PRIVACY POLICY

INFORMATION NOTICE PURSUANT SECTION 13, D.LGS. 196/2003

Data controller
This privacy policy applies to Pupa websites www.pupa.it, www.pupastyle.it (together also “Sites”) and to the web application by PUPA Milano. Data controller, pursuant Section 28 D.lgs.196/2003 (hereinafter “Privacy Code” or “Code), is MICYS COMPANY SpA (hereinafter also “PUPA”), with its registered office in Monza, via Appiani 25 and headquartered (hereinafter "HQ") in Casatenovo (LC), via de Gasperi 22, Vat IT02089840967, Tax Code 0208984096, registration number Monza e Brianza Chamber of Commerce No.02089840967. 

The Data Protection Officer (DPO) may be reached at: dpo@pupa.it

Purposes of the processing
As better explained in the sections that allow users to join - by giving their personal information - to services provided for by the Site, users’ data are processed to allow us to respond to their specific requests. In particular, collection and subsequent processing of data are done for the following purposes:

•   Site registration;

•   Subscription to the e-mail newsletter;

•   Purchase of Pupa products;

•   Content sharing over the Site; 

•   Customer relationship management;

•   Submission of resumes;

•   Requests of information; 

•   Registration to myPUPA Community;

•   Entering and participating to promotions, such as fidelity cards and bonuses/coupons offered to the customers;

•   Use of Pupa application available on the Apple Store for iPhone and iPad, or of other Pupa applications developed for different platforms (Facebook, Twitter, etc.).

Providing your personal data is optional, although failure to do so could make it impossible for the Data Controller to provided the requested services/features. Pupa does not request the consent to the processing of personal data for the above mentioned processing (except for what specified futher below) since for the related purposes processing is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract" (Article 6.1.b) of the GDPR).

When purchasing products or services in the PUPA e-shop, Micys, as the data controller, may send promotional emails about products or services similar to those purchased by the data subject, who may oppose immediately to the sending of such emails by sending an email to privacy@pec.pupa.it.
Pupa will not use the data provided for purposes other than those provided for the above mentioned service, that the user has requested, or within the specified limits from time to time described in the eventual additional specific information notice for a different and particular service requested by the user.

The GDPR does not apply to the processing of aggregate or anonymous data.

Subjects that process your data
For purposes connected to the provision of services requested by the user, personal data will be made available to third parties, who will act autonomous data controllers in providing their services as requested by the user (for example, companies that delivery purchased products) or to whom the communication of data is required to comply with laws or regulations.
We have appointed data processors. In particular,  we have appointed as external data processor for providing hosting service Salesforce.com, Inc. Address: The Landmark @ One Market Street, San Francisco, CA 94105, USA.
The updated list of data processors is available upon request sent to the data controller.
Personal data will be made available to people expressly authorized by the data controller - and so appointed as persons in charge of the processing, who carry out processing activities necessary for the purposes listed above; such appointed individuals belong to administrative personnel, communication, accounting, legal advice, technical maintenance of information systems, and marketing personnel, depending on the specific request made by the data subject over this Site.
Your data may be transferred abroad, to European Union countries or to other countries deemed as safe by the European Commission, or even to Countries outside the European Union which are not included in the list of safe Countries, with which we will stipulate in advance, the specific agreements for the protection of your privacy, containing standard contractual clauses given by the European Commission decision of 5 February 2010, or that has obtained the Privacy Shield certification for data transfers between EU and US.

How we process your data
All processing activities performed as part of the services available through this Site is made by electronic or telematic means, or by print/manual means.
The data will be processed within the purposes for which they were collected and in compliance with current security standards, for the purposes listed above or specified from time to time in any further information notice given to the user. Personal data will be processed for the time strictly necessary to achieve the purposes for which they are collected.

Types of personal data processed and optionality for provision of personal data
The forms to be filled on this Site provides both for personal data that are strictly necessary to request  which if not given it won’t be possible to proceed with the request, and for personal data that is optional and not strictly necessary to respond to requests.

Navigation data
During their normal operation, the computer systems and software procedures used by this website acquire some personal data, the transmission of which is implicit in the use of internet communication protocols. This is information which is not collected in order to be associated with particular persons, but which by its nature could, through processing and combination with data held by third parties, enable users to be identified. This category includes: IP addresses and domain names of computers utilized by users to connect to the website, addresses of requested resources in URI (Uniform Resource Identifier) notation, the time the request was made, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the state of the response given by the server (successful conclusion, error, etc.) and other parameters relating to the user’s operating system and informatics environment.
This data is used solely to obtain anonymous statistical information on the use of the website and to verify that it is functioning correctly (see also the paragraph on Cookies). The data could be used by the competent authorities to ascertain responsibility in hypothetical cases of computer-related crime resulting in damage to the site.: other than this occurrence, personal data are not stored for more than seven days.

Personal data provided voluntarily by the user
Personal data normally required for the use of services of this Site is constituted by personal records, contact and payment instruments and details. The optional, specific and voluntary sending of e-mail to addresses listed on this Site or filling out electronic forms of contact involves the subsequent acquisition of sender’s address, necessary to respond to requests, and any other personal data included in the message. Specific brief information notices will be provided or displayed on web pages dedicated to specific on demand services. Generally, sensitive data is not processed as per Section 4 D.lgs. 196/2003 (in case of processing of sensitive data for certain services a specific information notice will be given together with the express request for consent by the data subject).

Social plug-ins
Access to the Site and services can be performed by using credentials provided by a third party, such as Twitter, Facebook, or similar services ( "Social Plug-ins"). In this case, the user shall check the service's settings and read carefully the policies of the third party provider, as he may authorize such third party vendor to share his personal information and to authorize Micys to collect information such as contacts, friends and other user personal data. We will store the user's account identification code associated with the third party provider when using it to log in to Pupa or sharing content over the Site; personal data will be stored for as long as necessary to provide the services required. If the user creates a Pupa account or use the Site's services by connecting through social plug-in buttons, we may use the information in the account of origin to complete his profile on the Site. User may update or change the information of the profile and contact information at any time through the social plug-ins. We may also collect information about user and his use of our services through cookies and other similar technologies implemented on the site, in the terms explained in the specific section of this policy. The Company may process your Contact Information to enable you to access your Personal Area of the site and take advantage of the services available through it. If you choose this option, you will be able to access the Personal Area using only your Google data. The Company emphasizes that in this case the only data that will be communicated by Google will be your first name, last name and e-mail address. No other data related to your social profile will be transmitted to the Company, which has implemented this system solely for the purpose of simplifying the registration process.

Cookies

For more information on how Pupa uses cookies and other technologies, please check the information notice available at: https://www.pupamilano.com/cookies.html
 

Data subjects’ rights
You have the right to access your Personal Data at any time in accordance with Articles 15-22 of the GDPR. In particular, you may request the rectification, erasure or restriction of the processing of such data in the cases provided for by Article 18 of the GDPR, you may obtain the portability of Personal Data relating to you in the cases set forth by Article 20 of the GDPR, as well as to lodge a complaint with the competent supervisory authority under Article 77 of the GDPR (Data Protection Authority). You may object to the processing of your Personal Data pursuant to Article 21 of the GDPR in which you give evidence of the reasons for your objection: the Controller reserves the right to evaluate your request, which will not be accepted if there are legitimate grounds for the processing which override your interests, rights and freedoms.
Requests shall be made in writing and sent to the Controller at the following address: privacyIT@pupa.it