Who are we and what do we do with your personal data?
The Data Controller, Santoni S.p.A. with registered office at Via Monte Napoleone 9, Milan (hereinafter also Data Controller), takes the confidentiality of your personal data very seriously and strives to protect it from any potentially compromising event.
To this end, the Data Controller implements policies and practices regarding the collection and use of personal data and the exercise of your rights under applicable legislation. The Data Controller shall update personal data protection policies and practices as often as necessary and in the event of regulatory and organisational changes that may affect the processing of your personal data.
The Data Controller has appointed a data protection officer (DPO) to contact if you have any questions about the policies and practices in place.
You can contact the DPO at the following e-mail address: email@example.com
How does Santoni S.p.A. collect and process your data?
The Data Controller collects and/or receives data relating to you, such as:
- tax ID number or VAT number
- PEC [certified e-e-mail]
- telephone number
- date of birth
- sex (M/F)
- id code
- accounting data
- invoicing data
- bank data
- data relating to purchases made [recent orders (order id number, date, store, order status, shipping address if different), product colour and material]
- foot characteristics (length, ankle height, collar circumference, foot entry, metatarsals and ankle)
- computer data
- data relating to personal preferences/habits
- browsing data
Your personal information will be processed:
1. To manage the contractual relationship and fulfilment of consequent regulatory and other obligations
Your personal data is processed in order to carry out the activities preliminary and subsequent to the management of the contractual relationship that has been formed (including sales of products remotely by telephone or via WhatsApp, via the contact details of our stores in Italy), for the management of the order, payments, processing of complaints and shipping of the product, as well as for the fulfilment of any other obligation arising from the contract, such as the registration and storage of your personal data, as well as additional obligations that the Data Controller must fulfil depending under the contract and specific regulations governing it, including those relating to the keeping of accounting records.
In addition, the processing of your personal data (e.g. name, surname, e-mail, foot characteristics (length, ankle height, collar circumference, foot entry and metatarsals, as well as product colour and materials) is carried out in order to carry out the preliminary and subsequent activities following your request to configure and create a product tailored to your needs.
Your personal data may also be used to send you specific communications and information relating to contractual obligations or deadlines, the way in which the service is provided or for any business operational requirements. Subject to the principles of necessity, relevance and non-excessiveness, such communications may be made by post, telephone or e-mail.
Your personal data is also processed to prevent fraud, including contract fraud. Finally, your data (such as landline and/or mobile telephone number and e-mail address) will be processed to provide you with assistance on the services covered by the contract.
2. To carry out marketing activities related to the services of the Data Controller
Your personal data is processed in order to provide you with services that are additional to the service you have signed up for, which may be better or more suited to your needs, and in order to send you advertising material, as well as to carry out market research or opinion polls. Your personal data (such as name, surname, physical and telematic address, landline and/or mobile telephone number) may be processed via:
- telephone (possibly automated);
The processing in question may be carried out if:
- you give your consent to the use of your data also with regard to the traditional and automated methods of communication with which the data is processed;
- if, in the event that the processing is carried out by means of contact with a telephone operator, you are not enrolled in the opt-out register referred to in Italian Presidential Decree no. 178/2010;
- if you did not object to the processing and/or if, in the event, you did not specifically and separately object to the sending of communications by traditional means and/or by automatic means.
3. To create your profile for the purpose of sending you promotional messages
Your personal data – especially data relating to products purchased by you (including product colour and material), your preferences and habits – is processed in order to create a profile of you, so that we can send you targeted promotional messages through the following channels: e-mail, sms, WhatsApp and telephone (possibly automated).
The processing in question is carried out, with your consent, only on the above-mentioned personal data. The Data Controller shall in now way disseminate or communicate the data processed for this purpose to third parties.
4. For online profiling
Your personal data (including browsing data) is processed by observing and analysing your browsing behaviour on the website and creating a personal profile for you. This profile considers your habits and preferences to send you (by e-mail) advertising and promotional material about new products and/or services in line with your needs and interests. Such processing only takes place if you give your consent.
5. To disclose data to third parties and other recipients
Your personal data is processed in accordance with the contract and associated legal/regulatory/other obligations.
Your data will not be disclosed to third parties/ other recipients for their own independent purposes unless:
- you authorise it;
Your data will be disclosed to third parties/other recipients if:
- it is necessary for the fulfilment of obligations under the contract and the laws governing it (e.g. to defend your rights, to make reports to supervisory authorities, etc.);
- it is sent to IT, administrative and accounting consultants, banks and credit institutions, shipping companies, law firms/lawyers, IT service providers;
- The data may also be sent to the tax administration and to public supervisory and control bodies, to which the Data Controller has specific obligations.
6. For information security purposes
The Data Controller processes, including via its suppliers (third parties and/or other recipients), your personal data to the extent strictly necessary and proportionate for the purposes of ensuring that a network or connected servers are secure and able to resist, to a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data.
For these purposes, the Data Controller has procedures in place to manage personal data breaches.
What happens if you do not provide your data?
If you do not provide your personal data, the Data Controller will not be able to carry out the processing required to manage the contract and the services connected to it, or to fulfil associated obligations.
The Data Controller intends to carry out some processing operations in accordance with certain legitimate interests that do not affect your right to privacy, such as those that:
- enable the prevention of cyber incidents and the notification of supervisory authorities or users, if necessary, of a personal data breach;
- allow disclosure to third parties/other recipients for activities related to contract management.
What happens if you do not give your consent to the processing of personal data for marketing purposes (direct, research and market surveys) by the Data Controller and for the creation of your profile?
Your personal data will not be processed for these purposes. This will not affect the processing of your data for the main purposes. Nor will it affect that for which you have already given your consent if requested.
How and for how long is your data stored?
Data processing is carried out by specially authorised and trained internal staff using hard-copy or computerised procedures. These staff are allowed access to your personal data to the extent and within the limits necessary for the performance of the processing activities concerning you.
The Data Controller periodically checks the means by which your data are processed and the security measures in place, which must be kept up to date. The Data Controller also verifies, including through authorised data processors, that no unnecessary personal data is collected, processed, archived or stored. Lastly, the Data Controller checks that data is stored with guaranteed integrity and authenticity and that they are actually used for the purposes of the processing.
The Data Controller transfers your personal data to the following non-EU countries, with full assurance of the guarantees provided by European legislation:
THE USA, JAPAN, SINGAPORE AND COLOMBIA: the standard contractual clauses as per the EU Commission Decision of 5 February 2010 No 2010/87 is in place.
For how long
The personal data processed by the Data Controller is kept for the time necessary to perform the activities related to the management of the contract with the Data Controller and for up to ten years after its conclusion (art. 2946 Italian Civil Code) or from when the rights granted by it can be enforced (art. 2935 Italian Civil Code), for the fulfilment of obligations (e.g. tax and accounting requirements) that remain even after the conclusion of the contract (art. 2220 Italian Civil Code), for which purposes the Data Controller must retain only the necessary data. The above is without prejudice to cases in which the rights deriving from the contract need to be asserted in court, in which case only your data needed for such purposes, will be processed for the time necessary to pursue these actions.
Personal data processed by the Data Controller for marketing purposes (direct, research and market surveys) will be kept for 24 months by the Data Controller, unless you revoke the consent you have given and/or unless you object to the processing.
With regard to the retention of data processed by the Data Controller (including: data relating to products purchased by you, including colour and material of the product, your preferences and habits) for the purpose of profiling (creation of your profile), the data will be retained for a period not exceeding 24 months from the time of their collection, unless you revoke the consent you have previously given and/or unless you object to the processing. The data will be deleted once the above-mentioned deadline has been reached.
Personal data processed by the Data Controller for online profiling purposes will be kept for 1 year from the time of first access, unless you revoke the consent you have given and/or unless you object to the processing.
Finally, the data relating to the customisation of the shoe, in particular those relating to the characteristics of your foot will be kept for a period not exceeding 24 months from the time of their collection.
The above is without prejudice, in any case, to your right to object at any time to processing based on legitimate interest for reasons related to your particular situation.
What are your rights?
Essentially, you can do the following at any time, free of charge and without any particular requirements or formalities:
- obtain confirmation of the processing carried out by the Data Controller;
- access your personal data and know its origin (when the data is not obtained from you directly), the purposes and aims of the processing, information about the persons to whom it is communicated, the storage period of your data or the criteria used to determine it;
- withdraw consent at any time if this constitutes the basis for the processing. The withdrawal of consent shall not in any case affect the lawfulness of processing based on consent before its withdrawal;
- update or rectify your personal data so that it is always accurate and precise;
- delete your personal data from the Data Controller’s databases and/or archives, including backup archives, if for example they are no longer necessary for the purposes of the processing or if this is assumed to be unlawful, provided that the conditions set forth in law are met; and in any case if the processing is not justified by another equally legitimate reason;
- restrict the processing of your personal data in certain circumstances, for example where you have challenged its accuracy, for the period necessary for the Data Controller to verify its accuracy. You must also be promptly informed of when the suspension period has expired or the cause of the restriction of processing has ceased to exist, and thus the restriction itself revoked;
- obtain your personal data, if received and/or processed by the Data Controller with your consent and/or if their processing is carried out on the basis of a contract and with automated tools, in electronic format also for the purpose of transmitting them to another data controller.
The Data Controller shall do the above without delay and, in any case, no later than one month after receiving your request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests received by the Data Controller. In such cases, the Data Controller will inform you within one month of receiving your request and will inform you of the reasons for the extension.
For any further information and to submit your enquiry, please contact the Data Controller at firstname.lastname@example.org.
How and when can you object to the processing of your personal data?
For reasons relating to your particular situation, you may object at any time to the processing of your personal data if it is based on legitimate interest or if it concerns the processing of personal data provided subject to your consent, by sending your request to the Data Controller at email@example.com.
You have the right to the erasure of your personal data if there is no legitimate reason prevailing over that which gave rise to your request, and in any case if you have objected to the processing.
Who can you complain to?
Without prejudice to any other administrative or judicial action, you may file a complaint with the relevant supervisory authority, i.e. the authority discharging its duties and exercising its powers in Italy where you have your permanent residence or place of work or, if otherwise, in the Member State where the breach of EU Regulation 2016/679 occurred.
You will be promptly informed of any updates to this policy by appropriate means, and you will also be informed if the Data Controller processes your data for purposes other than those set out in this policy, before doing so and in time to give your consent if required.
Last updated 09/06/2022