Information on the processing of personal data in accordance with Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (“General Data Protection Regulation”)

FOREWORD

This Privacy Policy, together with the Terms of Use and Terms and Conditions and the Cookie Policy, sets out the basis on which your Personal Data will be processed by the Website www.gurmido.com.

1. Data controller

Impresa individuale Pasquale Santamaria (P.Iva 04283740613) Caserta (CE) Via Roma 188, cap 81100, mail: info@gurmido.com, as the Data Controller of the personal data of users (hereinafter, the “Users”) who browse and use the Services available therein including the purchase of the Services on the Site www.gurmido.com (hereinafter, the “Site”) informs you, pursuant to Art. 13 of EU Regulation 2016/679 of April 27, 2016 (hereinafter, “Regulation,” or also the “Applicable Legislation”), on how your personal data is processed.

For any information in relation to this privacy policy, Users may contact the Controller using the following methods:

  • By sending an e-mail message to privacy@gurmido.com;
  • Contacting the Owner through the contact forms on the Site.

2. Methods of Processing Personal Data

The Holder holds in the highest regard the right to privacy and protection of personal data of its Users, which will be lawfully processed in accordance with Art. 6 of the Regulations.

The Personal Data provided or acquired will be subject to Processing based on the principles of fairness, lawfulness, transparency and protection of confidentiality in accordance with current regulations.

The Data Controller processes Users’ Personal Data by taking appropriate security measures to prevent unauthorized access, disclosure, modification or destruction of Personal Data.

The Processing is carried out by means of computer and/or telematic tools, with organizational methods and logics strictly related to the indicated Purposes.

3. Category of Personal Data processed

Among the Personal Data processed by this Site, independently, including by filling out the Newsletter subscription form, are: Cookie, Usage Data, Email, First Name and Last Name, Tax Code, Address, Name of the holder of the credit card used for the purchase, Billing Data (where requested by the data subject) and Telephone Number.

Personal Data may be provided voluntarily by the User when using the Site, by subscribing to the Newsletter, filling in the Contact Form, during the purchase process, when communicating with the Controller by email, by phone, by mail, etc.

Additional Personal Data collected may be indicated in other sections of this privacy policy or through informational text displayed at the same time as the Data is collected.

Personal Data may be collected independently by the Owner or through third parties.

The optional, explicit and voluntary sending of electronic mail through the Contact Form or by means of the addresses indicated on this Site, entails the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other Personal Data included in the email.

For operation and maintenance purposes, this Website may collect System Logs, which are files that record interactions and may also contain Personal Data, such as the User IP address.

Payment card data

To make a payment through one of the payment cards offered on the Site, the user will have to enter the confidential data of the payment card directly on a page that will communicate through secure encryption protocol with the payment service provider (who will act as an autonomous data controller), without transiting through the server of the Data Controller who, therefore, will not process such data in any way. The data will be captured in an encrypted format.

In execution of the legal obligations under Directive (EU) 2015/2366 on payment services in the internal market (PSD2), you are informed that, with reference to purchases made on the Site by credit card, the data required to complete the purchase process may include the cell phone number you have provided, or other personal data necessary to complete the purchase process. In fact, in order to allow you to complete the purchase, the payment institution in charge of handling the transaction will send you an authentication code, which must be reported by you as part of the purchase process to meet the authentication criteria required by PSD2 (Strong Customer Authentication). The processing of your personal data for these purposes has as its legal basis the fulfillment of legal obligations and does not require your consent.

With reference to the payment card data, it should be noted that the processing of your personal data is necessary to enable the conclusion of the online purchase contract with the Data Controller. Failure to provide this data, therefore, will not allow you to complete the online purchasing process.

PayPal

On the Site you can also purchase via the PayPal payment tool. In this case, you will be directed to a page outside the Site, where you will have to indicate the personal data required by PayPal – which will act as an autonomous data controller – to complete the purchase process. Personal data will not pass through the server of the Site, which, therefore, will not process such data in any way. The processing of your personal data is necessary to enable the conclusion of the online purchase contract with the Data Controller. Failure to provide this data, therefore, will not allow the online purchasing process to be completed.

Bank transfer

If the User chooses bank transfer as the payment instrument, in the presence of any hypothesis of reimbursement, the Data Controller will ask you for the bank details useful for arranging the payment.

4. Purposes of Processing, Legal Basis and Retention Times

The Data Controller will process Users’ personal data for the following purposes.

Conclusion and Execution of the Contract

The Controller will process Users’ personal data to enable, through the creation of an account, placing an online purchase order and thus the conclusion of a contract through the Site, the proper performance of the obligations arising from that contract, manage and execute any pre-contractual requests sent by the User.

The legal basis for processing is the need to execute pre-contractual and contractual obligations to which the User is a party (Art. 6.1.b) of the Regulations).

The provision of personal data for the above processing purposes is optional, as there is no legal or contractual obligation to communicate them; however, their processing is necessary to enable the conclusion and execution of the contract through the Site or to respond to pre-contractual requests made by the User in relation to the Site.

Failure to provide the data, therefore, will result in the impossibility for the user to conclude a contract through the Site and/or receive a response to pre-contractual requests made.

For this purpose, the Data Controller will process the user’s data for the time strictly necessary to carry out the individual processing activities, it being understood that, once this period has expired, the Data Controller may retain the data for the purposes and for the maximum retention periods referred to in the other sections of this notice, if relevant, and/or, in any case, in the cases established by the Regulations and/or the law.

Support and Customer Care

The Controller will process Users’ personal data to carry out support and customer care activities as well as to respond to requests, complaints, reports, and disputes from Users via email to the Controller’s addresses or through a chat service, if active.

The legal basis for this processing is the execution of pre-contractual measures taken at the request of the data subject (Art. 6.1.b) of the Regulation) or, as the case may be, the legitimate interest of the Data Controller (Art. 6.1.f) of the Regulation).

In the second case, it constitutes a legitimate interest to respond to Site Users’ requests for information, reports, disputes or complaints.

It, among other things, coincides with the legitimate interest of Users in obtaining response to requests, reports, and complaints submitted, and it can be reasonably expected that Users will expect their data to be used for this purpose.

The legitimate interest thus identified, therefore, can be considered to prevail over the fundamental rights and freedoms of the data subject, also because of these reasonable expectations and the existing relationship between the data subject and the Data Controller as well as in view of the nature of the data processed and the interest of the users themselves.

The provision of personal data for this purpose is optional as there is no legal or contractual obligation to provide the data; however, failure to provide the data and/or exercise the right to object may make it impossible to respond to users’ requests, reports, complaints, or grievances when this involves the processing of the user’s personal data.

For this purpose, the Owner will process the user’s data for the time necessary to carry out the aforementioned activities (e.g., time necessary to provide the requested information or follow up on complaints, reports or disputes).

Administration and Accounting

The Site will process Users’ personal data to perform administrative, accounting and tax activities such as activities related to the provision of the Site Services and/or the purchase contract concluded through the Site, such as, but not limited to, issuance of receipts and/or invoices, maintenance of accounting records.

The legal basis for this processing is the fulfillment of legal obligations to which the Controller is subject (Art. 6.1.c) of the Regulations).

The provision of data for the purpose in question is mandatory, because their processing is necessary to enable the Owner to fulfill the legal obligations incumbent on it. Any refusal to provide data for this purpose will result in the impossibility for the User to conclude the purchase contract through the Site.

For this purpose, the Owner will process the User’s data until the expiration of the legal deadlines stipulated by law for the performance of each administrative-accounting and tax compliance and/or for the storage periods stipulated by law for the preservation of related documentation.

Establishment, Exercise or Defense of a Right

The Owner will process user data for the establishment, exercise or defense of a right in all appropriate forums.

The legal basis for this processing is legitimate interest (Art. 6.1(f) of the Regulations).

It is the legitimate interest of the data controller to appeal to ensure compliance with its contractual rights or to demonstrate that it has fulfilled its obligations arising from its contract with the data subject or imposed by law. This legitimate interest is, in turn, grounded in the constitutionally guaranteed right to defense. It can therefore be deemed to override the fundamental rights and freedoms of the person concerned.

To this end, it is noted that the Holder will retain and eventually use the data:

  • to prove performance of the contract and/or to initiate or respond to actions related to such contract and/or performance before any administrative and/or jurisdictional authority and/or to protect its rights in the preparatory stages of the trial and/or proceedings;
  • to prove that you have consented to the exercise of your rights under the purchase agreement on the Site, the law (e.g., right of withdrawal or legal guarantee) or the Rules and have complied with the provisions therein;
  • to prove that it has responded to the complaints and/or reports and/or disputes of users;

For the purpose mentioned in n.1 above, the data will be kept for 10 years from the delivery of the product and/or the provision of the Services of the Site or from the termination of the contract.

In the case of the exercise of rights provided for in the contract or by law, the data will be kept for 10 years, starting from the closure of the practice or from the performance of the action that defines it (e.g.: refund, in the case of withdrawal); by closure of the practice is meant the last correspondence relating to the exercise of the right in question.

In the case of the exercise of the rights of the interested parties provided for in the Regulations, the data will be kept for 5 years from the attestation of having acknowledged the request of the interested party or from such acknowledgment, if later.

In the case of complaints, reports or disputes, the data will be kept for 3 years from the last correspondence on the matter.

The provision of data for the aforementioned purpose is not mandatory.

    The data used for this purpose are initially collected for a different purpose, the further processing of which is permitted insofar as it is based on the legitimate interest of the data controller, given the compatibility of this further purpose with the initial purpose of the collection, taking into account also the fact that, to the extent that the processing is necessary for the establishment, exercise and defense of a right, the data controller is, furthermore, exempted from the obligation to erase, by express provision of the Regulation; in fact, even in the case of the exercise of the right to object, the data controller shall refrain from further processing of personal data, unless the data controller demonstrates the existence of compelling legitimate grounds for processing that override the interests, fundamental rights and freedoms of the data subject or for the establishment, exercise or defense of a right in a court of law.

    Allowing the Exercise of Users’ Rights.

    The Data Controller will also process Users’ data in order to respond to requests to exercise the rights recognized to Users by the contract entered into with the Data Controller or by law in connection with such contract (e.g., right of withdrawal); to follow up on the exercise of the aforementioned rights (e.g., refund in case of right of withdrawal); to receive and respond to the exercise of Users’ rights recognized by the Regulations; and to carry out the resulting activities.

    The legal basis for this processing is the fulfillment of legal obligations to which the Controller is subject (Art. 6.1.c) of the Regulations).

    The provision of data for this purpose is compulsory as their processing is necessary to enable the Data Controller to comply with legal obligations as well as the user to exercise the rights that the law or the contract gives him/her. Any refusal to provide data for this purpose will make it impossible for the User to exercise these rights.

    For this purpose, the Data Controller will process the data until the expiration of the legal terms provided for the exercise of the right (limitation and/or forfeiture period) or, in the case of the exercise of these rights, for the time necessary to manage and close the file; in the case of the exercise of the rights provided for in the Regulations, the data will be processed until the data controller certifies that it has fulfilled the request or until the fulfillment itself, whichever occurs last.

    Generic Marketing and Newsletters

    The Data Controller will process your personal data for the purpose of sending, exclusively by e-mail, information and communications of a commercial nature concerning commercial offers, news about the Gurmido brand and scheduled events, information about Gurmido products and/or services, including by sending periodic newsletters.

    The legal basis is the User’s express consent to the processing of personal data for this purpose (Art. 6.1.a) of the Regulations). Sometimes the legal basis is legitimate interest (Art. 6(1)(f) in conjunction with Recital 47 of the Regulations), for sending transactional email communications (e.g., abandoned shopping cart).

    Providing data for this purpose is optional. There is no legal or contractual obligation on you to provide such data for this purpose and/or to consent to the processing of your personal data for this purpose.

    In case of non-consent, revocation of the same or exercise of the right to object, the User’s ability to make purchases on the Site will not be affected in any way.

    If consent is given, the User may at any time revoke the consent given and/or object to the processing of personal data for generic marketing and newsletter purposes, using the revocation of consent form, found at the following link, or, in case of opposition, the form for the exercise of the rights of the data subject found at the following link, to be sent, duly completed and with signature and attachments, to the Controller by email to: privacy@gurmido.com.

    The User may revoke consent or object to processing that has a different legal basis, including through the opt-out link provided in each promotional communication sent by email from the Data Controller.

    If consent is withdrawn, processing carried out on the basis of consent given before its withdrawal will still be considered legitimate.

    If you withdraw your consent and/or object to the processing of your data for the purpose of generic marketing, your data will no longer be processed for that purpose and will only be retained by the Data Controller in the circumstance that there is another legal basis that legitimizes its processing (e.g., contractual performance; legal obligation; legitimate interest).

    For marketing purposes, the Data Controller will process the user’s data until consent is revoked and/or the right to object is exercised and, in any case, no later than 3 years from the collection of the data, reserving the right, before the expiration of this period, to ask the user to renew consent and/or update the data.

    Soft-Spam

    The Owner will process the email coordinates, i.e. the User’s email address issued as part of the purchase of products/services through the Site, in order to propose direct sales of similar products/services through commercial communications concerning the same.

    This activity does not require the acquisition of prior express consent from the data subject as an activity exercised under Art. 130, paragraph 4, of the Privacy Code (Legislative Decree No. 196 of June 30, 2003), which expressly allows it, provided that the user does not object to such processing in the manner indicated below (so-called soft-spam).

    Thus, the legal basis is Art. 130, paragraph 4, of the Privacy Code (Legislative Decree No. 196 of June 30, 2003).

    In any case, the user may object to the processing of personal data for soft-spam purposes by using the form for the exercise of data subject’s rights at the following link, to be sent duly filled in and signed and attached to the Data Controller by email to: privacy@gurmido.com.

    Providing data for this purpose is optional: there is no legal or contractual obligation on the user to provide such data for this purpose. Failure to provide data for soft-spam purposes or opposition to such processing will have no effect on the user’s ability to make purchases on the Site.

    In the event that you object to the processing of your data for this purpose, your data will no longer be processed by the Data Controller for soft-spam purposes and will be retained by the Data Controller only in the circumstance that there is another legal basis that legitimizes its processing (e.g., contractual performance; legal obligation; legitimate interest).

    For soft-spam purposes, the Data Controller will process the user’s data until the right to object is exercised and, in any case, no longer than 3 years after collection, except for the purchase detail which will be kept and processed for soft-spam purposes for a period of 24 months after collection.

    Profiling for Marketing Purposes

    The Holder, subject to the free and optional consent of the User, will process his/her data in an automated way, to monitor the user’s behavior on the Site, collecting and recording browsing data (e.g.: pages visited, products/services viewed, whether the user purchased or did not purchase, abandoned carts, access device, dwell time) and purchase data (e.g.: type of product/service purchased, frequency of purchases, amounts spent, payment method).

    This data may be used to place users within groups (or clusters) of customers with common characteristics, identified by the Owner, and send them personalized offers.
    The purpose, therefore, is to offer users personalized and diversified commercial communications corresponding to the users’ profile. Each user can be matched to multiple clusters.

    The processing, including the final decision about the promotional communication to be sent or displayed to the user based on the cluster(s) they belong to, is not done in an automated way, i.e., without human intervention.

    The legal basis for this processing is the explicit consent of the data subject (Art. 6.1(a) of the Regulation).

    Users may revoke the consent given and/or object at any time to the processing of their data for the purpose of profiling for marketing purposes using the revocation of consent form, found at the following link, or, in case of opposition, the form for the exercise of the rights of the data subject found at the following link to be sent, duly completed and with signature and attachments, to the Controller by email to: privacy@gurmido.com.

    For the purpose of profiling for marketing purposes, the Data Controller will process user data until consent is revoked and/or the right to object is exercised and, in any case, no later than 12 months after collection.

    The provision of data for the purpose of profiling for marketing purposes is optional: that is, there is no legal or contractual obligation on the user to provide such data for this purpose and/or to give consent to the processing of his or her data for this purpose.

    Failure to provide data for the purpose of profiling for marketing purposes, failure to provide consent, revocation of consent, or exercise of the right to object will result in Users’ data not being (any longer) used for this purpose and will only be retained by the Data Controller in the circumstance that there is another legal basis that legitimizes its processing (e.g., legitimate interest).

    This will not affect your ability to register with the Site and/or make purchases on it.

    Revocation of previously given consent will not affect the lawfulness of processing performed on the basis of consent, prior to its revocation.

    ___________

    It should be noted that with respect to all the different processing purposes identified above in letters A-H, the Data Controller may use personal data collected initially for other purposes and, specifically, for the purposes of registering on the Site and/or concluding and/or executing the online purchase contract and/or browsing on that Site. Further processing should be considered legitimate insofar as it is based, from time to time, on the relevant legal basis indicated in this policy.

    5. Communication and dissemination of data

    In addition to the Owner, in some cases the following may have access to the Data:

    • Categories of Distributors, specially trained for this, involved in the organization of the Website (administrative, sales, marketing, legal, system administrators);
    • Public or private entities that can access the Data in compliance with legal obligations;
    • Subjects that perform ancillary and instrumental tasks with respect to the Holder’s activity (e.g., payment services), Autonomous Data Controllers.

    6. Place of Processing and Transfer of Data Abroad

    Data processing takes place mainly in Italy and in the countries of the European Union. Some third-party tools may process the data of users of this website in countries outside Europe (the “Third Countries”).

    Should there be a need to transfer data to Third Countries, the Owner undertakes to:

    – Ensure that the country to which the data will be sent guarantees an adequate level of protection as required by Article 45 GDPR; or

    – Use standard contractual Data Protection Clauses approved by the European Commission for the transfer of personal information outside the EEA in accordance with Article 46.2 GDPR.

    7. Cookie

    This Website uses cookies. Cookies are small text files that can be installed by websites on users’ devices to make the browsing experience more efficient and to personalize content and ads, provide social network features, and analyze traffic. To learn more, read the Cookie Policy.

    8. External Personal Data Processing Tools

    This Website uses certain third-party tools that may process personal data of users, in the manner and under the terms specifically stated in the privacy policies of each of these services. The following is a list of them.

    (a) Statistics

    Statistical services allow the Data Controller to monitor and analyze traffic data and are used to track User behavior. This Site uses the following services:

    Google Analytics (Google Ireland Limited)

    Google Analytics is an analytics service provided by Google Ireland Limited. Google uses the Personal Data collected for the purpose of tracking and examining the use of this Website, compiling reports, and sharing them with other services developed by Google. Google may use Personal Data to contextualize and personalize ads in its ad network. Google may also transfer this information to third parties where required by law or where such third parties process this information on Google’s behalf. IP address anonymization is enabled on this site. The IP address transmitted by the browser for purposes related to Google Analytics will not be merged with other data already held by Google.

    At the following link https://tools.google.com/dlpage/gaoptout?hl=it the browser add-on for disabling Google Analytics is made available by Google. Personal Data Collected: Cookies and Usage Data.
    Place of processing: IRELAND – Privacy Policy (https://policies.google.com/privacy?hl=it)

    (b) Newsletter

    Newsletter services allow the Data Controller to email users promotions and commercial communications. This Site uses the following services:

    Mailchimp (The Rocket Science Group LLC)

    Mailchimp is an address management and email messaging service provided by The Rocket Science Group LLC.

    Personal Data Processed: last name; email; first name.

    Place of processing: UNITED STATES – Privacy Policy.

    (c) Remarketing

    These services allow this Website to communicate, optimize, and deliver advertisements based on the User’s past use of this Website. This activity is carried out through the tracking of Usage Data and the use of Cookies. This Web Site uses the following services:

    Facebook Remarketing (Facebook Ireland Ltd)

    Facebook Remarketing is a Remarketing and Behavioral Targeting service provided by Facebook, which links this Site’s activity with the Facebook advertising network. This Site makes use of the Facebook Pixel tool in order to measure conversions. Thanks to the Facebook Pixel, you can understand the actions people perform on the Website. The Data you collect can be used to make sure ads are shown to the right people; create audience groups to target ads to; leverage the additional advertising tools of the platform you are advertising on.

    The information collected is anonymous to the operators of this Site and cannot be used to identify an individual user. However, the information is saved and analyzed by Facebook, which could link the action back to an individual profile and use this information for internal Facebook advertising purposes, as outlined by Facebook’s privacy policy. This will allow Facebook to show advertisements on both Facebook and third-party sites. The Site Owner has no control over how this data is used. For more information on how users can protect their privacy, please refer to Facebook’s Privacy Policy (https://www.facebook.com/about/privacy/).

    (d) Live Chat

    Live Chat via the ‘Whatsapp’ channel can be used by users to take advantage of support or customer care services, before, during and after purchase.

    The service is provided by Facebook Ireland Limited and may use various technologies to collect and store information when you use the services with which it is integrated, this may include the use of cookies and similar tracking technologies. Place of Processing: IRELAND – Privacy Policy (https://www.whatsapp.com/legal/privacy-policy-eea?eea=1).

    (e) Interaction With Social Networks

    These services allow for interactions with social networks or other external platforms directly from the pages of this Site. Interactions and information captured by this Site are in each case subject to the User’s privacy settings related to each social network. In the event that a social network interaction service is installed, it is possible that, even if Users do not use the service, it will collect traffic data related to the pages where it is installed.

    Facebook (Facebook Ireland Ltd.)

    Facebook buttons are interaction services with the social network Facebook, provided by Facebook Ireland Ltd. Personal Data Collected: Cookies and Usage Data. Place of processing: IRELAND – Privacy Policy (https://www.facebook.com/about/privacy)

    Instagram (Facebook Ireland Ltd.)

    Instagram buttons are interaction services with the social network Instagram, provided by Facebook. Personal Data Collected: Cookies and Usage Data. Place of processing: IRELAND – Privacy Policy (https://help.instagram.com/519522125107875)

    9. Rights of the Interested Parties

    Data subjects have the right to exercise the faculties provided for in Articles 7, 15-22 of the Regulations.

    In particular, Users have the right to obtain:

    • (a) access, updating, rectification or, when interested, integration of data;
    • (b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;
    • (c) certification that the transactions referred to in subparagraphs (a) and (b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except where this proves impossible or involves the use of means manifestly disproportionate to the right protected.

    In addition, Users have the right:

    • (d) to withdraw consent at any time if the processing is based on their consent;
    • (e) (where applicable) to data portability (the right to receive all personal data concerning them in a structured, commonly used, machine-readable format), the right to restriction of processing of personal data, and the right to erasure (“right to be forgotten”);
    • (f) to object:

    – in whole or in part, for legitimate reasons to the processing of personal data concerning them, even if relevant to the purpose of collection;

    – in whole or in part, to the processing of personal data concerning them for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication;

    – where personal data are processed for direct marketing purposes, at any time to the processing of their data carried out for that purpose, including profiling insofar as it is related to such direct marketing.

    Pursuant to the Applicable Regulations, the Holders inform Users that they have the right to obtain an indication (i) of the origin of personal data; (ii) of the purposes and methods of processing; (iii) of the logic applied in case of processing carried out with the aid of electronic tools; (iv) of the identification details of the Holders and responsible persons; (v) of the individuals or categories of individuals to whom the personal data may be communicated or who may become aware of them in their capacity as managers or appointees.

    Data subjects may exercise their rights by sending the data subject rights exercise form, which can be found at this link, to be sent, duly completed and with signature and attachments, to the Data Controller by email to: privacy@gurmido.com.

    Data subjects, should they believe that the processing concerning them violates the Regulations, also have the right to lodge a complaint with the Garante della Privacy as the supervisory authority for the protection of personal data (Garante per la protezione dei dati personali, based at Piazza Venezia no. 11 – 00187 – Rome, http://www.garanteprivacy.it/).

    Changes to this Privacy Policy

    The Data Controller reserves the right to make changes to this Privacy Policy at any time by giving notice to Users on this page. Therefore, please consult this page often, taking the date of last modification shown at the bottom as a reference. If you do not accept the changes made to this Privacy Policy, you must cease using this Website and may request the Data Controller to remove your Personal Data. Unless otherwise specified, the previous Privacy Policy will continue to apply to Personal Data collected up to that point. The Owner is not responsible for updating all links viewable in this Privacy Policy, so whenever a link is not working and/or updated, Users acknowledge and agree that they should always refer to the document and/or section of the websites referred to by that link.

    Privacy Policy updated as of July 2022