Privacy Policy for Users

 

Candy Hoover Group S.r.l. with sole shareholder and with registered office in Via Comolli, 16 - 20861 Brugherio (MB), Italy, VAT no./Tax Code and Milan Companies Register no. 04666310158 (hereinafter also “CHG”) and Triboo Digitale S.r.l. with registered office in Viale Sarca 336, Edificio 16, 20126 Milan, Italy, VAT no./Tax Code and Milan Companies Register no. 02912880966 (hereinafter also “Triboo” and, together with CHG, the “Data Controllers”), in the capacity of autonomous data controllers of the processing of the personal data of the users (hereinafter the “Users”) who navigate and use services available on this website (hereinafter the “Website” and the “Services”) provide hereunder the privacy policy pursuant to Art. 13 of EU Regulation 2016/679 of 27 April 2016 (hereinafter “Regulation”, or also the “Applicable Legislation”).
This Website and the Services are to be used only by subjects who are of the age of 18 or over. The Data Controllers therefore do not collect personal data relating to subjects under the age of 18. Upon the request of the Users, the Data Controllers shall promptly delete all personal data involuntarily collected and relating to subjects under the age of 18.
The Data Controllers hold the right to privacy and to the protection of the personal data of their Users in maximum consideration. For all information in connection with this privacy policy, the Users may contact the Data Controllers at any time using the following methods:

For CHG:

- By sending a registered letter with advice of receipt to the registered office: Via Comolli, 16 - 20861 Brugherio (MB), Italy;
- By sending a message by electronic mail to the address: data.protection@candy-group.com

For Triboo:

- By sending a registered letter with advice of receipt to the registered office: Viale Sarca 336, Edificio 16, 20126 Milan, Italy
- By sending a message by electronic mail to the address: privacy@triboo.it

Users may also contact

- the Data Protection Officer (DPO or RPD) of CHG, whose contact data are given below: data.protection@candy-group.com
- the Data Protection Officer (DPO or RPD) of Triboo, whose contact data are given below: Lapo Curini Galletti (lapo.curinigalletti@triboo.it)

1. Purposes for processing by Triboo
The personal data of the Users shall be processed lawfully by Triboo pursuant to Art. 6 of the Regulation for the following processing purposes:


1.1. Contractual obligations and provision of Services, to execute the Terms and Conditions of Use of the Website, which are accepted by the User during use of the Services and to fulfil specific requests of the User, as well as to provide assistance to the User before and after the Services are provided, except for the logistics activities. The User’s data collected by Triboo for the above-listed purposes include: name, surname and nickname voluntarily chosen, age, province of residence/domicile, gender, email address, and all personal information of the User that they may voluntarily provide. Unless the User gives Triboo a specific and optional consent to process their data for additional purposes, the personal data of the User shall be used by Triboo for the sole purpose of ascertaining the User’s identity (also by validating the email address), in this way preventing possible fraud or abuse, and to contact the User for only service reasons (e.g. sending notifications concerning the Services). Without prejudice to what is provided for elsewhere in this privacy policy, in no case shall Triboo make the personal data of the Users accessible to the other Users and/or to third parties. The legal basis legitimating the processing of personal data for this purpose is found in Art. 6, par. 1, letter b) of EU Regulation no. 679/2016, that is since the processing is necessary to execute a contract of which the data subject is a party or to execute pre-contractual measures adopted upon their request;


1.2. Administrative-accounting purposes, that is to carry out organisational, administrative, financial and accounting activities, such as internal organisational activities and activities functional for the fulfilment of contractual and pre-contractual obligations. The legal basis legitimating the processing of personal data for this purpose is found in Art. 6, par. 1, letter b) of EU Regulation no. 679/2016, that is since the processing is necessary to execute a contract of which the data subject is a party or to execute pre-contractual measures adopted upon their request;


1.3. Legal obligations, that is to fulfil obligations established by the law, by an authority, by a regulation or by European legislation. The legal basis legitimating the processing of personal data for this purpose is found in Art. 6, par. 1, letter c) of EU Regulation no. 679/2016, that is since the processing is necessary in order to fulfil a legal obligation to which the data controller is subject.
The provision of personal data for the processing purposes specified above is mandatory in order to use the requested services and failure to provide them will result in the impossibility for the User to navigate the Website, to register with the Website and to use the Services.


The personal data necessary to pursue the processing purposes described in this paragraph 1 are specified with an asterisk on the registration form on the Website.


2. Purposes for processing by CHG
The personal data of the Users shall be processed lawfully by CHG pursuant to Art. 6 of the Regulation for the following processing purposes.


2.1. Logistics
Should the User purchase a product on the Website according to the Terms and Conditions of Use of the Website, CHG shall process some personal data of the User, such as name, surname, address of residence and email address only for the purpose of planning the sending and to ship and deliver the purchased product as requested by the User. Without prejudice to what is provided for elsewhere in this privacy policy, in no case shall the Data Controller make the personal data of the Users accessible to the other Users and/or to third parties. The legal basis legitimating the processing of personal data for this purpose is found in Art. 6, par. 1, letter b) of EU Regulation no. 679/2016, that is since the processing is necessary to execute a contract of which the data subject is a party or to execute pre-contractual measures adopted upon their request.


2.2. Registration and navigation on the Website
The personal data of the User shall also be processed in order to permit Website navigation, that is to execute the Term and Conditions of the Website that are accepted by the User at the time of registration on the Website; to meet specific requests of the User. The user’s data collected by the Data Controller for the purpose of registration on the Website, if any, include: name, surname, email address and phone number, and all personal information of the User that they may voluntarily provide. Unless the User gives the Data Controller a specific and optional consent to process their data for the additional purposes set forth in the paragraphs that follow, the personal data of the User shall be used by the Data Controller for the sole purpose of ascertaining the User’s identity (also by validating the email address), in this way preventing possible fraud or abuse, and to contact the User for only service reasons (e.g. sending notifications concerning the services offered on the Website). Without prejudice to what is provided for elsewhere in this privacy policy, in no case shall the Data Controller make the personal data of the Users accessible to the other Users and/or to third parties. The legal basis legitimating the processing of personal data for this purpose is found in Art. 6, par. 1, letter b) of EU Regulation no. 679/2016, that is since the processing is necessary to execute a contract of which the data subject is a party or to execute pre-contractual measures adopted upon their request.


2.3. Customer assistance to return products
Should the User have made a purchase through the Website and wants to make a return using the methods established by the Terms and Conditions of the Website accepted by the User during registration, CHG shall process the User’s data, voluntarily provided by the User, in order to lend assistance and implement the operations necessary to meet the specific request of the User. Without prejudice to what is provided for elsewhere in this privacy policy, in no case shall the Data Controller make the personal data of the Users accessible to the other Users and/or to third parties. The legal basis legitimating the processing of personal data for this purpose is found in Art. 6, par. 1, letter b) of EU Regulation no. 679/2016, that is since the processing is necessary to execute a contract of which the data subject is a party or to execute pre-contractual measures adopted upon their request.


2.4. Marketing (sending of advertising, direct sales and sales communication material)
With the free and optional consent of the User, CHG may process the data of the data subject also for marketing purposes (sending of advertising, direct sales and sales communication material), that is so that CHG may contact the User by post, electronic mail, phone (landline and/or mobile, with automatic call or call communication systems with and/or without the intervention of an operator) and/or SMS and/or MMS to offer the User the purchase of products and/or services offered by CHG and/or by third-party companies, to submit offers, promotions and sales opportunities. The legal basis legitimating the processing of personal data for this purpose is found in Art. 6, par. 1, letter a) of EU Regulation no. 679/2016, i.e. since the data subject has given their consent.


Should consent not be given, the possibility to register with the Website shall in no way be compromised.


Should consent be given, the User may at any time revoke it by requesting revocation from CHG using the methods specified in paragraph 5 below.


The User may also easily object to further sending of promotional communications via email also by clicking the specific link to revoke consent, which is found in each promotional email. After revocation of the consent has been completed, CHG will send the User a message by electronic mail to confirm successful revocation of the consent. Should the User plan to revoke their consent to the sending of promotional communications by phone, in any case continuing to receive promotional communications via email, or vice versa, please send a request to the Data Controller using the methods specified in paragraph 5 below.


CHG informs that after the right to object to the sending of promotional communications via email has been exercised, the User may continue to receive some further promotional messages due to technical and operational reasons (e.g. formation of the mailing lists already completed shortly before CHG receives the objection request). Should the User continue to receive promotional messages after 24 hours have elapsed from the exercise of the right to objection, please report the problem to CHG using the contacts provided in paragraph 5 below.


2.5. Newsletters
With the free and optional consent of the User, some personal data of the User (i.e. name, surname, address, electronic mail address) may be processed by CHG also for the purpose of sending newsletters. Therefore, the User will receive a periodic newsletter from CHG that will contain information on new products and services and promotions found inside the Website and/or CHG initiatives. The legal basis legitimating the processing of personal data for this purpose is found in Art. 6, par. 1, letter a) of EU Regulation no. 679/2016, i.e. since the data subject has given their consent.


Should consent not be given, the possibility to register with the Website shall in no way be compromised.


Should consent be given, the User may at any time revoke it by requesting revocation from the Data Controller using the methods specified in paragraph 5 below.


The User may also easily object to further sending of communications also by clicking the specific link to revoke consent, which is found in each email containing the newsletter. After revocation of the consent has been completed, CHG will send the User a message by electronic mail to confirm successful revocation of the consent.


2.6. Soft spam
CHG may send the User promotional material through electronic mail messages relating to CHG services or products similar to those the User has already purchased. The legal basis legitimating the processing of personal data for this purpose is Art. 6, par. 1, letter f) of the Regulation and Art. 130, par. 4, Italian Legislative Decree 196/2003, since the processing is necessary in order to pursue the legitimate interest of the data controller in exercising an economic activity through promotional tools.


The User may also easily object to further sending of promotional communications via email also by clicking the specific link to revoke consent, which is found in each promotional email. After revocation of the consent has been completed, CHG will send the User a message by electronic mail to confirm successful revocation of the consent. In any case, the User may at any time revoke it by requesting revocation from the Data Controller using the methods specified in paragraph 5 below.


The disclosure of Data is necessary for providing the service requested by the User and is therefore mandatory for the purposes described in points 2.1, 2.2, 2.3 of the policy. In lack thereof, CHG cannot execute the request submitted by the User. The disclosure of Data for the additional purposes under point 2 is optional. In lack thereof, there will be non consequences for the User.


3. Processing methods and data retention time
The Data Controllers shall process the personal data of the Users using manual and electronic tools, with logics strictly related to the same purposes and, in any case, in such a way as to guarantee the security and confidentiality of the data. 


The personal data of the Users shall be stored for the amount of time strictly necessary to accomplish the primary purposes explained in paragraphs 1 and 2 above, or in any case as necessary in order to protect the interests of both the Users and the Data Controllers under civil law. 


In the cases described under paragraphs 2.4 and 2.5 above, the personal data of the Users shall be stored for the time strictly necessary for accomplishing the purposes explained in the same paragraphs and, in any case, for no more than twenty-four (24) months, respectively. The data processed for the purpose described in paragraph 2.6 shall be processed for the entire duration of the User’s registration with this website and with its services.


4. Scope of disclosure and circulation of data
The employees and/or collaborators of the Data Controllers appointed to manage the Website and all services connected with the provision of the Services may become knowledgeable of the personal data of the Users. Said subjects, who have been instructed in this sense by the Data Controllers pursuant to Art. 29 of the Regulation, shall process the data of the Users only for the purposes specified in this policy and in compliance with the provisions of the Applicable Legislation. 


Third parties that may process personal data on behalf of the Data Controllers in the capacity of “Data Processors” may also become knowledgeable of the personal data of the Users. By way of example, they may be providers of computer and logistics services functional for the operation of the Website and/or of the Services, outsourced providers of services or cloud computing, professionals and consultants.


The Users have the right to obtain a list of any data processors respectively appointed by each Data Controller by requesting it from the Data Controller in question using the methods specified in paragraph 5 below.


Furthermore, the personal data of the Users may be disclosed by the Data Controllers within the limitations in which this is necessary and essential in order to execute contractual obligations with autonomous third-party data controllers, such as the managers of payment services and of logistics services necessary for the delivery of the goods sold through the Website. Said autonomous data controllers shall process the User’s data only for the purpose of properly dispatching the orders relating to the Services.


5. Rights of the Data Subjects
The Users may exercise the rights guaranteed by the Applicable Legislation by contacting the Data Controllers using the following methods: 


For processing relating to the activities listed in paragraph 1 of this policy, the Users may contact Triboo using the following methods:

- By sending a registered letter with advice of receipt to the registered office: Viale Sarca 336, Edificio 16, 20126 - Milan, Italy
- By sending a message by electronic mail to the address: privacy@triboo.it

For processing relating to the activities listed in paragraph 2, the Users may contact CHG using the following methods:

- By sending a registered letter with advice of receipt to the registered office: Via Comolli, 16 - 20861 Brugherio (MB), Italy;
- By sending a message by electronic mail to the address data.protection@candy-group.com

Triboo shall comply with the requests of the Users relating to the processing described in paragraph 1, whereas CHG shall comply with the requests of the Users relating to the processing described in paragraph 2.


Pursuant to the Applicable Legislation, the Data Controllers inform that the Users have the right to obtain indication (i) of the origin of the personal data; (ii) of the processing purposes and methods; (iii) of the logic applied if they are processed with the aid of electronic tools; (iv) of the identification details of the Data Controllers and of the data processors; (v) of the parties or categories of parties to whom the personal data may be disclosed or that may come to their knowledge in the capacity of data processors or appointees. 


Furthermore, the Users have the right to obtain:

a) the access, updating, correction or, whenever they like, the integration of the data;
b) the deletion, transformation into anonymous form or the blocking of the data processed in breach of the law, including those of which storage in connection with the purposes for which the data have been collected or subsequently processed is unnecessary;
c) the acknowledgement that the operations listed under letters a) and b) have been made known to those to whom the data have been disclosed or circulated, also as regards their content, except for the case in which said fulfilment proves to be impossible or entails a use of equipment manifestly disproportionate compared to the protected right.


Moreover, the Users have:

a) the right to revoke their consent at any time should the processing be based on their consent;
b) (where applicable) the right to data portability (right to receive all personal data concerning them in a structured, commonly used format that can be read by an automated device), the right to limitation of the processing of the personal data and right to deletion (“right to be forgotten”);
c) the right to object:
i) fully or partially to the processing of personal data concerning them for legitimate reasons, even though pertinent to the purpose of the collection;
ii) fully or partially to the processing of personal data regarding them for the purpose of sending advertising or direct sales materials or to perform market research or sales communication;
iii) if the personal data are processed for direct marketing purposes, at any time to the processing of their data for said purposes, including profiling to the extent in which it is connected with said direct marketing.
d) should they believe that the processing regarding them infringes the Regulation, the right to submit a claim to a control authority (in the member State where they usually reside, in the one where they work or in the one where the alleged infringement occurred). The Italian control authority is the Personal Data Protection Guarantor, with offices in Piazza Venezia no. 11 - 00187 Rome, Italy (http://www.garanteprivacy.it/).


The Data Controllers are not responsible for updating all the links displayed in this Policy, so every time a link is not operational and/or updated the Users acknowledge and accept that they should always refer to the document and/or section of the websites to which said link refers.