Data notice on the treatment of personal data according to art. 13 and 23 from the Italian D.lgs. no. 196/2003 and to the EU Directive no. 679/2016
As Your personal privacy is our priority, we invite You to read the following data notice before giving Your consent to the treatment and processing of Your personal data.
The following notice is given, in accordance to art. 13 and 23 from the Italian D.lgs. no. 196/2003 (hereafter referred to as “Code”), as well as to the EU Directive no. 679/2016 (hereafter referred to as “GDPR”), to all users interacting with the web services offered by the websites https://brucleshop.com, https://b2b.brucleshop.com and https://brucle.it (hereafter referred to as “Website”).
With “interaction” we mean everything from the simple visitation of a webpage to the usage of specific services offered by the Website, such as, for example, online form compilation for information requests or subscriptions to Newsletters, requests on information via e-mail, wishlists, purchase of products and all services offered upon purchase.
We commit to treating Your personal data in accordance with the values of honesty, lawfulness, transparency, limitation of goals and storing, minimization, precision, integrity and privacy, as well as the value of accountability of which on art. no. 5 from the EU Directive 679/2016, and in accordance with all dispositions from the same Directive about privacy obligations.
With “processing of personal data” we therefore mean every action (or set of actions) taken even without the use of information technology regarding the collection, registration, organization, storing, consultation, processing, modification, selection, cancellation and destruction of data, even in the case of those data not getting registered in a data bank.
In case of refusal of consent about the treatment of personal data, Your data will not be collected, and, as a result, neither treated nor stored.
The following data notice on the treatment of personal data is an integral part of our Sales conditions, of the Website and of the services offered.
1. DATA CONTROLLER AND DATA PROTECTION OFFICER
The Data Controller is BRUCLE SRL (hereafter referred to as “BRUCLE” or “Data Controller”) with registered office in Via G. De Leva n°9, 35128 Padova– Italy, VAT number 02774030924, Padova Commercial register number REA n. PD-410009.
The Data Controller has not appointed a Data Protection Officer (“D.P.O.”), otherwise known as Supervisor of the Processing of Personal Data as per artt. 37 e ss. Reg. UE 2016/679.
2. PERSONAL DATA PROCESSED
With «personal data» we refer to every information pertaining an identified (or identifiable) natural person («involved party»); a natural person is considered identifiable when it can be identified, directly or indirectly, via identifiers such as name, identification code, location data, online identifier, or one or more characteristic traits of their physical, physiological, genetic, psychological, financial, cultural or social identity;
Personal data processed through the Website are the following:
2.1. Navigation data
During their normal course of operations, the computer systems and software procedures used to operate this Website acquire certain personal data, the transmission of which is implicit in the use of internet communication protocols. This information is not collected with the intent of associating it with identified users but, by its nature, it could lead to the identification of users through processing and association with data held by third parties. This category of data includes IP addresses or domain names of computers used by users who connect to the Website, URI addresses (Uniform Resource Identifiers) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file received in reply, the numerical code indicating the status of the reply given by the server (successful, error, etc.) and other parameters regarding the user's operating system and computer environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Website to check its correct functionality, to identify anomalies and/or abuses; in any case, they are deleted immediately after processing.
The data may be used to ascertain responsibility in the event of computer crimes against the Website.
2.2. Links to third party websites
The Website contains links to third party websites such as, for example, social networks, websites for electronic payment, courier websites from which to track packages and so on. The Data Controller isn’t in any case responsible for any access or for cookies, tracking and analytics bugs and other online tracking technology handled by third parties the user has access to while on the Website. Furthermore, the Data Controller has no control over contents and materials published by or obtained through third party websites, nor over their methods of the user’s personal data processing; as such, the Data Controller denies every responsibility in these cases. The user is liable to verify methods of data processing as operated by third party websites they have access to through the Website and to inquire about the data processing conditions for third party websites.
The treatment of personal data is applied to the Website according to the specifications here presented.
2.3. Data voluntarily provided by the user
In many pages of the Website, You will be able to transmit Your personal data to us (for example: e-mail address, name, personal details, ZIP code etc.) via online forms, flags, pop-ups.
The compilation and transmission of these data is discretional, explicit and voluntary, and it implicates Your consent to the acquisition of the personal data You inserted in order for the Website to meet Your needs, according to the finalities of the service requested that You consented to. Unless we refer to specific regulations contained in this data notices, our acquisition and treatment of personal refers to information that You inserted in all the forms present on this Website too. Regarding such data, we request You to only enter the personal data strictly necessary for the purposes of managing Your request, thus excluding irrelevant information and/or details that may fall within the special categories of personal data pursuant to Article 9 of the GDPR ([...] personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data relating to the person's health, sexual behavior or sexual orientation).
2.4. Third-party data voluntarily provided by the user
In the case of third party information provided by the user, for example data related to payments concluded referencing the bank details of third parties; billing information; details You may provide when purchasing items to be sent to a third party, You become the independent Data Controller, assuming all the applicable legal obligations and responsibilities. To this effect, You fully indemnify us against any dispute, claim, request for compensation for processing-related damages etc. the Data Controller may receive from third parties whose personal data has been processed, through Your use of the Website's services, in violation of the applicable the personal data protection rules. In any event, if You provide or otherwise process personal data of third parties when using the Website, You hereby and henceforth guarantee that such possible data processing scenario shall be based, where necessary, on the prior acquisition – by Yourself – of the third parties' consent to the processing of their information and You accept all related liability.
2.5 Cookies and other tracking technologies
Information about cookies used on the Website is available at this link: Cookies
3. PURPOSES OF DATA PROCESSING
Your personal data will be processed, with Your consent where necessary, for the following purposes, where applicable:
3.1. for statistical assessment and monitoring purposes, without enabling the Data Controller to trace Your identity;
3.2. to enable navigation of the Website and to be able to guarantee the services offered by the Website, such as Website security, contractual relations and administrative and accounting needs;
3.3. to follow up specific requests addressed to the Data Controller, including requests for Customer Service sent via e-mail, via telephone call or via Contact Us form;
3.4. to respond to possible obligatios dictated by laws in effect, regulations, EU directives or authority requests;
3.5. for direct marketing, via e-mail, about similar products to those You have purchased, according to art. 130, comma 4 of the Code, unless You expressly refused receiving such messages, which You can do as soon as You register to the Website or at later times;
3.6. to send You announcements and commercial proposals, including newsletters and market analysis through automated tools (SMS, MMS, email, instant messaging and chat) and otherwise (post, telephone). in accordance with the General Provision of the Data Privacy Guarantor "Guidelines on promotional activities and counteracting spam" of 4 July 2013, the Data Controller collects a single consent declaration for the marketing purposes described here. If, in any case, You wish to oppose the processing of Your data for marketing purposes carried out with the means indicated here, You can do so at any time by contacting the Data Controller at the addresses indicated in the "Contacts" section, reachable from every page of the Website, without prejudice to the lawfulness of the processing undertaken prior to Your opposition;
3.7. for general profiling purposes about Your consumer choices and preferences, and in order to send You communications and customized commercial offers; finally, for market analysis purposes.
3.8. in order to communicate Your data to companies that collaborate with the Data Controller for the sending of promotional communications and direct marketing purposes through automated tools (SMS, MMS, email, instant messaging and chat) and otherwise (post, telephone).
Specific security measures have been implemented to prevent data loss, illicit or incorrect use of data and unauthorized access.
4. LEGAL BASIS AND OBLIGATORY OR OPTIONAL NATURE OF PROCESSING
4.1. The legal basis for the processing of personal data for the purposes is referenced in section 3.2, in accordance with art. 6 ( 1 )(b) from the GDPR ([…] processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Consent to the processing of personal data is discretional, but a lack of consent may result in the impossibility to activate the requested services.
4.2. The processing performed for the purposes referenced in section 3.4 is a legitimate treatment and is necessary in accordance to the legal obligations the Data Controller is subjected to according to art. 6 ( 1 )(c) of the GDPR ([…] processing is necessary for compliance with a legal obligation to which the controller is subject)
4.3. The processing performed for the purposes referenced in sections 3.6, 3.7 and 3.8, which is direct marketing, profiling and communication of data to third-parties that collaborate with BRUCLE, is done in accordance with art. 6( 1 )(a) ([…] the data subject has given consent to the processing of his or her personal data for one or more specific purposes)and art. 22( 2 )(c) of the GDPR.
Consent to the processing of personal data is discretional and does not result in the impossibility to activate the services offered by the Website.
If, in any case, You wish to oppose the processing of Your data for the purposes of which on sections 3.6, 3.7 and 3.8, You can do so at any time by contacting the Data Controller at the addresses indicated in the "Contacts" section or, if You are a registered user, by accessing Your private area on the Website.
4.4. The processing performed for the purposes referenced in section 3.5 for direct marketing is in accordance with art. 130( 4 ) of the Code ([…]if the Data controller, for direct marketing of their own products and services, uses the e-mail address of the involved party in the context of selling products and services, they are allowed not to ask for consent for as long as the services offered are analogous to those of the purchased object or service and for as long as the involved party, adequately informed, does not refuse such use of their data before then, after then or during that very occasion. The involved party, at the time of collecting of data and at the moment of the sending of any communication for the purposes on which here, is informed about their right to refuse consent to the treatment of their data, easily and without needing to pay to revoke consent.
4.5. The processing performed for the purposes referenced in section 3.1 can be freely done by the Data Controller because it is not done using personal data.
5. RECIPIENTS OF PERSONAL DATA
5.1. persons authorised by the Data Controller to process personal data in accordance with art. 28 and 29 of the GDPR, such as:
5.1.1. persons, companies or professional firms that provide assistance and consultation services to BRUCLE for accounting, administrative, legal, tax related and financial operations;
5.1.2. persons that provide maintenance of technological services;
5.1.3. credit institutes, insurance companies and brokers;
5.2. institutions, persons and authorities with the duty to transmit Your personal data because of legal obligations and authority mandates;
5.3. persons authorized by the Data Controller, in accordance with art. 30 of the Code and 29 of the GDPR, to treat and process personal data that are necessary for activities connected with the services offered, and bound to keeping the privacy with legal obligations;
5.4. companies that collaborate with BRUCLE, for internal administrative activities;
5.5. companies that collaborate with BRUCLE, for purposes on which in section 3.8, after You have given Your consent (as better explained in section 4.3).
These subjects are collectively referred to as "Recipients".
6. TRANSFERS OF PERSONAL DATA
Some of your personal data is shared with Recipients who may be situated outside the European Economic Area. The Data Controller ensures that these Recipients process your personal data in compliance with artt. 43 and 44 of the Code and 44–49 of the GDPR. With regard to the transfer of personal data to third countries, the Data Controller declares that the processing will be undertaken according to one of the methods permitted by current legislation, such as the consent of the concerned party, the adoption of Standard Clauses approved by the European Commission.
7. STORING OF PERSONAL DATA
7.1. Your personal data, treated for the purposes on which in sections 3.2 e 3.3, are only stored for the strictly necessary to achieve those very purposes.
As this treatment of data is done in order to give a service, the Data Controller will store those data for the amount of time regulated by Italian law (art. 2946 et seq. of the Italian Civil Code).
7.2. The personal data necessary for the purposes referenced in section 3.3 will be stored for as long as strictly necessary for those very purposes or in accordance with the relative applicable laws.
7.3. The personal data necessary for the purposes referenced in section 3.4, will be stored until consent is revoked.
7.4. The personal data necessary for the purposes referenced in sections 3.5 e 3.6, will be store for a maximum period of 5 years starting from the day of registration of those data.
In any case, the Data Controller is allowed to store Your personal data for as long as allowed by the Law in order to protect their interests (Art. 2947( 1 )( 3 ) of the Italian Civil Code).
8. RIGHTS OF THE DATA SUBJECT
As a Data Subject, You can exercise your rights according to art. 7 of the Code (Storing of Personal Data), those rights being: requesting confirmation of the storing of Your personal data, knowing their contents and origin, verifying their correctness or requesting additions, updates and corrections. You have also the right to request cancellation of Your personal data, transformation of them to anonymous form or blocking of data that are being treated in violation of the Law, as well as to oppose the treatment of data for legitimate reasons.
Since May 25th, 2018, You have the right to request access to Your personal data, to refuse consent to their treatment and storing, to request the limitation of the treatment of Your personal data in accordance to art. 18 of the GDPR, whenever it is technically possible and not in contrast with the Law; you also have the right to receive all the data that concern you in a standard, readable document in the cases allowed by art. 20 of the GDPR.
These requests may be sent in written form to the Data Controller’s contacts that you can find in the “Contact us”; if You are a registered user, you can also freely download them from Your personal account in the section “EXPORT PERSONAL DATA AND REQUEST CANCELLATION”.
In any case, You are always entitled to present a claim to competent authorities (Warrantor of the protection of Personal Data), in accordance with art. 77 of the GDPR, if You believe that the treatment of your personal data is done in violation of the laws in force.
For any request, in accordance with Your rights, you can write us at the e-mail address firstname.lastname@example.org, at the physical address written above or through the online form present in the section “Contact us” of the Website.
10. AMENDMENTS TO THE DATA NOTICE
The Data Controller reserves the right to modify or simply update its content, wholly or partially, also as a result of variations in the applicable legislation.
In accordance with our values of transparency and information of our client, we will provide you with an extract of the articles that regulate the aforementioned rights of the Data Subject.
RIGHTS OF THE INVOLVED PARTY
Decreto Legislativo 30 giugno 2003 n. 196 and following updates and integrations:
Art. 7 – Access to personal data and other rights
1. The involved party has the right to request confirmation of the existence of their personal data and to request access to them, even if not yet registered, and to be given them in a readable form.
2. The involved party has the right to request information such as:
a) origin of the personal data;
b) finalities and methods of treatment of the data;
c) what logic is applied to the treatment of personal data with technological systems;
d) identification details of the Data Controller or of whoever responsible and representative of the treatment of data in accordance with art. 5 ( 2 );
e) parties or categories of parties to which the data can be transmitted, parties that can be informed of them as representatives in regional areas;
3. The involved party has the right to obtain:
a) updates and corrections to their personal data;
b) cancellation or transformation into anonymous form of their data or interruption of transmission of data that are being treated in violation of the Law, including those data of which storing is not necessary n order to achieve the purposes for which the data were initially collected and/or treated;
c) confirmation that, in case of actions pertaining to a) and b) were done, all subjects that had access to them have been informed and updated, in any case that is technically possible and achievable with reasonable ease.
4. The involved party has the right to refuse, completely or in part, consent to:
a) treatment of personal data, for legitimate reasons that are within the boundaries of the reasons why the data were collected in the first place;
b) treatment of personal data for the purpose of sending commercial offers and doing market analyses.
EU Directive no. 679/2016 and following updates and integrations:
Article 15 – Right of access by the data subject.
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others. Section 3 Rectification and erasure
Article 16 – Right to rectification.
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Article 17 – Right to erasure (‘right to be forgotten’)
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defense of legal claims.