INFORMATION ON THE PROCESSING OF PERSONAL DATA pursuant to Art. 13 Reg. EU 2016/679

Dear Customer,
in accordance with EU Regulation 2016/679 (hereinafter referred to as the “Regulation”), we hereby provide information on the processing of personal data provided in the process of registering on the Controller’s website or in the course of the contractual relationship with the Controller. On this point, it should be noted that the Regulation applies only to natural persons and not to legal persons.

1. DATA CONTROLLER
The data controller is PDT Cosmetici S.r.l. (VAT NO. 04754730721)
Registered office: Viale Cavalieri del Lavoro, 45/47 – 70017 Putignano (BA)
PEC: pdtcosmeticisrl@pec.it
E-mail: gdpr@pdtcosmetici.it.

2. PURPOSE AND LEGAL BASIS OF PROCESSING

a. Personal data collected when sending requests, registering on the Controller’s websites and in the course of contractual relations with the Controller are processed for the purposes indicated below in accordance with the legal basis set out below. The provision of such data is necessary for the implementation of the contract and any refusal to provide such data will make it impossible to implement the contract, to supply the products requested or to provide the services requested.

a.1 Purpose: Fulfilment of legal obligations
– Categories of data processed: Personal data (mainly personal data, contact data, payment and financial data, data relating to the use of IT systems such as IP address, type of device, operating system type and version, browser language, activities performed)
– Legal basis: Necessary for compliance with a legal obligation to which the data controller is subject (Art. 6(1)(c) Regulation)
– Example: We need your details to issue a purchase invoice.

a.2 Purpose: Management of the contractual relationship or of the requested service
– Categories of data processed: Personal data (mainly personal data, contact data, payment and financial data)
– Legal basis: Necessary for contract implementation or execution of pre-contractual measures (Art. 6(1)(b) Regulation)
– Example: We need your details and address to deliver your purchase or to handle any returns.

a.3 Purpose: Litigation management
– Categories of data processed: Personal data (mainly personal data, contact data, payment and financial data, data relating to the use of IT systems such as IP address, type of device, operating system type and version, browser language, activities performed)
– Legal basis: Necessary for the purposes of pursuing the legitimate interests of the data controller or a third party (Art. 6(1)(f) Regulation)
– Example: We need your data to handle any complaints or legal disputes.

a.4 Purpose: Security and functionality of information systems
– Categories of data processed: Personal data (mainly personal data, contact data, payment and financial data, data relating to the use of IT systems such as IP address, type of device, operating system type and version, browser language, activities performed)
– Legal basis: Necessary for the purposes of pursuing the legitimate interests of the data controller or a third party (Art. 6(1)(f) Regulation)
– Example: We need your data to enable the smooth operation of the site or to correct malfunctions.

b. In addition, if you have already purchased products from the Controller, have registered with the site or are otherwise a customer, some data will be processed for the following additional purposes, without prejudice to the possibility to object to the processing. This processing is not necessary for the implementation of the contract and any objection to the processing shall not affect the possibility of performing the contract, supplying the requested products or providing the requested services.

b.1 Purpose: Sending newsletters and direct marketing
– Categories of data processed: Personal data (name, surname, e-mail)
– Legal basis: The processing is necessary for the pursuit of the legitimate interest of the data controller (Art. 6(1)(f) of the Regulation) and Art. 130(4) of Legislative Decree No. 196/2003.
– Example: We will send out a regular newsletter.

c. Finally, if you have not already been a customer, some data will be processed for the following optional and additional purposes. This processing is not necessary for the implementation of the contract and any failure to consent to the processing shall not affect the possibility of performing the contract, supplying the requested products or providing the requested services.

c.1 Purpose: Sending newsletters and direct marketing
– Categories of data processed: Personal data (name, surname, e-mail)
– Legal basis: Consent (Art. 6(1)(a) Regulation)
– Example: We need your e-mail address to send you our newsletter. You can unsubscribe from the newsletter at any time.

3. CATEGORIES OF RECIPIENTS
Within the scope of the above-mentioned purposes, the data collected may be communicated to the following subjects:

Recipients:
– Public bodies, control and inspection bodies, bodies assimilated to public bodies
Motivation: Fulfilment of a legal obligation

Recipients:
– Banks and credit institutions
– Insurance companies
– Professionals, consultants or companies working for the Controller
– Other organisations providing services for the Controller (e.g. IT services, shipping services)
– Parent, subsidiary or associated companies
Motivation: Instrumental to the execution of the service

4. DISSEMINATION OF DATA
The data will not be disseminated.

5. DATA TRANSFER
The Controller may transfer personal data to a third country for reasons that are instrumental to the above purposes. Where it is necessary to use entities residing outside the European Union, we inform you that the precautions required by the Regulation will be adopted, basing the transfer on:
– adequacy decisions of the recipient third countries expressed by the European Commission;
– adequate guarantees given by the person residing outside the European Union;
– binding corporate rules.

6. DATA RETENTION
The personal data collected will be stored: (i) for the time strictly necessary for the management of the contractual relationship or of the service requested, as well as for the further period prescribed by law, that is up to 10 years from the last registration for the purposes referred to in point a; (ii) until the expiry of the terms of judicial protection and/or appeal actions for the purposes referred to in point 2(a)(3); (iii) until such time as you object to the processing for the purposes referred to in point 2(b)(1); (iv) for two years from the giving of consent for the purposes referred to in point 2(c)(1) (unless you withdraw your consent).

7. RIGHTS OF THE DATA SUBJECT
In relation to the data provided, you may request to exercise the following rights: access, cancellation, rectification, restriction of processing, objection to processing, data portability, revocation of consent given when processing is based on consent.
If you believe that a processing operation is in breach of Regulation (EU) 2016/679, you can also file a complaint with the supervisory authority (data protection authority) of the member state where you reside, work or where the breach occurred.
To exercise your rights, you can send a written request or e-mail to the Controller’s addresses listed above (point 1).