Information on the processing of personal data pursuant to art. 13 of the European regulation 679/2016
1. General principles
1.1. With this information, Brutus S.r.l.s., as Data Controller, pursuant to EU Regulation 679/2016 and subsequent amendments (hereafter "GDPR") and the current legislation on the protection of personal data, aims to specify the methods, times and purposes for managing the information and data of those who interact with the services offered by the Data Controller and accessible online at www.brutusfactory.com (hereafter also referred to as the "Site").
1.2. Pursuant to art. 8 paragraph 1 of the GDPR and art. 2 quinquies of Legislative Decree 196/2003, as amended pursuant to Legislative Decree 181/2018, if the interested party is under the age of 16, authorisation by a parent or guardian is required to legitimise consent.
1.3. The data will be processed in a lawful, correct and transparent manner, in compliance with the confidentiality requirements and through adopting the most appropriate security measures, in full compliance with the legislation on the protection of personal data.
2. Data Controller
2.1. With regard to the website www.brutusfactory.com, the Data Controller is Brutus S.r.l.s., with registered office in Via Gran Sasso n. 13, 10156 - Turin (TO), VAT number 12311660018, who acts as the legal representative (hereafter the "Owner").
With regard to the processing of the data covered by this information, it is possible to contact the Data Controller at the following addresses: Via Lessolo n. 19, Turin (TO), E-mail: firstname.lastname@example.org, Pec: email@example.com, Tel: 331-1365856.
2.2. The data processing operations will be carried out by employees and collaborators of the Data Controller, by the same appointees who have been duly instructed and operate in compliance with current legislation on the subject, or by third parties who are further identified in the following art. 7.
3. Interested Party
The interested party means the natural person who uses the services offered by the website www.brutusfactory.com, in particular anyone who:
- browses the Site, even if only for consultation;
- registers on the Site by creating a private account or a business account (in this case relating to the personal data of the person who materially registers);
- makes a purchase from the Site with simultaneous registration;
- contacts the Data Controller for requests, information, communications, complaints.
4. Data subject to processing
4.1. The Data Controller processes personal data, both identifying and non-sensitive information (notably: name, surname, tax code, VAT number, e-mail address, telephone number) provided directly by the interested party through:
(I) registration on the Site;
(II) sending communications or requests by e-mail or live chat;
(III) the purchase of products;
(IV) subscribing to the newsletter, sending reviews and/or complaints;
(V) the use of social widgets via social platforms (e.g. Facebook, Twitter, Pinterest, etc.).
4.2. In addition to the above, the information systems and software procedures used to operate the Site acquire, during their normal operation - and in any case within the limits of art. 14 paragraph 5 of the GDPR - some data whose transmission is implicit in the use of internet communication protocols (for example: access to the page, quantity of data transferred, Internet protocol (IP) address, type of browser, internet service provider (ISP) name, date and time of visit, web page of origin of the visitor).
This information is not collected in order to be associated with identified interests, but by its very nature it could, through processing and association with data held by third parties, allow users to be identified.
This data may be used to obtain monitoring information or statistics on the use of the Site, in order to check that it is functioning correctly or for security reasons.
4.3. Unless otherwise specified, requested data will be mandatory in order to fulfil the requests of the interested party and proceed with the registration, purchase or contact request. Failure by the interested party to communicate the aforementioned data will make it impossible to provide the requested service.
In the event that the data is indicated as optional, the interested party will be free to refrain from providing it without this having any consequence on the availability of the service or on its operation.
4.4. It is recommended that the interested party does not send sensitive data (for example, relating to health, religious beliefs or political opinions), which will in any case be immediately deleted.
4.5. The interested party assumes full responsibility for the personal data of third parties obtained, communicated or shared with the owner and guarantees that they have the right to communicate and disseminate this data, thus freeing the owner from any liability to third parties.
5. Purpose of processing the collected data
5.1. The data is collected and processed to allow the Data Controller to provide its Services and for the following purposes:
a) register the interested party and proceed with registration on the Site;
b) contact the interested party to provide information or respond to requests and/or complaints;
c) interact through live chat platforms;
d) fulfil the obligations arising from the purchase contract, as well as inform the interested party about the progress of the order and shipment;
e) fulfil fiscal, tax and accounting obligations deriving from existing relationships;
f) fulfil the obligations established by laws, regulations, community regulations or orders of the Authority;
g) perform tasks of public interest or related to the exercise of public authority;
h) pursue a legitimate interest of the Data Controller or third parties;
i) exercise the rights of the owner (for example, the right to defence in court);
j) optimise the use of the Site and develop internal statistics on its use, as well as profile users to improve the service to the customer.
5.2. The data is collected and processed only with specific consent for the following marketing purposes:
a) subscription to the newsletter and the consequent sending of communications by e-mail;
b) sending commercial communications and/or advertising material on the products or services offered by the Data Controller.
5.3. The interested party may contact the Data Controller to obtain further information on the purposes of the data processing relevant to each purpose.
6. Nature of the provision of data
6.1. The provision of data for the purposes described in point 5.1 is essential. Therefore, failure to provide the required data will not allow registration on the Site or the execution of the requested service.
6.2. The provision of data for the purposes described in point 5.2 is optional. The interested party may therefore decide not to provide any data or revoke the authorisation for the processing of data previously provided. In this case, the interested party will no longer receive newsletters or commercial communications, but may continue to use the services offered by the Data Controller.
7. Processing methods
7.1. Data Processing is carried out by means of the operations expressly indicated in the GDPR, specifically: collection, registration, organisation, conservation, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of Data.
7.2. The Data Controller processes the data according to the principles of correctness, lawfulness and transparency, adopting all the appropriate security measures (technical and organisational) aimed at preventing unauthorised access, disclosure, modification, loss or destruction.
7.3. The processing will be carried out using paper, computer and telematic tools, with organisational methods and rationale strictly related to the specific purposes indicated.
7.4. In addition to the Data Controller, in some cases, other people involved in the organisation of the Data Controller's activities may have access to the data (for example: employees, collaborators, administrative and commercial personnel) or third parties such as lawyers, system administrators, external consultants (for example: suppliers of technical services, payment services, logistics services, hosting providers, IT companies for the management of user reviews, monitoring and statistics, advertising and remarketing services, messaging and live chat, complaints management and customer care, communication agencies) appointed, if necessary, as Data Processors by the Data Controller.
In particular, in order to carry out processing related to the registration and orders placed through the Site, the Data Controller makes use of the support and assistance of companies that provide IT, advertising and commercial services, specifically the following companies:
- Ecommerce School d.o.o. with registered office in Sezana (Slovenia) for the management and assistance of the website and integrated management;
- Gan S.r.l., with registered office in Rovereta (Republic of San Marino) for the allocation of the website and integrated management;
- Wins S.r.l., with registered office in Milan (MI) for order management;
- SendinBlue, with registered office in Paris (France), for communication activities, including for promotional purposes;
- Qaplà S.r.l., with registered office in San Casciano in Val di Pesa (FI), for the management of order dispatch and communication activities, including for promotional purposes;
- Google LLC with registered office in Mountain View, California (United States), for statistical analysis of data relating to the Site and profiling of the interested parties;
- Facebook, Inc., with registered office in Menlo Park, California (United States) for marketing and profiling activities.
The contact details of the aforementioned companies can be found on the respective company websites.
7.5. Even without the express consent of the interested party, the Data Controller may communicate the interested party’s data to judicial authorities as well as to all other subjects to whom the communication is required by law for the fulfilment of legal purposes.
8. Place of processing
8.1. The data is processed at the operational headquarters of the Data Controller and in any other place where the parties involved in the processing are located. For further information it is possible to contact the Data Controller.
8.2. The management and storage of personal data will take place on the server of the Data Controller and/or third-party companies duly appointed as Data Processors, located within the European Union, or in accordance with the provisions of Articles 45 et seq. of the GDPR. The servers are currently located in the European Union.
8.3. Some processing may require the data to be communicated outside the European Union, in the event that the Data Processor carries out activities outside the EU and/or in the event that the delivery of the order is outside the EU.
8.4. In any case, it is understood that, should it be necessary to transfer the location of the servers, in Italy and/or the European Union and/or non-EU countries, such movement will always take place in compliance with Articles 45 et seq. of the GDPR. In this case, however, the Data Controller ensures from now on that the transfer of data outside the EU will take place in compliance with the applicable legal provisions by stipulating, if necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided by the European Commission.
9. Retention period
9.1. In compliance with the principles of lawfulness, purpose limitation and data minimisation, pursuant to art. 5 of the GDPR, the data will be processed and stored for the time required by the purposes for which it was collected, or for the period necessary to comply with regulatory obligations, or at the request of the Authority.
In particular, the data will be stored for these purposes and timeframes:
- for navigation, for the duration specified for each cookie;
- for registration, until the interested party revokes their consent to data processing or requests the cancellation of the service;
- for purchases – for orders, for a period not exceeding 24 months from the order date; for billing, for a period not exceeding 10 years from the date of purchase;
- for collection, for profiling or marketing purposes up to the revocation of the consent and in any case for a period not exceeding 2 years.
9.2. In the event that processing is based on the consent of the interested party, the Data Controller may keep the data for a longer time, until such consent is revoked by the interested party.
9.3. At the end of the retention period, the data will be deleted or made anonymous. Therefore, at the end of this term, the rights of the interested party regarding the data can no longer be exercised.
10. Rights of the interested party
Pursuant to the GDPR, the interested party has the right at any time to obtain from the Data Controller information about their data, on the management and storage methods and on processing purposes, by sending a request to the Data Controller, who will respond as soon as possible, and in any case within one month. In the event that a longer term is required to process the request, the Data Controller will communicate to the interested party the reasons for the delay.
In particular, the interested party may exercise the following rights:
• Right of access, pursuant to art. 15 of the GDPR, the interested party has the right to obtain confirmation of the existence of the data, the methods and purposes of processing, the parties to whom it was communicated, the country in which it is located, the storage time and origin. The interested party may request a copy of their data, provided that this does not affect the rights and freedoms of other subjects.
The interested party may request the updating, correction and integration of their data.
• Right of rectification, pursuant to art. 16 of the GDPR. The interested party has the right to have inaccurate data concerning them corrected, or to request that the data be integrated with others, providing their own declaration to that effect.
• Right of cancellation, pursuant to art. 17 of the GDPR. The interested party has the right to confirm that the personal data collected is deleted in one of the following cases: (i) the data is no longer necessary for the purposes for which it was collected; (ii) the interested party has revoked the consent given; (iii) the interested party opposed the processing; (iv) in case of unlawful processing by the Data Controller; (v) the data must be deleted to fulfil a legal obligation to which the Data Controller is subject; (vi) the interested party is under the age of 16 and the people who exercise parental responsibility have not given their consent.
If the Data Controller has made public the personal data of the interested party, they are obliged to delete it and will inform any further parties who are processing the data of the cancellation request. This will be limited to the actual technical and economic possibility of this procedure.
• Right to transferability, pursuant to art. 20 of the GDPR. The interested party has the right to receive personal data concerning themselves in a structured and commonly used format, readable by an automatic device. In the same way, the interested party may request that their data be transmitted to another data controller. However, the exercise of this right cannot harm the rights and freedoms of others.
• Right of limitation, pursuant to art. 18 of the GDPR. The interested party has the right to request the Data Controller to limit the processing of their data to the sole conservation of the same, without further operations being carried out.
• Right to object, pursuant to art. 21 of the GDPR. The interested party has the right to object to data processing in the event that such processing is based on the legitimate interest of the Data Controller or in the event that the data is processed for scientific research or statistical or marketing purposes.
• Right to lodge a complaint with the Guarantor Authority pursuant to art. 77 of the GDPR. The interested party may lodge a complaint with the Guarantor Authority if they believe that the processing of their data is being carried out in violation of the GDPR.
The interested party may withdraw consent to the processing of their data at any time, in the same manner in which they gave their consent or by sending a communication to the Data Controller. The withdrawal of consent will not affect the processing already carried out, but will result in the interruption of the processing in progress and the destruction of the data of the interested party.