PRIVACY POLICY

This information - provided pursuant to art. 13, EU Regulation 2016/679 ("General Data Protection Regulation") - describes the management and processing methods applied to the personal data of users who interact with our website www.brumsmilano.com (hereinafter the "Site") and/or use one or more of the services conveyed through the same Site.

The Information is provided for the Site only and does not extend to other websites that may be accessible and consultable by the user via hypertext link. Likewise, this information does not apply to the processing of data connected to the operation of the so-called "cookies", which are subject to specific and proper information.

This information may be subject to updates; we therefore invite users to periodically check the content of this document in its latest version made available online.

1. THE DATA PROCESSING OWNER

The Data Controller is Brums Milano Srl, (tax code / VAT number 12273870969), with registered office in (20122) Milan, via Freguglia n. 8/A, Italy. The Data Controller can be contacted by ordinary mail, or by email at the email address: brumsmilanosrl@legalmail.it.

2. DATA PROTECTION OFFICER

The Data Protection Officer (or DPO) of Brums Milano Srl can be contacted via email at the email address: dpo@brumsmilano.com.

3. TYPE OF PROCESSED PERSONAL DATA

By interacting with our site and/or using one or more of the services conveyed through it, the following types of personal data may be processed:

  • technical navigation data (such as the IP address of the device accessing the Site, the addresses in URI notation of the requested resources, the date and time of the requests forwarded, as well as other information relating to the operating system and the IT environment used by the interested party or the method used in submitting requests to our servers) - "common" personal data
  • data relating to the geographical location (such as data relating to the location of the device accessing the Site) - "common" personal data
  • personal data (such as, for example, name, surname, tax code, date of birth) - "common" personal data
  • contact data (such as, for example, email address, telephone number, place and address of residence) - "common" personal data
  • authentication data (such as email address and password) - "common" personal data
  • identification data of any particular customer status (such as, for example, the registration number for the fidelity program) - "common" personal data
  • transactional data and data relating to purchased products (such as, for example, data relating to the payment instruments used, information relating to purchases made, orders, and any returned products) - "common" personal data
  • curricular data (such as, for example, information relating to qualifications obtained, previous professional experience, languages ​​spoken) - "common" personal data
  • cookies (i.e. small text files carrying some information relating to the user's interaction with the Site) - "common" personal data
  • data provided on the user's initiative (such as, for example, additional information forwarded when requesting support, data spontaneously sent by the user when applying for a job).

The use of the Site and related services does not - under any circumstances - involve the processing of personal data attributable to the "particular" categories identified by art. 9, EU Regulation 2016/679.

4. PURPOSE OF THE TREATMENT, LEGAL BASIS, NATURE OF THE PROVISION AND DATA CONSERVATION PERIOD

In order to illustrate - with the utmost clarity and transparency - the various processing operations that the Data Controller may carry out within the scope of operation of the Site, the following table identifies, for each service or process provided, the types of data processed, the purposes of data processing, the related legal bases, the mandatory or optional nature of the provision of data, and the respective retention times.

The management of cookies and the related data processing take place, as mentioned, in compliance with what is defined in the specific "Cookie Policy", accessible directly from the Site.

SERVICE

PROCESSED DATA

PURPOSE OF THE TREATMENT

LEGAL BASIS

NATURE OF THE PROVISION OF DATA

CONSERVATION PERIOD

a) Ordinary consultation of the Site

technical navigation data

guarantee and monitor the correct functioning of the Site, as well as process anonymous statistical information on the use of the same

the processing is necessary for the pursuit of a legitimate interest of the Data Controller, in accordance with the provisions of art. 6, par. 1, lit. f), EU Regulation 2016/679

if the user intends to consult the Site, the provision of data is to be understood as mandatory. Failure to provide data will make it impossible to consult the Site

the data are processed only for the time strictly necessary to guarantee and monitor the correct functioning of the Site. Any statistical information on the use of the Site, which may be further stored over time, will be completely anonymous and will not include any personal data

b) Store Locator

technical navigation data

geographical location data

identify the geographical location of the user in order to be able to find the request forwarded by the same relating to the indication of the nearest points of sale

the interested party has given specific consent to the processing of their personal data, in accordance with the provisions of art. 6, par. 1, lit. a), EU Regulation 2016/679

if the user intends (on a voluntary basis) to receive the requested information concerning the indication of the nearest points of sale, the provision of technical navigation data and those relating to the geographical location is to be understood as mandatory. Failure to provide data will make it impossible to identify the user's geographical location and to respond to the related requests

the data are processed only for the time strictly necessary to guarantee the operation of the requested service. Any statistical information on the geographical location of users who consult the Site, which may be further stored over time, will be completely anonymous and will not include any personal data

c) User registration on the Site

personal data

contact details

authentication data

data relating to any customer status

identify and authenticate the user in order to grant him access to specific services on the Site

the interested party has given specific consent to the processing of their personal data, in accordance with the provisions of art. 6, par. 1, lit. a), EU Regulation 2016/679

if the user intends (on a voluntary basis) to register on the Site, the provision of personal, contact and authentication data is to be understood as mandatory. Failure to provide data will make it impossible to complete the registration process

the provision of data relating to any customer status is optional as part of the registration process. Failure to provide data, however, will make it impossible to access the services for which a particular customer status is required (e.g. loyalty programmes)

the data is kept until the interested party wishes to keep his registered user on the Site active

the interested party can, at any time, through a specific function on the Site, revoke the consent to the processing of data and request the cancellation of his/her account

d) Customer Service

personal data

contact details

transactional data

data provided on the user's initiative

take charge of and respond to requests for assistance submitted by the user

the interested party has given specific consent to the processing of their personal data, in accordance with the provisions of art. 6, par. 1, lit. a), EU Regulation 2016/679

if the user intends (on a voluntary basis) to submit requests to customer service, the provision of personal and contact data is to be understood as mandatory. Failure to provide data will make it impossible to identify the user and respond to the related requests

the provision of transactional data and any further data on the user's initiative is optional. Failure to provide it, however, could make it impossible to process particular requests for assistance relating, for example, to the management of specific orders

the data, also for the purpose of continuously managing any requests for assistance, are kept for a period of 24 months starting from the date of receipt of the request forwarded by the user

the interested party can, at any time, by contacting the Data Controller, withdraw consent to the processing of data and request its cancellation. The withdrawal of consent and the deletion of data could make it impossible to fulfill the request for assistance

 

e) e-Commerce

personal data

contact details

authentication data

data relating to any customer status

transactional data

 

manage all processes related to the purchase of products, including taking charge of the order, managing the payment process and related legal and fiscal obligations, managing the shipment, and managing the related contact processes and conversation with the customer

 

fulfill specific legal obligations connected, for example, to the management of economic transaction processes

the processing is necessary for the provision of services requested by the interested party, and of which he is a part, in accordance with the provisions of art. 6, par. 1, lit. b), EU Regulation 2016/679

 

 

the processing is necessary to fulfill a legal obligation to which the Data Controller is subject

if the user intends (on a voluntary basis) to purchase products through the e-commerce service, the provision of personal, contact and transactional data is to be understood as mandatory. Failure to provide it will make it impossible to complete the buying and selling process and fulfill the order.

the provision of authentication data is optional and may have the sole purpose of simplifying the data entry process by the user, if the requested information is already associated with the registered user's profile. Failure to provide data does not imply any consequence.

the provision of data relating to any customer status is optional. Failure to provide data, however, makes it impossible to benefit from any promotions or services for which a particular customer status is required (e.g. loyalty programme)

the data relating to each order are kept for a period of 24 months starting from the date of stipulation of the sales contract

 

 

further storage times may be applied where prescribed by specific laws

f) Fidelity Program

personal data

contact details

data relating to any customer status

transactional data

manage the processes connected to the fidelity program, such as the attribution of scores for the products purchased and the related conferral of prizes or other benefits in favor of users adhering to the initiative

the processing is necessary for the provision of services requested by the interested party, and of which he is a part, in accordance with the provisions of art. 6, par. 1, lit. b), EU Regulation 2016/679

if the user intends (on a voluntary basis) to join the fidelity program, the provision of personal data, contact details, relating to any customer status, and transactional data, is to be understood as mandatory. Failure to provide it will make it impossible to manage the processes connected to the loyalty programme.

the provision of further data, such as the name, gender, and date of birth of one or more children associated with the fidelity program is entirely optional and has the sole purpose of allowing more personalized communications to be sent within the fidelity program (for example, on a child's birthday). Failure to provide data does not affect enrollment in the fidelity programme, but only prevents the sending of personalized communications.

the data is kept as long as the interested party wishes to continue participating in the loyalty programme

 

g) Newsletters

contact details

contact the user and send him the newsletter to which he subscribed

the interested party has given specific consent to the processing of their personal data, in accordance with the provisions of art. 6, par. 1, lit. a), EU Regulation 2016/679

if the user intends (on a voluntary basis) to receive our newsletter, the provision of contact data is to be understood as mandatory. Failure to provide data will make it impossible to send the newsletter.

 

the data is kept until the data subject wishes to continue receiving the newsletter

the interested party can, at any time, through a specific function present on the Site or indicated in the communications sent to him, revoke the consent to the processing of data and ask not to receive the newsletter anymore

h) Sending the user profiled communications of a commercial, promotional and market research nature

personal data

contact details

data relating to any customer status

transactional data

profiling and tracking cookies

send the user profiled communications of a commercial, promotional and market research nature

communications can be sent by ordinary mail, e-mail, and through push notification systems on mobile communication devices

in order to send communications that are pertinent and responsive to the user's presumed interests, the treatment in question involves a profiling process, through the analysis of the user's data, aimed at relating him to a particular cluster of consumers

the interested party has given specific consent to the processing of their personal data, in accordance with the provisions of art. 6, par. 1, lit. a), EU Regulation 2016/679

if the user intends (on a voluntary basis) to receive profiled communications, of a commercial or promotional nature relating to products and services, and relating to market surveys, the provision of personal data, contact data relating to any customer status, transactional, and collected through profiling and tracking cookies, is to be understood as mandatory. Failure to provide it will make it impossible to carry out the data processing processes connected to the sending of the considered communications.

the data, including the user profiles elaborated through the treatment in question, are kept as long as the interested party wishes to continue receiving communications.

the interested party can, at any time, through a specific function present on the Site or indicated in the communications sent to him, revoke the consent to the processing of the data and ask not to receive the communications anymore

i) Work with us

personal data

contact details

curriculum data

data provided on the user's initiative

 

manage the acquisition and evaluation process of the application spontaneously submitted by the user to fill a job position, including contact and communication activities with the user

the interested party has given specific consent to the processing of their personal data, in accordance with the provisions of art. 6, par. 1, lit. a), EU Regulation 2016/679

if the user intends (on a voluntary basis) to submit his/her candidacy to fill a job position, the provision of personal, contact and curricular data is to be understood as mandatory. Failure to provide data will make it impossible to acquire and manage the user's application.

the provision of any further data on the user's initiative is optional. Failure to provide it, however, could make it impossible to fully evaluate the suitability of the application with respect to a particular job position.

the data, also in order to be able to evaluate the application spontaneously submitted by the user over time, are kept for a period of 24 months from the date of their receipt.

the interested party can, at any time, by contacting the Data Controller, revoke consent to the processing of data and request its cancellation

l) Open your shop

personal data

contact details

data provided on the user's initiative

manage the process of acquiring and evaluating the expression of interest spontaneously submitted by the user to open a shop, including contact and conversation activities with the user

the interested party has given specific consent to the processing of their personal data, in accordance with the provisions of art. 6, par. 1, lit. a), EU Regulation 2016/679

if the user intends (on a voluntary basis) to submit his/her expression of interest in opening a shop, the provision of personal and contact data is to be understood as mandatory. Failure to provide data will make it impossible to acquire and manage the user's expression of interest.

the provision of any further data on the user's initiative is optional. Failure to provide data, however, could make it impossible to fully evaluate the expression of interest forwarded by the user.

the data, also in order to be able to evaluate over time the expression of interest spontaneously forwarded by the user to open a shop, are kept for a period of 24 months from the date of their receipt

the interested party can, at any time, by contacting the Data Controller, revoke consent to the processing of data and request its cancellation

 

 

The data retention periods indicated in the table above represent the maximum (or last) retention times of the information, as the data may also be subject to shorter retention periods determined - for example - by the positive response provided to a specific request of exercising one's rights forwarded by the interested party.

Once the respective retention periods have elapsed, the data, except for any legal obligations, will no longer be subject to further processing operations and will be canceled or destroyed by adopting secure processes that guarantee the definitive unintelligibility of the information.

METHOD OF TREATMENT

The data will mainly be processed by means of IT tools, without prejudice to the possibility of processing carried out also with the aid of traditional analogue resources. All processing operations will take place in full compliance with the security measures required by law, in accordance with the principle of necessity, and only for the time strictly required for the achievement of the purposes pursued.

RECIPIENTS AND SCOPE OF DATA COMMUNICATION

The data will be processed exclusively by the Data Controller, by any Data Processors (such as, for example, companies providing IT, logistics and shipping services, customer assistance, on behalf of the Data Controller) specifically appointed in accordance with the current provisions of the law and within the limits of the tasks and functions assigned to them, and by the respective specifically authorized and trained personnel, in relation to the purposes and methods of processing.

The data will not be communicated to third parties (unless in fulfillment of any legal obligations) and will not be disclosed in any way.

TRANSFER OF DATA TO THIRD COUNTRIES

For the provision of services made accessible through the Site, the Data Controller makes use of the collaboration of renowned IT service providers (for example, e-commerce platforms or for the management of newsletters) acting as Data Processors. Some of the considered Managers operate on IT infrastructures also located outside the Community territory (United Kingdom, Canada, United States, Australia), which is why the provision of services may also involve the transfer of data to third countries.

All data transfer operations take place in full compliance with the provisions of the law in force regarding the protection of personal data, subject to verification of the effective level of protection guaranteed to the interested party.

In particular, the transfer of data takes place to countries whose level of data protection is guaranteed by a specific adequacy decision by the European Commission, or subject to the assumption of adequate guarantees consisting in the adoption of the contractual clauses within the service contracts standards (SCS) defined by the European Commission, or again, in the absence of the considered guarantees, given the potential reduction of protections in favor of the interested party, subject to the expression by the latter of a specific and explicit consent to the processing of data.

RIGHTS OF THE INTERESTED PARTY

Each user of our Site, as an interested party in the processing of data, has the right to exercise, in the cases and within the limits expressly provided for by law (articles 15, 16, 17, 18, 20, 21 and 22, Regulation EU 2016/679), the following rights:

  • ask the Data Controller for access to personal data concerning him, and/or their eventual rectification or cancellation;
  • ask the Data Controller to limit the processing that concerns him, or oppose the processing;
  • request the so-called "portability" of the data (i.e. their communication in a structured format, in common use, and readable by an automatic device), also in order to be able to communicate your personal data to another data controller;
  • revoke, at any time, the consent to the processing of data concerning him (if the processing is carried out on a consensual basis, and without prejudice to the lawfulness of the processing carried out before the withdrawal of consent);
  • lodge a complaint with a supervisory authority (in Italy, the Guarantor for the protection of personal data).

The rights in question can be exercised by contacting the Data Controller directly, also at the email address privacy@brumsmilano.com