What is this document? This document is the personal data processing policy related the website
Who is for? The policy is addressed to all the visitors and clients who interact with the website
Why this document? National and international data protection legislations ask that You – Data Subject - are informed on personal data that are processed and on who will process them, in order to guarantee that the processing will be fair and transparent.
Hereinafter you will therefore see clearly listed who will process your data, what personal data will be processed, the purposes for which the personal data will be processed, for how long the data will be processed, which are your rights and how to exercise them.
Which laws are referred to this document? The policy is offered by taking in conjunction with:
• Law 171/2018 on natural person Protection with regard to personal data processing (hereinGrazieafter referred “Law”)
• The General Data Protection Regulation (GDPR) EU 2016/679 (hereinafter referred “Regulation”)
• European Directive n. 2002/58/CE the so called “e-Privacy”
POLICY
1) DATA CONTROLLER
Duke S.p.A. - Strada Acquasalata, 4 - 47899 Serravalle (Rep. di San Marino) – C.O.E. SM22855 - email [email] – Tel. (+378) 0549 904251
European Union Representative of the Data Controller:
PRIVACY365 Italia S.r.l. viale Berna 9/B – 47924 Rimini (RN) – art27gdpr@privacy365.eu - PEC: privacy365italia@pec.it – Tel. (+39) 0541 1647198
2) AIMS, LEGAL BASIS, RETENTION PERIOD AND NATURE OF THE PROCESSING
Your personal data are processed for the following aims:
a. To buy in the online store:
• The legal basis of this processing is the need to execute precontractual measures taken at the request of the data subject to which he/she is party;
• The data retention period for those aims is the contractual duration and, in case of litigation, for the entire duration of the same, until the expiration of the time limits for appeal proceedings;
• The provision of personal data marked with an asterisk (*) is necessary to process the purchase and any refusal will make it impossible to process the order.
b. To sing in the reserved area of the online store:
• The legal basis of this processing is the need to execute a contract to which the data subject is party;
• The data retention period for those aims is the contractual duration and, in case of litigation, for the entire duration of the same, until the expiration of the time limits for appeal proceedings;
• The provision of personal data marked with an asterisk (*) is necessary to process the purchase and any refusal will make it impossible to process the order.
c. To send brochures and marketing material (soft spam), also with emails and SMS (mailing list, offers, etc.) similar to products or services previously provided:
• The legal basis of this process is the pursuit of the legitimate interest of the Data Controller in offering products or services similar to those previously provided;
• The data retention period for this purpose is valid until the data subject asks for the unsubscription from the promotional communication service.
d. Anonymous market research (customers satisfaction survey and analysis):
• The legal basis of this process is the pursuit of the Data Controller’s legitimate interest in carrying out anonymous customer satisfaction analysis;
• The data retention period for this purpose is valid until the data subject decides to exercise his/her rights under Article 15 and following of the Law and the Regulation.
e. To reply to received requests by the form:
• The legal basis of this processing is the need to execute precontractual measures taken at the request of the data subject to which he/she is party;
• The data retention period for this purpose is equal to the time necessary to process the request;
• The provision of personal data marked with an asterisk (*) is necessary to process the request and any refusal will make it impossible to contact the data subject again.
f. To send brochures and marketing material (direct marketing), also with emails or SMS (mailing list, offers, etc.):
• the legal basis of this process is the explicit consent of the data subject
• The data retention period for this purpose is valid until the data subject asks for the unsubscription from the promotional service/sending of newsletters. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal
g. To analyze consumption habits and choices (profiling), carry out market research (surveys and analysis of Customer satisfaction):
• The legal basis of this processing is the explicit consent of the data subject;
• The data retention period for this purpose is valid until the withdrawal of the data subject’s consent. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
• Additional information on the logic applied and on protection provided for the data subject are available by sending a written request to the Data Controller.
h. To prevent, accept and pursue unlawful conducts:
• the legal basis for this processing is pursuit the legitimate interest of the Data Controller in order to prevent or pursue offences or intellectual property rights breaches (also of third parties) or informatic crimes or made through telematic networks;
• The data retention period for this purpose is equal to the time reasonably necessary to assert the Data Controller’s rights from the time you become aware of the offence or of its potential commission
3) PERSONAL DATA PROCESSED
By processing personal data we mean any operation or a set of operations, performed with or without the aid of automated processes and applied to personal data or a set of personal data, as the recollection, the registration, the organization, the structure, the retention, the trend or change, the exfiltration, the consultation, the use, the communication through the transmission, spread or any other form available, the comparison or the interconnection, the limitation, the deletion or the disruption. It could be send by the Data Subject (for example contact in the field “message”) to the Data Controller also classified data, according to the article 8 of the Law and the Article 9 of the Regulation, like “particular categories of personal data” and so those data that reveal the ethnical origin, political opinions, religious or philosophical beliefs or the trade union membership, data related to health or sexual life or the sexual orientation of a person. This category of data will be processed by the Data Controller, in order to execute the request received. Further treatments, categories of particular data by the Data Controller, will be done only with prior and explicit consent.
Personal data processed are the following:
• Data required in the online purchase form:
By sending the request, the Data Controller processes the following personal data: name, surname, email address, phone number, date of birth, residence and shipping address (nation, province, city, postal code and street), personal tax code (tax code, ISS code, etc.) any personal data included in the “Order Notes”, number of credit card Payal account.
• Data required in the contact form:
By sending the request, the Data Controller processes the following personal data: name, surname, email, phone number, nation, city, data included into the “message”
• Data required in the contact form for leasing quotation request:
By sending the request, the Data Controller processes the following data: name, surname, address, city, postal code, email, phone number, nation, tax code and VAT number and any personal data included in the “message”.
• Browsing data
Informatic systems and the software procedures used for this site acquire, during their normal exercise, some personal data which transmission is implicit in the use of Internet communication protocols.
In this category of data fall into the IP addresses or the domain names of computers and the endpoints used by the users, all the addressed in URI/URL (Uniform Resource Identifier/Locator) of requested resources, the timetable of the request, the methods which has been used to submit the request to the server, the file dimension, the code number which identifies the state of the given response by the server (successful, error etc) and other parameters related to the operational system and the information environment of the user. Those data, necessary for the use of the web services, are also processed in order to obtain statistical information on the service use (most visited pages, number of visitors hourly, geographical areas of expertise etc.) and control the correct operation of the services offered. Browsing data do not persist more than 365 days and are immediately deleted after their combination (unless required by the Judicial Authority to carry out any criminal investigation).
• Data given by the user
The optional, explicit and voluntary sending of messages to the contact addresses of the Data Controller involves the acquisition of the sender's contact data, necessary to reply, as well as all personal data included in the communications.
• Cookie and other tracking systems
Please refer to the detailed policy available at the following link: www.xeniosusa.com/en/cookie-policy/
4) PERSONAL DATA RECIPIENTS
Your data can be shared, for the above-mentioned purposes, with:
• Persons acting as “Data Processors”, according to the Article 29 of the Law and the Article n. 28 of the Regulation namely, persons, companies or professionals who provide assistance and advisory activities to the Data Controller in connection with the provision of goods/services;
• Subjects with which is necessary to interact for the goods/services provision (for example its sale network);
• Subjects, bodies or Authorities whom the communication of data is mandatory by the law or orders from the Authorities;
• Personnel expressed authorized by the Data Controller, according to the Article 30 of the Law and the Article 29 of the Regulation, necessary to carry out activities strictly related to the provision of goods/services, which are undertaken to confidentiality or are legally bound to do so and that have received opportune operational instructions
The full list of Data Processors is available by sending a written request to the Data Controller.
5) TRANSFER OF PERSONAL DATA
Some of your personal data are shared with recipients who could be out of the Republic of San Marino and the European Economic Area (EEA). The Data Controller ensures that the processing of Your personal data is carried out according to the Law and the Regulation. Verily, transfers can be based on an adequacy decision or on Standard Contract Terms approved by the European Commission. Further information is available at the Data Controller.
6) EXISTANCE OF AN AUTOMATED DECISION-MAKING PROCESS, INCLUDING PROFILING
The Data Controller does not adopt an automated decision-making process on personal data, including the profiling, referred to in Article 22 of the Law and the Regulation. Further information will be available at the Data Controller.
7) DATA ABOUT PERSONS UNDER 18 YEARS OLD
Persons under 18 years old can not provide personal data. The Data Controller will not be responsible of possible recollection of personal data, as well as false statements, offered by the minor, and in every cases, if it is seen to be used, the Data Controller will facilitate the right to access and the right to erasure forwarder by the guardian, foster or who exercises the parental responsibility.
8) RIGHTS OF THE DATA SUBJETS
Data subject has the right to obtain from the Data Controller, in certain specific cases, the access to personal data and the rectification or the erasure of the same or the treatment limiting or to oppose to the processing (Articles 15 and following of the Law and the Regulation). The appropriate petition to the Data Controller shall be presented by contacting the e-mail responsible for the feedback to the data subject.
9) RIGHT TO COMPLIAN
The data subjects that believe that the processing of personal data take place in violation of the provisions of the Law and the Regulation, they shall have the right to lodge a complaint:
• if in the Republic of San Marino to the Data Protection Authority (www.garanteprivacy.sm), according to the Article 66 of the Law, or refer the matter to the appropriate courts (Article 70 of the Law);
• if in the EU wide to the Italian Data Protection Authority (www.gpdp.it), according to the Article 77 of the Regulation, or refer the matter to the appropriate courts (Article 79 of the Regulation).
10) HOW TO EXERCISE YOUR RIGHTS
In order to exercise your right, you can access the Privacy Area of the website www.xeniosusa.com and use the special form provided. Alternatively, you can contact the persons in charge of the data subject’s response:
• Data Controller:
Privacy office c/o Duke S.p.A. - Strada Acquasalata, 4 - 47899 Serravalle (Rep. di San Marino) – C.O.E. SM22855 - email [email] – Tel. (+378) 0549 904251
• Data Controller Representative not established in the European Union:
PRIVACY365 Italia S.r.l. viale Berna 9B – 47924 Rimini (RN) – art27gdpr@privacy365.eu - PEC: privacy365italia@pec.it – Tel. (+39) 0541 1647198
11) CHANGES
The Data Controller reserves the right to amend and/or supplement this Policy at any time and he undertakes to publish the changes on the website www.xeniosusa.com into the Privacy Area and/or to inform Clients in the most appropriate manners assessed.
Website Policy - in force since 01/01/2022