- COLLECTION OF PERSONAL DATA
During normal operation, the computer systems and software procedures used to operate this website acquire certain personal data, including IP addresses or domain names of the computers used by users connecting to the Mesauda website, URI(Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment.) and other parameters relating to the user's operating system and computer environment.
The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the site.
- PURPOSE AND LEGAL BASIS OF PROCESSING
In some sections of the Site, in relation to specific services, some of the Data listed above are requested, which will be processed by the Company for the purposes and legal bases indicated below.
- For theexecution of pre-contractual measures and/or a contract to which you are a party:
- for the purpose of registering a user on the mesaudacosmetics.co.uk website ("Account");
- for the technical management and administration of the website;
- to proceed with the purchase of Mesauda products;
- in order to benefit from services reserved for holders of a personal Account on the Site, such as participation in the loyalty programme, viewing previous purchases, etc;
- to receive and properly process the information and contact requests received (including via live chat or the "my invitation" form).
- On the basis of a legitimate interest of the Owner (soft spam pursuant to art. 130 paragraph 4 of Legislative Decree 196/2003 as updated by Legislative Decree 101/2018 - Personal Data Protection Code), for the promotion via e-mail of services similar to those of the sale, without prejudice to the possibility to object at any time.
Furthermore, subject to your prior consent, which is optional and revocable at any time, the personal data collected may be processed for further purposes, and in particular for:
- Marketing: to send you communications about initiatives, commercial offers, questionnaires and market research of the Controller through digital channels (e.g. by e-mail);
- Profiling: for the analysis of your preferences, habits, behaviour, interests deduced, for example, from online clicks on articles/sections of the Site, in order to send you personalised commercial communications or carry out targeted promotional actions.
In any case, your personal data may also be processed, where necessary, for the following purposes:
- In order to fulfil legal obligations, and in particular to comply with obligations laid down in regulations and in applicable national and supranational legislation (tax compliance, administration, etc.);
- On the basis of a legitimate interest (judicial protection), to ascertain, exercise or defend the rights of the Controller in and/or out of court.
- RETENTION PERIOD
- For the entire duration of the contract and, after termination, for the ordinary limitation period of 10 years, for processing operations whose legal basis is the performance of pre-contractual measures and/or a contract to which the data subject is party;
- Until the exercise of its right to opt-out for the activity of promotion by e-mail of services similar to those of the sale, based on the legitimate interest of the Controller (soft spam);
- For a duration of 24 and 12 months respectively from the date of collection of the data subject's consent for optional marketing and profiling processing;
- For the duration foreseen by the law (10 years for administrative-accounting fulfilment) for processing to comply with legal obligations;
- In the event of litigation, for the entire duration of the litigation, until the time limit for appeals has been exhausted, for the treatment of judicial protection by the Controller on the basis of its legitimate interest.
The personal data in question, once the above-mentioned retention periods have expired, will be destroyed, erased or made anonymous in accordance with the technical procedures for erasure and backup and with the Controller's accountability requirements.
- MANDATORY NATURE OF DATA PROVISION
The provision of the Data processed for the purposes of the execution of pre-contractual measures and/or a contract and the fulfilment of legal obligations is necessary for the conclusion of the various contractual relationships, the execution of the orders and services requested and the fulfilment of legal obligations.
Therefore, any refusal by the interested party will make it impossible for the Controller to provide the requested service.
In relation to optional processing, such as marketing and profiling, the provision of data is entirely optional and the data subject may opt-out at any time.
- RECIPIENTS OF DATA
The Data may be known and processed by the employees of the corporate functions in charge of pursuing the above-mentioned purposes, who have been expressly authorised to process them and have received adequate operating instructions.
Furthermore, the Data may be processed by external parties acting as autonomous data controllers such as, for example, supervisory and control bodies, Public Authorities that expressly request such data for administrative or institutional purposes and, in general, all parties legitimated by current national and European legislation to request such data.
The Data may also be processed, on behalf of the Company, by external parties who may be qualified as data processors (pursuant to Article 28 of the GDPR). Such parties, by way of example, may be:
- companies offering e-mail services;
- companies that provide the service of management and/or maintenance of the Company's website;
- companies offering support in carrying out market studies;
- companies offering services for the management of the information system and telecommunications networks, including electronic mail;
- companies offering services for sending documentation and/or material (post offices, forwarding agents, couriers, etc.);
- banking institutions for the management of collections and payments arising from the execution of contracts.
The full list of data processors is available upon request to the Controller using the contact details given in Section 9 below.
- TRANSFER OF PERSONAL DATA TO COUNTRIES OUTSIDE THE EUROPEAN UNION
Your personal data will not be transferred outside the European Union.
Where this is the case, in relation to data collected using cookies, the Data Controller will, to the extent of its competence, adopt appropriate safeguards, including applicable adequacy decisions and Standard Contractual Clauses adopted by the European Commission.
- RIGHTS OF THE PERSONS CONCERNED
Interested parties may ask the Data Controller for access to the Data concerning them, their deletion, the rectification of inaccurate data, the integration of incomplete data, the limitation of processing in the cases provided for, as well as the opposition to processing, for reasons related to their particular situation, in cases of legitimate interest of the Data Controller:
- by contacting the Privacy Office, by mail at via del Cottanello, Nr 13 - Rome 00158, to the kind attention of the Privacy Contact; or
- by e-mail to email@example.com
Moreover, where the processing is based on consent or on contract and is carried out by automated means, data subjects have the right to receive the data in a structured, commonly used and machine-readable format and, if technically feasible, to have them transferred to another data controller without hindrance (so-called right to portability).
Finally, data subjects always have the right to withdraw their consent given for marketing and/or profiling purposes at any time (this, in any case, will not affect the lawfulness of the processing carried out on the basis of the consent given before the withdrawal) and to lodge a complaint with the competent supervisory authority in the Member State where they habitually reside or work or in the State where the alleged breach occurred.