Data Controller, who have committed themselves to confidentiality or have an appropriate legal obligation of confidentiality (e.g., the employees of the Data Controller);
(iv) Other companies of the GENTE ROMA Group, limited to the pursuit of internal administrative purposes;
(v) commercial partners, in the sole case the Customer has given a specific consent to do so.
The complete list of the Data Processors, as well as of the employees authorized to process Personal Data, can be requested to the Data Controller by email to: email@example.com
Transfers of Personal Data
In the use of certain IT services (provided by third parties in their quality as Data Processor of sub-Processors) some Personal Data may be transferred outside the European Economic Area.
That may happen as a consequence of the use of the following services:
- Mailchimp: a service to manage email addresses and to send email messages, provided by the company The Rocket Science Group, LLC.
Personal Data communicated to Mailchimp: first name, family name, email address, nationality.
Place of the processing: United Stated – Country bound by the Privacy Shield.
- Amazon Glacier: a storage and back-up service provided by Amazon Web Services Inc.
Place of the processing: United Stated – Country bound by the Privacy Shield.
Retention of Personal Data
Personal Data will be retained in both paper and digital format.
The Personal Data processed for the purposes referred to in Section 4 a) and b) will be retained for the period deemed strictly necessary to fulfill such purposes.
The Personal Data processed for the purposes referred to in art. 4.c) and 4.d) will be processed until the revocation of the Client's consent, and in any case for a maximum period of 15 years, in line with the legitimate interest of the Owner. In fact, concerning GENTE ROMA group of luxury goods (high-end goods), whose average purchase frequency by the customer is one / two times a year, the storage time of the purchase data must be equal to at least 15 years; storage for a shorter time than the aforementioned period would not allow an adequate valuation of the customer base.
The Personal Data processed for the purposes referred to in art. 4.e) will be kept up to the time required by the specific obligation or rule of applicable law.
Personal Data processed for the purpose referred to in art. 4.g) will be processed up to the Client's opposition to such treatment.
More information about the data retention period and the criteria used to determine this period can be requested by writing to the following address: firstname.lastname@example.org
The possibility for the Data Controller to keep the Personal Data for the time allowed and admitted by Italian law for the protection of his / her rights (Article 2947 Civil Code) is reserved.
Data Subjects Rights
Under Articles 15 and following of the GDPR, the Client, as a data subject, is entitled to request from the Data Controller, at any time, access to the Personal Data, the correction and erasure of the Personal Data, as well as to object to the processing according to Article 21 of the GDPR. The Client is also entitled to request the restriction of the processing of the Personal Data in the cases set out in Article 18 of the GDPR, as well as to obtain the Personal Data in a structured, commonly used and machine-readable format, in the cases set out in Article 20 of the GDPR. Requests should be made in writing to email@example.com
In any case, the Client will always be entitled to file a complaint with the competent supervisory authority (the Italian Data Protection Authority), pursuant to Article 77 of the GDPR, if the Client believes that the processing of the Personal Data violates applicable law.
The Data Controller may modify or simply update this information, in part or completely, also as a result of changes in the legislative and regulatory provisions governing the matter.
These changes will be made known to the Customers through publication on the Site.
We therefore invite you to regularly visit our site to gain knowledge of the most recent and updated version of this information.