We also remind you that this privacy disclosure is disciplined by European regulation 2016/679 (hereinafter “the Regulation”, in force since 27 April 2016, and updated on 23 May 2018. The Regulation guarantees that the processing of personal data is made in full compliance with laws on fundamental rights and freedom, as well as of the dignity of the individual concerned, particularly regarding confidentiality, personal identity, and protection of personal data.
1. Owner of personal data
DAMA S.p.A is the owner of personal data (Hereinafter, Paul&Shark), with registered office in Via Piemonte 174, 21100 Varese, Italy.
2. Person responsible for personal data protection
Paul&Shark has chosen an individual responsible for data protection. This person can be contacted at this email address firstname.lastname@example.org for any information regarding personal data processing, and to exercise his or her rights, as follows.
It is also possible to make queries regarding privacy by filling in the contact form in the Customer Service contact section, and choosing the relevant section. The form can be found here: www.paulandshark.com/contact-us.
3. Type and purpose of data processing on the Website - Legal basis for Treatment
The Website collects and treats different kinds of personal data, with different purposes and in different ways. More precisely:
(a) Personal data related to web browsing, treated to guarantee Website functionality, as well as for marketing use. Regarding this, we invite you to read our “Cookie Information”, which can be found here: www.paulandshark.com/cookie-policy;
(b) Personal data voluntarily provided by the user, such as e-mail addresses, personal information, the password provided when filling in the “My Account” registration form or any other type of personal data acquired each time the user interacted with the website, to respond to requests and offer service, assistance and information about products and the world of Paul&Shark;
(c) Personal data provided by the user during the Website registration process; related to the sending of order forms, used to purchase products on the Website’s e-commerce platform, in order to close any e-commerce transactions, and in order to communicate with users for any activities that are functional or instrumental to sales, as well as necessary for any pre-sale and after-sale activities;
(d) With the user’s explicit consent, Paul&Shark will be allowed to utilize the user's personal data for marketing purposes, namely, to send information and product updates, as well as information on sales, promotional campaigns and any events and initiatives promoted by Paul&Shark, to the user (through traditional and electronic tools, such as newsletters, email, sms, MMS and smart messages);
(e) With the user’s explicit consent, Paul&Shark will also be able to process the concerned user’s personal information in order to research patterns and user choices, in order to make products and initiatives more suited to the tastes and needs of its clients.
- The potential consent provided by the user for the purposes listed in points b, c, d and e;
- Paul&Shark’s legitimate interest to provide the Website’s services and to respond to potential client requests, as well as the User’s interest to be able to correctly browse the Website.
As for point 3c, the legal basis for the processing hereby indicated is in the fulfilment of the contract, and in the obligation to fulfil any pre and post contractual obligations. We point out that, on the basis of legitimate interest, Paul&Shark might get in touch with you, in order to offer services and products similar to those you may have already purchased in the past. You will, however, be able to demand that Paul&Shark stops processing your data, at all times. Paul&Shark will comply without undue delay.
We also inform you that our study of user and client behaviour will be carried out using methods that will not be invasive of personal privacy.
4. Source of personal data
Any personal data collected by Paul&Shark is directly provided by the user, when the user registers on the Website, or during the sale process. Browsing data is an exception to this, as mentioned in point 3a.
5. Methods of processing personal data collected by Paul&Shark
Any personal information collected by Paul&Shark will be treated mostly digitally and electronically, while ensuring to set up all the security measures necessary to reduce any risks of destruction or loss (including accidental), of unauthorized access and of processing for which consent has not been granted on the part of the user, or which may not be compliant with the collection purposes indicated in this privacy disclosure. However, these safety measures cannot limit or completely eliminate the risk of unauthorized access or loss of data, due to its online transmission method.
Every purchase made on Paul&Shark’s website is made as safe as possible, thanks to the use of advanced encoding technology methods (SSL.)
6. Mandatory or optional nature of providing data
Providing personal data, in particular personal information, email address, postal address, phone number and bank details (in case of bank payments) is compulsory due to contractual and fiscal reasons.
Furthermore, some of this data might be essential for the Website to provide other services, and might be related to sales (for instance, to pre-sale and after-sale services, such as tailoring services, transport services, returns, etc), or to compliance with any obligations derived from laws and regulations (as, for instance, tax compliance and money laundering legislation.) Failing to provide data might, depending on each case, constitute a legitimate and justified reason why Paul&Shark might not fulfil the purchase agreement on the online e-commerce, or providing any services related to it.
According to circumstances, and where necessary, the mandatory or optional nature of data provision will be indicated by the Website’s placing an asterisk (*) next to the information that must be shared, namely, the data necessary for the company to be able to provide services, and make the purchase of any products on its website possible. Failing to provide optional personal data will not cause any obligation, nor any detriment for the user.
7. Types of recipients of personal data
Paul&Shark only shares the personal data of its Website users in compliance with any limits set by the law, and according to the rules hereby indicated.
Personal data will be shared with:
- Any Paul&Shark employees or consultants, who will work as the subjects formally authorised to process data for internal company organisational purposes;
- Companies of the same Group, as entities responsible for the above mentioned processing of data, in order to carry out activities and contractual services, as well as carrying out specific marketing information;
- Companies who perform specific technical and organisational services related to Website functionality, such as logistics, IT services and marketing services, for Paul&Shark.
Personal data wil also be shared with:
- Other third parties, exclusively in order to carry out the purchase agreement of products on the Website (such as, for instance, credit and debit card issuers, to allow the execution of online payments);
Your data will not be shared, and will only be transferred to other countries when there is a guarantee of suitable levels of protection and safeguard of said data, in compliance with the law. The data centres used by Paul&Shark for the storage and processing of the data provided are all located on EU territory.
In order to allow data processing, for contractual and marketing purposes by societies of the same group, data might also be transferred to the relevant countries (which might also be located outside the EU.) Regarding this issue, Paul&Shark has stipulated Standard Contractual Clauses with its subsidiaries outside the EU, in compliance with national and international data protection legislation.
Personal information can also be provided to IT service providers, in order to allow the companies of the Group to access said data. We also point out that, in this regard, Paul&Shark has stipulated the above-mentioned Standard Contractual Clauses in order to protect the personal data being transferred, previously ensuring that these service providers have the necessary safe measures in place, as the entities responsible for the processing of transferred data.
8. Retention period of personal data
The retention period of personal data varies, depending on the purpose for which the data was collected:
- Data collected to carry out any contractual obligation can be retained for the duration of the contract, but not for over 10 years after the fulfilment of the contract;
- Data collected for operational purposes and all purposes connected to these, as well as for accessing the website, can be retained for the duration of the contract, but not for over 10 years after the fulfilment of the contract;
- Data collected for marketing purposes can be retained for 24 months starting from the day that the User expressed consent for the data to be used for this purpose;
- Data collected for marketing and profiling purposes can be retained for 12 months starting from the day that the User expressed consent for the data to be used for this purpose.
Should Paul&Shark become a defendant, act or bring a claim towards them or third parties, it might retain the personal data that it might reasonably consider necessary for these purposes, for the time necessary until said claim can be resolved.
9. Exercise of the data subject’s rights
Individuals concerned can exercise their rights in compliance with articles 15-16-17-18-19-20-21 of European regulation 679/2016, by filing a request to the person responsible for handling personal data.