PRIVACY POLICY

PRIVACY POLICY FOR PERSONAL DATA PROCESSING
Pursuant to Article 13 of EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation, hereinafter “GDPR”).
As required by the GDPR, Data Subjects (users of LUISAVIAROMA) prior to processing shall be notified that their personal data collected through the website or app shall be processed by LUISA VIA ROMA S.p.A. through IT or other telematic tools for purposes specified in this privacy policy.
To this end users are provided with this privacy policy prepared by LUISA VIA ROMA S.p.A. (hereinafter “LUISAVIAROMA” or “the Company” or “Data Controller”), initiator and promoter of services on LUISAVIAROMA.

Data Controller
The Data Controller for personal data is LUISA VIA ROMA S.p.A. with registered offices in 50132 Firenze (Italy) at 61, Via Benedetto Varchi (Tax ID No 00607970480).
The Company has appointed Ms. Angela Tavaglione, attorney at law, as Data Protection Officer (hereinafter “DPO”) pursuant to Article 37 GDPR.
The DPO may be contacted for any queries connected to personal data processing at: dpo@luisaviaroma.com.
For more information regarding the rights of data subjects, please read the paragraph “Rights of the Data Subject” of this privacy policy below.

Information on Processing
Personal data being processed are collected directly by LUISA VIA ROMA S.p.A. or by third parties specifically appointed by the data controller. Personal data may be also disclosed by the Company to such third parties for purposes below.

Legal Basis and Purpose of Processing
Personal data provided by users when browsing the LUISAVIAROMA website and app are processed by the Data Controller in accordance with applicable regulations.
Legal basis for data processing is the provision of services by the Company and managing and operation of the website and app, as well as in entering into, execution and possible termination of online sales contracts.
Processing of personal data by LUISA VIA ROMA S.p.A. is aimed at pursuing the following purposes:

1) SUBSCRIPTION TO THE LUISAVIAROMA NEWSLETTER: In the event of users subscribing to “LUISAVIAROMA Newsletter” upon specific consent, personal data shall be processed by the Data Controller for sending advertising and marketing communications on latest trends, new arrivals, exclusive offers, special events and promotions.
To unsubscribe from the newsletter, simply click on the unsubscribe link at the bottom of the e-mail or write to customerservice@luisaviaroma.com.

In order to compare and possibly improve the performance of marketing communication, the Data Controller applies reporting systems to newsletters and advertising communication. These systems report the number of visitors, openings and clicks, kind of device used (desktop, mobile), number of pending users not yet subscribed, number of e-mails by date/time/minute, details of e-mails delivered as compared to those sent, list of unsubscribes from the newsletter, number of e-mail openings and clicks on individual links, message displaying problems, link tracking (i.e. number of clicks made on links contained in a message) and click tracking (which links have been clicked upon). All these data are used to benchmark and possibly improve marketing communication performance.

2) REGISTRATION ON LUISAVIAROMA: In the event of users registering on the LUISAVIAROMA website or app upon specific consent, personal data will be processed by the Data Controller to enable registration to LUISAVIAROMA. In particular, upon provision of personal data such as first name, last name, email address along with access password setting, personal data will be processed to create a personal account as well as to speed up the purchase process and in order to enable users to view the status of their orders and receive updates on their purchases, set and modify their own data and any “settings” that will improve browsing, update their own account, view records of returns and items exchange requests, save favorite items in their Wishlist and offer the opportunity to join the loyalty program, LVR Privilege at a later time, should users so desire.

3) ENROLLMENT IN THE PROGRAM LVR PRIVILEGE: In the event of users joining the loyalty program LVR Privilege upon specific consent, personal data shall be processed by the Data Controller to enable enrollment to the loyalty program (please visit: LVR Privilege Terms & Conditions for thereto related Terms & Conditions) as well as to enable users to collect points requested to redeem rewards provided by the program.

4) ONLINE SHOPPING ACTIVITIES: Personal data provided by users will be used for establishing, executing and terminating online sales contracts. Data so provided will be processed by the Data Controller for the purpose of managing purchase orders with reference to i.e. payments, shipments, returns management, customer support, accounting connected to orders and legal and statutory obligations. In case of payment by credit card, basic information required to execute such transactions (cardholder name, credit/debit card number, expiry date, security code) will be processed by Banca Sella – WorldpayAdyen – Braintree or by companies in charge of anti-fraud controls using encrypted protocols without any third parties having access thereto. Such information shall never be displayed or saved by the retailer LUISA VIA ROMA S.p.A.

5) PROFILING OF THE PHYSICAL PERSON: Only after your express and explicit consent, the personal data you provided may be processed by the Data Controller for profiling activities, or analysis of your preferences aimed at creating personalized content and offers.


Nature of Processing

In connection with purposes referenced in point 1) of the previous section, providing personal data and consent to their processing is optional. Failure to provide consent shall make it impossible for LUISAVIAROMA to enable users to subscribe to the “LUISAVIAROMA Newsletter”, to send commercial or promotional communications, updates on i.e. latest trends, new arrivals, exclusive offers, special events and promotions.

In connection with purposes referenced in point 2) of the previous section, providing personal data and consent to their processing is mandatory.
Failure to provide consent shall make it impossible for LUISAVIAROMA to enable users to register to the LUISAVIAROMA website or app, create a personal account, speed up the purchase process, check orders status and receive updates on purchases, enable users to update personal settings and account preferences, view returns records and change requests, save favorite items in the Wishlist or to subscribe to the loyalty program LVR Privilege, if desired.

In connection with purposes referenced in point 3) of the previous section, providing personal data and consent to their processing is optional.
Failure to provide consent shall make it impossible for LUISAVIAROMA to enable users to enroll in the loyalty program LVR Privilege.

In connection with purposes referenced in point 4) of the previous section, providing personal data and consent to their processing is mandatory.
Failure to provide consent shall make it impossible for LUISAVIAROMA to proceed with establishing, executing and terminating online sales contracts, therefore making it impossible to perform i.e. activities related to payments, shipment, returns management, customer support, accounting connected to orders and legal and statutory obligations.

In relation to the purposes referenced in point 5) of the previous section, providing personal data and consent to their processing is optional.
Failure to provide consent shall make it impossible for LUISAVIAROMA to perform profiling activities, or to perform analysis of users' preferences aimed at creating personalized content and offers.

Personal Data Processing – The Data Controller processes personal data provided by users when browsing LUISAVIAROMA upon registration to services and programs offered by LUISAVIAROMA and purchase of items available by LUISAVIAROMA. Examples of personal data are name, last name and email address in addition to data required to conclude online sales contracts such as functional data for processing payments, shipments and change of purchased items.

Data Processing and Storage – Personal data processing is performed by the Data Controller in compliance with statutory requirements on Privacy. The Data Controller processes personal data using IT and telematic tools with logical procedures strictly related to the purposes specified in this policy as well as by adopting appropriate security measures to prevent unauthorized access, disclosure, modification, loss or abuse of personal data. Despite this, LUISAVIAROMA cannot guarantee that all measures taken for website and app security are capable of limiting or excluding any risk of unauthorized access or loss of data by devices belonging to users. Accordingly, users are advised to ensure that their personal computer is equipped with software suitable to protect network data transmission (such as updated antivirus) and that their Internet provider has adopted appropriate security measures for network data transmission. LUISAVIAROMA also undertakes to process data according to the principles of fairness, legality and transparency, to collect data only to the extent needed for processing and to allow use only by authorized personnel. Management and storage of personal data so acquired will take place in archives or on servers located within the EU owned by the Data Controller or by third-party companies appointed as External Data Processor for processing and in any case currently located in Italy.
In connection with the different purposes for which data are collected, personal data will be kept during a limited period of time strictly needed to achieve that purpose pursuant to Laws and regulations in force.
LUISAVIAROMA will in any case prevent an indefinite use of data by periodically verifying the continuing interest of the individual to whom they refer.

Data Processors and Recipients – Data collected shall not be disseminated in any way and shall be processed by LUISAVIAROMA employees on the basis of appropriate operating instructions within the limits and for the purposes specified above (e.g. accounting, sales, marketing, legal, system administrators, etc.). Some data processing may also be performed by third parties, appointed by the Data Controller and entrusted as External Data Processors to manage contractual relationships, the provision of services offered and organizational activities. Data may be in particular disclosed to:

a) Public and private entities entitled to have access to personal data by virtue of a provision of law, regulation or EU legislation, within the limits provided by such rules;
b) Entities requiring access to data for purposes connected with contracts between the parties, within the limits strictly needed to perform auxiliary tasks (such as banks and lenders, technical service providers, hosting providers, IT companies, media agencies, forwarders and shipping companies);
c) Consultants, to the extent required to perform their professional duties.

The updated list of External Data Processors and other individuals entrusted with data processing is available at the Data Controller's registered office and shall be provided upon request to dpo@luisaviaroma.com.

Transfer of Data Abroad – Management and storage of personal data shall be performed on servers of the Data Controller and third-party companies duly appointed as External Data Processors located within the EU.
Personal data may be transferred abroad pursuant to applicable laws and regulations, including to non-EU countries.
Data transfer to non-EU countries, in addition to cases in which this is ensured by an Adequacy Decision by the Commission, is performed in such a way as to provide appropriate and adequate guarantees pursuant to Articles 46, 47 or 49 GDPR.

Rights of the Data Subject – In their capacity as Data Subjects, users of LUISAVIAROMA may at any time exercise the rights provided for in Articles 15, 16, 17, 18, 20 and 21 GDPR, which grant the following rights:

a) pursuant to Article 15 obtain from the Data Controller a confirmation as to whether or not personal data related to them are being processed and if so, obtain access to the data and information such as: (i) purposes of this processing; (ii) categories of personal data; (iii) recipients or categories of recipients to whom personal data have been or will be disclosed, in particular recipients located in non-EU countries or International Organizations; (iv) where possible, the expected retention period of personal data provided or, if not feasible, the criteria used to determine such period;
b) pursuant to Article 16 obtain from the Data Controller rectification of inaccurate personal data without undue delay; taking into account the purposes of processing, Data Subjects have the right to have incomplete personal data completed also by providing an additional declaration;
c) pursuant to Article 17 obtain from the Data Controller deletion of their personal data without undue delay. The Data Controller is under obligation to cancel personal data without delay where any of the grounds in paragraph 1 of Article 17 exists;
d) pursuant to Article 18 obtain from the Data Controller restriction of processing where any of the circumstances referred to in paragraph 1 of Article 18 applies;
e) pursuant to Article 20 obtain from the Data Controller data portability or receive in a structured, commonly used and machine-readable format. Data Subjects also have the right to transmit such data to another Data Controller without hindrance by the first Data Controller to whom they provided such data if circumstances specified in Article 20 paragraph 1 are met. Finally, Data Subjects have the right to obtain direct transmission of personal data from a Data Controller to another one, if technically feasible;
f) pursuant to Article 21 object in whole or in part to the processing of their personal data.

In order to exercise their rights, users may send their requests to: dpo@luisaviaroma.com.
It should also be noted that Data Subjects are entitled to withdraw their consent at any time without prejudice to the lawfulness of processing based on consent given prior to withdrawal, without prejudice to aforementioned effects of any refusal to provide such personal data. Data Subjects are also entitled to lodge a complaint with a Control Authority.
Data Subjects can make requests regarding these rights to: dpo@luisaviaroma.com.
LUISA VIA ROMA S.p.A. shall respond to requests made by the Data Subjects within one month, except in complicated cases, for which it may take up to a maximum of three months. The Data Controller shall in any case inform the Data Subject on the reason for the delayed response within one month of the request. The outcome of the request will be provided in writing or in electronic format. In case of request for rectification, cancellation and restriction of processing, the Data Controller shall communicate the outcome of the requests received by the Data Subject to each of the recipients of their data, unless this proves impossible or involves a disproportionate effort.
LUISAVIAROMA specifies that a contribution may be requested from Data Subjects if the applications manifest to be unfounded, excessive or repetitive; in this regard, the Data Controller will provide a register to track requests for actions.

Amendments to this Policy – The Data Controller reserves the right to amend this Privacy Policy at any time by notifying users on this website www.luisaviaroma.com. Please visit this page regularly, referring to the date of last amendment indicated at the bottom of the policy. In case of non-acceptance of the amendments made to this Privacy Policy, Data Subjects may request the Data Controller to delete their personal data. Unless otherwise specified, this Privacy Policy shall continue to apply to personal data collected until then.

Privacy Policy updated on August 23, 2021

Note: In the event of any inconsistency, discrepancy or divergences of interpretation between the English version and any other language versions of this publication, the English language version shall prevail.
