Doc. IS01-18 

Personal data processing policy
(Articles 13 and 14 EUROPEAN REGULATION No. 679/2016)

Dear User,
the undersigned HENDERSON S.r.l., with registered office at Via Padova, 214 – 30030 Vigonovo (VE), tax ID code and VAT code 02005720285, acting as “Data Controller” informs you, in accordance with articles 13 and 14 of European Regulation no. 679/2016 (hereinafter referred to as EU Regulation), that your data will be processed as follows:

1. Data processing subject
The Data Controller hereby informs you that personal and identifying data (for example, first name, last name, company name, address, telephone, e-mail, payment or bank details, etc.) are hereinafter referred to as personal data or even just data. Such data, relating to you and obtained even verbally, directly or through third parties in the past, as well as those collected in the future, may be processed in full compliance with the EU Regulation. The Data Controller processes data in a lawful way, specifically for the execution of any contracts to which you are party or to perform any contractual measures (e.g. preparing an offer, etc.) you may have requested (article no. 6 of the EU Regulation).

Data processing means any operation or set of operations concerning the collection, registration, organisation, storage, consultation, processing, alteration, selection, retrieval, alignment, usage, combination, blocking, communication, dissemination and destruction of data.

2. Purpose and legal basis for processing
Legal basis: EU Regulation no. 679/2016
A) without your express consent (article 6, letters b), c) and e) of the EU Regulation) for the following purposes:
- fulfilment of pre-contractual, contractual, and tax obligations deriving from existing relationships with you; 
- fulfilment of obligations established by law, by regulation, by European Community legislation, or by order of the authorities (for example, relating to anti-money laundering);
- exercising the Data Controller's rights, for example the right to legal protection; 
- for bookkeeping purposes;
- for managerial purposes (invoicing, document management, etc.);
- for credit management;
- for statistical analysis and quality control;
- for insurance operations;
- for technical assistance.

In particular, your data will be processed for purposes related to carrying out the following requirements relative to legislative or contractual obligations:
- technical and operational access to the site: no data is kept after you close your browser;
- advanced browsing purposes or personalised content management;
- statistical and user browsing analysis purposes.

B) only upon your specific and distinct consent (article 7 of the EU Regulation) for the following commercial, marketing and/or profiling purposes:
- sending newsletters, commercial communications and/or advertising material via email, post, SMS and/or phone about products or services offered by the Data Controller and/or results of customer satisfaction surveys on the quality of activities carried out at your request.
- sending commercial communications and/or third-party advertising (e.g. from business partners) via e-mail, post, SMS and/or phone.

3. Processing methods
The processing of your data is carried out through the operations indicated in article 4 n. 2) of the EU Regulation, specifically: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and blocking. Your personal data are subject to both physical and electronic and/or automated processing (suitable, however, to guarantee the security and confidentiality of data). 

4. Data retention periods and other information
The Data Controller will process personal data for as long as necessary for the above-mentioned purposes and for no longer than the period, starting from the termination of the relationship, set out by law for the purposes of said relationship.
With reference to personal data being processed for the purposes of marketing or profiling, data will be stored in compliance with the principle of proportionality and only until they have served the purposes of data processing or until specific consent from the data subject has been withdrawn.
Specifically, the Data Controller will process the data for no longer than two years from the collection of data for marketing purposes, and one year for data collected for profiling purposes.
The personal data you provide will be processed “lawfully, fairly and transparently”, protecting your privacy and rights.
A periodic check will be carried out annually on processed data and on the possibility of being able to erase them if no longer required for their intended purposes.

5. Access to data
Your data may be made available for the purposes specified in the previous points 2.A) and 2.B):
- to associates, employees and collaborators of the Data Controller in Italy and abroad, in their roles as internal data processors and/or managers, and/or system administrators.
- to third-party companies or other parties performing outsourced activities on behalf of the Data Controller, in their roles as external data processing managers (e.g. associated offices, solicitors, data processing companies, certification bodies, accounting/tax consultants and generally all organisations in charge of audits and checks regarding the correct fulfilment of the above-mentioned purposes, credit institutions, professional studios, consultants, insurance companies for the provision of insurance services, financial offices, municipal bodies and/or offices, and consultants and service companies for safety in the workplace. These may in turn transmit the data, or grant access to them, to the relevant associates, users and assignees for specific market research. The data collected and processed may also be communicated to subcontractors, suppliers, for the management of information systems, transport companies, freight forwarders and customs brokers in Italy and abroad).

For brevity the detailed list of such parties is available at our registered office and is at your disposal.

6. Data communication
Without the need for express consent (article 6, letters b) and c) of the EU Regulation), the Data Controller may disclose your personal data for the purposes mentioned in the previous point 2.A) to supervisory bodies, legal authorities and insurance companies for the provision of insurance services, as well as to any parties to which disclosure is required by law to fulfil the above-mentioned purposes.
These parties will process the data in their roles as independent data controllers.
During and after browsing your data may be disclosed to third parties, in particular to:
- Google: Advertising Services, Target Audience, Analytics/Measurement, Content Personalisation, Optimisation;
- Google AdWords: Advertising Services, Target Audience, Analytics/Measurement, Content Personalisation, Optimisation;
- Google Analytics: Target Audience, Analytics/Measurement, Optimisation.
Your personal data will not be disclosed.

7. Data transfer
Personal data are stored on devices located at the registered office of the Data Controller or at providers within the European Union. In any case, it is understood that, if necessary, the Data Controller reserves the right to relocate its servers, even to countries outside the EU. In this case, the Data Controller hereby guarantees that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, subject to the contractual clauses and standard checks stipulated by the European Commission.
Both with regards to data kept on its own devices, and any data kept at the provider, the Data Controller has put adequate technical and organisational measures in place to guarantee an appropriate level of security, in full compliance with the provisions of art. 32 of the EU Regulation.
Web browsing: your browsing data may also be transferred, solely for the above-mentioned purposes, to the following states: EU countries and the USA.
Cookies Management: It is always possible to intervene to prevent the creation and reading of cookies in the event that you have doubts or concerns regarding their use. For example, you can change your browser's privacy settings in order to block certain types of cookies.
Since each browser - and often different versions of the same browser - also differ significantly from one another, if you prefer to act independently through browser preferences, detailed information on the necessary procedures can be found in your browser's manual.

8. Nature of data provision and consequences of refusal to provide data
The provision of data for the purposes mentioned in the previous point 2.A) is compulsory. In their absence, we cannot guarantee you the services outlined in 2.A).
The provision of data for the purposes mentioned in the previous point 2.B) is instead optional. You can therefore decide to not provide any data or to subsequently deny the possibility to process data already provided. In this case, you will not be able to receive newsletters, commercial communications and advertising material and/or anything else related to services offered by the Data Controller.
You will, however, continue to be entitled to the services referred to in point 2.A).

9. Data subjects’ rights
In your capacity as data subject, you have rights as per article 15 of the EU Regulation, as listed below and specifically:  
1. You have the right to obtain confirmation from the Data Controller as to whether or not your data is currently being processed and, in such cases, to obtain access to the personal data and the following information:
a) the purposes of data processing;
b) the categories of personal data in question;
c) the recipients or categories of recipients to whom the personal data have been or will be communicated, particularly if the recipients are in third countries or international organisations;
d) wherever possible, the storage period of personal data provided or, if that is not possible, the criteria used to determine said period;
e) the existence of your right to request from the Data Controller the rectification or deletion of personal data, or the restriction of the processing of your personal data, or to object to their processing;
f) the right to lodge a complaint with a supervisory authority (the Guarantor for the Protection of Personal Data);
g) in the event that personal data are not collected from the data subject, all available information regarding their origin;
h) the existence of an automated decision-making process, that includes profiling referred to in article 22, paragraphs 1 and 4 of the EU Regulation, and at least in such cases, meaningful information on the logic used, as well as the importance and the consequences of such processing for the data subject.

2. In the event that personal data is transferred to a third country or an international organisation, you have the right to be informed of the existence of appropriate safeguards in accordance with article 46 of the EU Regulation relating to the transfer.
3. The Data Controller will provide you with a copy of your personal data being processed if you request it.
In the event that you ask for further copies, the Data Controller may charge a reasonable fee based on administrative costs. If you submit the request by electronic means, and unless otherwise specified, the information will be supplied to you in a commonly-used electronic format.
4. The right to obtain a copy referred to in paragraph 3 must not adversely affect the rights and freedoms of others.

Furthermore, where applicable, you can enjoy the rights referred to in articles 16 to 22 of the EU Regulation and more precisely you have:
- the right to rectification of personal data;
- the right to be forgotten (right of erasure);
- the right to data processing restriction;
- the right to data portability;
- the right to object;
- the right to complain to the Supervisory Authority.

You also have the right to withdraw, at any time, previously-given consent without affecting the lawfulness of processing based on consent given before your withdrawal.

10. How to exercise your rights
You can exercise your rights at any time by sending:
- a registered letter with delivery receipt to the undersigned (see the address in the letterhead);
- an e-mail to info@hendersonshoes.it.

11. Minors
Anything provided by the Data Controller and that forms the basis of our relationship with you does not include the intentional collection of personal information referring to minors. In the event that information about minors is inadvertently recorded, the Data Controller will delete it in a timely manner at the request of the data subject.

12. Personal data not obtained from the data subject
It may be possible that the undersigned is not the Data Controller to whom you have given your personal data but is co-controller of the data or in charge of externally processing data and has therefore subsequently received your data due to a contract that regulates the parties. In this case it is specified that the undersigned will make every effort to ensure that you are informed and have given consent to processing. At any time, you may ask the undersigned to provide the source of your data.

13. Data Controller and processors
Below we provide you with some information that it is necessary to bring to your attention, not only to comply with legal obligations, but also because transparency and fairness towards our customers is a fundamental part of our business.
Data Controller: The Data Controller of your personal data is HENDERSON S.r.l., on whose behalf signs Mr. Gianluigi Baracco, responsible for the lawful and correct use of your personal data. You may contact him for any information or requests by phone at +39 049 502652 or by e-mail at info@hendersonshoes.it.
Data processors: The updated list of data processors is kept at the registered office of the Data Controller.