This information on the processing of Personal Data (hereinafter “Information”) is provided to the User of the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com with reference to the consequent processing of the User’s Personal Data, provided in his/her capacity as a natural person directly concerned in the purchases and the consequent processing, in compliance with the provisions contained in articles 13 and 14 of EU Regulation 2016/679 of 27 April 2016, in relation to the protection of natural persons with regard to the processing of Personal Data, as well as the free movement of such data (General Data Protection Regulation, hereinafter also “GDPR”).
Pursuant to articles 13 and 14 of the GDPR, you are therefore invited to take note of the following Information.
I. Personal Data
The Personal Data that will be collected are the following:
• in the case of a Customer who is a natural person: identifying data (name, surname, tax code, VAT number), landline or mobile phone number, residence address, and any shipping address (if different from the residence address), and email address.
(Hereinafter “Personal Data” or “Data”).
The User is responsible for the completeness and truthfulness of the Personal Data, and must therefore hold the Data Controller exempt from any liability towards third parties. As regards so-called “navigation” data and/or the use of so-called “cookies”, please refer to the separate policy, which can be accessed on the website of the Data Controller.
II. Data Controller in charge of the processing of Personal Data
The Data Controller in charge of the processing of the Personal Data provided by the Customer is Istituto Image Srl, Via Pietro Mascagni 14, 20122 Milan (MI), Tax code: 06564590963 and VAT Number: 06564590963 (hereinafter “Data Controller”). For any communication to be sent to the Data Controller, it is possible to send an e‐mail to the following address: shop@istitutoimage.com; or a PEC (Certified e‐mail) to: istitutoimagesrl@legalmail.it; or a registered letter to the address of the Data Controller’s offices.
III. Purposes of the processing
In fulfilment of the obligations established by current legislation, the Data Controller collects the Personal Data and carries out their processing, for the following purposes:
a) managing the User’s registration on the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com; and during the precontractual and contractual phase for the purpose of implementing the collection and management of orders relating to the products and the services offered by the Data Controller on said platform; as well as for following up on any requests made by the User, including requests for information regarding the products and the services offered by the Data Controller; and also for proceeding with the completion of the procedures and activities associated with the performance of the Order itself in favour of the Customer;
b) fulfilling the legal and contractual obligations associated with the execution of the Order and the Service in favour of the Customer, including the performance of invoicing and payment collection activities, and the related tax obligations;
c) fulfilling any legal, accounting and tax obligations (e.g., customer due diligence obligations and customer information communications in compliance with the provisions relating to the prevention of money laundering, obligations deriving from the provisions relating to the verification and repression of computer crimes, tax violations etc.);
d) sending advertising material, newsletters, and carrying out direct marketing actions;
e) the exercising of rights in court and out of court, connected to the relationship (e.g., management of any disputes).
IV. Nature of the conferral and legal basis for the processing
The Personal Data collected in the context of this processing are strictly functional to the purposes referred to in the preceding paragraph.
For purposes a) and b) of paragraph III above, the provision of Personal Data does not require the User’s consent, given that their processing is necessary for the execution of the contract and of the precontractual measures, and for the management of the orders transmitted by the User on the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com.
For the purposes referred to in letters b) and c) of paragraph III above, the legal basis for the collection of the Personal Data is the necessary fulfilment of a legal obligation to which the Data Controller is subject.
For the purposes referred to in letter d) of paragraph III above, the legal basis for the collection of the Personal Data is the free and specific consent of the User, which may have been given during the registration phase on the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com or subsequently communicated to the Data Controller. It is understood that, by virtue of the rights granted to the interested parties by EU Regulation 2016/679 of 27 April 2016, referred to in paragraph VIII below, the User may at any time and without any prejudice revoke his/her previously granted consent, without prejudice to the legitimacy of the processing carried out in the meantime.
For the purposes referred to in letter e) of paragraph III above, the legal basis for the collection of the Personal Data is the legitimate interest of the Data Controller in the exercise and protection of the Data Controller’s rights in court and out of court.
In the event of the User’s failure to provide the Personal Data for the purposes referred to in letters a), b), c) and e) of paragraph III above, it will not be possible for the User to register on the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com, nor to forward orders through them, and hence to correctly execute the contractual relationships and the Services connected with them. The provision of Personal Data by the User for the purposes referred to in letter d) of paragraph III above, on the other hand, is optional, given that it is also possible to correctly execute the contractual relationships and the Services connected with them without it.
V. Methods of processing
The processing will be carried out both with manual tools on hard-copy format and with IT and/or telematic tools, with organization and processing logics strictly related to the purposes for which the Personal Data are processed, and in any case in such a way as to guarantee the security, integrity, and confidentiality of the Data in compliance with the organizational, physical, and logical measures envisaged by the provisions in force. The processing will be carried out in accordance with the principles of correctness, lawfulness, and transparency, in order to protect the privacy and the rights of the interested party (User) at all times in compliance with the current legislation.
The Data Controller declares and guarantees that the Personal Data provided by the User will be processed with the greatest confidentiality and protection, also guaranteeing that the appropriate technical and organizational security measures will be adopted so as to prevent the unauthorized access, disclosure, accidental or improper alteration, loss, or destruction of the Personal Data.
VI. Storage times
The Personal Data will be stored, in compliance with the provisions of current legislation on the subject, for a period of time not longer than that necessary for achieving the purposes for which they have been collected, processed, and provided. For the purposes of order execution and invoicing and associated obligations, the Personal Data will be stored by the Data Controller for the entire duration of the contractual relationship and for 10 (ten) years following the date of registration of the last invoice pursuant to article 2220 of the Italian Civil Code.
In the event that the processing is necessary for the pursuit of the purposes referred to in letter e) of paragraph III above, the Data Controller may store the Data deemed reasonably necessary to be processed for these purposes, for as long as is necessary for exercising and/or protecting the Data Controller’s rights, out of court and/or in court, and in any case no later than the time at which the definitive judgement on any dispute that may have arisen becomes enforceable.
VII. Categories of recipients of Personal Data ‐ Transfer/communication of Data to third parties
In addition to the Data Controller, in some cases, the Personal Data may also be accessed by subjects involved in the organization of the Data Controller, as well as other subjects, including:
– Subjects who typically act as data controllers pursuant to article 28 of the GDPR (hereinafter “Data processors”), namely:
i. persons, companies, or professional firms that supply assistance and consultancy activities to the Data Controller in accounting, administrative, legal, tax, financial, and debt collection matters in relation to the orders;
ii. subjects external to the Data Controller who operate on the Data Controller’s behalf and provide services and/or carry out connected, instrumental, or support services to those performed by the Data Controller (e.g. couriers and logistics operators, companies operating in the transport sector, hosting providers, system engineering service providers, agents/commercial representatives/business agents/brokers etc., collection service providers, IT companies, associated and/or controlled and/or contracted and/or affiliated companies etc.);
iii. subjects delegated to carry out technical maintenance activities (including maintenance of network equipment and electronic communication networks);
iv. subjects, bodies, or authorities, and independent data controllers, to whom it is mandatory to communicate the Personal Data pursuant to provisions of the law or orders of the Authorities with respect to the purpose of Compliance (e.g., banks, insurance companies, tax registers, judicial authorities, and police);
v. subjects authorized pursuant to article 29 of the GDPR by the Data Controller to process the Personal Data necessary for carrying out activities strictly related to the management and fulfilment of the Orders, as well as to the supply of the Services, who are committed to confidentiality, or have an appropriate legal obligation to confidentiality. These subjects have access only to the Personal Data that are necessary for performing their duties, and with reference to the specific purposes for which the Data have been collected/provided, with the exclusion of the use of the Personal Data for any other purpose.
They are also required to process the Personal Data in compliance with this Information and in accordance with the applicable regulations relating to the protection of Personal Data.
In the event of any future transfer of Personal Data to a third country outside the European Union, or to an international organization, all the provisions of chapter V of the GDPR will be respected, in order to ensure an appropriate level of protection.
VIII. User’s rights
The User has the right:
• to request confirmation as to whether or not his/her Personal Data are being processed, and if they are, to obtain access to them (right of access);
• to request the rectification of inaccurate Personal Data or the integration of incomplete data (right to rectification);
• to request the cancellation of Personal Data, in the cases provided for by the GDPR (right to cancellation);
• to request the limitation of processing, in the cases provided for by the GDPR (right to limitation);
• to receive the Personal Data in a structured, commonly used and automatically readable format, and to transmit such data to another Data Controller (right to portability);
• to revoke, at any time, any consent given for the processing of his/her Personal Data for marketing purposes, without prejudice to the lawfulness of the processing based on consent given prior to revocation (right to withdraw consent). To exercise his/her right to withdraw consent, without prejudice to the procedures set out in the last indention of this paragraph, the User may also revoke his/her consent by selecting the appropriate link at the bottom of each newsletter and/or promotional e-mail of the Data Controller;
• to oppose at any time and for reasons related to the interested party’s personal situation, the processing of data carried out on the basis of the Data Controller’s legitimate interests (right of opposition);
• to lodge a complaint with a Supervisory Authority (Guarantor for the Protection of Personal Data: https://www.garanteprivacy.it/), in the event that he/she considers that the processing violates the GDPR (right to complain).
To exercise his/her rights, the Customer may formulate an express written request to the Data Controller to be sent to the following e-mail address: shop@istitutoimage.com; or by PEC (Certified e‐mail address) to the address istitutoimagesrl@legalmail.it; or by registered letter to the address of the Data Controller’s offices.