Legal Notice

Stefano Ricci website Privacy Policy

Stefano Ricci SPA, based in Fiesole (FI), via Faentina, 171, postcode 50010, (hereinafter 'the Company' or 'SR'), as Data Controller within the meaning of Arts. 13 and 14 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter 'GDPR' or 'Applicable Privacy Law'), provides you with the following information with regard to its website www.stefanoricci.com (hereinafter, 'Website').

1. Source of data

Where personal data are not collected directly from the data subject, the source of the data is the person who communicates them to the Company and undertakes to make this Privacy Policy known.

2. Processed data

The Controller will process the following personal data:

  • Browsing data: The computer systems and software procedures used to operate this website acquire, in the course of their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature might allow for user identification through processing and association with data held by third parties. This category of data includes the IP addresses or domain names of the computers used by users connecting to the website, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment. Such data are used to obtain statistical information on website usage and to check its correct functioning and are deleted in accordance with the applicable law. They may be used to establish liability in the event of any computer crimes damaging the Website, only to the extent permitted by the applicable law.
  • Data needed to access the Website, cookies and other technologies: Our Website uses cookies and other technologies, also on the basis of your prior consent when required by applicable law; for more information, please visit our Cookie Policy.
  • Data related to services rendered through the Website: Processing of identification data or of contact, user, password, payment, shipping data, as voluntarily provided by you for the purpose of the services rendered online, with particular reference, for example, to account creation and use, goods purchase, returns and customer service, Newsletter subscription, product preferences.
  • Identification data, contact data, other personal information: The optional sending of e-mail messages to the e-mail addresses indicated on this Website, as well as the sending of messages by filling in forms, chats and messaging, entails the subsequent acquisition of the sender's name and address, the latter being necessary to reply to requests, and of any other personal data included in the message.

With reference to these types of data, you are advised to include in your communications with the Controller only the personal data strictly necessary for the purposes thereof, thus excluding irrelevant information and/or information that may fall within the special categories of personal data referred to in Art. 9 of the GDPR ([...]personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data concerning health or a natural person’s sex life or sexual orientation) or personal data relating to criminal convictions and offences as referred to in Art. 10 of the GDPR.

The Website includes 'buttons' (known as 'social buttons/widgets') showing the icons of social networks (e.g. Facebook, Instagram, LinkedIn, etc.). By clicking these buttons, users browsing the Website can interact directly with social networks and other websites shown thereon. In this case, the social network and the other websites acquire data relating to the user's visit. The Controller will not share any browsing information or user data acquired through the Website with any social networks or other websites that can be accessed through the social buttons/widgets. Please refer to the Privacy Policies of the providers of these services.

3. Purposes of data processing, legal bases and storage periods

| Purposes | Legal basis | Storage periods |
|---|---|---|
| Website operation, granting access to it, improving it, solving any technical issues and ensuring its security | Legitimate interest of the Controller, namely its interest in ensuring Website operation, improving its appearance and user experience, and guaranteeing its security | 2 years running from the user's last access to the Website |
| Location of the user's position on the map and indication of the nearest store (Store Locator) | Consent | Cookie Policy |
| Account registration and management, including technical communications and access to the social log-in system | Contract performance | For as long as the account is activated and thereafter for the technical time required for its deactivation |
| Purchase of goods | Contract performance | 10 years running from purchase of the good |
| Storage of credit card data to make subsequent online transactions easier | Consent | 2 years |
| Shipment of goods | Contract performance | Time required to process and dispatch the order |
| Administration and accounting | Legal obligation | 10 years |
| Request for information | Contract performance | Time needed to handle and process requests |
| Returns and refunds management | Legal obligation | Time required to process the request and for 10 years thereafter |
| Complaint management | Legal obligation | Time required to handle the complaint and for 10 years thereafter |
| Defence of legal claims | Legitimate interest | For the whole duration of the legal action and until the time when no further appeals can be brought |
| Legal obligations | Legal obligation | Until the deadline for compliance with the legal obligation to which the Controller is subject |
| Newsletter subscription | Performance of a contract (if it is the only service required); Consent (if the service is offered by the Controller) | Until unsubscription |
| Customer Care | Contract performance | For the time required to handle customer care requests and for no more than 24 months thereafter, unless further storage is required by law or to protect the Controller's rights. |
| Marketing | Consent | 7 years |
| Profiling | Consent | 7 years |

Please note that the storage period for marketing and profiling purposes, based also on a prior positive Impact Assessment (DPIA) conducted by the Controller, is in line with what has already been established by the Privacy Authority in similar cases concerning the processing of customers' personal data for profiling and profiled marketing purposes in the luxury goods sector.

4. Processing methods

Processing may take place with or without using electronic and automated tools. In the course of processing, your personal data may be brought to the attention of persons authorised by the Company to process them, who will be given specific instructions in this regard. Personal data will be stored at the Company's registered office.

5. Mandatory or optional nature of data supply

The supply of your personal data is required for the purposes set out in paragraph 3 above, where processing is not based on consent. Should you refuse to provide them, in whole or in part, the Controller will be prevented from providing the services requested and fulfilling its regulatory obligations.

Your failure to supply your data for consent-based purposes or your denial of consent will not prevent the Controller from providing the services requested, where not based on consent, but will prevent, for example, Newsletter subscription, the receiving of marketing communications, user profiling, Store Locator usage and the saving of credit card data to make subsequent online transactions easier.

6. Communication and dissemination

Without prejudice to data communication and/or dissemination carried out to meet a legal obligation, the personal data relating to the processing in question will not be disseminated and may be communicated:

  • to IT consultancy and software application companies;
  • to payment service providers;
  • to companies providing miscellaneous IT services (e.g. website operation, system security, technical support, servers, CRM, social log-in, etc.);
  • to couriers for shipments;
  • to Customer Care and support service providers;
  • to providers of newsletter services;
  • to providers of profiling tools;
  • to the professionals and/or firms used by our Company (such as consultants, auditors, accountants, etc.);
  • to the banking and credit system;
  • to other public and/or private entities to whom such communication is strictly necessary for the pursuit of the aforementioned purposes.

7. Transfer of data abroad

Personal data may be transferred to countries outside the European Economic Area (EEA), also with respect to the Controller's suppliers.

In particular, with reference to the applicable safeguards:

  • adequacy decision: United States (Data Privacy Framework), Japan, Canada, Switzerland, United Kingdom, Argentina.
  • BCR and SCC: Australia, India, Brazil, Singapore.

8. Data Protection Officer and data subject's rights

You may exercise the rights granted by Chapter 3, Art. 15 et seq. of the GDPR as an employee/collaborator of the Data Controller (e.g. the right to obtain confirmation as to whether or not personal data concerning you are being processed, to obtain access, rectification and erasure of personal data processed in breach of the law, to object to the processing on legitimate grounds, to obtain restriction of processing, and to withdraw consent, where given), by sending an e-mail to the Company's Data Protection Officer at dpo@stefanoricci.com. You may always exercise your right to lodge a complaint with the Data Protection Authority.