
​
Privacy Policy
EXTENDED INFORMATION NOTICE PURSUANT TO ARTICLES 12, 13 AND, WHERE APPLICABLE, 14 OF THE GDPR – REGULATION (EU) 2016/679 RELATING TO THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER THE GDPR)
​
The data controller provides below the Information Notice pursuant to articles 12, 13 and, where applicable, 14 of the GDPR relating to the processing of personal data provided by the Customer/data subject through the completion and signing of the Contract to purchase the products/services offered for sale by the data controller itself, by spontaneously uploading personal data to this website (in particular through the completion of forms) or simply by browsing it.
​
1. Data Controller and Contact Details
The data controller is Lavablu di Oswald Mutschlechner, with registered office at Via Claudia Augusta 54, 39100 Bolzano BZ, VAT No. 02734020213, tel. +39 339 4191252, e-mail info@lavablu.it, web https://www.lavablu.com (hereinafter the Site).
​
2. Principles Applicable to Processing
In accordance with the provisions of the GDPR, the data controller constantly endeavors to ensure that personal data are:
a. processed lawfully, fairly and transparently;
b. collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d. accurate and, where necessary, kept up to date;
e. kept for no longer than is necessary for the purposes for which they are processed;
f. processed, by means of appropriate technical and organizational measures, in a manner that ensures their security;
g. processed, where based on consent, by decision freely taken by the Customer/data subject, based on a request presented in a manner clearly distinguishable from the rest, in comprehensible and easily accessible form, using simple and clear language.
The data controller adopts appropriate technical and organizational measures to ensure the protection of personal data from design and to guarantee that, by default, only data necessary for each specific processing purpose are processed.
​
The data controller collects and gives the utmost consideration to indications, observations and opinions of the Customer/data subject transmitted to the above-mentioned contact details, in order to implement a dynamic privacy management system that ensures effective protection of persons with regard to the processing of their data.
​
This Information Notice may be subject to modifications, in accordance with the evolution of the reference regulations and the technical and organizational measures adopted from time to time by the data controller; the Customer/data subject is therefore requested to periodically visit this section of the Site, to view the updates and the Information Notice in the text in force from time to time.
​
3. Methods of Processing Personal Data
The processing of personal data is carried out manually and with electronic tools, with logic strictly related to the purposes indicated below and, in any case, in a way that guarantees the security and confidentiality of the data itself.
4. Purposes of Personal Data Processing
(4a) Purposes for which data processing is necessary
The personal data provided by the Customer/data subject are mainly processed for the execution of the Contract and credit management and, more generally, of the relationship arising from the Contract itself.
The provision of data in the Contract or subsequently, during the contractual relationship, for the processing purposes in question is mandatory; therefore, the failure to provide, partial or inaccurate provision of such data makes it impossible to stipulate and/or execute the Contract and, for the Customer/data subject, to benefit from the products/services offered by the data controller, potentially exposing the Customer/data subject to liability for contractual breach.
The personal data provided by the Customer/data subject may also be subject to processing if this is necessary to comply with a legal obligation to which the data controller is subject, for the protection of the vital interests of the Customer/data subject or of another natural person, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, or for the pursuit of the legitimate interest of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the Customer/data subject do not prevail; also in these cases, the provision of data is mandatory and, therefore, the failure to provide, partial or inaccurate communication of data may expose the Customer/data subject to any liability and sanctions provided for by the legal system.
(4b) Additional processing purposes following specific and express consent of the Customer/data subject
In addition to the processing purposes mentioned above, the personal data provided/acquired may be processed, subject to the consent of the Customer/data subject, to be expressed by selecting the box "Grant consent" on the Contract or on the Site (or using other social or web applications of the data controller), also for conducting market research and for making commercial and promotional communications, by telephone (also using the mobile number provided) and automated contact systems (e-mail, SMS, MMS, fax, etc.), on products/services of the data controller or of companies of the Group to which the data controller may belong.
Consent for the processing purposes referred to in this point (4b) is optional; therefore, following any refusal, the data will be processed only for the purposes indicated in the previous point (4a), except as specified below with reference to the legitimate interests of the data controller or third parties.
5. Categories of Personal Data Processed
The data controller mainly processes identifying/contact data (name, surname, addresses, type and number of identification documents, telephone numbers, e-mail addresses, data of a fiscal/billing nature, among others) and, where commercial transactions are provided, financial data (of a banking nature, in particular current account identifiers and credit card numbers, among others connected to the aforementioned commercial transactions).
​
The processing that the data controller carries out, both for the execution of the Contract and by virtue of express consent of the Customer/data subject, does not generally concern special categories of personal data, known as sensitive (which reveal racial or ethnic origin, political opinions, religious beliefs, health status or sexual orientation, etc.), nor genetic and biometric data or so-called judicial data (relating to criminal convictions and offenses).
​
However, it cannot be excluded that the data controller, in order to execute the obligations arising from the Contract, must preserve and/or has the need to process sensitive, genetic and biometric or judicial data, of the Customer/data subject or third parties, which the Customer/data subject has available as data controller; in the case in question, the processing by the data controller takes place by virtue of, under the conditions and within the limits of the appointment of the same data controller as data processor, by the Customer/data subject.
The data controller processes, as data controller with reference to the Site, and, potentially, as data processor appointed for this purpose (in the terms mentioned above) by the Customer/data subject, also the so-called navigation data. The computer systems and software procedures responsible for the operation of internet sites acquire, during their normal operation, some personal data, whose transmission is implicit in the use of internet communication protocols. This is information that is not collected to be associated with identified subjects, but which, by its very nature, could allow the identification of the data subject. This category of information includes geolocation data, IP addresses, browser type, operating system, domain name and addresses of websites from which access or exit was made, information on pages visited by users within the site, access time, stay on individual pages, internal path analysis and other parameters relating to the operating system and computer environment of the user. This is, therefore, information that, by its very nature, allows users to be identified through processing and association, including with data held by third parties.
On the Site, cookies may be used, both session cookies (which are not stored on the data subject's computer and disappear when the browser is closed) and persistent cookies, for the transmission of information of a personal nature, or in any case systems for tracking data subjects.
​
6. Source of Personal Data
The personal data that the data controller processes are collected directly by the data controller from the Customer/data subject at the time of, and during, their navigation of the Site (or using other social or web applications of the data controller), or, also through their own sales staff, on the occasion of, or subsequent to, the signing of the Contract, during its execution, or from public sources.
As specified above, the data controller, as data processor appointed for this purpose, in order to execute the obligations arising from the Contract, may preserve and/or process data, in particular navigation data, potentially also sensitive, genetic and biometric or judicial data, of third parties, which the Customer/data subject has available as data controller, acquired, with the prior consent of said third parties, at the time of, and during, the navigation of said third parties on the Site (or using other social or web applications referable to the data controller).
7. Legitimate Interests
The legitimate interests of the data controller or third parties may constitute a valid legal basis for processing, provided that the interests or fundamental rights and freedoms of the data subject do not prevail. In general, such legitimate interests may exist when there is a relevant and appropriate relationship between the data controller and the data subject, for example when the data subject is a customer of the data controller. In particular, it constitutes a legitimate interest of the data controller to process personal data of the Customer/data subject: for fraud prevention purposes, for direct marketing purposes, to ensure the free circulation of the same data within the business Group to which the data controller may belong, or related to traffic, in order to guarantee the security of networks and information, that is, the ability of a network or system to resist unexpected events or illegal acts that may compromise the availability, authenticity, integrity and confidentiality of data.
8. Circulation of Personal Data
(8a) Communication of personal data – categories of recipients
In addition to the employees and collaborators in various capacities of the data controller (who are authorized by the data controller to process data by virtue of adequate written operational instructions, in order to guarantee the confidentiality and security of data), some processing operations may also be carried out by third parties, to whom the data controller entrusts certain activities, or parts thereof, functional to the purposes referred to in point (4a), therefore both in execution of contractual and legal obligations, among which deserve mention, in any case, inevitably, non-exhaustively: commercial and/or technical partners; companies that provide banking and financial services; companies that carry out document archiving services; debt recovery companies; accounting auditing and balance sheet certification companies; rating companies; subjects that carry out, in favor of the data controller, assistance and professional consultancy activities; companies that carry out customer care activities; factoring companies, credit securitization companies or otherwise assignees of credits; companies of the Group to which the data controller may belong; subjects that provide commercial information; IT service companies. The subjects belonging to the aforementioned categories process the same personal data as autonomous data controllers, or as data processors, with reference to specific processing operations that fall within the contractual services that the same subjects perform in favor of/in the interest of the data controller; the data controller gives adequate written operational instructions to the data processors, with particular reference to the adoption of minimum security measures, in order to guarantee the confidentiality and security of data.
Some processing operations may be carried out by third parties, to whom the data controller entrusts certain activities, or parts thereof, also functionally to the purposes referred to in point (4b), among which deserve mention, in any case, inevitably, non-exhaustively: commercial and/or technical partners; companies that institutionally provide marketing services; advertising agencies; subjects that provide assistance and consultancy activities with reference to competitions and prize operations. The subjects belonging to the aforementioned categories process personal data as autonomous data controllers, or as data processors, with reference to specific processing operations that fall within the contractual services that the same subjects perform in favor of/in the interest of the data controller; the data controller gives adequate written operational instructions to the data processors, with particular reference to the adoption of minimum security measures, in order to guarantee the confidentiality and security of data.
Available, upon written request to be sent to the registered office of the data controller, is the list, subject to periodic updating, of data processors with whom the data controller maintains relationships.
Personal data may also be communicated, upon request, to competent authorities, in compliance with obligations arising from mandatory provisions of law.
(8b) Transfer of personal data to third countries
The personal data of the Customer/data subject may also be transferred abroad, both to European Union countries and to countries outside the European Union and, in the latter case, either on the basis of an adequacy decision, or within the framework and with the adequate safeguards provided by the GDPR (therefore, in particular, in the presence of standard contractual clauses for data protection approved by the European Commission), or, outside the cases mentioned above, using one or more of the derogations provided by the GDPR (in particular, by virtue of explicit consent of the Customer/data subject, or for the execution of the Contract concluded by the Customer/data subject, or for the execution of a contract stipulated between the data controller and another natural or legal person in favor of the Customer/data subject, notably for the execution of activities delegated to this by the data controller for the execution of the Contract concluded with the Customer/data subject). In the case of data transfers to countries outside the European Union, the Customer/data subject is allowed, upon written request to be sent to the registered office of the data controller, to know the adequate safeguards, or the derogations, that legitimize cross-border processing. It is understood, in the case of data transfer to countries outside the European Union, that for any request concerning data, including for the exercise of rights recognized by the GDPR to the Customer/data subject, they may always validly contact the data controller.
9. Criteria for Determining the Retention Period of Personal Data
For the purposes referred to in point (4a) above, the retention period of personal data provided by the Customer/data subject, and their consequent potential processing, coincides with the limitation period of rights/duties (legal, fiscal, etc.) arising from the Contract: generally 10 years, therefore, except for the occurrence of events interrupting the limitation that could effectively extend said period.
For the purposes referred to in point (4b) above, the retention period of data provided by the Customer/data subject, and their consequent potential processing, ends with the revocation of consent previously given by the Customer/data subject or, failing this, in any case after one year from the cessation of any relationship between the data controller and the Customer/data subject.
10. Rights of the Customer/Data Subject
The data controller recognizes – and facilitates the exercise by the Customer/data subject of – all rights provided by the GDPR, in particular the right to request access to their personal data and to extract a copy thereof (art. 15 GDPR), to rectification (art. 16 GDPR) and erasure thereof (art. 17 GDPR), to restriction of processing concerning them (art. 18 GDPR), to data portability (art. 20 GDPR, where the conditions are met) and to object to processing concerning them (arts. 21 and 22 GDPR, for the cases mentioned therein and, in particular, to processing for marketing purposes or that translates into automated decision-making, including profiling, that produces legal effects concerning them, where the conditions are met).
The data controller also recognizes, to the Customer/data subject, where processing is based on consent, the right to withdraw said consent at any time, without prejudice to the lawfulness of processing based on consent given before withdrawal. To do this, the Customer/data subject can unsubscribe at any time on the Site (or on other social or web applications of the data controller) or using the appropriate link present at the bottom of each commercial communication received, or by contacting the data controller at the contact details indicated above.
The data controller also informs the Customer/data subject of the right to lodge a complaint with the Data Protection Authority, as the supervisory authority operating in Italy, and to bring legal proceedings, both against a decision of the Data Protection Authority and against the data controller and/or a data processor.
11. Security of Systems and Personal Data
Taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of processing, as well as the risk, in terms of probability and severity, for the rights and freedoms of natural persons, the data controller adopts technical and organizational measures deemed appropriate to guarantee a level of security adequate to the risk, in particular ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of processing systems and services (also through the encryption of personal data, where necessary) and the ability to promptly restore the availability of data in case of physical or technical incident, and adopting internal procedures aimed at regularly testing, verifying and evaluating the effectiveness of the technical and organizational measures employed.
​
In assessing the adequate level of security, account is taken of the risks presented by processing that derive, in particular, from destruction, loss, modification, unauthorized disclosure or access, accidentally or unlawfully, to personal data transmitted, stored or otherwise processed.
​
The data controller ensures that anyone acting under its authority and having access to personal data does not process such data unless instructed to do so by the data controller.
That said, the Customer/data subject acknowledges and accepts that no security system guarantees, in terms of certainty, absolute protection; therefore, the data controller is not liable for acts or facts of third parties who abusively, despite adequate precautions adopted, should access the systems without due authorization.
​
12. Automated Decision-Making, Including Profiling
The data controller may carry out automated processing, including profiling, in relation to the purposes referred to in point (4b) above, to optimize the navigability of the Site (or the usability of other social or web applications of the data controller) and to improve the purchase experience, except as specified above with regard to the rights of opposition and withdrawal of consent by the Customer/data subject.
Profiling means any form of automated processing of personal data aimed at evaluating certain aspects relating to a natural person, in particular to analyze or predict aspects concerning, for example, personal preferences, interests or location of said person, also for the purpose of creating profiles, or homogeneous groups of subjects by characteristics, interests or behaviors.
The data controller does not carry out any automated processing that produces legal effects concerning the Customer/data subject or that similarly significantly affects their person, unless this is necessary for the conclusion or execution of the Contract, is authorized by law or is based on the explicit consent of the Customer/data subject, in any case always recognizing the latter's right to obtain human intervention, to express their opinion and to contest the decision.
