Two entities are processing your personal data on the website www.acquadiparma.com (‘Website’):
- Acqua di Parma S.r.l. (“Acqua di Parma”), a limited liability company with headquarters located at Via Giovanni Spadolini 7 Building B 20141 Milan, Italy registered in the companies register under no. 04215670375, VAT number 04215670375;
- Diana E-Commerce Corporation S.r.l. (“Diana”), with registered office at Via San Daniele 137/139, 35038, Torreglia (PD), Italy, enrolment number in the Register of Enterprises of Padua, tax code and VAT number 05097740285, e-mail firstname.lastname@example.org.
Pursuant to Art. 26 of Regulation (EU) 2016/679 (“GDPR”), Acqua di Parma and Diana are joint data controllers for the management of products sales on this Website and the related activities, such as order processing, payment management, delivery of the products and after-sales activities (returns, refunds and complaints), as set forth in article IV), below.
The essence of the arrangement according to art. 26 GDPR between Acqua di Parma and Diana is available by a specific request that you may send through the contact details reported in article IX).
For all other purposes, as set forth in article IV), below, Acqua di Parma is the data controller of personal data collected on the Website in the sense of regulations applying to personal data, in particular GDPR.
Acqua di Parma and Diana pay particular attention to the processing, confidentiality and safety of your personal data.
I. What is personal data?
Personal data is any information about an identified physical person or a physical person that may be directly or indirectly identified via an identification number or one or more elements particular to them, such as their last name, first name, date of birth, customer number, order number, photo, etc.
II. When can we collect your personal data?
We can collect your personal data when you:
- create a customer account on this Website;
- order goods from this Website (recurring orders included);
- agree to receive marketing communications from us by email, telephone, SMS or post, depending on your selection;
- interact with Acqua di Parma via its official pages on social networks;
- contact our customer service;
- send requests for information to Acqua di Parma;
- take part in an event we organise;
- browse on the Internet using cookies or when you click on advertisements for our products;
- reserve an appointment online through the MyAccount, eventually using the social login plugin;
- reserve an appointment online through the MyAccount, eventually using the social login plugin;
- reserve an appointment online through the Facebook page of Acqua di Parma.
III. What personal data might we collect?
(i) As part of the services we provide, we may need to collect certain data directly from you using electronic forms on this Website for a range of purposes (see IV for a list of processing purposes).
Information we might collect includes:
• Your identity;
• Your gender;
• Your contact details (e.g. email address, phone number, postal adress);
• Your personal preferences in relation to the products we market or to this Website (language);
• Customer’s purchase history;
• Information relating to your orders, their tracking and your purchase invoices;
• Browsing data on the Website;
• Information you may provide for our customer service;
• Specific information if you notify us of any undesirable side-effects concerning any of Acqua di Parma products;
• Your bank details if you place an order via this Website.
(ii) We may also collect certain data generated by your purchases of products or services, online or in stores, particularly information regarding the amount and type of your purchases.
IV. For what purpose is your personal data collected and used?
Acqua di Parma requires to use your data for purposes defined according to the nature of our relationships. Therefore, depending on the context in which your data is collected, it may be used for one or more of the following purposes:
a) allowing you to create a customer account on this Website;
b) managing your access to your customer account;
c) recording purchases made on this Website;
d) managing your requests with respect to any requests for information or complaints you may send us via this Website, customer service or social network pages (not related to after-sales service);
e) tracing and managing any alerts you may send us as part of our cosmetovigilance obligations;
f) management of the Website;
g) management of personalized content, communications and tailored services to optimise your customer experience;
h) management and improvement of our products and services, image and reputation;
i) management of events in which you have signed up to participate;
j) manage your reservation for an appointment received through this Website or Acqua di Parma’s Facebook page;
k) with your explicit consent (when required), using your personal data to send you personalized communications (newsletters, offers, invitations and surveys) and analyse your preferences and habits using third-party services to customize your profile, anticipate your needs from your customer account. You can receive our personalized communications by means of emails, postal letters, SMS or calls according to the communication preferences that you have indicated to us and your consumer profile (when authorized).
As joint data controllers, Acqua di Parma and Diana process your data to:
• manage the sale of products through the Website (recurring orders included), including:
- order processing (processed by Diana and Acqua di Parma);
- payment for the products (processed by Diana);
- anti-fraud checks (processed by Diana);
- anti-fraud checks (processed by Diana);
- invoicing of products sold (processed by Diana);
- delivery of the products through couriers appointed (processed by Diana and Acqua di Parma);
- after-sales activities (returns, refunds and complaints) regarding the products (processed by Diana and Acqua di Parma);
• management of customer requests relating to the performance of the sales contract and after-sales activities (processed by Diana and Acqua di Parma).
Personal data necessary to Acqua di Parma and/or Diana to respond to your request and/or provide you with the requested services and/or purchases is marked with an asterisk on all personal data collection forms on this Website. If you do not fill in these compulsory fields, Acqua di Parma and/or Diana will probably be unable to respond to your request and/or provide you with the requested services and/or purchases. Other information, such as the one related to direct marketing and/or profiling activities, is optional and the processing of said data by Acqua di Parma shall be done only with your prior explicit consent. Any refusal to provide the requested data prevents us to get to know you better and improve our communications and services with respect to you however, does not prevent you from creating and managing a customer account, making a purchase, contacting Acqua di Parma and/or Diana and receiving other services offered by Acqua di Parma.
V. What legal grounds legitimise the processing of your data?
Acqua di Parma ensures the legal basis for the processing of your data according to the purpose(s) concerned, which may be, depending on the context in which it is collected:
• your explicit consent: for example, for the purposes of direct marketing and/or profiling activities, managing our personalized commercial offers, our sales prospection, your browsing data via cookies under the conditions defined by our Cookies Policy;
• the implementation of a contract, for example for your access to your customer account;
• a legal obligation when processing is required by law, for example, regarding fiscal obligations, keeping purchase invoices to prevent fraud and cosmetovigilance with regard to Regulation (EU) 1223/2009 of 30 November 2009 on cosmetic products;
• its legitimate interest: for example, to improve our products and services, securing our Website other tools, combacting fraud.
As joint data controllers, Diana and Acqua di Parma ensure the legal basis for the processing of your data according to the purpose(s) concerned, which may be, depending on the context in which it is collected:
• the implementation of a contract, for example the processing and follow-up of your orders, after-sales activities;
• our legitimate interest: for example, to secure the Website, combacting fraud or to defend or assert a right and/or for the prevention of fraud and other crimes or offences;
• a legal obligation when processing is required by law, for example, regarding fiscal obligations, keeping purchase invoices to prevent fraud and cosmetovigilance with regard to Regulation (EU) 1223/2009 of 30 November 2009 on cosmetic products.
VI. How long do we keep your data?
In general, your personal data is stored in our database according to the relation we have with you:
• regular customer (having your customer account on the Website) for 5 years from your last contact with us, customer care included (call for assistance, complaints or information), or until you request to cancel your account or, in order to comply with applicable laws, for example, regarding fiscal obligations, for 10 years from the end of the commercial relationship;
• prospect (i.e. who receive information on our offers, news and events and/or personalized newsletter but doesn’t have a customer account) for 3 years from your last contact with us, customer care included (call for assistance, complaints or information), or until you request to cancel your subscription;
• guest customer (who make a purchase on the Website without logging into a customer account) only for the duration of the transaction until the delivery of the order or in order to comply with applicable laws, for example, regarding fiscal obligations, for 10 years from the end of the commercial relationship;
• customer care not related to after-sales service (excluding calls), for the management of the request and in an Intermediate archive for 5 years from the end of the management of the request;
• customer care (included call for assistance, complaints or after-sales services) for the management of the request and in an Intermediate archive for 5 years from the end of the management of the request or in order to comply with applicable law, for example, regarding civil law obligations, for 10 years from the end of the commercial relationship.
All the information related to the cosmetovigilance activities and the invoices are stored for 10 years after the date of the transactions concerned.
When we no longer need to use your personal data, it is removed from our systems and records or anonymized within 60 days from the terms indicated above, so that you can no longer be identified from it.
VII. Who are the recipients of your personal data?
Your personal data are processed by the personnel of Acqua di Parma and the personnel of Diana.
We ensure that only authorised people within Acqua di Parma or Diana have access to your personal data when this is necessary for the purpose of managing our commercial relations or meeting our legal obligations.
We may also share your personal data with:
• other entities of the LVMH Group, acting as data processors;
• subcontractors, such as
- site hosting and maintenance service providers and the providers of our electronic personal data collection solutions at counters and in stores;
- IT service providers;
- logistic service providers;
- marketing solution service providers;
- sales prospection and social network communication service providers;
- customer service providers;
- service providers for managing cosmetovigilance alerts;
- event organisation service providers;
- Diana, as data processor itself, concerning:
•management of the Website & maintenance;
•registration of site users (customers and prospects) on the Website;
•Customer care services (not related to after-sales service);
- firms and other subjects that provide assistance, advice and services of a legal, fiscal, accounting, economic-financial, technical-organizational, data processing and communication nature;
- subjects that provide banking, financial, insurance and debt collection services;
- subsidiaries, parent companies, investee companies and affiliated companies;
- third-party companies in the context of mergers, acquisitions or disposals of the company or a business unit;
• third parties wishing to know your main interests to constitute similar audiences and target prospects that match your profile. In the context of this specific data processing, Acqua di Parma is not the Data Controller relating to prospecting and you will not be subject to prospecting, your data is only used to constitute profiles similar to yours.
In order to offer you Klarna’s payment methods, we might in the checkout pass your personal data in the form of contact and order details to Klarna, in order for Klarna to assess whether you qualify for their payment methods and to tailor those payment methods for you. Your personal data transferred is processed in line with Klarna’s own privacy notice here.
Lastly, Acqua di Parma or Diana may need to share your personal data with third parties to meet its legal, regulatory or treaty obligations, or to respond to requests from authorised legal authorities.
The updated list of the data processors of personal data is available by a specific request to Acqua di Parma and Diana through the contact details reported in article X).
VIII. Transferring data abroad
Given the presence of Acqua di Parma in many countries around the world and in order to provide you with personalized service worldwide, some of your data may be collected, accessible or stored outside your country of residence. Some recipients of your personal data may be located abroad, including outside of the European Economic Area, such as in the United States of America. You should be aware that data protection and security requirements differ from place to place and may not offer the same level of protection as those of your country of origin. However, Acqua di Parma, Diana and other LVMH companies have taken measures to guarantee an adequate level of protection of your data, regardless of their location, for example by using standard data transfer clauses, or any other method approved by the European Commission (where data protection legislation is considered to be the most effective in the world) and / or the National Data Protection Authorities. We also ask our third party partners to comply with the applicable data transfer obligations, for example by contractual clauses, with regard to the personal data they receive on our behalf.
IX. What are your rights and how can you exercise them / How can you contact Data Protection Officer (DPO)?
Under current regulations, particularly the GDPR, you have the right to access and correct your personal data, request erasure, object to processing on legitimate grounds and obtain limitation or portability, insofar as this is applicable. You also have the right to withdraw consent at any time for data processing based on consent.
To exercise your rights or for any other questions relating to the collection and processing of your data by Acqua di Parma you can contact directly Acqua di Parma by sending an email to the Acqua di Parma’s Data Protection Officer at DPO@acquadiparma.it or a non-registered postal letter Acqua di Parma S.r.l. Via Giovanni Spadolini 7 Building B 20141 Milan, Italy, including a copy of a document proving your identity.
If, at any time, you no longer wish to receive details of our offers, news and events, you can unsubscribe using the hypertext link provided for this purpose in each mail we send you. You can also send us a non-registered letter Acqua di Parma S.r.l. Via Giovanni Spadolini 7 Building B 20141 Milan, Italy.
To exercise your rights or for any other questions relating to the collection and processing of your data by Diana, you can contact the Diana’s Data Protection Officer at email@example.com or a non-registered postal letter to Diana E-commerce Corporation, Via San Daniele 137/139, 35038 Torreglia (PD), Italy, including a copy of a document proving your identity.
You may also lodge a complaint with the Autorità Garante per la protezione dei dati personali, Piazza di Montecitorio n. 121, 00186, Rome, Italy.