ARTICLE 1. PARTIES TO THIS ACT Between the undersigned: 1°) SONORA BOOTS SRL, a limited company with a capital of €10,000, registered with the Milano Monza Brianza Lodi Trade and Companies Registry under number MI-2615878, and whose registered office is located at Via Luigi Amedeo Melegari 4 Cap 20122 Milan, ITALY and whose VAT number is 11635460964 (hereinafter "SONORA"), Hereinafter referred to as the "DATA CONTROLLER", ON THE ONE HAND, And 2°) Any individual Navigating on the website of the Data Controller. Hereinafter referred to as the "DATA SUBJECT", ON THE OTHER HAND, It was outlined and agreed as follows:
ARTICLE 3 - DEFINITIONS - CONSENT means any free, specific, informed and unambiguous expression of will by which the Data Subject accepts, by a declaration or by a clear positive act, that Data concerning him/her may be processed by the Data Controller. - COOKIE means a file that allows the Data Subject to trace his or her path on the Site. - RECIPIENT means any individual or legal person, public authority, service or other body that receives communication of the Data, whether or not it is a Third Party. However, public authorities that are likely to receive communication of the Data, including in the context of a fact-finding mission, are not considered as Recipients within the meaning of this definition. - DATA means any information relating to the Data Subject. - FILE means any structured set of Data accessible according to determined criteria, whether this set is centralised, decentralised or distributed in a functional or geographical manner. - BROWSING means the consultation of, finding out about, ordering and/or purchase of Products on the Site by the Data Subject. - DATA SUBJECT means any individual who browses the Site, as soon as he or she can be identified, directly or indirectly, including by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more elements specific to his or her physical, physiological, genetic, psychological, economic, cultural or social identity. - PRODUCTS means the products offered for sale on the Site by the Data Controller to the Data Subject.
- DATA CONTROLLER means the company SONORA BOOTS SRL, a simplified joint stock company with a capital of €10,000, registered with the Milano Monza Brianza Lodi Trade and Companies Registry under number MI-2615878, and whose registered office is located at Via Luigi Amedeo Melegari 4 Cap 20122 Milan, ITALY and whose VAT number is 11635460964 (hereinafter "SONORA"). - SITE refers to the infrastructure developed by the Data Controller according to the computer formats that can be used on the Internet, including data of various kinds, in particular texts, sounds, still or animated images, videos and databases, intended to be consulted by the Data Subject to find out about, reserve, order and/or purchase Products (www.sonoraboots.it). - DATA PROCESSOR means any individual or legal person, public authority, service or other body other than the Data Controller who processes the Data on behalf of the Data Controller. - THIRD PARTY means any natural or legal person, public authority, service or other body other than the Data Controller, the Processor and the persons who, under the direct authority of the Data Controller or the Processor, are authorised to process the Data, and in particular tour operators, travel agencies and reservation systems. - PROCESSING means any operation or set of operations, whether or not carried out using automated processes and applied to the Data or sets of Data, such as collection, recording, organisation, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, matching or interconnection, limitation, erasure or destruction.
AGREEMENT
ARTICLE 4. PRINCIPLES RELATING TO THE PROCESSING In accordance with the Legislation, the Data Controller undertakes to comply with the following principles for each Processing: - Lawfulness; - Loyalty; - Transparency; - Purpose limitation; - Data minimisation; - Accuracy; - Storage limitation; - Integrity; - Confidentiality; - Accountability.
ARTICLE 5. PROCESSED DATA In the context of Browsing, the Data Controller is required to collect and process a certain number of Data, in particular: Personal information (surname, first name, height, gender, postal address, email address, telephone number, date of birth, age, date of registration and unsubscription to the client account and to the newsletter of the Data Controller, messages exchanged with the Data Controller); Banking information (means of payment, credit card number); Information about your order (product ordered, delivery address, delivery tracking number, order price, purchase and delivery history); Technical information (browsing behaviour on the Site, IP address, products added to the basket, collection of Consent).
ARTICLE 6. CONTEXT OF THE PROCESSING The Data may be collected and processed by the Data Controller on various occasions, and in particular: Purchase of Products on the Site; Contact with the Data Controller; Subscribing to the newsletter; Creation of a client account; Publication of notices relating to Products; Browsing on the Site.
ARTICLE 7. DATA PROCESSOR AND CONTROLLER Under the GDPR, the controller is the subject that, alone or jointly with others, determines the purposes and means of the processing of personal information. The controller for the data processing related to the activities of the Site is: • SONORA BOOTS S.r.l., with registered offices in Milano (MI), Via Luigi Amedeo Melegari, 4 - 20122, Italy; contact: firstname.lastname@example.org (the "Controller"). There is a designated Data Protection Officer to ensure that the Site processes personal information in compliance with the GDPR. The DPO can be contacted for any enquiries at the following email address: email@example.com. With respect to personal information of non-registered users who have opted to receive newsletters and marketing communications, SONORA acts both as the sole Controller and processor of these activities.
ARTICLE 8. PERSONAL INFORMATION. PURPOSES OF PROCESSING. “Personal information” means any information relating to users and that identifies them personally, either alone or in combination with other information. Personal information is collected automatically by the Site or received via multiple sources: forms, chat, e-mail, apps, devices, social media and other means. The Site processes personal information in various forms for the following purposes: • BROWSING DATA The Site collects non-sensitive browsing data by automatic means in order to enable and improve user navigation (e.g., IP address, date/time of the visit and its length, any referring URL, the pages visited on the Site, the device used and other information). The processing of such information allows users to access the Site and fully enjoy its features and services. Furthermore, browsing data may be used to verify that the Site is functioning properly. From time to time, browsing data are processed anonymously for statistical purposes. Browsing data are unlikely to allow identification of the relevant data subject. However, by their very nature, browsing data may allow identification of the users if associated with other information. The browsing data described above are stored only temporarily in compliance with the applicable law.
• ORDERS At checkout, the Site asks users to provide personal information for the essential purpose of fulfilling their purchase orders and complying with contractual obligations (e.g., name and surname, e-mail address, delivery address, etc.). Such personal information is also essential for the Customer Service to assist customers on enquiries and for any related necessity, before or after the sale (for instance, with respect to the order delivery status or on product returns). Personal information related to orders will be stored as long as required to comply with contractual obligations and with the applicable tax and financial reporting obligations. The Site may also verify the payment instruments used by customers to purchase on the Site (e.g. credit or debit card, etc.) for the main purpose of preventing fraudulent activities or pursuant to the applicable anti-money-laundering laws. As full reliance for payment verification is given to third party payment processors, the Controllers do not process or store any financial information belonging to customers. Failure to provide the personal information required at checkout will prevent users from completing an order on the Site. Based on its legitimate interest to improve its relationship with customers, the Site will send the latter email communications with product suggestions, discounts, feedback requests or other updates. Customers are always free to unsubscribe from such email communications (for instance, by clicking on the “unsubscribe link” at the bottom of each email). • SITE REGISTRATION When users opt to register a personal Site account, they are asked to submit personal information (e.g., date of birth, gender, etc.). The Site clearly indicates which personal information is mandatory (or not) to set up a Site account.
Users must submit personal information that is true and accurate at the moment of registration and are invited to maintain their personal information up-to-date (if any modification occurs) by logging into the personal account to make all relevant changes. Users who choose to enable or log in to their Site account via social media should be aware that when they connect their Site account to a social media account, the Site collects certain personal information the User has already provided to that social media (for example, the email address and public profile on Facebook). The Controller does not oversee or control such social media services or the user’s profiles on these services, and does not establish privacy settings or rules for how personal information on those services will be used. Users are highly encouraged to read all policies and information regarding the applicable social media services to learn more about how they process personal information. • NEWSLETTER AND MARKETING COMMUNICATIONS On the Site, users can opt to receive newsletters and commercial communications. The Site always collects the explicit, free and unambiguous consent of users prior to submitting newsletters and marketing communications to these users or, more in general, before undertaking electronic marketing initiatives dedicated to them. In such cases, users may be invited to submit personal information in addition to their e-mail address (e.g., gender, country of residence, etc.) for the purpose of having newsletter and marketing communications tailored to the user profile. Users can always easily withdraw their consent from receiving newsletters and commercial communications in the following ways: • Through their account settings; • By clicking on the ‘unsubscribe’ link in any such email; • By contacting our Customer service. With respect to personal information of non-registered users who have opted to receive newsletters and marketing communications, SONORA S.r.l.
acts both as the Controller and processor of these activities. • PROFILING With the user’s explicit consent, newsletter and marketing communications may be tailored to the user “profile”, based on the personal information the Site collects or receives about the concerned user. With respect to the customers of the Site, it is in the Site’s legitimate interest to process personal information to offer more interesting products, to improve the Site and to personalize the products offered on the Site. The main purpose of profiling is to propose products, services and initiatives more responsive to the tastes, shopping habits and interests of users and customers. Personal information may also be used for remarketing, retargeting or profiling purposes, including via third parties (e.g., social networks, etc.). Neither the Site nor the Controllers will ever carry out any profiling activities relating to children.
SHARING AND TRANSFER OF PERSONAL INFORMATION The Controller may transfer personal information of customers to primary third-party suppliers, acting as “data processors” (the “Processors”), for the purpose of performing business operations in order to fulfil their contractual obligations. The Controller will make their best effort to ensure that all Processors will apply their industry best practice to protect personal information and that they will not use personal information for any other purposes than those agreed with the Controllers. For instance, the Controllers may share personal information with the following categories of Processors: • Couriers and postal operators; • Fulfilment centers and warehouses; • Advertising, digital, marketing and social media agencies; • IT service providers; • Customer care service providers; • Payment service providers; • Persons, companies or professional firms that provide assistance and advice to the Holders in accounting, administrative, legal, tax and financial matters; • Subjects, bodies or authorities to whom it is mandatory to communicate personal data for purposes of compliance, abuse or fraud, or by order of the Authorities. In such cases, sharing personal information with the Processors is necessary for the Controllers to fulfil their contractual obligations and, also, to improve the Site’s products and services. Users can request an updated list of the Processors involved in the processing of personal information relevant to the Site’s activities by writing an email to: firstname.lastname@example.org The Controllers must always reserve the right to disclose personal information about users as required by law (for instance, in response to law enforcement requests), and where needed to protect the rights of the Controllers or their affiliates or third parties. 
Moreover, personal information may be disclosed to other companies within the same corporate group of each of the Controllers, or to third parties in the event of a corporate restructuring process, in full compliance with the applicable law. In any other cases, the sharing of personal information will be conditional upon the preliminary and explicit consent of the user, unless processing is allowed under an alternative legal basis. The Controllers will not transfer any personal information outside the European Economic Area (EEA), unless the user has explicitly authorized such transfer or the transfer of personal information outside the EEA is allowed by the GDPR on another legal basis.
ARTICLE 10. PROCESSING METHODS AND SECURITY MEASURES Personal information of users is processed by the Controllers with IT, automated and electronic tools and, in limited cases, by using documentary means. In accordance with the GDPR, specific security measures have been implemented to prevent data loss, unlawful or improper use, and unauthorized access. Only authorized employees of the Controllers, and authorized employees of the third-party suppliers, acting as Processors on behalf of the Controllers, have access to personal information related to the Site activities. Data processing agreements are in place with the Processors to ensure that they always meet the level of security required by the GDPR while processing personal information related to the Site activities. While the Site adopts primary security measures to prevent loss, destruction or dissemination of personal information, at the same time it cannot exclude the safety risks that are inherent in the online transmission of data. The user accepts the inherent risks of providing personal information over the internet and will not hold the Site responsible for any breach of security, unless this breach is due to the Site’s negligence or willful default.
ARTICLE 11. RETENTION OF PERSONAL INFORMATION The Controllers will store personal information for as long as it is needed to provide users and customers with the required services or to meet legal or tax obligations or for the minimum period prescribed by the law. In order to determine the appropriate retention period for personal information stored by the Site under user consent, the Controllers will take into account multiple factors to ensure that personal information is not stored for longer than the necessary or appropriate period. Such criteria will also include: • The purpose for which the Site holds personal information; • Legal, tax and regulatory obligations in relation to that personal information; • The type of ongoing relationship with the concerned user or customer (how often the user logs into their Site account, whether users continue to receive marketing communications, how regularly they browse or buy on the Site, etc.); • Any specific user request in relation to the deletion of personal information; • Legitimate business interests. The Site will promptly delete or anonymize personal information that is no longer needed or retained according to the law.
ARTICLE 12. CONNECTION TO THIRD-PARTY WEBSITES OR PLATFORMS The Site may contain banners, advertising messages and other links to third-party websites or platforms. The Controllers cannot control or be held responsible for the conduct of such third-party websites or platforms with respect to privacy law. Users are encouraged to read their privacy policies to verify how they collect and process personal information.
ARTICLE 13. THE RIGHTS OF USERS Users are entitled to receive confirmation as to whether the Controllers hold any personal information about them. If this is the case, under the GDPR, users also hold the rights to: • Be informed about the collection and use of their personal information; • Access their personal information at no cost; • Have inaccurate personal information rectified, or completed (when it is incomplete); • Have personal information erased (“the right to be forgotten”); • Under specific conditions, obtain the restriction or suppression of their personal information; • Obtain and reuse their personal information for their own purpose across different services when processing is based on a contract or on consent, and the processing is carried out by automatic means (“the right to data portability”); • Under specific conditions, object to the processing of their personal information; • Object at any time to the use of personal information for “profiling” or “automated decision-making” purposes; • Submit complaints related to the collection and processing of personal information to the competent supervisory authority; • Withdraw consent to the processing of personal information at any time. Users can contact the Site for any enquiry and to exercise their privacy rights at the following email address: email@example.com
WHAT COOKIES ARE Cookies are small text strings sent from the Site to your device, where information is stored for various purposes. In particular, cookies allow the Site to recognize users on subsequent visits or enable other websites to recognize such users for particular purposes.
WHAT KIND OF COOKIES WE USE ON OUR WEBSITE The Site uses various types of cookies for different purposes:
TECHNICAL COOKIES Technical cookies are cookies that allow users to navigate the Site or enjoy its basic functionality. These cookies are automatically installed on the user's device by the Site as a result of the user's access to the Site and do not require any specific consent from the user.
In fact, consent is not required by law in the event that a cookie is: • used exclusively to carry out the transmission of a communication; and • strictly necessary for the provider of a digital service expressly requested by the user to provide such a service. The technical cookies used by the Site include: • Browsing cookies: to ensure normal navigation and use of the Site, through different options or services; • Functional cookies: to save user preferences and facilitate the browsing experience based on a set of selected criteria (e.g. language, browser type, etc.). The Site also collects your IP address or any other identifying information on your device needed to operate the Site, diagnose server problems and fulfill other legitimate purposes.
Disabling technical cookies may limit the ability of users to navigate the Site and enjoy its features or services.
OTHER COOKIES All cookies other than technical cookies are set or activated only if the consent is given in advance by the users with the function "opt-in" (activation).
On their first visit to the Site, users are shown a cookie banner on the screen or interface. This banner will disappear once the user has accepted or refused the cookies used on the Site.
Activation can be expressed in a general way, for example by closing the banner or clicking on the OK button or scrolling the page or clicking on any of its elements; activation can also be provided selectively.
User activation is tracked and recorded in order to make their subsequent visits to the Site more effective. However, users can always revoke all or part of their previous consents.
DEACTIVATING COOKIES You can disable cookies by changing your browser settings. Almost all browsers are configured to accept cookies, but almost all (Google Chrome, Internet Explorer, Safari, Mozilla Firefox, etc.) allow you to disable cookies through the browser settings. Disabling browsing cookies or functional cookies may limit the service we offer or cause the Site to malfunction. To learn more, please visit the website www.youronlinechoices.com
CONTACTS Users who wish to contact the Site for any question relating to cookies are encouraged to write to: firstname.lastname@example.org