4. OTHER PROCESSING PURPOSES
4.1 Marketing
Some of the User’s personal data, such as name, surname, e-mail address, may also be processed by the Data Controller for marketing purposes (e.g. sending of advertising material, direct sales, commercial communication, sending newsletters containing information in relation to news relevant to the sector relating to the activities of the Data Controller and/or services and promotions relating to the contents of the Website/App and the services offered through the Website/App by the Data Controller), or in order for the Data Controller to contact the User through mail to propose to the User the purchase of products and/or services offered by the Data Controller and/or by third parties, to present offers, promotions and business opportunities by the Data Controller and/or by third parties.
In case of lack of consent, the possibility to using Service will not be in any way affected.
In case of consent, the User may at any time revoke the same, making a request to the Data Controller in the manner indicated in paragraph 8 below.
The User can also easily oppose further sending of promotional communications via e-mail by clicking on the appropriate link for the revocation of consent, which is present in each promotional e-mail. Once the consent has been revoked, the Data Controller will send the User an e-mail message confirming the revocation of the consent. If the User intends to revoke his or her consent to the sending of promotional communications via telephone, while continuing to receive promotional communications via email, or vice versa, please send a request to the Data Controller using the methods indicated in paragraph 8 below.
The Data Controller informs that, following the exercise of the right of opposition to the sending of promotional communications via e-mail, it is possible that the User continues to receive further promotional messages due to technical and operational reasons (e.g. formation of contact lists already completed shortly before the Data Controller’s receiving of the opposition request).
Should the User continue to receive promotional messages after 24 hours from the exercise of the right of opposition, please report the problem to the Data Controller, using the contacts indicated in paragraph 8 below.
4.2 Communication of data to the Data Controller’s Partners
With the User’s free and optional consent, some of the User’s personal data (such us name, surname, gender, date of birth, city and e-mail address) may be conveyed by the Data Processor to the following categories of third-party companies: (i) clothing, (ii) automotive, (iii) retail, (iv) credit and insurance, (v) electronics, (vi) information technology, (vii) information, (iix) health and wellness, (ix) sport, (x) entertainment, (xi) tourism, (xii) online digital services and (xiii) recruitment (collectively referred to as the “Data Controller’s Partners”). The Data Controller's Partners, as independent data controllers, will process the personal data of the User for marketing purposes (direct sales, sending of advertising material and commercial communication), and may contact the User by post or e-mail to propose to the User the purchase of products and/or o services offered by the same categories of third-party companies and/or by other companies and to present offers, promotions and business opportunities to the User.
Pursuant to Article 14, paragraph 3 of the Regulations, after successful transfer, the Data Controller’s Partner will be responsible for providing the Users all the information provided for by Article 14 of the Regulations.
In case of lack of consent, the possibility to register on the Website will not be in any way affected.
In case of consent, the User may at any time revoke the same, making a request to the Data Controller in the manner indicated in paragraph 8 below.
The Data Controller informs that the User's personal data will be processed by the Data Controller’s Partners as autonomous data controllers, on the basis of the specific information that will be issued by the Data Controller's Partners to Users. Any requests not to receive further commercial communications from the Data Controller’s Partners to whom the data has already been communicated by the Data Controller, must therefore be addressed directly to them.
5. LEGAL BASIS FOR PROCESSING
Provide the Service (as described in the previous paragraph 3, letter a)): the legal basis consists of art. 6, paragraph 1, lett. b) of the Regulations, or the processing is necessary for the performance of a contract to which the User is party or in order to take steps at the request of the data subject prior to entering into a contract.
With regard to data belonging to particular categories pursuant to art.9 of the Regulations (specifically information that may reveal the orientation and the sexual life of the User), the legal basis consists of art.9, paragraph 2, lett. a) of the Regulations, or the provision by the data subject of an explicit consent of their data for a specific purpose.
Administrative and accounting purposes (as described in the previous paragraph 3, letter b)): the legal basis consists of art. 6, paragraph 1, lett. b) of the Regulations, as the processing is necessary for performance of a contract to which the User is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legal obligations (as described in the previous paragraph 3, letter c)): the legal basis consists of art. 6, paragraph 1, lett. c) of the Regulations, as the processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
Other processing purposesfor the processing relating to marketing purposes, (as described in the previous paragraph 4.1) and for that relating to the communication of data to the Data Controller's Partners (as described in the previous paragraph 4.2), the legal basis consists of art. 6, paragraph 1, lett. a) of the Regulations, or the provision by the data subjects of consent to the processing of their personal data for one or more specific purposes. For this reason, the Data Controller asks the User to provide specific free and optional consent, to pursue each of the purposes mentioned in this paragraph.
6. PROCESSING MEANS AND DATA RETENTION PERIOD
The Data Controller will process the personal data of Users using manual and IT tools, with logic strictly related to the purposes themselves and, in any case, in order to guarantee the security and confidentiality of the data.
The personal data of Website/App Users will be retained for the time strictly necessary to carry out the main purposes explained in paragraph 3 above up to a maximum of 6 months period from the end of the contractual relationship with the Data Controller, or, in any case, as necessary for the protection in civil law of the interests of both the Users and the Data Controller.
In the cases referred to in paragraphs 4.1 and 4.2 above, the personal data of Users will be retained for the time strictly necessary to carry out the purposes described therein and, in any case, up to a maximum of 12 months from the date of consent or, if earlier, until the User withdraws his consent.
In any case, any retention terms provided for by law or regulations are reserved.
If the User decides to block and/or delete their profile, all stored data relating to the User is deleted. If the complete deletion of User data is not permitted or required by law, the data is limited for further processing.
7. TRANSMISSION AND DISSEMINATION OF DATA
The User's personal data may be transferred outside the European Union and the UK and, in this case, the Data Controller will ensure that the transfer takes place in accordance with the Applicable Regulation and, in particular, in accordance with Articles 45 (Transfer on the basis of an adequacy decision) and 46 (Transfer subject to adequate guarantees) of the Regulations.
The employees and/or collaborators of the Data Controller who are in charge of carrying out Website and App maintenance may become aware of the personal data of the Users. These subjects, who are formally appointed by the Data Controller as "in charge of processing", will process the User's data exclusively for the purposes indicated in this policy and in compliance with the provisions of the Applicable Regulation.
The personal data of the Users may also be disclosed to third parties who may process personal data on behalf of the Data Controller as "Data Processors", such as, for example, IT and logistic service providers functional to the operation of the Website, outsourcing or cloud computing service providers, professionals and consultants.
Users have the right to obtain a list of any data controllers appointed by the Data Controller, making a request to the Data Controller in the manner indicated in paragraph 8 below.
In addition, other Users may also become aware of the User's personal data, considering the nature of the Service described above and what is specified in the General Terms and Conditions in this regard.
8. RIGHTS OF THE DATA SUBJECTS
Users may exercise their rights granted by the Applicable Regulations by contacting the Data Controller as follows,
Directly online:
Through the postal letter:
Sending a registered letter with return receipt to the registered offices of the Data Controller (Via Comelico, 3, 20135 Milano);
If you are a User who uses the Website/App and you are resident in an EU country
Users may also contact the Data Protection Officer (RPD or DPO) of the Data Controller for any information or request to the following contact details: company Shibumi Srl, e-mail: dpo@iumob.it.
If you are a User who uses the Website/App and resides in the UK
Pursuant to Article 27 of the UK GDPR, the Data Controller, being established outside the United Kingdom, has appointed GDPRLocal Ltd. as its Representative in the United Kingdom, who may be contacted by UK Users for matters relating to the processing of personal data:
GDPRLocal Ltd.
Telephone number: + 441 772 217 800
Address: GDPRLocal Ltd. 1st Floor Front Suite 27-29 North Street, Brighton, England BN1 1EB
Pursuant to Applicable Regulation, the Data Controller informs that Users have the right to obtain indication (i) of the origin of personal data; (ii) the purposes and methods of the processing; (iii) the logic applied in the event of processing carried out with the aid of electronic instruments; (iv) of the identification details of the data controller and processors; (v) the subjects or categories of subjects to whom the personal data may be communicated or who may come to aware of them as processors or agents.
Furthermore, Users have the right to obtain:
a) Access, updating, rectification, or, when interested, integration of data;
b) The cancellation, transformation into anonymous form or the restriction of data processed in breach of the law, including data that does not need to be stored in relation to the purposes for which the data was collected or subsequently processed;
c) Certification to the effect that notification has been supplied of operations as per letters a) and b), as regards their content, to those to whom the data was communicated or disseminated, except for the case where notification proves impossible or requires the use of means clearly disproportionate to the right being protected.
Moreover, the Users have:
a) The right to withdraw consent at any time if the processing is based on their consent, without the revocation affecting the lawfulness of the processing carried out prior to the revocation;
b) The right to data portability (the right to receive all personal data concerning them in a structured format, commonly used and readable by automatic device);
c) The right to oppose to: