LUISAVIAROMA X Vestiaire Collective – Privacy Policy
Updated on 19 May 2022 – Check this web page regularly to always have the updated version.
Pursuant to art. 13 and 14 of EU Regulation 2016/679 (hereinafter “GDPR”), LUISA VIA ROMA S.p.A. (“LUISAVIAROMA”, “LVR” OR “DATA CONTROLLER”) P.IVA IT 00607970480 –Via Benedetto Varchi, 61, 50132, Firenze, Italia (customerservice@luisaviaroma.com) in its capacity of personal data controller, in the person of its legal representative pro tempore, informs you that your personal data will be subject to processing on the part of LVR itself through manual processing or processing with electronic or automatic instruments, computers, or telematic instruments, strictly for the purposes listed below, and in any case in such a way as to guarantee the safety and confidentiality of the data.
The Data Controller has appointed a Data Protection Officer: dpo@luisaviaroma.com
LVR and Vestiaire Collective have agreed on a specific data sharing agreement for the purpose of rendering the Service to the Users (you can write to dpo@luisaviaroma.com for a copy).
To know more about the data processing which is under the responsibility of Vestiaire Collective, please read the Vestiaire Collective’s privacy policy available on the Webform.
Categories of data obtained from subjects other than the Data Subject
For the purposes described in paragraph. “Purposes and lawfulness of data processing”, LVR processes the categories of personal data, defined in paragraph. “Retention period of personal data”, obtained from the User who authorizes the Contents (art. 14).
Origin of personal data
Personal data is provided from Vestiaire Collective, 517 465 225 RCS Paris, 53 rue de Châteaudun, 75009 Paris, France, for “LUISAVIAROMA X Vestiaire Collective” (art. 14 GDPR).
Purposes and lawfulness of data processing
Personal data is processed by the Data Controller pursuant to art. 6 of the GDPR. The specific purposes of data processing and their legal basis are listed below:
| Purpose of data processing | Legal basis of data processing |
| To issue the agreed multi-purpose voucher (gift card) and to enable to link the multi-purpose voucher (gift card) to User’s email address | A) Performance of a contract or performance of pre-contractual measures (art. 6 para. 1, b) of GDPR); B) processing is necessary for compliance with a legal obligation to which the controller is subject |
Nature of data provision and consequences of refusal
The provision of personal data is a requirement necessary to enter into a contract
Categories of recipients of the personal data
The personal data may be processed by the Data Processor specifically appointed by the Data Controller, pursuant to art. 28 of the GDPR.
You have the possibility to request from LUISAVIAROMA the list of data processors involved in these purposes by writing to dpo@luisaviaroma.com
The data will furthermore be processed by subjects specifically authorized by the Data Controller pursuant to the GDPR, such as employees of LVR following specific instructions given by the Data Controller.
Transfers to countries outside the EU
For the pursuit of the processing purposes described above, your personal data may be transferred to the recipients indicated above in Italy and abroad.
In no case will your personal data be transferred outside the European Union.
Retention period of personal data
Personal data processed by LVR will be retained for the time necessary for the performance of the contractual relationship. At the end of such limitations the personal data will be anonymized or deleted except in the case where conservation is necessary for other purposes expressly required by law.
The details concerning the duration of the data retention period for the purposes outline above, i.e. the criteria used for determining such periods, are listed below:
| Purpose | Category of personal data | Required limitation period before deletion |
| To issue the agreed multi-purpose voucher (gift card) and to enable to link the multi-purpose voucher (gift card) to User’s email address | Your full name, email address and the resale value | Ten years from the date of accounting registration by law or more in the event of a dispute |
Automated decision-making
In pursuit of the purposes listed above, no decision will be made based only on automated processing that may cause any legal consequences for the Data Subject or that may similarly have a significant impact on their person.
Rights of the Data Subject
The following rights are recognized that you can exercise towards LUISAVIAROMA by writing to customerservice@luisaviaroma.com:
a) the right to obtain from the Data Controller confirmation of whether or not personal data concerning the Data Subject is being processed and, in such a case, to obtain access to their personal data and any information provided for in art. 15 of the GDPR and specifically those concerning the purposes of data processing, the categories of the personal data in question, or the categories of the recipients to whom the personal data has been or will be communicated, the retention period, etc.;
b) the right to obtain the rectification of any errors in the personal data concerning the Data Subject, as well as the integration of any data that is considered incomplete for the purposes of data processing (art. 16);
c) the right to obtain the deletion (“right to be forgotten”) where one of the grounds provided for in art. 17 of the GDPR applies;
d) the right to restrict data processing where one of the cases provided for by art. 18 of the GDPR applies;
In any case, you can always contact the DPO (dpo@luisaviaroma.com), also to promptly report any circumstances or events from which a breach of personal data may arise, even if only potentially (i.e. any breach of security capable of determine, accidentally or unlawfully, the destruction, loss, modification, unauthorized disclosure or access to data), in order to allow immediate evaluation and, where necessary, the adoption of actions aimed at counteracting such event.
Please note that the Data Subject has the right to lodge a complaint to the Data Protection Authority or any other supervisory authority pursuant to art. 13, para. 2, letter d) of the GDPR.
