Policy pursuant to and by the effect of Article 13 of the European Regulation 2016/679 concerning the protection of personal data (GDPR)
Participants in the New Sneakers Club initiative
Pursuant to Article 13 of the European Regulation 2016/679 (hereinafter “GDPR”), LUISA VIA ROMA S.p.A. (hereinafter “LUISAVIAROMA” or the “Data Controller”) – with registered offices in Via Benedetto Varchi, 61 50132, Firenze, Italia – in the capacity of Data Controller of personal data, represented by the managing director, informs you that your personal data will be processed by LUISAVIAROMA itself by means of manual or electronic or automated processing, through IT or telematic tools, with principles strictly related to the purposes listed below and in any case in such a way as to ensure the security and confidentiality of the data.
Identity and contact details of the Data Controller and Data Protection Officer
The Data Controller is LUISA VIA ROMA S.p.A., represented by the managing director, with registered offices in Via Benedetto Varchi, 61 50132, Firenze, Italia.
The Data Controller has appointed a Data Protection Officer who can be contacted at dpo@luisaviaroma.com.
Purpose, legal basis, and lawfulness of processing
Your personal data are processed by the Data Controller pursuant to article 6 of the GDPR. As stated in the aforementioned article, in order for the processing of your personal data to be lawful, it should be based on your consent or on another legitimate basis provided for by law, taking into account the need to comply with the legal obligation to which the Data Controller is subject or the need to perform a contract to which you are a party or to implement pre-contractual measures adopted on your request. Similarly, processing is lawful even if needed for the pursuit of a legitimate interest of the Data Controller provided that this action does not harm your interests, rights and freedoms.
Specific processing purposes and the relevant legal bases are set out below:
Purpose for processing | Legal basis for processing |
Management of New Sneakers Club | Processing is needed for performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken on request of the data subject. |
Anti-fraud processing | Execution of anti-fraud verification activities for the interception and management of fraudulent or potentially fraudulent transactions |
Nature of provision and consequences of refusal
Providing personal data is mandatory for the fulfillment of legal and contractual obligations and for those processed for a legitimate interest of the Data Controller.
Therefore, any refusal to provide mandatory data will result in the objective impossibility of pursuing the processing purposes referred to in this Privacy Policy (paragraph “Purpose, legal basis and lawfulness of the processing”).
Categories of personal data recipients and Data Controllers
Personal data provided and those relating to execution of the contractual relationship may be disclosed to third parties belonging to the following categories:
- Judicial authorities (in relation to anti-fraud processing)
Personal data will also be disclosed to the external company that manages the initiative in question and which will process such data as a “Data Processor” specifically appointed by LUISAVIAROMA, pursuant to article 28 of the GDPR or as autonomous “Data Controllers”.
Personal data will also be processed by subjects with a specific authorization by the Data Controller pursuant to GDPR. Personal data processed by LUISAVIAROMA are not subject to dissemination.
Transfer of data outside the EU
To pursue the above processing purposes, your personal data may be transferred to the above recipients in Italy and abroad.
In no case will your personal data be transferred outside the EU.
Personal data retention period
Personal data processed by LUISAVIAROMA shall be retained during the period of time needed to perform the contractual relationship, as well as during the retention period required by civil, tax, and regulatory laws. Subsequently, personal data will be stored until the limitation period with reference to the enforceable individual rights.
At the end of this period your data will be anonymized or deleted, unless expressly required by the law to retain them for different purposes.
Below please find details on the duration of the data retention period for the above purposes and the criteria used to determine this period (special personal data categories are indicated in italics):
Purpose | Category of personal data | Duration period for cancellation |
New Sneakers Club | Name, address, or other personally identifiable information | 6 months from the date of closure of the initiative |
New Sneakers Club | 6 months from the date of closure of the initiative | |
Anti-fraud | Data relating to the credit card holder: name, first 6 digits of the credit card (BIN), last 4 digits of the credit card, expiry date | 2 years from the time the eventual transaction did not conclude successfully |
Automated decision-making process
For the pursuit of the above processing purposes, no decision is made exclusively based on automated processing that produces legal effects concerning you or which affects you in a similarly significant way.
Rights of data subjects
Pursuant to the GDPR, as a data subject you are granted the following rights, which you may exercise vis-à-vis LUISAVIAROMA:
a) access and confirmation as to whether or not personal data concerning you is being processed, including for the purposes of being aware of the processing and to verify its lawfulness as well as the correctness and updating of such data. In this case, you will be able to obtain access to your personal data and information, in particular to that relating to the purposes of processing, type of personal data concerned, the recipients or categories of recipients to whom personal data have been or will be disclosed, personal data retention period, etc.;
b) rectification of inaccurate personal data concerning you as well as integration of same personal data where deemed incomplete with regard to processing purpose. During this period the Data Controller undertakes not to present personal data as certain or final, especially to third parties;
c) deletion of personal data concerning you where such data are no longer needed with respect to the purposes for which they were collected. Please note that deletion is subject to valid reasons. If the Data Controller has disclosed personal data to other Data Controllers or Data Processors it is obliged to delete them by adopting reasonable measures, including technical measures to inform other data controllers who are processing personal data concerned to delete any link, copy or reproduction thereof (so-called right “to be forgotten”). Deletion may not be performed if processing is needed inter alia to comply with legal obligations or to perform a task in the public interest and for the ascertainment, exercise or defense in a judicial proceeding;
d) restriction of processing. Processing restriction means inter alia transferring processed data to a no longer accessible system for storage purposes only. This does not mean that personal data have been deleted but that the Data Controller must avoid processing them during the period of relevant blocking. This would be particularly needed in the event that persistent use of inaccurate and unlawfully stored data could harm you. In such a case you may object to the deletion of personal data and instead request that the processing of this data be restricted. In the event of data rectification or objection you may request that the processing of personal data be restricted for the period in which the Data Controller is rectifying personal data or is assessing the objection. A further case would be that personal data are needed for you to assess, exercise or defend a right in court, but the Data Controller no longer needs it for processing purposes;
e) the right to object at any time on grounds relating to your particular situation, to the processing of personal data concerning you where the processing itself is needed to perform tasks in the public interest or connected to the exercise of official authority vested in the Data Controller or if processing is needed for the pursuit of a legitimate interest of the same Data Controller or of third parties. Finally, the Data Controller undertakes to refrain from processing your personal data unless it proves that there are compelling legitimate grounds for processing or for ascertaining, exercising or defending a right in a judicial proceeding;
f) the right to withdraw consent at any time without prejudice to the lawfulness of the processing based on consent provided before withdrawal only for purposes for which legal basis is consent.
The above rights may be exercised by writing to: customerservice@luisaviaroma.com
You may also report to the DPO (dpo@luisaviaroma.com) any circumstances or events from which a personal data breach (i.e. any security breach capable of accidentally or unlawfully causing destruction, loss, alteration, unauthorized disclosure or access to data) may arise in order to allow immediate assessment and where necessary appropriate actions aimed at countering such an event.
Please note that you are entitled to lodge a complaint with the Italian Data Protection Authority or another supervisory authority pursuant to Article 13, paragraph 2, letter d) GDPR.
Amendments to this Privacy Policy
This Privacy Policy may undergo amendments. We therefore recommend that you regularly check this webpage.
Note: In the event of any inconsistency, discrepancy or divergences of interpretation between the English version and any other language versions of this publication, the English language version shall prevail.