Privacy & Cookie Policy

Arts. 13 et seq. General Data Protection Regulation no. 2016/679 (“GDPR”)


Website www.pettenon.it


Introduction

Dear user, when you access and browse this website (hereinafter the 'Site'), some of your personal data is collected, stored, and used (technically 'processed') through the device you are using, including through analysis and storage of your IP address, browsing data, "cookies" and other online identifiers such as "pixels".


In light of these processing activities, in compliance with applicable legislation which provides obligations of protection, confidentiality, and security regarding your data, Pettenon Cosmetics S.p.A. SB clarifies below the purposes and means of processing in its capacity as Data Controller.


Data Controller


Personal data processing operations carried out following access to and interaction with the Site will be performed by Pettenon Cosmetics S.p.A. SB as Data Controller, with registered office in San Martino di Lupari (PD), Via del Palù, 7d, VAT and Tax ID 04937500280.


Pettenon Cosmetics S.p.A. SB can be contacted at:


Pettenon Cosmetics S.p.A. SB has appointed a Data Protection Officer (“DPO”) contactable by sending an email to dpo@pettenon.it.


Categories of data processed

  • information related to the User's navigation on the Site, including online identifiers and device-related data;
  • personal identification and contact data freely entered by the User on the Site, such as: first name, last name, email address, phone number;
  • personal data obtained from third parties or sources in relation to specific initiatives or purposes promoted by the Data Controller;
  • additional personal data, specifically identified, in case of implementation of new functionalities or services.

Purposes, legal bases, and data retention periods


The table below reports the specific purposes for which personal data is processed, along with the corresponding legal basis and the maximum retention period of the data, if it can be specified precisely (otherwise, the retention criterion used to set up the relevant technological tool is indicated).


| Purpose | Legal basis | Retention period |
|---|---|---|
| Provision of the Site’s navigation features, its pages, and contents, such as product catalogs | 6 (1) (b), for the fulfillment of pre-contractual obligations | for the duration of the User’s visit on the Site, up to a maximum of 24 months |
| Responding to contact requests or information inquiries submitted by the User | 6 (1) (f), for the legitimate interest of the Data Controller in maintaining relationships with Site Users | up to a maximum of 10 years from interaction with the User |
| Management of unsolicited contacts from Site Users, via submission of CVs and/or other communications | 6 (1) (b), for the fulfillment of pre-contractual obligations | up to 12 months from the end of the recruitment process, unless further retention needs or User consent apply |
| Analysis of usage statistics and improvement of Site features via technologies involving data processing under Dir. 2002/58/EC | 6 (1) (a), based on User consent | until the expiration of the User’s online identifier retained the longest, unless deletion or anonymization is requested |
| Analysis of usage statistics and improvement of Site features not subject to Dir. 2002/58/EC for technical reasons | 6 (1) (f), for the legitimate interest of the Data Controller to improve its products and services | only for the period necessary for full anonymization of collected data |
| Re-contacting the User following events, occasions or meetings where the Data Controller or third parties collected contact data | 6 (1) (a), based on User consent or alternatively 6 (1) (f), for the legitimate interest of the Data Controller in maintaining contact with interested Users | until consent withdrawal or for a maximum of 3 months from data reception in case of legitimate interest, unless the User exercises opposition |
| Newsletter registration and subsequent management of commercial communications for special offers, promotions and news (marketing purposes) | 6 (1) (a), based on User consent | until consent withdrawal, and in any case no more than 2 months thereafter for technical and procedural purposes of the Data Controller |
| Analysis of User tastes and consumption habits to provide personalized promotions and services (profiling purposes) | 6 (1) (a), based on User consent | until consent withdrawal, and in any case no more than 2 months thereafter for technical and procedural purposes of the Data Controller |

Further information regarding data processing


If the User wishes to obtain further information about the balance between the legitimate interests pursued by the Data Controller and the fundamental rights and freedoms of the individual, they may contact the Data Controller using the provided contact details and are entitled to receive a response as soon as possible and in any case within the legal timeframes. In case of disputes with the User or third parties, or controls by Authorities, retention may be extended until the expiration of the last applicable statute of limitations. Data will not be disseminated in any way, except with express and prior consent from the User and within the limits permitted by law.


Consequences of not providing data


Providing personal data indicated as mandatory on the Site is necessary to achieve the related purposes: failure to provide such data makes processing impossible. Providing other personal data is optional: failure to provide these may result in total or partial inability to access certain Site functions or features. Regarding marketing and profiling purposes, as well as non-merely technical “online identifiers,” consent to processing is optional: there is no legal or contractual obligation to provide such data or to give consent for these purposes.


Automated decision-making processes


No personal data is processed through automated decision-making according to applicable legislation, in particular under Art. 22, paragraphs 1 and 4, of the GDPR. In any case, any automated processing will not produce legal effects on the User or significantly affect them unless specific informed consent is obtained and legal limits are respected.


Categories of entities processing personal data


Within the scope of the obligations, tasks or purposes indicated above, personal data may be processed, made available, and/or communicated to:

  • employees and/or collaborators of the Data Controller;
  • third parties appointed as Processors (e.g., suppliers of goods or services), including their employees and/or collaborators;
  • judicial, administrative and/or public security authorities in accordance with applicable regulations.

The complete list of Processors and other third parties can be requested from the Data Controller at any time using the contact details provided.

Transfer of personal data outside the European Economic Area


Personal data may be transferred to countries outside the European Economic Area for technical reasons, to entities based in countries recognized as “adequate” by the European Commission, including EU-US Data Privacy Framework participants, or to entities that have entered into Standard Contractual Clauses approved by the European Commission.


User rights (data subject)


The data subject may exercise the rights provided under EU Regulation no. 2016/679 at any time. Specifically, the data subject has the right:

  • to access their personal data;
  • to obtain rectification or erasure, or restriction of processing;
  • to object to processing, where permitted;
  • to obtain data portability, where applicable;
  • to withdraw consent: such withdrawal does not affect the lawfulness of processing based on prior consent;
  • to lodge a complaint with the supervisory authority: for Italy, the Data Protection Authority (www.gpdp.it).

The above rights can be exercised by sending a request to the Data Controller at the contact details indicated above, in particular the email address in the “Data Controller” section.