PRIVACY NOTICE
pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”)
This Privacy Notice provides users of casadei.com (the “Website”), including those who merely browse the Website as well as customers purchasing products through the e-commerce service (the “Users”), with the fullest and clearest information regarding the processing of their personal data through the Website pursuant to the General Data Protection Regulation (GDPR) (EU 2016/679) and the Italian Personal Data Protection Code (Legislative Decree No. 196/2003).
In accordance with applicable legal requirements, this Privacy Notice also specifies:
the nature of the personal information processed;
the purposes and means of processing personal information;
the identity and contact details of the Data Controllers;
the contact details of the Data Protection Officer (“DPO”);
any third parties involved in the processing activities;
the retention period applicable to personal information;
the security measures adopted to protect personal information;
Users’ privacy rights.
This Privacy Notice applies exclusively to the Website and does not concern any website or platform to which the Website may link.
Users under the age of 16 (sixteen) may not provide consent to the processing of personal data without parental authorization.
1. Data Controllers
Pursuant to the GDPR, the data controller is the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The joint controllers relating to the processing of data connected with the Website activities are:
CALZATURIFICIO CASADEI S.p.A. – Via XX Settembre 87, 47030 San Mauro Pascoli, Italy, VAT No. 00918440405, email: privacy@casadei.com, telephone: +39 0541 932675;
The Level S.r.l. – Piazza Arcole 4, 20143 Milan, Italy, VAT No. 07234250962, email: privacy@thelevelgroup.com, telephone: +39 02 87287200;
(the “DATA CONTROLLERS”).
Pursuant to Article 26 GDPR, the joint controllers determine, through an internal arrangement, “their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercise of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14.”
2. Data Protection Officer
The Data Controllers make available the contact details of the Data Protection Officer.
For any matter relating to the processing of Data and the exercise of the rights provided for by the GDPR, Users may contact the Data Protection Officer using the following contact details:
Email: privacy@casadei.com
Telephone: +39 0541 932675
3. Subject Matter and Purposes of the Processing
The term “personal data” means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4 GDPR).
Personal data is automatically collected by the Website while Users browse the Website, or received through social media platforms, in order to process online purchases, provide newsletter services, or allow Users to contact the Website owner.
The Website processes personal data for the following purposes:
A) BROWSING DATA
The Website collects non-sensitive browsing data through automatic means in order to enable and improve Users’ browsing experience (for example: IP address, date/time of the visit and related duration, any referring URLs, pages visited on the Website, device used and other information).
The processing of such information allows Users to access the Website and fully benefit from its features and services. In addition, browsing data may be used to verify that the Website functions properly.
From time to time, browsing data may be processed anonymously for statistical purposes.
It is unlikely that browsing data will allow the identification of the relevant data subject.
However, due to its nature, browsing data may allow Users to be identified if associated with other information.
The browsing data described above is stored only temporarily in accordance with applicable law.
B) ORDERS
At checkout, the Website requests Users to provide personal data for the essential purpose of processing purchase orders and fulfilling contractual obligations (for example: first name and surname, email address, delivery address, etc.).
The e-commerce service may include digital payments, account or guest purchases, and online returns.
Such personal data is also essential to enable Customer Service to assist Users with requests and any related need, both before and after the sale (for example regarding delivery status or product returns).
Personal data relating to orders shall be retained for as long as necessary to fulfil contractual obligations and applicable tax and financial reporting obligations.
The Website may also verify the payment instruments used by Users for purchases made through the Website (for example credit or debit cards) primarily in order to prevent fraudulent activities or comply with applicable anti-money laundering laws.
As payment verification activities are fully entrusted to third-party payment processors, the Data Controllers do not process or store Users’ financial information.
Failure to provide the personal data requested at checkout shall prevent Users from completing orders through the Website.
On the basis of the legitimate interest pursued by the Data Controllers pursuant to Article 6(1)(f) GDPR and Article 130, paragraph 4, of the Italian Privacy Code, the Data Controllers may use the email address provided by the User in connection with a purchase made through the Website in order to send commercial communications relating to products or services similar to those already purchased (“soft spam”), without the need for prior consent.
In any case, Users are guaranteed the right to object at any time to such processing, both at the time of data collection and on each subsequent communication, by means of the unsubscribe link included at the bottom of the emails or by contacting Customer Service.
It remains understood that the sending of marketing communications, newsletters or promotional communications relating to products or services other than those already purchased, as well as the carrying out of profiling activities, shall only take place subject to the User’s explicit, free and informed consent, in accordance with sections D) and E) of this Privacy Notice.
C) REGISTRATION ON THE WEBSITE
When Users choose to register a personal account on the Website, they are requested to submit personal data (for example date of birth, gender, etc.). The Website clearly indicates which personal data is mandatory (or not) in order to create a Website account.
Users must provide true and accurate personal data when registering and are invited to keep their personal data updated (should any changes occur) by accessing their personal account and making the necessary amendments.
Users choosing to activate or access their Website account through social media platforms should be aware that, when linking their Website account to a social media account, the Website collects certain personal data already provided to such social media platform (for example email address and public Facebook profile).
The Data Controllers do not supervise or control such social media services or Users’ profiles on such services and do not determine the privacy settings or rules regarding the use of personal information on such services.
Users are strongly encouraged to read all applicable social media privacy policies and notices in order to obtain further information regarding the processing of personal data.
D) NEWSLETTERS AND MARKETING COMMUNICATIONS
On the Website, Users may choose to receive newsletters and commercial communications.
The Website always collects Users’ explicit, free and unambiguous consent before sending newsletters and marketing communications or, more generally, before carrying out electronic marketing activities.
In such cases, Users may be asked to provide personal information in addition to their email address (for example gender, country of residence, etc.) in order to receive marketing communications and newsletters tailored to the User profile.
Users may always easily withdraw their consent to receive newsletters and commercial communications in the following ways:
through their account settings;
by clicking the “unsubscribe” link included in any such email;
by contacting Customer Service.
E) PROFILING
Subject to the Users’ explicit consent, newsletters and marketing communications may be tailored to Users’ “profile”, based on the personal data collected or received by the Website concerning the relevant Users.
The main purpose of profiling is to offer products, services and initiatives that are more in line with Users’ tastes, purchasing habits and interests.
Personal data may also be used for remarketing, retargeting or profiling purposes, including through third parties (for example social networks).
Neither the Website nor the Data Controllers shall ever carry out profiling activities relating to children.
4. Legal Basis for Processing
The legal basis for the processing is constituted:
for the purpose referred to under section A) above, by the legitimate interest pursued by the Data Controller in order to enable and improve Users’ browsing experience on the Website, pursuant to Article 6(1)(f) GDPR;
for the purposes referred to under section B) above, by the performance of a contract to which the Users are party or by the implementation of pre-contractual measures pursuant to Article 6(1)(b) GDPR;
for the purposes referred to under sections C), D) and E) above, by the data subject’s consent pursuant to Article 6(1)(a) GDPR.
5. Cookies
The Website uses cookies, both technical cookies (i.e. to facilitate browsing and use of the Website) and profiling cookies (i.e. to analyse Users and their behaviour and preferences and provide personalised advertising).
Information relating to the cookies used on the Website is available at the following URL: COOKIE POLICY.
6. Sharing and Transfer of Personal Data
The Data Controllers may transfer Users’ personal data to primary third-party providers acting as “data processors” (the “Processors”) in order to perform the business operations necessary to fulfil their contractual obligations.
The Data Controllers shall use their best efforts to ensure that all Processors apply industry best practices to protect personal data and do not use personal data for purposes other than those agreed upon with the Data Controllers.
For example, the Data Controllers may share personal data with the following categories of Processors:
couriers and postal operators;
order fulfilment centres and warehouses;
advertising, digital marketing and social media agencies;
IT service providers;
customer service providers;
payment service providers.
In such cases, the sharing of personal data with the Processors is necessary in order to enable the Data Controllers to fulfil their contractual obligations and improve the Website’s products and services.
Users may request an updated list of the Processors involved in the processing of personal information relating to the Website activities by sending an email to: privacy@thelevelgroup.com.
The Data Controllers shall always reserve the right to disclose Users’ personal data where required by law (for example in response to law enforcement requests) and where necessary to protect the rights of the Data Controllers, their affiliates or third parties.
Furthermore, personal data may be disclosed to other companies within the same corporate group of each of the Data Controllers or to third parties in the event of a corporate restructuring process, in full compliance with applicable law.
In all other cases, the sharing of personal data shall be subject to the Users’ prior and explicit consent, unless the processing is permitted on the basis of an alternative legal basis.
The Data Controllers shall not transfer any personal data outside the European Economic Area (“EEA”), unless Users have explicitly authorised such transfer or the transfer of personal data outside the EEA is permitted by the GDPR on another legal basis.
In order to offer Klarna payment methods, at checkout we may transfer Users’ personal data in the form of contact and order details to Klarna, so that Klarna may assess whether Users qualify for their payment methods and adapt such payment methods to Users’ needs.
The personal data transferred is processed in accordance with KLARNA’S PRIVACY NOTICE.
7. Processing Methods and Security Measures
Users’ personal data is processed by the Data Controllers using IT-based, automated and electronic tools and, in limited cases, paper-based means.
Specific measures are adopted for online transactions, payment encryption and systems suitable for protecting Users’ accounts.
In accordance with the GDPR, specific security measures have been implemented in order to prevent data loss, unlawful or improper use and unauthorized access.
Only authorized employees of the Data Controllers and authorized employees of third-party providers acting as Processors on behalf of the Data Controllers have access to personal data relating to the Website activities.
Data processing agreements are in place with the Processors in order to ensure that they always meet the level of security required under the GDPR when processing personal data relating to the Website activities.
Although the Website adopts primary security measures in order to prevent the loss, destruction or dissemination of personal data, it cannot exclude the security risks inherently connected with online data transmission.
Users acknowledge the risks inherent in providing personal data over the Internet and shall not hold the Website liable for any security breach unless such breach is due to negligence or willful misconduct by the Website.
8. Retention of Personal Information
The Data Controllers shall retain personal data for as long as necessary for the purposes indicated in this Privacy Notice, or in order to comply with legal or tax obligations, or for the minimum retention period prescribed by law.
In order to determine the appropriate retention period for personal data stored by the Website on the basis of Users’ consent, the Data Controllers shall take multiple factors into account in order to ensure that personal data is not retained for longer than necessary or appropriate.
Such criteria shall also include:
the purpose for which the Website holds personal data;
legal, tax and regulatory obligations connected with such personal data;
the type of ongoing relationship with the Users or relevant customer (for example how often Users access their Website account, whether Users continue to receive marketing communications, how regularly they browse or purchase through the Website, etc.);
any specific request by Users connected with the deletion of personal data;
legitimate business interests.
In particular, personal data shall be retained according to the following retention periods:
Browsing data: retained for a maximum period of 12 months from the date of collection, except where necessary for the investigation of cybercrime or requests from judicial authorities.
Data relating to orders and purchase transactions (including identification, contact, shipping and invoicing data): retained for 10 years following completion of the contract, in accordance with civil law, accounting and tax obligations under applicable legislation.
Registered account data: retained for the entire duration of the account and, in the event of account inactivity for a period exceeding 24 months, the account shall be deactivated and the related personal data deleted or anonymized, except where further retention is required by law.
Data processed for marketing and newsletter purposes: retained for up to 24 months from the granting of consent or the User’s last active interaction, unless consent is withdrawn earlier.
Data used for profiling activities: retained for a maximum period of 12 months from collection, unless consent is renewed.
Data relating to assistance requests and contacts with Customer Service: retained for a maximum period of 24 months following closure of the request, unless further retention is necessary for the management of disputes or litigation.
In any case, upon expiry of the retention periods indicated above, personal data shall be deleted, anonymized or aggregated, unless further retention is necessary in order to comply with legal obligations or protect the rights of the Data Controllers before judicial authorities.
Users may at any time exercise the rights provided for by the GDPR, including the right to request deletion of personal data, according to the procedures indicated in this Privacy Notice.
9. Links to Third-Party Websites or Platforms
The Website may contain banners, advertisements and other links to third-party websites or platforms.
The Data Controllers cannot control or be held responsible for the conduct of such third-party websites or platforms in relation to privacy laws.
Users are invited to read the relevant privacy notices in order to verify how such third parties collect and process personal data.
10. Users’ Rights
Users have the right to obtain confirmation as to whether the Data Controllers hold personal data relating to them.
Where this is the case, pursuant to the GDPR, Users also have the right to:
be informed regarding the collection and use of their personal information;
access their personal information free of charge;
obtain the rectification or completion of inaccurate or incomplete personal information;
obtain the deletion of personal information (“right to be forgotten”);
under specific conditions, obtain restriction or suppression of their personal information;
obtain and reuse their personal information for their own purposes across different services where processing is based on a contract or consent and carried out by automated means (“right to data portability”);
under specific conditions, object to the processing of their personal information;
object at any time to the use of personal information for “profiling” or “automated decision-making” purposes;
lodge complaints relating to the collection and processing of personal information with the competent supervisory authority;
withdraw consent to the processing of personal data at any time;
where personal data is processed for direct marketing purposes, object at any time to the processing of personal data concerning them for such purposes, including profiling insofar as related to such direct marketing.
Users may contact the Website for any request and in order to exercise their privacy rights at the following email address: privacy@thelevelgroup.com.
11. Complaints
Users also have the right to lodge a complaint with a supervisory authority.
In Italy, the competent supervisory authority is the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), whose contact details are available at www.garanteprivacy.it.
12. Amendments to this Privacy Notice
Any future amendments to this Privacy Notice shall be published on the Website and, where appropriate, notified to Users by email.
Users are invited to regularly review this Privacy Notice in order to verify any updates or amendments.