PRIVACY POLICY
Information regarding the processing of personal data on the bhalos.com website (“Website”) pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“GDPR”).
1. DATA CONTROLLER
The Data Controller is AMBRA ROSA DI ALICE DA LIO based at Via Marconi, 1 33034 Mira (Ve) C.F. and P. IVA 04355929275 (“Data Controller”).
2. PERSONAL DATA PROTECTION OFFICER
The Data Controller is business owner Alice da Lio and can be contacted at the following email address: [email protected].
3. CATEGORIES OF DATA PROCESSED
When Users browse the Website, their usage data is collected (which includes, among others, IP address, user account where registered, browsing data such as pages visited and times spent on them, session duration). More information can be found in the cookie policy.
In our contact form (web assistance) the following personal data are requested: email address, description and other data of a personal nature that can be shared in the free field of “description” or message/chat. Data of special and sensitive nature are not requested, but if photographs, health information and other personal information are spontaneously shared, these will also be processed by the authorized personnel of the Owner.
In case Users subscribe to the newsletter, their full name, gender, e-mail address, cell phone number (if provided), city, country, and date of birth are also collected.
If Users choose to respond to surveys sent by the Data Controller or questionnaires/tests on the Website, the Data Controller will also process the information included in their responses.
Where Users register with the Website, their first and last name, gender (if provided), e-mail address, cell phone number, date of birth and the address at which they choose to receive any orders placed on the Website are also collected. As part of purchases, all information necessary to follow up on orders is also collected (including, for example, payment method, shipping address, and all order details). When Users request an invoice as part of purchases made on the Website, their social security number is also collected.
When Users decide to leave a review, the Owner will process information about that User as well as the date of the review and its content.
4. PURPOSE OF PROCESSING
Personal data will be processed only for the following purposes:
- Enable the Owner to fulfill its obligations under the law as well as follow up on administrative/accounting requirements related to the management of the Website;
- Allow Users to browse the Website, register on the Website, make purchases on the Website, and participate in sweepstakes events;
- Allow the Controller, at the request of Users, to contact Users in order to respond to their requests (as part of support and customer care activities or as a result of another contact request from the User);
- Allow the Controller to contact Users via email and/or SMS for commercial purposes, i.e. to send them discounts, news, updates and commercial communications as well as ask Users to participate in market research and surveys;
- Allow the Controller to personalize the commercial communications indicated above and sent to Users based on the purchasing habits manifested on the Website (type of purchases made, frequency of purchases, behavior during the purchase process, specific characteristics of the User) and other personal information collected from Users, including through the technologies indicated in the cookie policy;
- Allow Users to send gift cards to third parties;
- Make discounts available to Users at their request (discount code in the confirmation email of the first purchase);
- Allow the Owner to manage any reviews left by Users;
- Allow the Owner to receive and manage any applications for job positions.
5. LEGAL BASIS FOR PROCESSING
The processing of personal data for the purpose referred to in subparagraph A of paragraph 4 is necessary to fulfill legal obligations to which the Controller is subject (e.g., of a fiscal nature or relating to consumer protection) as well as, in connection with administrative/accounting requirements, to pursue legitimate interests of the Controller relating to the proper management of its business activities.
The processing of personal data for the purposes referred to in subparagraph B of paragraph 4 is necessary for the performance of a contract to which Users are party and/or the execution of pre-contractual measures taken at their request.
The processing of personal data for the purposes referred to in letter C of paragraph 4 is carried out on the basis of the legitimate interest of the Data Controller in following up Users’ requests.
The processing of personal data for the purposes referred to in letters D and E of paragraph 4 is carried out on the basis of Users’ consent. Any refusal to provide personal data for these purposes does not affect in any way the possibility to access the Website and use the related services. Some activities related to the sending of commercial communications indicated in letter D may also be carried out on the basis of the legitimate interest of the Data Controller to perform minimum segmentation activities (for example, an invitation to an event in the store).
The processing of personal data for the purpose referred to in letter F of paragraph 4 is carried out on the basis of the consent of Users who expressly request a discount code following their first purchase. Any refusal to provide personal data for these purposes does not affect in any way the possibility to access the Website and use the related services and will have as a consequence the failure to make available said discount code.
The processing of personal data for the purposes referred to in letters G and H of paragraph 4 is carried out on the basis of the legitimate interest of the Data Controller in following up Users’ requests.
The processing of personal data for the purposes referred to in subparagraph I of paragraph 4 is necessary for the execution of pre-contractual measures taken at their request.
6. CONSEQUENCES OF ANY REFUSAL TO GIVE CONSENT AND HOW TO REVOKE IT
Where Users do not wish to consent to the processing of their personal data for the purposes referred to in letters D, E and F of paragraph 4, the Controller may not send them commercial communications referred to in letters D and E of paragraph 4 and Users may not receive them. Should only consent to the personalization of communications be withdrawn, Users will no longer receive communications based on their shopping experience and specific characteristics. Furthermore, in the event that the consent referred to in letter F is not given, the User will not be able to receive the mentioned discount code.
7. PROCESSING METHODS
In relation to the aforementioned purposes, the processing will be carried out both on paper and with the help of electronic and automated tools. Personal data will be processed under the authority of the Data Controller, only by persons specifically appointed, authorized and instructed for the processing in accordance with Art. 29 GDPR.
Appropriate technical and organizational measures will be put in place, in accordance with Article 32 GDPR, to ensure a level of security appropriate to the risk related to destruction, loss, modification, unauthorized disclosure of or access to personal data.
In the event that Users provide their consent to the processing of personal data in order to receive personalized communications, they may be subject to automated decision-making, using specific technologies that will indicate which communications are best suited to their profile or which may be of most interest to them.
8. RECIPIENTS OF PERSONAL DATA
Your personal data may be communicated in full compliance with the provisions of the GDPR to the following entities: to public authorities, where required by law or at their request; to external structures and/or companies that the Data Controller uses to carry out related or instrumental activities (hosting of the Website, administrative/accounting management of activities related to the Website, marketing analysis, sending communications to Users, order management, shipment management); to external consultants. The Data Controller will appoint the third parties who process data in its name and on its behalf as data processors in accordance with Article 28.
9. PERIOD OF STORAGE OF PERSONAL DATA
Personal data collected will be kept in accordance with the provisions of the relevant regulations for a period of time not exceeding that necessary to achieve the purposes for which they are processed.
The criteria for determining the period of retention of personal data shall take into account the period of permitted processing and applicable regulations on the prescription of rights and legitimate interests where they form the legal basis for processing.
For example, in order to handle orders, the relevant personal data will be processed for the necessary time arising from tax but also consumer protection regulations.
With reference to the purposes referred to in letters D and E of paragraph 4, personal data will be processed until any withdrawal of consent. In any case, data relating to the details of Users’ purchases will be kept for the purposes referred to in letters D and E for a period not exceeding, respectively, twenty-four and twelve months from their registration, subject to transformation into anonymous form that does not allow, even indirectly or by linking to other databases, Users to be identified. In any case, the data in question may still be processed for purposes of a contractual nature or to follow up on User requests (e.g. because they are present in the “history” of purchases within the User’s account or because the User needs assistance or in the event of disputes).
At the end of the retention period, personal data will be deleted, anonymized or aggregated in such a way that Users cannot be identified.
10. RIGHTS
Users may contact the Holder at any time and free of charge to:
- obtain confirmation as to whether or not personal data is being processed and, if so, obtain access to the information referred to in Article 15 GDPR, as well as copies of the personal data;
- obtain the rectification of inaccurate personal data concerning them, or, taking into account the purposes of processing, the integration of incomplete personal data;
- obtain the deletion of personal data in the presence of one of the reasons referred to in Article 17 GDPR;
- obtain the restriction of the processing of personal data, if any of the cases referred to in Article 18 GDPR apply;
- object to the processing of personal data on grounds related to their particular position, where applicable, pursuant to Article 21 GDPR;
- receive in a structured, commonly used and machine-readable format personal data concerning them, as well as transmit such data to another data controller without hindrance by the Controller, if technically possible, in the cases and within the limits set out in Article 20 GDPR, where applicable;
- in relation to personalization of communications (where consent has been given), express their opinion, obtain information about the rationale for the personalization, and challenge it.
Furthermore, Users have the right to revoke their consent to the processing of personal data (where given), at any time, without affecting the lawfulness of the processing based on the consent given prior to revocation.
Subject to the provisions of Section 6 in relation to how consent may be revoked, requests to exercise the above rights should be sent:
- via e-mail at: [email protected]
- via PEC to the address: [email protected]
Under the GDPR, the Data Controller is not authorized to charge fees to fulfill one or more of the requests listed in this section, unless they are manifestly unfounded or excessive, and in particular are repetitive in nature. In cases where Users request more than one copy of personal data or in cases of excessive or unfounded requests, the Data Controller may (i) charge a reasonable fee, taking into account the administrative costs incurred to process the request or (ii) refuse to comply with the request. In these eventualities, the Controller will inform Users of the costs before processing the request. The Controller may request additional information before processing requests if it needs to verify the identity of the individual making the request.
11. COMPLAINT TO THE SUPERVISORY AUTHORITY
Without prejudice to any other administrative or jurisdictional remedy, Users have, in addition, the right to lodge a complaint with the Data Protection Authority or the Supervisory Authority of their State, if they believe that the processing concerning them is carried out in violation of the GDPR. Further information is available on the website www.garanteprivacy.it and at www.edpb.europa.eu/about-edpb/about-edpb/members_en.
The Controller, in any case, invites Users to make contact directly through the above-mentioned channels, before approaching the Supervisory Authority, so as to amicably resolve any dispute regarding the protection of personal data as soon as possible.