Information for the protection of personal data

Last updated August 2018

The information may undergo changes following the introduction of new rules or as a result of changes to the website, for which we invite you to visit this section periodically updates.
For any clarification, information, exercise of the rights listed in this statement, please contact shop@pepelu.it or – send a registered letter with receipt – to Pepelù in Via Vittorelli n. 36 Bassano del Grappa (VI) 36061.

Index:
1. General Information on Privacy.
2. Definition of personal data and processing of the same.
3. The subject’s privacy of the website.
4. General information on the processing and purposes for which we process the data.
5. User rights.
6. Cookie Information.

1. General Information on Privacy

With this statement the company Silvia Pepoli (henceforth, Pepelù) with registered office in Via Vittorelli n. 36 to 36061 Bassano del Grappa (VI) with VAT number 03560890240 and Tax number PPLSLV80H41A703Z, in the person of the legal representative pro-tempore, as Data Controller, wishes to inform you about the processing of personal data that will be provided by browsing this website.
The Reg. EU 2016/679 establishes the rules to protect and protect natural persons with regard to the processing of their personal data and this information is drafted in accordance with the new regulation.
The Privacy Policy that you are reading is exclusively referable to the website indicated in the epigraph. The Data Controller is not responsible for the management of the processing of personal data carried out by third-party websites linked to the Cookie section, or through any other referral links on the website.
According to the law, the processing of personal data is based on principles of correctness, lawfulness, transparency, protection of the privacy of the user as well as the protection of his rights: Pepelù undertakes to observe the aforementioned principles and, to this end, inform immediately that – except for those treatments which the law provides for your explicit consent – by browsing this website, uploading or providing personal data, you agree and agree to be bound by the conditions and terms set out in this statement.
The Reg. The European Reg. 679/2016 provides for enhanced protection against children under 16, so If you have not yet completed the age of sixteen, your consent to certain treatments will be legitimate only if provided or authorized by the person in charge of the parental responsibility towards you.
In any case, we want to offer you some information on the concept of personal data processing, on the people who manage them, on the main processing activities that we put in place, as well as on your rights as a user.

2. Definition of personal data and treatment of the same

Personal data means all information that identifies or identifies a certain physical person. This is information that directly allows identification of the subject (such as name, surname or social security number) or only indirectly (such as the online ID or profiling cookies). For personal data processing, however, we mean any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or personal data, such as collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction.

3. The privacy subjects of the web site

The Data Controller is the natural or legal person, public authority, service or other body that, individually or together with others, determines the purposes and means of processing personal data; it also deals with safety profiles. With regard to this website, the Data Controller is the company PEPELU ‘as identified above and for any clarification or exercise of the rights that you may contact it to the addresses already reported in the epigraph to the information.
The person in charge of processing is the natural or legal person, the public authority, the service or other body that processes personal data on behalf of the data controller. With regard to the personal data provided by you while browsing this website, the Data Controller has not appointed any external processing manager.
On the other hand, regarding the person in charge of processing, i.e. the data processor under the control and the management of the Data Controller, Pepelù has appointed, as internal agents, its employees, in particular those who could manage the website. These individuals have been formally appointed and instructed to handle your data with care.
For more information on these individuals, contact the addresses already reported.

4. Purposes for which we treat your data and other treatment information

4.1 General information on the treatments performed through this site

Except for specific exceptions (see the following points), these rules apply to all treatments performed by our company through this website.
First of all, it is advisable to specify that the Data Processor uses only the strictly necessary data, which are marked with the asterisk symbol (*) in the appropriate spaces on the website. The data provided will be used solely and exclusively for the purposes set out in the following points (by way of example: the data provided for pre-contractual purposes will not be used for different purposes, except for the consent of the data subject or the legitimate interest of the Data Controller of the data for different purposes).

On the place of treatment
The processing of your data is carried out at the registered office of the Data Controller or at the headquarters of the Data Processor.
The data collected through navigation will not be disseminated or transferred to international organizations.

On the transfer of data to countries outside the EU
The hosting to which we rely to provide you with the navigation space is located in the EU territory (in Milan, in Italy) for which – in relation to the same service – no data is transferred to countries outside the EU.
It should be noted that our company undertakes not to transfer data to non-EU countries. However, when the Data Controller relies on third-party companies to provide you with specific services (for example, Newsletter service, promotional communications, etc.), some data may be transferred to non-EU countries. This happens because some of the aforementioned companies – or their servers – could be located in non-EU countries. This should not be cause for worry because, if a transfer of data is actually done, this can only be done with the guarantees provided for by the law, therefore on the basis of an adequacy decision adopted by the European Commission, or with the protections provided for by the new European Regulation ( as the presence of binding rules for the company), or – in the absence of the aforesaid conditions – with the consent of the interested party, or in the context of a contract between the data subject and the Data Controller, or in the context of a contract between the Data Controller and a third party to perform a service for the data subject. For any questions or information regarding the transfer of your data to non-EU countries, please contact the addresses already reported.

Methods of processing and legal basis
The treatments are mainly carried out with computerized systems (by email, telephone, use of computer programs), but in some cases also paper (by printing the documents).
Except in cases where the processing requires your explicit consent (that the owner collect through appropriate box to be selected), all the treatments are lawful as carried out on the basis of the legitimate interest of the owner or on the basis of pre-contractual or contractual measures required by user himself.

On data communications to third parties
For the performance of certain services in your favour or for the fulfilment of legislative obligations, some data will be shared with external parties. By way of example, for the delivery of the product, our company could communicate your data to the transport company, or to provide the newsletter service our company could support companies that offer email marketing services and these companies could process your data; moreover, in order to provide you with navigation space, our company relies on a company that offers hosting services: even this company could process some of your data. With regard to communications to third parties based on legal obligations, our company may communicate your data to lawyers, law enforcement agencies or the judicial authorities in the event of the execution of offenses or other legal obligations.

On safety measures
In any case, the Data Controller undertakes to protect the security of all your personal data, taking all the necessary computer and physical measures to protect them. However, it should be pointed out that no security system guarantees this protection with absolute certainty, therefore, without prejudice to cases of liability for fault of the Data Controller, our company is not liable for the fact performed by third parties who illegally access the systems without due authorizations.

On the data of minors under sixteen
This website offers direct services to children under sixteen. The UE Reg. 679/2016 provides for a stronger protection against the latter. In fact, according to the art. 8 the Data Controller may process the data of the less than sixteen years only after consent or authorization from the holder of parental responsibility. Pepelù has adopted tools to legitimately collect such consent or authorization (see the sentences at the bottom of the data collection forms, by which the user is asked to declare to be more than sixteen or to have been previously authorized from the parent / guardian). However, the Data Controller, through this website, will never be able to check if – in reality – this preventive authorization has actually been issued by the parent/guardian. Therefore, first of all it is advised to carefully monitor the actions of their children or those subject to protection, then we ask you to inform us without delay in case of receipt of unsolicited communications because not previously authorized by the parent / guardian: we will proceed to the immediate cancellation of the minor’s data of sixteen. In any case, the Data Controller is not responsible for the possible collection of data from minors of sixteen who have given their consent to the treatment without prior authorization from the parent/guardian. Finally, if the Data Controller considers that some data involuntarily collected refer to individuals under the age of sixteen, it will proceed without delay to the destruction of the same.

4.2 Data processing by simple browsing on the website

No identification data will be collected by simply browsing. However, for the normal operation of the website it is possible that the computer system acquires some information whose transmission is implicit in the internet communication protocols (i.e. log files). Furthermore, through the use of cookies will be collected information that the user does not provide directly (Cookie Policy). In any case, this is information that is not collected for the purpose of an association to identified data subjects, but that nevertheless, given their very nature, could still allow third parties to identify the user, through investigations and associations with other data already in their possession (for example, by the police to comply with specific requests by the judicial Authority could trace back to your IP address or other online identification).

4.3 Treatments carried out for promotional/advertising purposes

The user expresses his desire to receive advertising and promotional communications from our company when he completes the appropriate form on the website and when he gives his consent to receive such communications.
To receive such communications, the user provides his / her personal data, i.e. his / her email, telephone number, address (among these only the data strictly necessary).
The user is not obliged to release the aforementioned data, however, failure to provide it does not allow our company to send him the requested advertising and promotional communications concerning our products and services.
The legal basis of the treatment consists in the release of consent by the user, or – and this only in the case of users already customers of our company who expect to be informed about all the news and promotions related to our products and services – even of the legitimate interest of the Owner.
The processing is carried out through computerized and automated systems (in particular by sending emails, but in some cases also by fax) in some cases managed by third-party companies that provide the email marketing service, as well as through more traditional systems (such as sending ordinary mail or by receiving calls from our operators).
For the possible transfer of data to non-EU countries, see the entry on the transfer of data to countries outside the EU pursuant to art. 4.1. 4.1.
The duration of the treatment depends on the user who, at any time, can revoke the consent previously issued by contacting the addresses already indicated in the epigraph, or by clicking the “unsubscribe” button at the bottom of the email received. In the case of treatment based on the legitimate interest of the Data Controller, the processing terminates with the request for objection by the user, who will be able to assert by contacting the above addresses.
It is allowed to request this service only to the user who has already reached sixteen years of age. For minors under sixteen years see the entry on the data of minors of sixteen years as per art. 4.1. 4.1.

4.4 Treatment carried out by filling out the form “Newsletter”

The following rules of the rules apply to any treatment provided on the website which is specifically aimed at registering for the Newsletter service.
By filling in the aforementioned form, the user provides his / her personal data (email).
The user is not obliged to release such data, however failure to complete it does not allow our company to provide the Newsletter service to the user.
The legal basis of the treatment consists in the release of consent by the user, or – and only in the case of users already customers of our company who expect to be informed about all the news – the legal basis also consists in the legitimate interest of the Owner (sending communications to those who have already expressed interest in our products does not compromise the rights and freedoms of those subjects).
The treatment is carried out through computerized systems (via email).
For the possible transfer of data to non-EU countries, see the entry on the transfer of data to countries outside the EU pursuant to art. 4.1. 4.1.
In any case, for more information, contact the addresses already mentioned.
The duration of the treatment depends on the user’s will, at any time, revoke the consent previously issued by contacting the addresses already reported at the beginning of this information, or by clicking the “unsubscribe” button at the bottom of the email received. In the case of treatment based on the legitimate interest of Pepelù, processing terminates with the request for cancellation from the user, who can rely on contacting the above addresses.
The Newsletter service is allowed to be requested only by users who have reach sixteen years of age. For minors under sixteen years see the entry on the data of minors of sixteen years as per art. 4.1. 4.1.

4.5 Treatments carried out by filling out the form “Registration”/”Login”

By filling out the form called “Registration”, the user provides his personal data (Email).
Once the Registration has been completed, the user entering the data already provided in the “Login” section will be able to access his / her Account.
The user is not obliged to provide such data, however, failure to provide it does not allow the user to create his own Account to proceed with the purchase of products in the online store or to enjoy particular advantages, such as the ability to view recent orders and your wish list (see Article 4 4 for this purpose), manage your shipping and billing addresses, change your password and other account details.
Such processing is lawful as it is done on the basis of the user’s consent or on the legitimate interest of the Data Controller. There is a legitimate interest because, although the service does not fall properly in the execution of the contract, the company believes to provide it in the exclusive interest of the user, who will not in any way be harmed in his rights and his liberties.
This treatment is carried out through IT tools, such as the use of the computer program and the e-mail service.
The duration of the treatment depends on the user who, at any time, can access his account for unsubscription or can directly contact the addresses already reported to expressly revoke the consent previously issued. In the case of non-release of consent and therefore of use of the Account by virtue of the legitimate interest of the Data Controller, the user may object to processing at any time by contacting the addresses already indicated.
Registration is allowed only to the user who has already reached the age of majority: this is because this form is strictly linked to the purchase procedure of the product which, by law, can only be carried out by someone who has already reached the age of majority. Registrations made by subjects without these requisites will be immediately canceled by the Data Controller.

4.6 Treatments carried out using the button for the “Wistlist”

By clicking the “Heart” button located next to the products, the user shows his own tastes and interests that will be stored in the “Wishlist” section of the website.
The user is not obliged to provide such data, however failure to provide it does not allow the user to store certain products and to evaluate their purchase at a later time.
This action could generate two different effects depending on whether the registration referred to in point 4.4 exists or not.

4.6.1 In fact, if the user did not proceed with the registration, the click on the “Heart” will not allow the identification of the user since the data relating to the taste can not be associated with other data available to the owner of the website.

4.6.2 On the other hand, if the user had already registered, the click on the “Heart” would store the preference within the user’s account, thus making it identifiable and revealing a specific taste expressed by the user. The same rules as in art. 4.5.

4.7 Treatments carried out for the purchase through online store (Cart – Cash – Procedure finalized for purchase)

This article regulates the processing of data that the user gives for the purchase of the product in the online store.
The purchase is allowed only to the adult user, who has previously created his own Account (see article 4.5 of this informative note).
To proceed with the purchase, the user must first click on the desired product. The user’s tastes are stored in the “Cart” section. In this section, the user can store more products, choose which ones to buy and which, on the other hand, can be deleted from the Shopping Cart. Once the products to be purchased have been established, the user – by clicking on the “Cash desk” button – accesses the further section aimed at purchasing. In this section, the user must provide the personal data necessary for identification (such as name, surname, address), as well as any promotional code.
Finally, the user must choose the payment methods of the product. The data used for payments will not be processed by the Data Controller, but only by the reference credit institutions. For these reasons, we recommend that you view the privacy statement of the credit institute of the Data Controller (indicated in the epigraph to the form for the collection of such data), the privacy policy of your credit institution, as well as that of PayPal.
The following rules apply to all the aforementioned phases for the purchase of the product.
To proceed with the purchase, the user provides his / her personal data (data relating to his / her tastes, name, surname, address, any other address for the delivery of the goods, telephone number, e-mails, own notes, payment system data, other).
The user is not obliged to provide such data; however, the non-release does not allow the same to purchase the product.
The processing is lawful as it is carried out on the basis of pre-contractual measures (use of data to proceed with the purchase) and contractual (for purchase, for returns, for substitutions, other related to the contracted) requests from the user. In any case, the Data Controller requires the express consent of the user.
The processing is carried out through computer systems (ecommerce platform) and paper (order printing).
The duration of the treatment depends on the conclusion or otherwise of the purchase procedure. In fact, if the user releases the data but does not purchase the asset, his data will not be stored. Instead, in the case of purchase of the asset, the user’s data will be kept for ten years from the conclusion of the contract and this for legal, accounting and tax protection requirements to which the Data Controller is subject by law.
Purchase is allowed only to legal adults. The Data Controller is not responsible in the case of data provided by minors who have used tricks and deception to appear as adults (for example, the child’s use of data and credit cards of parents or guardians).

4.8 Processing following the use of the contact details indicated at the bottom of the website

By contacting the telephone number and e-mail address indicated on the website, you provide your personal data (for example name, surname, telephone number, etc). The provision of such data is optional, but failure to provide data does not allow the Data Controller to find information requests from the user. The legal basis of the processing consists of the execution of pre-contractual measures (requests for information on our activities, estimates, other relevant to the sphere of our work) or in the consent of the user (who by contacting us will expressly) or in the legitimate interest of the owner of the processing (consent or legitimate interest, only if the requested information does not have a pre-contractual or contractual nature). These data will be processed with computer systems or paper and the duration of treatment ends with the evasion of the information service by the Data Controller.

5. User rights

The interested party – i.e. the person who makes their personal data available to the data controller – is entitled to the following rights:

  • the right of the data subject to request the holder to access personal data, i.e. to know which data the holder is dealing with;
  • the right to get their update;
  • the right to obtain correction, i.e. the right to have their data modified if they have changed;
  • the right to add to their data, i.e. the right to integrate data with other information provided by the data subject;
  • the right to limit the processing that concerns them, i.e. to limit the use of data by the data controller;
  • the right to object, for legitimate reasons, to their treatment;
  • the right to data portability, i.e. the right to receive all personal data processed by
  • the data controller in a structured and legible format on an electronic medium;
  • the right to request the cancellation of their data to the holder;
  • the transformation into anonymous form or the blocking of data processed in violation of the law, including those that do not need to be kept for the purposes for which the data were collected or subsequently processed;
  • the right to obtain the attestation that, the operations of updating, rectification, integration of data, cancellation, blocking of data, transformation, have been brought to the attention, also as regards their content, of those to whom the data are been communicated or disseminated, except in the case where this fulfilment proves impossible or involves a use of means manifestly disproportionate to the protected right;
  • the right to withdraw at any time the explicit consent previously given, without prejudice to the lawfulness of the treatment established up to that moment;
  • the right to lodge a complaint with the Guarantor for the Protection of Personal Data in case of violations of the law.

For a more in-depth examination of the rights that you are entitled to see the articles. 13 – 15 – 16 – 17 – 18 – 20 – 21 of the EU Reg. 679/2016. Requests can be sent to the Data Controller, without formalities, to the addresses in the epigraph, or alternatively, using the model provided by the Guarantor for the Protection of Personal Data available at the sitehttp://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924

6. Information of Cookies

This website could also use automated tools to send users advertising in line with their tastes and interests. The information on cookies and automated systems similar to cookies are made available to the user by clicking the appropriate link called “Cookie Information” (or “Cookie Policy”) on the website. For completeness, the Data Controller also provides the aforementioned information below.