DISCLOSURE ON PROCESSING PERSONAL DATA UNDER ARTICLES 13 AND 14 OF REGULATION (EU) NO. 2016/679 (“GDPR”)
Driade Srl (“Driade,” the “Data Controller,” or “we”) provides this disclosure to anyone who interacts with the website www.driade.com (the “Website”), including anyone who intends to register and access the reserved area of the Website or who intends to purchase Driade products through the Website (the “Users,” “Data Subjects,” or “you”).
Specifically, Driade will act as data controller for purposes of managing the Website and the e-commerce activities carried out through it.
Driade and the companies of ICG Italian Creation Group S.p.A. (“ICG”), Valcucine S.p.A. (“Valcucine”), and FontanaArte S.p.A. (“FontanaArte”) (hereafter, jointly, the “Companies”) will act as independent data controllers for the additional purposes of marketing and profiling.
1. Categories of personal data processed. Their sources.
The following categories of data may be collected through the Website:
- non-sensitive personal data, including data that you voluntarily provide (for example, by completing the forms on the Website or uploading your curriculum vitae to the “Careers and Projects” section), such as personal details and contact information, telephone number, and information related to your profession;
- browsing data.
This data may be provided directly by Users or collected through the Website.
With regard to Users who voluntarily send their curriculum vitae and processing the personal data contained therein, the disclosure pursuant to Art. 13 of the GDPR will be provided when the candidate is effectively contacted, pursuant to Art. 111-bis of Legislative Decree no. 196/2003 (“Privacy Code”), as amended by Legislative Decree no. 101/2018.
In addition, the Data Controller may also process personal data collected from other third parties, such as operators of social networks (for example, Facebook, Instagram and Twitter) with whom it has entered into an agreement to share information related to Users’ preferences and their interactions with those social networks.
2. Purpose and legal basis for processing. Legitimate interests pursued.
The personal data collected will be processed:
a) to meet the information needs that Users have indicated;
b) for activities related to registration with the reserved area of the Website, and for use of the relative services, including downloading technical documents related to product sheets;
c) for contractual purposes and/or purposes related to pre-contractual steps taken at your specific request or related to the sale of Driade products through the Website;
d) to meet the Data Controller’s legal obligations, including tax, accounting, and administrative obligations related to the sale of Driade products;
e) to communicate data between parent companies, subsidiaries or affiliates, for administrative-accounting purposes, or related to activities of an organizational, administrative, financial and accounting nature;
f) to establish, assert, or defend a right of the Data Controller, including before the courts;
g) to send advertising messages on products and services similar to those already purchased (so-called “soft spam”), subject to the User’s right to object to this at any time;
h) to carry out promotional initiatives and send direct marketing messages from the Companies about their products and services, via email, newsletters, text messages, and WhatsApp;
i) to engage in profiling for purposes of personalizing the aforementioned marketing activities and direct the Companies’ promotional offers, including through an analysis of your use of the Website and the other websites of the Companies you visit, using data collected from you and from third parties;
j) for activities related to the functioning and operation of the Website.
Data processing for the purposes set out in points a), b), and c) does not require consent from the data subjects, as this is necessary to respond to their specific requests, or to execute a contract to which the data subject is a party, or to take the pre-contractual steps requested by the Data Subject, pursuant to Art. 6, par. 1, lett. b) of the GDPR.
Data processing for purposes of point d) does not require the consent of Data Subjects, as it is required in order to meet the Data Controller’s legal obligations under Art. 6, par. 1, lett. c) of the GDPR.
Data processing for the purposes set out in points e), f), g), and j) does not require the consent of Data Subjects, as it is required in order to pursue the Data Controller’s legitimate interest under Art. 6, par. 1, lett. f) of the GDPR.
Personal data processing for purposes of point h) requires the consent of Data Subjects under Art. 6, par. 1, lett. a) of the GDPR.
3. Provision of data and consequences if data is not provided.
Provision of personal data for purposes of points a), b), c), and d) is optional, but is required in order to manage and meet User requests, and to meet the Data Controller’s legal and contractual obligations. Provision of personal data for purposes of points e), f), and j) is optional, but is required in order to pursue the Data Controller’s aforementioned legitimate interests. In all these cases, failure to provide data will make it impossible to respond to User requests and establish contractual relationships with them.
Provision of personal data for purposes of points h) and i) is optional, and failure to provide them will make it impossible for the Companies to engage in the activities necessary to achieve the purposes in question.
4. Data Controllers.
Driade is the data controller for personal data related to the purposes set out in points a), b), c), d), e), f), g), and j).
Each Company acts as an independent data controller for personal data related to the purposes under points h) and i),
Following are the information and contact data for each one.
- Driade S.r.l. has registered headquarters at Via Alzaia Trieste 49, 20094 Corsico, tel. +39 0523 818618, e-mail email@example.com.
- Italian Creation Group S.p.A. has registered headquarters at Via Alzaia Trieste 49, 20094 Corsico, tel. +390245151, email firstname.lastname@example.org;
- Valcucine S.p.A. has registered headquarters at Via Luciano Savio 11, 33170 Pordenone, tel. +390434 517911, e-mail email@example.com;
- FontanaArte S.p.A. has registered headquarters at Via Alzaia Trieste 49, 20094 Corsico, tel. +390245121, fax. +39024512660, email firstname.lastname@example.org;
For any request involving personal data, the Data Subject may always contact ICG by writing to email@example.com.
5. Recipients and potential categories of recipients of personal data
Personal data may be made accessible to, brought to the attention of, or communicated to the following parties, who, depending on the case, will be appointed by the Companies as data processors or authorized data processing agents or who will act as independent data controllers:
- companies in the ItalianCreationGroup (parent companies, subsidiaries, affiliates);
- employees and/or collaborators of any kind of the Companies and/or of companies in the ItalianCreationGroup (parent companies, subsidiaries, affiliates);
- consultants, auditing firms, accountants;
- private parties, natural persons or legal entities that the Companies use to perform the aforementioned activities (for example, companies that offer hosting services);
- public authorities or police forces, in the cases provided by law.
The data will not be disseminated.
6. Transferring data to countries outside the European Union.
Data will normally circulate within the countries of the European Union.
If the aforementioned recipients are established or process data in a country outside the European Union, the data will be transferred to those parties based on an adequacy decision from the European Commission under Art. 45 of the GDPR, which verifies that said third party country, or multiple specific sectors within the third party country, guarantee adequate protection of your rights, or based on standard data protection clauses approved by the European Commission under Art. 46, par. 2, of the GDPR.
7. Length of time personal data are stored
The data collected will be stored for no longer than the statute of limitations for the Data Controller to assert its legal rights, which is normally 10 years after termination of the contract.
Data collected and processed for marketing and profiling purposes are stored, respectively, for a maximum of 24 and 12 months.
Cookies are small text files that the websites visited send to the User’s terminal, where they are stored, and then re-transmitted to said sites on the next visit. Cookies allow websites to function properly and efficiently to improve the User’s experience, allowing the Website to store the information in the memory of the computer or other devices.
The Website uses traffic log cookies. These cookies are used, in aggregate form, to analyze Website traffic and use (for example, which pages are visited), in order to improve performance and usability.
The Website also uses the third party analytic cookies (Google Analytics) listed below. In this regard, also reported is the link to the relative disclosure on the processing of personal data and on methods for potential disabling of the cookies utilized. With regard to third party cookies, the Data Controller’s sole obligation in this disclosure is to include the link to the third party site. That party has the obligation to provide the disclosure and indicate methods for consenting to and/or disabling cookies.
- Google Analytics: https://support.google.com/analytics/answer/6004245.
Finally, the Website uses the technical cookies listed below. As these cookies are technical, they do not require the User’s prior consent to be installed and utilized.
Name of cookie Description of cookie
FORM_KEY Stores a randomly generated key in order to prevent forged requests.
PHPSESSID The User’s session ID on the server.
GUEST-VIEW Allows Users to view and modify their orders.
PERSISTENT_SHOPPING_CART A link to information regarding the cart and to the chronology of views, in case the User requests it.
STF Information on the products that the User has emailed to their contacts
STORE View of the store or language that the User has selected.
MAGE-CACHE-SESSID Facilitates caching of contents on the browser so that pages are loaded faster.
MAGE-CACHE-STORAGE Facilitates caching of contents on the browser so that pages are loaded faster.
MAGE-CACHE-STORAGE-SECTION-INVALIDATION Facilitates caching of contents on the browser so that pages are loaded faster.
MAGE-CACHE-TIMEOUT Facilitates caching of contents on the browser so that pages are loaded faster.
SECTION-DATA-IDS Facilitates caching of contents on the browser so that pages are loaded faster.
PRIVATE_CONTENT_VERSION Facilitates caching of contents on the browser so that pages are loaded faster.
X-MAGENTO-VARY Facilitates caching of contents on the browser so that pages are loaded faster.
MAGE-TRANSLATION-FILE-VERSION Facilitates translation of contents into other languages.
MAGE-TRANSLATION-STORAGE Facilitates translation of contents into other languages.
In all cases, the User may disable cookies by checking and/or changing browser settings based on instructions provided by the relative suppliers at the links listed below: - Internet Explorer - Mozilla Firefox - Google Chrome - Apple Safari
9. Rights of Data Subjects.
Data Subjects may assert the rights in Art. 7, par. 3, and Art. 15 et seq. of the GDPR by sending an email to firstname.lastname@example.org.
In particular, Data Subjects may:
• obtain confirmation of whether or not personal data concerning them have been processed and the purposes of that processing;
• access their personal data and information related to processing, as well as request a copy of said personal data;
• rectify inaccurate personal data and supplement incomplete personal data;
• if any of the conditions set out in Art. 17 of the GDPR are met, obtain the erasure of personal data concerning them;
• restrict processing in the cases provided by Art. 18 of the GDPR;
• if the conditions of Art. 20 of the GDPR are met, receive personal data concerning them in a structured, commonly used, and machine-readable format and transmit those data to another controller, if technically feasible.
Right to object to processing based on the legitimate interest of the Data Controller.
Any Data Subject has the right to object, at any time, to the processing of their personal data based on a legitimate interest of the Data Controller. In case of objection, the personal data will not be processed, unless there are legitimate reasons to proceed with processing that prevail over the interests, rights and liberties of the Data Subject, or to establish, exercise or defend legal claims.
Right to object and to revoke consent regarding processing for marketing and profiling purposes.
With regard to processing personal data for marketing and profiling purposes, any Data Subject may at any time revoke their prior consent or object to processing by sending an email to email@example.com, or by clicking on the link in each email message. In any case, the User may object or revoke consent with regard to processing, by one or more Companies, for marketing and profiling purposes.
Right to file a complaint with the Authority.
Any Data Subject may file a complaint with the Personal Data Protection Authority if they believe their rights under the GDPR have been violated, following the procedures indicated on the Authority’s website at www.garanteprivacy.it.
10. Amendments to this disclosure
This disclosure may be subject to updates or amendments (including based on new laws or regulations). Substantive amendments will always be noted through the Website, your reserved area, or via email.