to prove that it has responded to the complaints and/or reports and/or disputes of users;For the purpose mentioned in n.1 above, the data will be kept for 10 years from the delivery of the product and/or the provision of the Services of the Site or from the termination of the contract.In the case of the exercise of rights provided for in the contract or by law, the data will be kept for 10 years, starting from the closure of the practice or from the performance of the action that defines it (e.g.: refund, in the case of withdrawal); by closure of the practice is meant the last correspondence relating to the exercise of the right in question.In the case of the exercise of the rights of the interested parties provided for in the Regulations, the data will be kept for 5 years from the attestation of having acknowledged the request of the interested party or from such acknowledgment, if later.In the case of complaints, reports or disputes, the data will be kept for 3 years from the last correspondence on the matter.The provision of data for the aforementioned purpose is not mandatory.
The data used for this purpose are initially collected for a different purpose, the further processing of which is permitted insofar as it is based on the legitimate interest of the data controller, given the compatibility of this further purpose with the initial purpose of the collection, taking into account also the fact that, to the extent that the processing is necessary for the establishment, exercise and defense of a right, the data controller is, furthermore, exempted from the obligation to erase, by express provision of the Regulation; in fact, even in the case of the exercise of the right to object, the data controller shall refrain from further processing of personal data, unless the data controller demonstrates the existence of compelling legitimate grounds for processing that override the interests, fundamental rights and freedoms of the data subject or for the establishment, exercise or defense of a right in a court of law.
Allowing the Exercise of Users’ Rights.
The Data Controller will also process Users’ data in order to respond to requests to exercise the rights recognized to Users by the contract entered into with the Data Controller or by law in connection with such contract (e.g., right of withdrawal); to follow up on the exercise of the aforementioned rights (e.g., refund in case of right of withdrawal); to receive and respond to the exercise of Users’ rights recognized by the Regulations; and to carry out the resulting activities.
The legal basis for this processing is the fulfillment of legal obligations to which the Controller is subject (Art. 6.1.c) of the Regulations).
The provision of data for this purpose is compulsory as their processing is necessary to enable the Data Controller to comply with legal obligations as well as the user to exercise the rights that the law or the contract gives him/her. Any refusal to provide data for this purpose will make it impossible for the User to exercise these rights.
For this purpose, the Data Controller will process the data until the expiration of the legal terms provided for the exercise of the right (limitation and/or forfeiture period) or, in the case of the exercise of these rights, for the time necessary to manage and close the file; in the case of the exercise of the rights provided for in the Regulations, the data will be processed until the data controller certifies that it has fulfilled the request or until the fulfillment itself, whichever occurs last.
Generic Marketing and Newsletters
The Data Controller will process your personal data for the purpose of sending, exclusively by e-mail, information and communications of a commercial nature concerning commercial offers, news about the Gurmido brand and scheduled events, information about Gurmido products and/or services, including by sending periodic newsletters.
The legal basis is the User’s express consent to the processing of personal data for this purpose (Art. 6.1.a) of the Regulations). Sometimes the legal basis is legitimate interest (Art. 6(1)(f) in conjunction with Recital 47 of the Regulations), for sending transactional email communications (e.g., abandoned shopping cart).
Providing data for this purpose is optional. There is no legal or contractual obligation on you to provide such data for this purpose and/or to consent to the processing of your personal data for this purpose.
In case of non-consent, revocation of the same or exercise of the right to object, the User’s ability to make purchases on the Site will not be affected in any way.
If consent is given, the User may at any time revoke the consent given and/or object to the processing of personal data for generic marketing and newsletter purposes, using the revocation of consent form, found at the following link, or, in case of opposition, the form for the exercise of the rights of the data subject found at the following linkto besent, duly completed and with signature and attachments, to the Controller by email to: firstname.lastname@example.org.
The User may revoke consent or object to processing that has a different legal basis, including through the opt-out link provided in each promotional communication sent by email from the Data Controller.
If consent is withdrawn, processing carried out on the basis of consent given before its withdrawal will still be considered legitimate.
If you withdraw your consent and/or object to the processing of your data for the purpose of generic marketing, your data will no longer be processed for that purpose and will only be retained by the Data Controller in the circumstance that there is another legal basis that legitimizes its processing (e.g., contractual performance; legal obligation; legitimate interest).
For marketing purposes, the Data Controller will process the user’s data until consent is revoked and/or the right to object is exercised and, in any case, no later than 3 years from the collection of the data, reserving the right, before the expiration of this period, to ask the user to renew consent and/or update the data.
The Owner will process the email coordinates, i.e. the User’s email address issued as part of the purchase of products/services through the Site, in order to propose direct sales of similar products/services through commercial communications concerning the same.
This activity does not require the acquisition of prior express consent from the data subject as an activity exercised under Art. 130, paragraph 4, of the Privacy Code (Legislative Decree No. 196 of June 30, 2003), which expressly allows it, provided that the user does not object to such processing in the manner indicated below (so-called soft-spam).
Thus, the legal basis is Art. 130, paragraph 4, of the Privacy Code (Legislative Decree No. 196 of June 30, 2003).
In any case, the user may object to the processing of personal data for soft-spam purposes by using the form for the exercise of data subject’s rights at the following link, to be sent duly filled in and signed and attached to the Data Controller by email to: email@example.com.
Providing data for this purpose is optional: there is no legal or contractual obligation on the user to provide such data for this purpose. Failure to provide data for soft-spam purposes or opposition to such processing will have no effect on the user’s ability to make purchases on the Site.
In the event that you object to the processing of your data for this purpose, your data will no longer be processed by the Data Controller for soft-spam purposes and will be retained by the Data Controller only in the circumstance that there is another legal basis that legitimizes its processing (e.g., contractual performance; legal obligation; legitimate interest).
For soft-spam purposes, the Data Controller will process the user’s data until the right to object is exercised and, in any case, no longer than 3 years after collection, except for the purchase detail which will be kept and processed for soft-spam purposes for a period of 24 months after collection.
Profiling for Marketing Purposes
The Holder, subject to the free and optional consent of the User, will process his/her data in an automated way, to monitor the user’s behavior on the Site, collecting and recording browsing data (e.g.: pages visited, products/services viewed, whether the user purchased or did not purchase, abandoned carts, access device, dwell time) and purchase data (e.g.: type of product/service purchased, frequency of purchases, amounts spent, payment method).
This data may be used to place users within groups (or clusters) of customers with common characteristics, identified by the Owner, and send them personalized offers.
The purpose, therefore, is to offer users personalized and diversified commercial communications corresponding to the users’ profile. Each user can be matched to multiple clusters.
The processing, including the final decision about the promotional communication to be sent or displayed to the user based on the cluster(s) they belong to, is not done in an automated way, i.e., without human intervention.
The legal basis for this processing is the explicit consent of the data subject (Art. 6.1(a) of the Regulation)
Users may revoke the consent given and/or object at any time to the processing of their data for the purpose of profiling for marketing purposes using the revocation of consent form, found at the following link, or, in case of opposition, the form for the exercise of the rights of the data subject found at the following link to be sent, duly completed and with signature and attachments, to the Controller by email to: firstname.lastname@example.org.
For the purpose of profiling for marketing purposes, the Data Controller will process user data until consent is revoked and/or the right to object is exercised and, in any case, no later than 12 months after collection.
The provision of data for the purpose of profiling for marketing purposes is optional: that is, there is no legal or contractual obligation on the user to provide such data for this purpose and/or to give consent to the processing of his or her data for this purpose.
Failure to provide data for the purpose of profiling for marketing purposes, failure to provide consent, revocation of consent, or exercise of the right to object will result in Users’ data not being (any longer) used for this purpose and will only be retained by the Data Controller in the circumstance that there is another legal basis that legitimizes its processing (e.g., legitimate interest).
This will not affect your ability to register with the Site and/or make purchases on it.
Revocation of previously given consent will not affect the lawfulness of processing performed on the basis of consent, prior to its revocation.
It should be noted that with respect to all the different processing purposes identified above in letters A-H, the Data Controller may use personal data collected initially for other purposes and, specifically, for the purposes of registering on the Site and/or concluding and/or executing the online purchase contract and/or browsing on that Site. Further processing should be considered legitimate insofar as it is based, from time to time, on the relevant legal basis indicated in this policy.
5. Communication and dissemination of data
In addition to the Owner, in some cases, they may have access to the Data:
- Categories of Distributors, specially trained for this, involved in the organization of the Website (administrative, sales, marketing, legal, system administrators);
- Public or private entities that can access the Data in compliance with legal obligations;
- Subjects that perform ancillary and instrumental tasks with respect to the Holder’s activity (e.g., payment services), Autonomous Data Controllers.
6. Place of Processing and Transfer of Data Abroad
Data processing takes place mainly in Italy and in the countries of the European Union. Some third-party tools may process the data of users of this website in countries outside Europe (the “Third Countries”).
Should there be a need to transfer data to Third Party Countries, the Owner undertakes to:
– Ensure that the country to which the data will be sent guarantees an adequate level of protection as required by Article 45 GDPR; or
– Use standard contractual Data Protection Clauses approved by the European Commission for the transfer of personal information outside the EEA in accordance with Article 46.2 GDPR.
8. External Personal Data Processing Tools
This Website uses certain third-party tools that may process personal data of users, in the manner and under the terms specifically stated in the privacy policies of each of these services. The following is a list of them.
Statistical services allow the Data Controller to monitor and analyze traffic data and are used to track User behavior. This Site uses the following services:
Google Analytics (Google Ireland Limited)
Google Analytics is an analytics service provided by Google Ireland Limited. Google uses the Personal Data collected for the purpose of tracking and examining the use of this Website, compiling reports, and sharing them with other services developed by Google. Google may use Personal Data to contextualize and personalize ads in its ad network. Google may also transfer this information to third parties where required by law or where such third parties process this information on Google’s behalf. IP address anonymization is enabled on this site. The IP address transmitted by the browser for purposes related to Google Analytics will not be merged with other data already held by Google.
At the following link https://tools.google.com/dlpage/gaoptout?hl=it the browser add-on for disabling Google Analytics is made available by Google. Personal Data Collected: Cookies and Usage Data.
Newsletter services allow the Data Controller to email users promotions and commercial communications. This Site uses the following services:
Mailchimp (The Rocket Science Group LLC)
Mailchimp is an address management and email messaging service provided by The Rocket Science Group LLC.
Personal Data Processed: last name; email; first name.
Facebook Remarketing (Facebook Ireland Ltd)
Facebook Remarketing is a Remarketing and Behavioral Targeting service provided by Facebook, which links this Site’s activity with the Facebook advertising network. This Site makes use of the Facebook Pixel tool in order to measure conversions. Thanks to the Facebook Pixel, you can understand the actions people perform on the Website. The Data you collect can be used to make sure ads are shown to the right people; create audience groups to target ads to; leverage the additional advertising tools of the platform you are advertising on.
(d) Live Chat
Live Chat via the ‘Whatsapp’ channel can be used by users to take advantage of support or customer care services, before, during and after purchase.
e) Interaction With Social Networks
These services allow for interactions with social networks or other external platforms directly from the pages of this Site. Interactions and information captured by this Site are in each case subject to the User’s privacy settings related to each social network. In the event that a social network interaction service is installed, it is possible that, even if Users do not use the service, it will collect traffic data related to the pages where it is installed.
Facebook (Facebook Ireland Ltd.)
Instagram (Facebook Ireland Ltd.)
9. Rights of the Interested Parties
Data subjects have the right to exercise the faculties provided for in Articles 7, 15-22 of the Regulations.
In particular, Users have the right to obtain:
- (a)access,updating, rectification or, when interested,integration of data;
- (b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;
- (c) certification that the transactions referred to in subparagraphs. (a) and (b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except where this proves impossible or involves the use of means manifestly disproportionate to the right protected.
In addition, Users have the right:
- (d) to withdraw consent at any time if the processing is based on their consent;
- (e) (where applicable) to data portability (the right to receive all personal data concerning them in a structured, commonly used, machine-readable format), the right to restriction of processing of personal data, and the right to erasure(“right to be forgotten”);
- (f) of the right to object:
– in whole or in part, for legitimate reasons to the processing of personal data concerning them, even if relevant to the purpose of collection;
– in whole or in part, to the processing of personal data concerning them for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication;
– where personal data are processed for direct marketing purposes, at any time to the processing of their data carried out for that purpose, including profiling insofar as it is related to such direct marketing.
Pursuant to the Applicable Regulations, the Holders inform that Users have the right to obtain the indication (i) Of the origin of personal data; (ii) Of the purposes and methods of processing; (iii) of the logic applied in case of processing carried out with the aid of electronic tools; (iv) of the identification details of the Holders and responsible persons; (v) of the individuals or categories of individuals to whom the personal data may be communicated or who may become aware of them in their capacity as managers or appointees.
Data subjects may exercise their rights by sending the data subject rights exercise form, which can be found at this link, to be sent, duly completed and with signature and attachments, to the Data Controller by email to: email@example.com.
Data subjects, should they believe that the processing concerning them violates the Regulations, also have the right to lodge a complaint with the Garante della Privacy as the supervisory authority for the protection of personal data (Garante per la protezione dei dati personali, based at Piazza Venezia no. 11 – 00187 – Rome(http://www.garanteprivacy.it/).