This policy describes the procedures followed by Merlata Sviluppo S.r.l. (hereinafter the “Data Controller” or the “Company”) in relation to the processing of the personal data collected via the website www.gallerieauchan.it (hereinafter the “Website”).
Unless otherwise specified, this policy is also valid as the note to be provided to those who interact with the Website (hereinafter the “User”) pursuant to Article 13 of EU Regulation no. 2016/679 (hereinafter the “GDPR”.
Detailed notes on the personal data processing are provided, where necessary, on the pages related to the individual services offered via the Website. These notes aim to define the limits and methods of the data processing for each service, based on which the User can freely express his or her consent where necessary and, if applicable, authorise the collection of the data and their subsequent processing.
Data Controller Data Processors.
The Data Controller is Merlata Sviluppo S.r.l. with registered office in Milano, Via Torino, 2 – 20123 (MI), e-mail email@example.com.
The updated list of any Data Processors appointed is available from the Data Controller’s registered office.
Data Protection Officer.
The Data Protection Officer, appointed by the Data Controller (or by the Group), can be contacted by:
– ordinary post, at the address: via Torino, 2 – 20123 Milano (MI) – to the kind attention of the Data Protection Office;
– e-mail, at the address firstname.lastname@example.org
Types of processed data.
The following types of data can be collected and processed via the Website:
• browsing data;
• personal data provided voluntarily by the User in the forms present within the Website.
Purposes and legal basis of the processing.
The personal data collected via the Website will be processed:
a) for managing the requests for information sent by the User;
b) for sending marketing communications about products and services via newsletter, e-mail, sms, mms, fax or similar means and/or by post or operator assisted telephone call;
c) for performing profiling activities instrumental to the execution of the activities described above in point b);
d) for sending communications with the aim of promoting and directly selling similar products or services to those you have already purchased (so-called “soft spamming”), without prejudice to your right to object at any time.
The processing of personal data for the purpose described in point a) does not require the User’s consent since it is necessary in order to fulfil specific requests made by the Data Subject pursuant to Article 6, paragraph 1, point b) of the GDPR.
The processing of personal data for the purposes described in points b) and c) require the User’s consent pursuant to Article 6, paragraph 1, point a) of the GDPR.
The processing of personal data for the purposes described in point d) does not require the User’s consent pursuant to Article 6, paragraph 1, point f) of the GDPR, since it is necessary for the pursuit of the legitimate interest of the Data Controller.
Data conferral and consequences of failure to confer data.
The conferral of a Data Subject’s personal data for the purposes specified above is optional and failure to confer the same will lead, as the sole consequence, to it being impossible for the Data Controller to manage and fulfil the Data Subject’s requests, send marketing communications and perform the indicated activities.
Data recipients and data recipient categories.
The Data can be made accessible, brought to the knowledge of or communicated to the following parties, who will be appointed by the Data Controller on a case-by-case basis as Data Processors or persons in charge of the processing:
a) companies of the group to which the Data Controller belongs (parent companies, subsidiaries and/or associates), employees and/or collaborators in any capacity of the Data Controller and/or companies in the Auchan Group to which the above-mentioned Data Controller belongs (parent companies, subsidiaries and/or associates);
b) public or private parties, natural persons of companies used by the Data Controller for the performance of the activities conducive to the fulfilment of the above-mentioned purposes or to which the Data Controller is obliged to communicate the Data due to legal or contractual obligations.
In any case, the Data shall not be disseminated.
The data shall be retained for a maximum period of time equal to the period of limitation applicable from time to time for the rights that can be exercised by the Data Controller. In case of processing performed for the purposes of marketing, the data shall be retained for a maximum period of 24 months; for profiling purposes the data shall be retained for a maximum period of 12 months.
Rights of access, erasure, restriction and portability.
Data Subjects shall have the rights set forth in Articles 15 to 20 of the GDPR. For example, each Data Subject can:
a) obtain confirmation as to whether or not personal data concerning him or her are being processed;
b) access any personal data being processed and the information about the processing, and request a copy of the personal data;
c) have incorrect personal data corrected and incomplete personal data completed;
d) obtain the erasure of personal data concerning him or her where one of the grounds set forth by Article 17 of the GDPR applies;
e) obtain the restriction of the processing in the cases envisaged by Article 18 of the GDPR;
f) in the cases envisaged by Article 20 of the GDPR, receive the personal data concerning him or her in a structured, commonly used and machine-readable format and request that the data be transmitted to another controller, if technically feasible;
g) if the Data Subject’s consent is required for the processing of the personal data, revoke his or her consent to the processing of the personal data, without compromising the lawfulness of the processing performed based on consent granted prior to said revocation.
Right to object to the processing performed due to legitimate interest.
Each Data Subject can object at any time to the processing of their personal data for the purpose of pursuing a legitimate interest of the Data Controller. Should he or she object, their data will no longer be processed, unless there are legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Right to object to processing performed for marketing purposes.
Each Data Subject is entitled to object at any time to the processing of his or her personal data performed for marketing purposes by writing an email to the address email@example.com. Objections to processing raised by these means also apply to the sending of marketing communications by post or operator-assisted telephone call, without prejudice to the possibility to exercise this right partially, for example by objecting only to the processing performed using automated communication systems.
Right to submit a complaint to the Italian Data Protection Authority.
Additionally, each Data Subject can submit a complaint to the Italian Data Protection Authority should he or she consider that their rights pursuant to the GDPR have been breached, using the methods indicated on the website of the Data Protection Authority, accessible at the address: www.garanteprivacy.it.
Cookies are small text files that the websites visited by a user send to his or her device where they are memorised and later sent back to the same sites when the user visits them again.
The Website uses both its own and third party technical cookies. These being technical cookies, they do not require the prior consent of the User to be installed and used.
Specifically, the cookies used in the Website can be placed in the following sub-categories:
– browsing or session cookies, which guarantee the normal browsing and use of the Website. As these are not saved on the user’s computer, they disappear when the browser is closed;
– analytics cookies, used to collect and analyse statistical information about the number of Website users and their visits;
– social widgets and plug-ins: some widgets and plug-ins provided by the social networks can use their own cookies to facilitate the interaction with the reference website.
The third party cookies installed on the Website are listed below. For each of these, the link to the relative note regarding the personal data processing and the methods for disabling the cookies used is provided. Regarding third party cookies, the Data Controller is only obliged to enter the link to the website of the third party in this policy. Instead, each third party is responsible for issuing a privacy note and indicating the methods, if applicable, for consenting to or disabling the use of the cookies.
• Google Analytics: Privacy Note | Opt Out
• Google Webmaster Tools: Privacy Note
• Facebook: Privacy Note | Cookies policy
• Linkedin: Privacy Note | Cookies policy
• Vuid: Privacy Note | Cookies policy
The User can disable the cookies by modifying their browser settings based on the instructions provided by the relative providers at the links listed below.
– Internet Explorer
– Mozilla Firefox
– Google Chrome
– Apple Safari
How your IP addresses are saved.