1. PERSONAL DATA CONTROLLER
2. PERSONAL DATA COLLECTED
a) Sign up for the newsletter or create an account By subscribing to the newsletter, the user provides the following personal data: name, surname, email. These data are necessary, therefore, in the absence of such data, it will not be possible to register for the newsletter or to create an account.
b) Online purchases The user can proceed to purchase online, even if he is not a registered user with an account, providing the following data: name, surname, VAT number/tax code, country, city, address, postcode, telephone, email. These data are necessary, therefore, in the absence of their contribution, it will not be possible to proceed with the online purchase. It is also possible to insert the company name as optional data. Failure to include this information will in no way compromise the execution of the online purchase contract. In the case of online purchases, some data relating to the sale are also acquired on the E-commerce site, such as, for example, products purchased, payment data, product codes, amount.
c) Assistance / request for information To obtain a support service or to request information, the User can send a request to the email address firstname.lastname@example.org or to the other email addresses indicated on the Website, or use the “Contact” section on the Website, and must provide the following personal data: name, surname, mail, telephone. These data are necessary: failure to provide such data could prevent Ella from providing the requested assistance. It is also possible to provide additional optional data (such as company, interest, comment): failure to provide such data could prevent Ella from providing assistance that is adequate to the user’s requests.
d) Browsing data During the browsing of the Sites by the user, the information systems and software procedures relied upon to operate these Sites acquire personal data as part of their standard functioning, the transmission of such data is an inherent feature of Internet communication protocols. This data category includes the IP addresses and/or the domain names of the computers and terminal equipment used by any user, the URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of such requests, the method used for submitting a given request to the server, returned file size, a numerical code relating to server response status (successfully performed, error, etc.), and other parameters related to the user’s operating system and computer environment.
3. PURPOSE OF THE PROCESSING, LEGAL BASIS AND DATA STORAGE PERIOD
3.1 Newsletter subscription, creation of an account and assistance/request for information
The personal data provided by the user or collected when the user subscribes to the newsletter creates an account on the Website or requests assistance/information, will be used: a. provide the requested services (for example, perform account registration processes, manage authentication on the Website and user accounts, assist it and manage any complaints and respond to a question or contact request possibly forwarded by the user, also through customer service); b. to manage newsletter subscription if the user is not registered. Personal data must be provided for the aforementioned purposes and the refusal would prevent completing the request. The processing of data for the aforementioned purposes is carried out to follow up on the request to receive newsletters, create/manage the account, and the request of information/assistance. The personal data processed for newsletter subscription will be kept until the user requests cancellation from the newsletter or, in any case, until the user is an active user (the user is considered inactive if he/she does not open mail for more than 12 months). The personal data processed for the management of an account on the Website will be retained until the user closes his account or, in any case, until the user is an active user (the user is considered inactive if he/she does not log in to his/her account for more than 12 months). The personal data processed for the assistance/request for information will be kept for the time necessary to manage the request. Once the retention periods indicated above have expired, personal data will be permanently deleted or anonymized. Without prejudice to the foregoing, the user’s personal data will be kept only for any legal and regulatory obligations (such as for example, accounting and tax obligations).
3.2 Online sales
The personal data provided by the user or collected at the time of purchase, made as a registered user or not, will be used for order processing, for the related administrative activities as well as to comply with any legal obligations. The processing of data for the purposes indicated is carried out, as necessary to execute the order. Personal data processed for online purchases, made by users not registered on the Website, will be kept for the duration of the business relationship, including any return practices or credit recovery procedures. Personal data processed for online purchases, made by users registered on the Website, will be kept until the account is closed or, in any case, until the user is an active user (the user is considered inactive if he/she does not log in to his /her account for more than 12 months). Passed the retention periods indicated above, personal data will be permanently deleted or anonymized. Without prejudice to the foregoing, the user’s personal data will be kept only for any legal and regulatory obligations (such as for example, accounting and tax obligations).
3.3 Use of web services
The browsing data, which are acquired by the Controller during the browsing of the Sites by the Customer, are necessary for the use of web-based services and are also processed in order to: a. extract statistical information on service usage (most visited pages, visitors by time/date, geographical areas of origin, etc.); b. check the functioning of the services. Browsing data are kept for no longer than seven days and are erased immediately after being aggregated (except where judicial authorities need such data for establishing the commission of criminal offenses).
Personal data collected on the Sites will be used, after obtaining consent, to offer promotions, discounts, and other tailored services and send newsletters, other marketing, and commercial communications on products of Ella, surveys and researches, market analysis, promotions and other initiatives for users or registered customers (“marketing”). The Controller may use traditional (postal mail and telephone) and/or digital and automated (e-mail, SMS) contact means. The use of data for marketing purposes is optional and free, due to the fact that it is based on the consent that the user can choose to lend. The user can revoke his consent at any time. In any case, the refusal to provide personal data for marketing purposes does not prevent the user from using the services of the Sites or making purchases, but the same will not be informed of marketing initiatives promoted by the Controller. Personal data processed for marketing purposes will be kept, in accordance with the provisions of the Italian data protection authority’s (hereinafter the Garante), for a period not exceeding 24 months, unless the user renews his consent and except for further measures issued by the Garante. Passed the retention period indicated above, personal data will be permanently deleted or anonymized. Without prejudice to the foregoing, the user’s personal data will be kept only for any legal and regulatory obligations (such as for example, accounting and tax obligations).
4. COMMUNICATION OF PERSONAL DATA
The personal data of the user will be processed by authorized persons of the Controller and, if appointed, the Processor. Personal data may also be processed by third parties who perform, for example, shipping services, services for sending communications via e-mail or SMS, computer system maintenance services, payment management services, hosting services, and infrastructure backend. The above-mentioned persons will only process the personal data necessary for the performance of the related services and will not be authorized to process them for different purposes. The user’s personal data may also be communicated to other persons, such as law enforcement agencies, administrative or judicial authorities, and public administrations for the fulfillment of legal obligations, regulations, or community provisions. The data used for the payment are not subject to the processing by the Controller, but are acquired directly by the payment service operator requested, which acts as an independent holder, in order to provide the user with online sales services.
5. PROTECTION OF THE PRIVACY OF MINOR
The processing of personal data of the minor is lawful where the child is at least 16 years old. If the child is under the age of 16, such treatment is lawful only if the consent is given or authorized by the holder of parental responsibility. The Data Controller will, in any reasonable way and in consideration of the available technologies, make sure that the consent is given or authorized by the holder of parental responsibility on the child. If the Data Controller or the Processor comes to know that a minor’s data have been collected, they will immediately cancel them. In the event that the user is not of the required age, please do not register or proceed with the online purchase and ask an adult (or their parents or legal guardian) to perform the necessary procedures.
6. METHOD OF PROCESSING
The personal data collected through the Sites is processed mainly using computerized and telematic methods and tools, adopting the necessary security measures in order to minimize the risk of destruction or loss, even accidental, of the data, unauthorized access or of treatment not allowed or not in accordance with the collection purposes indicated in this statement. However, these measures, due to the nature of the online transmission medium, cannot limit and exclude absolutely any risk of unauthorized access or data loss. To this end, the user is advised to: periodically check that the computer is equipped with appropriate software devices for the protection of data transmission in the network, both incoming and outgoing (as updated antivirus systems); verify that the internet service provider has taken appropriate measures for the security of data transmission over the network (such as for example, firewalls and antispam filters); keep confidential and not tell anyone the username and password to access the account; change the password periodically. In the event that the Controller believes that the security of the personal data of the user in his possession or under his control has been or may have been compromised, the same will inform the user of the incident according to the procedures established by the law in force, using the methods prescribed by it (providing his/her email address to the Controller, the User consents to receive such communications in electronic format through this email address).
7. TRANSFERS TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
8. USER RIGHTS
To exercise the rights indicated below, the user can send a request by contacting the Controller and by sending an email to email@example.com or a letter by postal mail to the address of the Controller. When contacting the Controller, the user must include his name, email address, postal address, and/or telephone number(s) to be sure that the Controller can correctly handle his/her request.
8.1 Right of access
The user shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data; the recipients or categories of recipient; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the user, any available information as to their source; the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the user; Where personal data are transferred to a third country or to an international organization, the user shall have the right to be informed of the appropriate safeguards relating to the transfer. The user has the right to obtain a copy of the personal data undergoing processing.
8.2 Right of rectification The user shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the User shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
8.3 Right to erasure
The user shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the user withdraws consent on which the processing is based; c) the user objects to the processing and there are no overriding legitimate grounds for the processing, or the user objects to the processing for direct marketing purposes, which includes profiling; d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject; f) the personal data have been collected in relation to the offer of information society services directly to a child.
8.4 Right of restriction
The user shall have the right to obtain from the controller restriction of processing where one of the following applies: a) the accuracy of the personal data is contested by the user, for a period enabling the controller to verify the accuracy of the personal data; b) the processing is unlawful and the User opposes the erasure of the personal data and requests the restriction of their use instead; c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the user for the establishment, exercise or defense of legal claims; d) the user has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
8.5 Right to data portability
The user shall have the right to receive the personal data concerning him/her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of Regulation or on a contract pursuant to point (b) of Article 6(1) of Regulation; and b) the processing is carried out by automated means. In exercising his/her right to data portability pursuant to paragraph 1, the user shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
8.6 Right to object
The user shall have the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.
8.7 Further rights
The user shall have the right not to be subjected to a decision based only on automated processing, including profiling, which produces legal effects that affect him/her or that significantly affects his person. The user shall have the right to lodge a complaint with a supervisory authority (in Italy, the Italian data protection authority’s, Garante).
9. UPDATE OF PERSONAL DATA
The user is invited to check and update their personal data on a regular basis. To this end, in case of changes, the user is invited to write to the email address firstname.lastname@example.org or to directly modify the data online using the settings of the user account on the Website, where registered.
10. UPDATES OF THIS INFORMATION – COMMUNICATIONS
Last change: 05-12-2020