- DATA CONTROLLER
MNP LABS Srl (the "Owner" or the "Company")
Address: Via Massimo D'Antona 28 - 23893 - Cassago Brianza (LC)
VAT NUMBER 03958560132
E-mail address: firstname.lastname@example.org
Website: www.mesaudanailpro.it (the "Site")
- PERSONAL DATA PROCESSED
- Personal data (name, surname, residential address, tax code);
- Contact details (e-mail address and telephone number);
- Data relating to purchases made on the Site;
- Billing data and details of debit/credit cards used to make payments;
- Navigation data
(also jointly referred to as the "Data").
- COLLECTION OF PERSONAL DATA
During normal operation, the computer systems and software procedures used to operate this website acquire certain personal data, including IP addresses or domain names of the computers used by users connecting to the Mesauda Nail Pro website, URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment.
The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the site.
- PURPOSE AND LEGAL BASIS OF PROCESSING
In some sections of the Site, in relation to specific services, some of the Data listed above are requested, which will be processed by the Company for the purposes and legal bases indicated below.
- For the execution of pre-contractual measures and/or a contract to which you are a party:
- For the purpose of registering a user to the mesaudanailpro.it website ("Account");
- For technical management and administration of the website;
- To proceed with the purchase of Mesauda Nail Pro products;
- In order to take advantage of the services reserved for personal Account holders on the Site, such as participation in the loyalty program, viewing previous purchases, etc., it is necessary to have a personal Account;
- To properly receive and process information and contact requests received (including through live chat or the "my invitation" form).
- Based on a legitimate interest of the Owner (soft spam ex art. 130 paragraph 4 of D. lgs 196/2003 as updated by D. lgs 101/2018 - Code for the protection of personal data), for the promotion by e-mail of services similar to those of the sale, without prejudice to the possibility to object at any time.
In addition, with your prior consent, which is optional and revocable at any time, the personal data collected may be processed for additional purposes, and in particular for:
- Marketing: to send you communications about initiatives, commercial offers, questionnaires and market research of the Controller through digital channels (e.g. by e-mail);
- Profiling: for the analysis of your preferences, habits, behaviour, interests deduced, for example, from online clicks on articles/sections of the Site, in order to send you personalised commercial communications or carry out targeted promotional actions.
In any case, your personal data may also be processed, where necessary, for the following purposes:
- For the need to fulfill legal obligations, and in particular to fulfill obligations under regulations and applicable national and supranational legislation (tax compliance, administrative, etc.);
- On the basis of a legitimate interest (judicial protection), to ascertain, exercise or defend the rights of the Owner in judicial and/or extrajudicial proceedings.
- RETENTION PERIOD
- For the entire contractual period and, after termination, for the ordinary limitation period of 10 years, for processing operations whose legal basis is the performance of pre-contractual measures and/or a contract to which the data subject is party;
- Until the data subject exercises the right to opt out, for the activity of promotion by e-mail of services similar to those of the sale, based on the legitimate interest of the Controller (soft spam);
- For a duration of 24 and 12 months respectively from the date of collection of the data subject's consent for optional marketing and profiling processing;
- For the duration foreseen by the law (10 years for administrative-accounting fulfilment) for processing to comply with legal obligations;
- In the event of litigation, for the entire duration of the litigation, until the time limit for appeals has been exhausted, for processing carried out for the judicial protection of the Controller on the basis of its legitimate interest.
The personal data in question, once the above-mentioned retention periods have expired, will be destroyed, erased or made anonymous in accordance with the technical procedures for erasure and backup and with the Controller's accountability requirements.
- MANDATORY NATURE OF DATA PROVISION
The provision of the Data processed for the purposes of the execution of pre-contractual measures and/or a contract and the fulfilment of legal obligations is necessary for the conclusion of the various contractual relationships, the execution of the orders and services requested and the fulfilment of legal obligations.
Therefore, any refusal by the interested party will make it impossible for the Controller to provide the requested service.
In relation to optional processing, such as marketing and profiling, the provision of data is entirely optional and the data subject may opt out at any time.
- RECIPIENTS OF DATA
The Data may be known and processed by the employees of the corporate functions in charge of pursuing the above-mentioned purposes, who have been expressly authorised to process them and have received adequate operating instructions.
The Data, moreover, may be processed by external parties operating as autonomous controllers such as, by way of example, supervisory and control bodies, Public Authorities that expressly request it for administrative or institutional purposes and, in general, all parties legitimized by current national and European regulations to request such data.
The Data may also be processed, on behalf of the Company, by external parties that qualify as data processors (pursuant to Article 28 of the GDPR). Such parties, by way of example, may be:
- Companies offering e-mailing services;
- Companies that perform the service of managing and/or maintaining the Company's website;
- Companies that offer support in conducting market studies;
- Companies that provide services for the management of the information system and telecommunications networks, including electronic mail;
- Companies offering services for sending documentation and/or materials (post offices, forwarding agents, couriers, etc.);
- Banking institutions for the management of collections and payments arising from the execution of contracts.
The full list of data processors is available upon request to the Controller using the contact details given in Section 9 below.
- TRANSFER OF PERSONAL DATA TO COUNTRIES OUTSIDE THE EUROPEAN UNION
Your personal data will not be transferred outside the European Union.
Where this is the case, with respect to data collected using cookies, the Data Controller, to the extent of its competence, will adopt appropriate safeguards, including existing adequacy decisions and Standard Contractual Clauses adopted by the European Commission.
- RIGHTS OF THE PERSONS CONCERNED
Interested parties may ask the Data Controller for access to the Data concerning them, their deletion, the rectification of inaccurate data, the integration of incomplete data, the limitation of processing in the cases provided for, as well as the opposition to processing, for reasons related to their particular situation, in cases of legitimate interest of the Data Controller:
- by contacting the Privacy Office, by mail at via del Cottanello, Nr 13 - Rome 00158, to the kind attention of the Privacy Contact; or
- via e-mail to email@example.com
Moreover, where the processing is based on consent or on contract and is carried out by automated means, data subjects have the right to receive the data in a structured, commonly used and machine-readable format and, if technically feasible, to have them transferred to another data controller without hindrance (so-called right to portability).
Finally, data subjects always have the right to withdraw their consent given for marketing and/or profiling purposes at any time (this, in any case, will not affect the lawfulness of the processing carried out on the basis of the consent given before the withdrawal) and to lodge a complaint with the competent supervisory authority in the Member State where they habitually reside or work or in the State where the alleged breach occurred.