1.1 Cookies: text files (letters and/or numbers) that contain information that is stored on a User’s computer or mobile device each time the User visits a website through a browser. Upon subsequent visits, the browser sends cookies to the website that generated them or to another website. Cookies are stored either for a limited period of time for a specific site (i.e. session cookies), or for a longer period of time regardless of browsing time (i.e. persistent cookies).
1.3 Customers: customers who have already purchased at least one Aspesi product.
1.4 Events: events and promotional and commercial initiatives related to the Products and to Aspesi.
1.5 GDPR: Regulation (EU) 2016/679 of 27 April 2016.
1.6 General Terms and Conditions: general terms and conditions of the Websiste and the services offered by Aspesi through the Website.
1.7 Personal Data: any information that directly or indirectly concerns an identified or identifiable natural person such as the person’s name, identification number, location data, online identifiers, or factors of the person’s physical, physiological, genetic, psychic, economic, cultural or social identity.
1.9 Post-Registration Services: the creation of a personal account, the purchase of Products through a simplified procedure (by accessing to the Users’ Personal Data recorded in his/her personal account, such as for example the data concerning the payment method), the creation and updating of a wishlist, the monitoring of the status of the Products purchased and the receipt of birthdays cards.
1.11 Processing: any operation or set of operations concerning Personal Data, including, by way of example, the collection, organisation, structuring, storage, modification, extraction, consultation, use, circulation, interconnection, limitation, erasure and destruction of the Personal Data.
1.12 Products: clothes, shoes and accessories (such as, for example, scarfs, belts and bags) bearing the trademark “Aspesi” that are sold through the Website.
1.13 Profiling: Processing of Personal Data through the evaluation of personal aspects of the Users by using fully or partially automated procedures, for evaluation and predictive purposes.
1.14 Services: services strictly connected to the purchase of Products, such as the delivery of the Products to the address communicated by the User, the management and verification of payments, returns and warranties, the performance of fiscal and financial assessment concerning the purchase, the managing of Products purchase orders, costumer care services (such as, for example, information regarding purchase orders and deliveries, reimbursements and returns of Products).
1.15 Users: users of the Website.
1.16 Website: this Website.
2. Data Controller
The data controller is Alberto Aspesi S.p.A., with registered office in Corso Venezia, 14, 20121, Milan (Italy), Italian Fiscal Code, VAT and Registrar of Companies of Milano No. 02683619139 (“Aspesi”).
Any requests by the Users concerning the Processing carried out by Aspesi as the data controller (including if Users wish to exercise their rights as per points 9 and 10 below) shall be addressed to Aspesi via mail, sent to its registered office, or via e-mail, sent to the address “firstname.lastname@example.org".
3. Purposes and legal basis of Processing
Aspesi collects and uses Users’ Personal Data for the following purposes:
c) Allow Users to purchase the Products and use the Services offered by Aspesi: the Processing of Personal Data for the purpose under this letter c) is necessary for the User to purchase the Products and use the Services, and any refusal will prevent the User from purchasing the Products and using the Services, according to the General Terms and Conditions. This Processing is based on the execution of the General Terms and Conditions by Users, and on the related pre-contractual measures proposed by Aspesi.
d) Prevent and repress unlawful and fraudulent behaviours (also by third parties) against the applicable law, the General Terms and Conditions, and any rule of fairness and good faith: the Processing of Personal Data for the purpose under this letter d) is necessary in order to ensure the correct functioning of the Website and purchase of Products from the Users. This Processing is based on Aspesi’s legitimate interest to protect its company and customers from any unlawful or fraudulent behaviour, that Aspesi considers prevailing over Users’ right to privacy.
4. Personal Data modalities of collection
5. Categories of recipients of Personal Data
Personal Data are processed by Aspesi and/or by third parties, selected based on their reliability and expertise, to which the Personal Data could be provided as necessary or appropriate, as long as they operate within the European Economic Area. Users’ and Clients' Personal Data could be processed by, and/or provided to:
a) employees and/or staff of Aspesi;
b) third-party providers of services necessary for the proper functioning of the Website (e.g. companies that offer web hosting services);
c) third-party providers of services necessary to ensure the commercialization of the Products and the use of the Services and/or the Post-Registration Services (such as, for example, manufacturers, couriers, providers of payment services);
d) third-party providers of consultancy and advisory services (e.g. fiscal consultant);
e) third-party providers of browsing data analysis concerning the Website;
f) competent authorities, for the purposes of performing investigations regarding unlawful or fraudulent use of the Website;
g) subject to the optional consent of the User, third-party providers of automated newsletter services and/or commercial communications, and of services involving marketing, promotion, and analysis of habits and consumer choices, also through Profiling;
h) third-party providers of PR and managing services for the Events.
6. Period of storage of the Personal Data (or criteria for determining such period)
were collected, as per point 3 above. Without prejudice to User’s exercise of their right to withdraw their consent as per point 9 a) below or their right to object as per point 9 f) and as per point 10 below, Aspesi will keep Personal Data as follows:
b) Personal Data for the use of the Post-Registration Services and/or the Services: for the purposes under point 3 letters b) and/or c) (in this case, limited to the Services other than the purchase of the Products), for the duration of the General Terms and Conditions and for 26 months after the expiry of such General Terms and Conditions, without prejudice to point 6 letter f) below;
c) Personal Data for the purchase of Products and for preventing unlawful and fraudulent behaviours: for the purposes under point 3 letters c) (limited to the purchase of Products) and d), for a period of 5 years after the conclusion of the purchase procedure of a Product, without prejudice to point 6 letter f) below;
d) Personal Data for Profiling and for commercial communications of Aspesi: for the purposes under point 3 letters e) and f), for a period of 5 years after the User’s last interaction with Aspesi, suitable to demonstrate an interest in receiving marketing communications concerning Aspesi, including the collection of consent or the participation to Events and/or initiatives promoted by Aspesi;
e) Personal Data for direct marketing communications: for the purpose of point 3 letter g), for a period of 5 years following the last purchase by the Customers, suitable to demonstrate an interest in Aspesi’s Products;
f) Personal Data for managing the contact request: for the purpose under point 3 letter h), for a period of 3 months from the receipt of the contact request sent by the User by filling in the designated form on the Website. By way of exception from this term, in case of a complaint or a claim being sent via the "contact" form, the User's Personal Data will be kept for the period referred to in point 6 letter g) below;
g) in any case, Aspesi is authorised to keep, in whole or in part, Personal Data for a maximum of 10 years from when they are collected, limited to the information necessary to comply with legal obligations and allow Aspesi to ascertain, exercise and defend its rights in court or before any other competent authority, or for a longer period if the potential legal assessment or procedure lasts more than 10 years.
Once these terms expired, Aspesi will automatically erase the Personal Data collected or transform them into an irreversibly anonymous form.
Profiling is carried out by Aspesi as follows:
a) object: Personal Data concerning Users, collected on the Website and suitable to reveal tastes, behavioural habits and preferences referred to the purchase of Products, the use of the Services and/or the Post-Registrations Services (e.g. wishlist) and the participation to Events;
b) purpose: improving the promotion and marketing communications referred to Aspesi’s Products and Events, by sending commercial communications in line with interests and preferences expressed by the User on the Products, Services, Post-Registration Services and/or Events;
c) rationale of Processing: the Users’ profiles are identified on a statistical basis through the analysis and processing of the Personal Data of all the Users on the Website and with the classification of Users within homogeneous categories of Users;
d) effects for Users: receipt of commercial and marketing communications concerning the Products, Services, Post-Registration Services and/or Events that are in line with the interests and preferences expressed by Users in browsing the Website, purchasing the Products and/or using the Services. In no way does Aspesi Profiling: i) constitute an automated decision-making process whereby legal or similarly significant effects derive for Users; ii) affect the behaviour and training or purchasing choices of Users; iii) have a prolonged and permanent impact for Users, considering that Personal Data collected by Aspesi can be independently updated at any time by Users; or iv) due to the nature of Products sold by Aspesi and the category of Users interested in the Processing, discriminate such Users.
8. Transfer of Personal Data outside of the EEA (including the EU)
1) the company Salesforce UK Limited, with registered office in Floor 26 Salesforce Tower, 110 Bishopsgate Londra EC2N 4AY, UK, by virtue of the Commission Implementing Decision (EU) 2021/1773 of 28 June 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom;
2) the following US companies, which provide services related to the managing of the Website and to the performance of Aspesi’s marketing activities, in the absence of an adequacy decision by the European Commission, by virtue of appropriate safeguards provided for by the GDPR:
a) Google Inc., with registered office at 1600 Amphitheater Parkway Mountain View, CA, United States, 94043, on account of the company’s being part of the EU–US Privacy Shield List;
b) Magento, Inc., with registered office at 345 Park Avenue, San Jose, CA 95110-2704, USA;
3) the company DHL Express Italy S.r.l., with registered office at Via Lombardia 2/A, 20068, Peschiera Borromeo (MI), which, also through its affiliate, deliveries the Products worldwide, according to the exception set forth in article 49, paragraph 1, lett. b), since the transfer of Personal Data is necessary to the performance of the purchase agreement of the Products executed between Aspesi and the User.
9. User Rights
a) with reference to Processings under point 3 letters b), e), f) and h), withdraw consent at any time without prejudice to the lawfulness of prior Processing, by sending an email to Aspesi or by opting out of Aspesi commercial and marketing communications (Article 7 of the GDPR);
b) ask Aspesi for access to the Personal Data and information regarding the Processing, as well as request an electronic copy, unless otherwise specifically requested by the User (Article 15 of the GDPR);
c) request the rectification of the Personal Data and/or have it completed without undue delay (Article 16 of the GDPR);
d) request, for specific reasons (e.g. unlawful processing, withdrawal of consent, non-existence of the purpose for processing), the erasure of the Personal Data without undue delay (Article 17 of the GDPR);
e) in certain circumstances (e.g. inaccurate Personal Data, unlawful processing, exercise of a right before court) request that the Processing be restricted (Article 18 of the GDPR);
f) with reference to the Processings under point 3 letters d) and i), object to the Processing of the Personal Data at any time (if anonymous data were not used), by sending an email to Aspesi (Article 21 of the GDPR);
g) in cases of automated processing, receive the Personal Data in a readable format, for the purpose of communicating them to a third party, or, where technically feasible, request that Aspesi send the Personal Data directly to the third party (right to Personal Data portability – Article 20 of the GDPR);
h) be informed by Aspesi without undue delay of any breaches or unauthorised access by third parties to Aspesi’s systems that contain the Personal Data (data breaches – Article 34 of the GDPR);
i) lodge a complaint with the supervisory authority of the EU country where the User resides, works or where the User believes that his or her rights have been breached (Article 77 of the GDPR).
10. Objection to the Processing of Aspesi's direct marketing communications
Aspesi points out that each Customer has the right to object to the Processing of Personal Data as per point 3 letter g), at any time and without any reason, by sending an e-mail to Aspesi or by exercising the opt-out in Aspesi's direct marketing communications. In case such right is exercised, Aspesi will stop the use of the Customer's Personal Data for direct marketing purposes of Products similar to those previously purchased by the Customer.