pursuant to EU Regulation 679/2016 (“GDPR”)
The processing of personal data is carried out by Bakery Princi S.r.l. (hereinafter the “Company”), Via Speronari No. 6, 20123 – Milan (MI), Tax Code and VAT No. 12125380159, and entered with the Companies’ Register of Milan – Monza Brianza – Lodi at No. MI – 1530153, which acts as the Data Controller.
The categories of personal data that the Company collects and processes when browsing or purchasing at www.princi.it, are as follows:
a. personal data necessary to conclude and execute the purchase at www.princi.it such as first and last name, e-mail address, shipping address, billing address, telephone and payment information;
b. e-mail address when the user subscribes to the newsletter service;
c. personal data provided to Customer Care for requested assistance;
d. with the user’s consent, personal data are collected and used for commercial communications;
e. for registration at www.princi.it, the Company collects the user’s first and last name, e-mail address, password and date of birth. In case of registration, the Company collects information about the user’s accesses to the restricted area of the site. With the express consent of the user, through the analysis of personal data the Company may process information regarding interests and preferences with respect to the products and services offered, in order to present proposals and offers in line with the user’s tastes;
f. information on the browsing of www.princi.it, such as pages visited and interaction with the individual page; information saved on the Company’s servers.
Use of personal data
The Company collects and processes users’ personal data for the following purposes:
a. to enter into and perform the contract for the purchase of products offered on www.princi.it. When the user completes a purchase, the Company requests personal data necessary for contract performance activities such as payment, anti-fraud checks if he/she chooses to pay by credit card, invoicing, product shipment, and possible return management.
b. registration to the Site and enjoyment of the services offered to registered users. Registration to the Site is possible through the input of certain personal information, which is necessary to ensure the performance of services offered to registered users.
c. provision of the proposed services at www.princi.it. To this end, the Company needs to collect, in relation to each service and its characteristics, the personal data necessary to carry out the specific service requested by the user.
d. handling requests to Customer Care, which uses the personal data provided by the user to satisfy his/her requests for information and requests for assistance.
e. statistical analysis and surveys. The Company uses certain information about users’ use of the Site, methods of browsing and use of related services, to conduct statistical analysis and surveys in order to improve offerings and services.
f. sending commercial communications following the purchase of a product, so-called soft spam. Following the purchase of a product on the Site, the Company will send communications containing commercial proposals on related products and services to the e-mail address that the user provided when concluding the order.
g. with the express consent of the user, the Company may use the contact details provided by the user for commercial communications on products and services, in order to update the user on news, exclusive products, offers and promotions. In addition, again with prior consent, it may use user’s contact details in the context of conducting market research and satisfaction surveys in order to improve services and relations with users.
h. only with the user’s consent, the Company may customise the registered user’s experience at www.princi.it, proposing previews and offers in line with the tastes expressed and sending commercial communications customized according to the interests shown. Customisation will be done by analysing previous purchases and other information described in the ‘Data collected’ section above.
Should the user wish to authorize the activities referred to in (g) and (h) above and subsequently he/she does not wish to receive further communications from the Company or wishes to limit the manner in which being contacted, he/she may at any time discontinue these communications by simply clicking on the appropriate ‘unsubscribe’ link at the bottom of each communication, or he/she may always contact the Company via the Customer Care. However, the user may receive additional communications from the Company even after the submission of the unsubscribe request, as some mailings may have already been scheduled, and the systems may take some time to process the request.
In connection with all of the above activities, users’ personal data will be processed mainly by means of computer and electronic tools; the tools the Company uses guarantee high standards of security, in full compliance with the relevant regulations.
On the occasion of the creation of the account, the Company offers the possibility of using the following services:
Account details – management of user data
Orders – shipment progress status and check user’s order history
Payment methods – collection of user’s credit cards information to quickly complete purchases
Addresses – management of user addresses to quickly complete purchases
With the express consent of the user, the Company may use the contact details for commercial communications about products and services, in order to update the user on news, exclusive products, and to conduct opinion polls and market research in order to detect the degree of satisfaction and improve the services offered.
Only with the user’s prior consent will the Company be able to customise the experience based on the interests and the contents of the commercial communications and the offers which the user will view when browsing www.princi.it as a registered user. This activity makes it easier for user to search for products and services that are more to his/her liking and in line with his/her interests, while at the same time enabling to improve the dedicated offer. Customisation is made possible by the analysis of user data held by the Company, described in the section ‘Data collected’ above. Specifically, information about purchases made in the past and information about which sections of the Site are visited most often or which services the user uses most frequently helps the Company to understand which products and services the user is most interested in.
Legal basis for processing
The Company processes personal data only in the presence of one of the legal prerequisites stipulated by current legislation, and specifically:
a. for the signing and performance of a contract. In this case, the Company takes care to use only the minimum information necessary for the performance of the same. This basis legitimises the processing of personal data that takes place in the following activities:
- signing and performance of a contract for the purchase of products offered on www.princi.it,
- site registration and use of services reserved for registered users;
- provision of services offered at www.princi.it,
- handling of user requests by our Customer Care.
b. The provision of the user’s personal data for such activities is a contractual obligation. The user is free to communicate or not his/her data to the Company, but in the absence of the requested data the Company cannot sign or perform the contract and requests. This means that the user will not be able to purchase the products and will not be able to use the Company’s services, and the Company will not be able to handle the user’s requests.
c. to comply with a legal obligation. When signing a contract for the purchase of goods on www.princi.it, the processing of the user’s data will take place to comply with the legal obligations to which the Company is subject. The user is free to decide whether or not to enter into a contract and whether or not to disclose his/her data to the Company, but if he/she enters into a contract his/her data will be necessary and will be processed to comply with the aforementioned legal obligations to which the Company is bound.
d. for legitimate interest of the Company. Some of the user’s personal data when purchasing products at www.princi.it by credit card, may be processed to carry out anti-fraud activities: the Company has a legitimate interest in carrying out this activity to prevent and prosecute possible fraudulent activities.
e. based on the user’s consent. The Company will carry out the following processing operations only if the user has given his or her express consent:
- conducting marketing activities and opinion polls and market research;
- analysis of browsing and consumption habits in the context of using the www.princi.it profile, in order to customise the experience on the Site.
Providing consent for such activities is optional. The user is free to provide consent or not, but without it, it will not be possible for the Company to carry out marketing, opinion polling and market research, and habit analysis activities.
Who will process the data
The user’s personal data will be processed by the Company’s internal staff specifically trained and authorized to process them and will also be transmitted to third parties that the Company uses to provide its services at www.princi.it ; such parties have been adequately selected and offer suitable guarantees of compliance with the regulations on the processing of personal data. These parties have been designated as data processors and carry out their activities according to the instructions given by and under the control of the Company.
The third parties in question belong to the following categories: site operator, banking operators, internet providers, companies specializing in computer and electronic services, couriers, agencies performing marketing activities, companies specializing in market research and data processing.
Users’ data may be transmitted to the police and judicial and administrative authorities, in accordance with the law, for the detection and prosecution of crimes, prevention and protection from threats to public safety, to enable the Company to ascertain, exercise or defend a right in court, and for other reasons related to the protection of the rights and freedoms of others.
Extra-EU data transfer
Some of the third parties listed in the ‘Who will process the data’ section above may be based in countries outside the European Union that nonetheless offer an adequate level of data protection, as established by appropriate decisions of the European Commission (http://www.garanteprivacy.it/home/provvedimenti-normativa/normativa/normativa-comunitaria-e-intenazionale/trasferimento-dei-dati-verso-paesi-terzi#1).
The transfer of the user’s personal data to countries that do not belong to the European Union and that do not ensure adequate levels of protection will be carried out only after specific agreements, containing appropriate safeguard clauses and guarantees for the protection of the user’s personal data, have been entered into between the Company and said parties, so-called ‘standard contractual clauses’, which are also approved by the European Commission, i.e. if the transfer is necessary for the signing and performance of a contract between the user and the Company (for the purchase of goods offered on the Site, for registration on the Site or the use of services on the Site) or for the handling of requests.
Duration of data storage
The Company stores the user’s personal data for a limited period of time, which differs depending on the type of activity involving the processing of personal data. After this period expires, the user’s data will be permanently deleted or otherwise rendered irreversibly anonymous.
The user’s personal data are stored in accordance with the terms and criteria specified below:
a. data collected to sign and perform contracts for the purchase of goods on www.princi.it: until the completion of administrative and accounting formalities. Billing-related data will be stored for 10 years from the date of billing;
b. registered user data: data will be stored until the user requests deletion of his/her account www.princi.it;
c. payment data: until the payment is certified and the relevant administrative and accounting formalities are completed as a result of the expiration of the right of withdrawal and the terms applied to dispute the payment;
d. data collected in the context of the use of services offered on www.princi.it: these data are stored until the termination of the service or the user’s request to unsubscribe from the service;
e. data related to users’ requests to our Customer Care: data useful for assisting the user will be stored until the user’s request is fulfilled;
f. data used for commercial communication towards users who purchase products on www.princi.it (soft spam): this data is stored until the service is terminated or the user exercises opposition by unsubscribing from the service;
g. data provided for commercial communications activities, opinion polls and market research: until unsubscribed from the service or following a request by the user to discontinue the activity and in any case within two years of the user’s last interaction of any kind with the Company;
h. data used to customise the Site and to show customised commercial offers: until the user revokes the consent given for such activity or requests its termination, and in any case within 2 years of the user’s last interaction of any kind with the Company;
In any case, for technical reasons, the termination of the processing and the consequent definitive deletion or irreversible anonymising of the relevant personal data will be final within thirty days of the above deadlines.
At any time the user may exercise his/her rights with reference to the specific processing of his/her personal data by the Company. Below is their general description and how to exercise them.
- Access and change data: the user has the right to access his/her personal data and to request that it be corrected, changed, or supplemented with other information. If he/she wishes, the Company will provide a copy of his/her data in its possession.
- Withdraw consent: the user may at any time withdraw a consent he/she has given for the processing of his/her personal data in connection with any activity with marketing purposes. Upon receipt of the request, it will be the Company’s responsibility to promptly cease the processing of the user’s personal data that is based on such consent, while different processing or processing based on other prerequisites will continue to be carried out in full compliance with current regulations.
- Object to the processing of his/her data: the user has the right to object at any time to the processing of his/her personal data carried out on the basis of legitimate interest by the Company, explaining the reasons justifying his/her request; before granting his/her request, the Company will have to evaluate the reasons for the request.
- Deletion of his/her data: in the cases provided for by current legislation, the user can request the deletion of personal data. Upon receiving and screening the request, if legitimate, it will be the Company’s responsibility to promptly cease processing and delete the personal data.
- Request that the processing of personal data be temporarily restricted: in this case, the Company will continue to store the personal data but will not process them, unless otherwise requested and exceptions provided by law. The user may obtain the restriction of processing when he/she disputes the accuracy of his/her personal data, when the processing is unlawful but he/she objects to the deletion of his/her data, when his/her data is no longer needed by the Company but he/she needs it to exercise a right in court, and when he/she objects to the processing, during the period in which the Company evaluates the grounds for his/her request.
- Request data or transfer it to a party other than the Company (right to data portability). The user may request to receive his/her data processed by the Company based on his/her consent or under a contract with the user in a standard format. If he/she wishes, where technically possible, the Company may at his/her request transfer the data directly to a third party specified by the user.
In order to ensure that users’ data will not be violated or used illegitimately by third parties, before granting a request to exercise any of the rights indicated, the Company may ask for certain information to be certain of the user’s identity.
The Company protects the user’s personal data with specific technical and organizational security measures designed to prevent personal data from being used illegitimately or fraudulently. Specifically, the Company uses security measures that ensure: pseudonymisation or encryption of data; confidentiality, integrity, and availability of data as well as resilience of the systems and services that process them; and the ability to restore data in the event of a data breach. In addition, the Company undertakes to regularly test, verify and evaluate the effectiveness of technical and organizational measures in order to ensure continuous improvement in the security of processing.
If the user believes that the processing of his/her personal data has been carried out unlawfully, he/she may file a complaint with one of the supervisory authorities in charge of ensuring the compliance with data protection regulations.
In Italy, the complaint can be filed with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali).
More information on how to file a complaint can be found on the Italian Data Protection Authority’s website at http://www.garanteprivacy.it/.
Amendments to this policy
We therefore invite the user to check its contents periodically: where possible, we will try to inform the user promptly about occurred changes and their consequences.
Legislative references and useful links
The processing of the user’s personal data is carried out by the Company in full compliance with the relevant regulations set forth in the Regulation (EU) 2016/679 General Data Protection Regulation, the Italian personal data processing regulations and the provisions of the Italian Supervisory Authority (http://www.garanteprivacy.it/) and, where applicable, of the foreign competent supervisory authorities.
Last update: June 7, 2022