Privacy Policy eShop
DATA PROTECTION POLICY PURSUANT TO ARTICLE 13 OF REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL DATED 27th APRIL 2016 ("GENERAL DATA PROTECTION REGULATION")
1. Premise: the role of SLAM.COM. S.P.A. and CALICANTUS S.R.L. in the processing of personal data collected via the present Website
The following information is intended for all persons who register and/or carry out purchases on the official e-commerce website: SLAM.COM (hereinafter referred to as the 'Website').
On the Website you may purchase SLAM-branded clothing (hereinafter referred to as 'Products').
The Website is owned by SLAM.COM. S.P.A. (hereinafter 'SLAM'), which is also the owner of the domain name and the provider of the registration service to the Website.
The offer and sale of the Products on the Website are carried out by CALICANTUS S.R.L., which, upon SLAM's authorisation and mandate, is in charge of managing the sales and transactions carried out through the Website (e.g.: order management, sale and delivery of products).
SLAM provides the services that allow the access, browsing and registration to the Website, which are necessary in order to be able to purchase Products, as well as accessing related support services.
SLAM and CALICANTUS shall process the personal data provided by you for registering on the Website and respectively, for the conclusion of the purchase contract through the Website as autonomous controllers (each referred to an as "Autonomous Controller" and jointly as "Autonomous Controllers "), in compliance with the provisions of EU Regulation 679/2016 (the "Regulation") and Legislative Decree n. 196 of 30th June 2003 (the "Privacy Code") as amended by Legislative Decree n. 101/2018.
Specifically:
- SLAM will process your personal data, as an Autonomous Controller, in order to manage the access to the Website and to facilitate the purchase of the Products as well as to allow the registration to the Website and the possible conclusion of the purchase contract through the Website and, subject to your consent, for generic marketing and/or profiling purposes;
- CALICANTUS shall process the user's personal data, as an Autonomous Controller, in order to enable the conclusion of the purchase contract, to execute the obligations arising from such contract, to fulfil all legal obligations, including tax and administrative obligations, arising from the same as well as for the other purposes related to such contract and/or the execution of pre-contractual measures, as described in this policy notice.
For any specific exceptions to this policy, please refer to the provisions of the Privacy and Cookie policy of the Website.
2. Identity and contact details of SLAM and CALICANTUS as Autonomous Controllers
2.1 The identification and contact details of SLAM are as follows:
SLAM.COM S.p.A.
Via A. Manzoni, 3 - 20121 MILAN
Management - Mura Santa Chiara 1 - 16128 GENOA; tel. no. +39 010/84201
Fiscal code and VAT no.: 11806840960.
REA MI - 2625579
Website: www.slam.com
E-mail: privacy@SLAM.com
SLAM has appointed:
- Managers (authorised to process personal data). The up-to-date list of data processing managers is kept at the Data Controller's head office.
- Data Processors. The updated list of data processors is kept at the Data Controller's head office.
2.2 The identification and contact details of CALICANTUS are as follows:
CALICANTUS S.R.L
c.a. Customer Service Shop
Via Luigi Mazzon 28-30, 30020 Quarto D'Altino (VE)
Tax code and VAT no: IT037590272
REA VE-335872
Website: https://calicant.us/
E-mail: privacy@calicant.us
PEC: calicantussrl@dadapec.com
CALICANTUS has appointed:
- a D.P.O. (Data Protection Officer) and Data Protection Manager - who can be contacted by e-mail: nicola.ghinello@dpo-rpd.com.
- Managers (authorised to process data). The up-to-date list of data processing managers is kept at the Data Controller's head office.
- Data Processors. The updated list of data processors is kept at the Data Controller's head office.
3. Data processing by CALICANTUS S.R.L. for the purposes of concluding and executing the purchase contract and customer care
CALICANTUS, as an Autonomous Controller, will process your personal data:
- to enable the conclusion of the purchase contract via the Website (e.g. loading Products into the cart and choosing your preferred payment method);
- to perform the obligations incumbent on CALICANTUS under such contract, such as, by way of example, the delivery of the Products sold;
- to enable you to fulfil your obligations arising from the purchase contract concluded through the Website, such as, for example, the online payment of products purchased;
- for general assistance and customer care activities and thus for responding to requests for information from users, or for responding to complaints, reports and objections, provided this lies within the competence of CALICANTUS.
The legal basis for this processing is the fulfilment of the contract in question (Art. 6.1.b) of the Regulation).
For this purpose, CALICANTUS shall process your data for the time strictly necessary to carry out the individual processing activities (e.g.: the data necessary for the execution of the purchase contract, until the delivery of the product or, in case of non-delivery, until the termination of the contract). It is understood that, once this term has expired, CALICANTUS may keep the data for the purposes and for the maximum retention periods illustrated in this policy notice and/or, in any case, in the cases established by the Regulation and/or the current legal framework.
The provision of data for the purpose in question is optional: that is, there is no legal or contractual obligation to communicate the data; it is, however, a necessary requirement for the conclusion of the purchase contract through the Website: failure to communicate the data will therefore make it impossible for the user to conclude such a contract and therefore to make purchases through the Website.
4. Data processing by CALICANTUS S.R.L. for administrative, accounting and tax purposes
CALICANTUS, as an Autonomous Controller, shall process users' data for the purpose of fulfilling administrative and/or accounting and/or tax obligations related to the purchase contract concluded through the Website, such as, by way of example, the keeping of accounting records and the issuance of the sales invoice.
The legal basis for this processing is the fulfilment of legal obligations to which CALICANTUS is subject (Art. 6.1.c) of the Regulation).
The provision of data for this purpose is compulsory, as their processing is necessary to allow CALICANTUS to fulfil its legal obligations. Any refusal to provide data for this purpose shall result in the impossibility for the user to conclude the purchase contract through the Websites.
For this purpose, CALICANTUS shall process the user's data until the expiry of the legal deadlines stipulated for the fulfilment of each administrative-accounting and fiscal fulfilment and/or for the storage periods stipulated by law with regards to the preservation of the related documentation.
5. Data processing by CALICANTUS S.R.L. for payment purposes
CALICANTUS, as an Autonomous Controller, will not store users' credit card data. CALICANTUS has a relationship of a contractual nature with payment service providers and/or acquirers and/or banks in order to provide the order collection service. The association between CALICANTUS as seller, the user as debtor and the Payment Service Providers and/or acquirers and/or banks takes place by means of a secret code ("token"), generated by means of modules and/or plug-ins for the e-commerce software platform of the Website provided directly by the Payment Service Providers and/or acquirers and/or banks.
Users' credit card data may also be stored and managed, subject to the user's consent, by Payment Service Providers and/or acquirers and/or banks in order to facilitate the payment of purchases subsequent to the first transaction, or their reimbursement, if applicable.
Links:
- Braintree https://www.braintreepayments.com/it/legal/data-protection-addendum
- Paypal https://www.paypal.com/it/webapps/mpp/ua/privacy-full
- Stripe https://stripe.com/en-it/privacy
6. Data processing by CALICANTUS S.R.L. for the purpose of enabling the user to exercise their rights
CALICANTUS, as an Autonomous Controller, will process users’ data for the purposes of:
- responding to requests to exercise their right of withdrawal and/or requests to exercise the legal guarantee of conformity and/or other rights arising from the purchase contract concluded through the Website and/or provided by law in relation to said contract;
- carrying out any activities that prove necessary as a consequence of the exercise of such rights and to proceed, where appropriate, to the relevant refunds;
- receiving and responding to requests to exercise personal data protection rights under the Regulation and carrying out all subsequent activities.
The legal basis for this processing is the fulfilment of legal obligations to which CALICANTUS is subject (Art. 6.1.c) of the Regulation).
The provision of data for this purpose is compulsory, as said data’s processing is necessary to allow CALICANTUS to fulfil legal obligations as well as to allow the user to exercise their rights attributed to them by law or contract. Any refusal to provide data for this purpose shall result in the impossibility for the user to exercise such rights.
For this purpose, CALICANTUS shall process the data until the expiration of the legal terms provided for the exercise of such rights (prescription and/or forfeiture period) or, in the event of the exercise of such rights, for the time necessary to process and close the relevant process; in the event rights exercised and provided for by the Regulation, the data shall be processed until the data controller's certification is provided that the request has been fulfilled or until the fulfilment itself, whichever occurs last.
7. Data processing by SLAM for marketing purposes.
SLAM, as an Autonomous Controller, will process the user's personal data in order to send via e-mail, traditional post and/or SMS and/or telephone calls, newsletters, commercial communications and/or advertising material about the Products and/or customer satisfaction surveys.
The legal basis for this processing is the express consent of the user (Art. 6.1.a) of the Regulation), which can be revoked at any time by sending a communication to the following e-mail address: privacy@slam.com. Withdrawal of consent shall not affect the lawfulness of the processing carried out prior to such withdrawal.
SLAM may retain the data for the purposes and for the maximum retention periods illustrated in this policy notice and/or, in any case, in the cases established by the Regulation and/or the pertinent legal framework.
The provision of data for the purpose in question is optional, i.e. there is no legal or contractual obligation to provide such data. Failure to authorise processing, while in no way preventing the use of the Website, may not allow the user to take full advantage of the customer benefits offered through the newsletter and information of a promotional and direct marketing nature.
For this purpose, SLAM will process the user's data for 24 months after registration of the data collected.
8. Data processing by SLAM for profiling purposes.
SLAM, as an Autonomous Controller, will process the user's personal data for the purpose of forwarding information on promotional initiatives modelled on the data provided by the user.
The legal basis for this processing is the express consent of the user (Art. 6.1.a) of the Regulation), which may be revoked at any time by sending a communication to the following e-mail address: privacy@slam.com. Withdrawal of consent shall not affect the lawfulness of the processing carried out prior to such withdrawal.
SLAM may retain the data for the purposes and for the maximum retention periods illustrated in this policy notice and/or, in any case, in the cases established by the Regulation and/or the pertinent legal framework.
The provision of data for the purpose in question is optional: that is, there is no legal or contractual obligation to communicate such data. Failure to authorise their processing, while not preventing in any way the use of the Website, may not allow SLAM to send personalised communications to users.
For this purpose, SLAM will process the user's data for 12 months after registration of the data collected.
9. Data processing by SLAM and CALICANTUS S.R.L. for the purpose of ascertaining, exercising or defending legal rights
SLAM and CALICANTUS, as Autonomous Controllers, will retain users' data for the purpose of establishing, exercising or defending legal rights in all competent legal jurisdictions.
The legal basis for this processing is legitimate interest (Art. 6.1.f) of the Regulation).
It is a legitimate interest of the data controller to pursue remedies to ensure compliance with its contractual rights or to demonstrate that it has fulfilled its obligations arising from the contract with the data subject or imposed on the data controller by law. This legitimate interest is, in turn, based on the constitutionally protected right of self-defence. It may therefore be deemed to prevail over the fundamental rights and freedoms of the data subject, also by reason of the data subject's reasonable expectations.
The user has, in any case, the right to object, at any time, on grounds relating to their personal situation, to the processing of personal data concerning them for the purpose in question (i.e. defence of a right/justice).
The person concerned may exercise their rights by contacting SLAM and/or CALICANTUS at the contact details given in section 2 of this policy notice.
The user is informed that, in particular, SLAM and/or CALICANTUS will store and possibly use the data:
- for the purpose of proving the fulfilment of the purchase contract and/or to initiate or respond to actions relating to such contract before any administrative and/or judicial authority and/or to protect one's rights in the preparatory stages of the legal proceedings and/or other relevant proceedings; for this purpose, the data shall be retained for [10 years from delivery of the product or from termination of the contract, in the event of non-delivery of the product];
- for the purpose of proving that you have consented to the exercise of your rights under the Rules and/or the pertinent legal framework (e.g. right of withdrawal; legal guarantee) and/or the purchase contract and that you have carried out the provisions of the law and/or the contract in this respect (e.g. refund, in the case of exercising the right of withdrawal);
- for the purpose of proving that they have responded to users' complaints and/or allegations;
- in the event of the rights provided for in the Regulation being exercised, the data will be retained for [5 years from the date of acknowledgement of the data subject's request or from such acknowledgement, if later];
- in the event of the rights provided for in the purchase contract or by law being exercised, the data shall be retained for [10 years, starting from the closure of the relative procedure or the performance of the action defining it] (e.g.: refund, in case of withdrawal; or delivery of the replacement product, in case of legal guarantee); closure of the procedure refers to the last correspondence relating to the exercise of the rights in question);
- in the event of complaints and/or reports and/or disputes, the data will be kept for [three years from the closure of the relative procedure], which shall be deemed to be the last correspondence on the matter.
The provision of data for this purpose is optional: there is no legal or contractual obligation for the data subject to provide data for this purpose. For this purpose, data collected initially for a different purpose are used, the further processing of which is allowed as it is based on the legitimate interest of the data controller, given the compatibility of this further purpose with the initial purpose of the collection, while also taking into account the fact that, to the extent that the processing is necessary for the establishment, exercise and defence of a legal right, the data controller is also exempted from the obligation to erase the data, by express provision of the Regulation.
In fact, if the right to object is exercised, the data controller shall refrain from further processing the personal data in question, unless they demonstrate the existence of compelling legitimate grounds for processing which override the interests, fundamental rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
10. Categories of persons to whom SLAM and/or CALICANTUS S.R.L. disclose your personal data (recipients)
The personal data provided by the user may be communicated by the Data Controllers to the categories of recipients indicated below.
The persons to whom the Data Controllers communicate the data act as external data controllers designated by contractual agreement ("Data Processors") or as persons authorised to process personal data under the direct authority of the Data Controllers ("Designated/Authorised Processors") or, in the case of third parties used by the Data Processor, as "Sub-Processors", pursuant to Art. 28.4 of the Regulation, except in cases where the Recipient acts as an independent data controller, such as, for example, in the case of Payment Service Providers, or as in the case of couriers.
Users' personal data may be disclosed by the Controller to the following categories of recipients:
- to employees and/or collaborators of the Controllers, for the performance of administration, accounting and IT functions and logistical support activities;
- to companies, consultants or professionals who may be entrusted with the installation, maintenance, updating and, in general, the management of the Data Controllers' hardware and software, including the providers of cloud computing and chat services, and to third parties whose services they use;
- to companies carrying out logistical support and/or warehousing and/or packaging and/or shipping and delivery or collection of products purchased on the Websites and to third parties whose services they use;
- to the Payment Service Provider and/or acquirer and/or banks for the purpose of enabling payment for purchases made on the Websites or their reimbursement, where applicable and to third parties used by them;
- to all those subjects, including public authorities, who have access to the data by virtue of regulatory or administrative regulatory frameworks and measures.
- to all those public and/or private persons, natural and/or legal persons (legal, administrative and tax consultancy firms), if the communication is necessary or functional to the correct fulfilment of contractual obligations undertaken in relation to purchases through the Websites as well as obligations arising from the law or in the case of ascertainment, exercise or defence of a right.
The list of recipients of each Holder is available at their head office.
11. Transfers to non-EU countries
Users' personal data collected through the Website will not be transferred to countries outside the EU.
12. Data subject’s rights
In all cases provided for in the Regulation, the data subject has the right to obtain from the data controller access to their personal data, rectification, integration, erasure or restriction of processing or to object to processing, as well as the right to data portability (Art. 15 et seq. of the Regulation).
Such a request may be made simply by contacting CALICANTUS and/or SLAM at the addresses provided in section 2 of this policy notice.
A data subject who wishes to make use of their right(s) may find the template for exercising personal data protection rights at the following link: https://www.garanteprivacy.it/home/modulistica-e-servizi-online#diritti
The data subject also has the right to:
- object at any time, on grounds relating to their particular situation, to the processing of personal data concerning him or her carried out for the purposes set out in this notice and based on the legitimate interests of the data controller;
- obtain from the data controller confirmation as to whether or not personal data relating to them are being processed and, if so, to obtain access to the personal data and information set out below;
- obtain from the data controller the rectification of personal data concerning them without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, by also providing a supplementary declaration;
- obtain from the data controller the erasure of personal data concerning them without undue delay. The data controller is obliged to erase the personal data without undue delay if one of the following grounds exists:
- personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject objects to processing based on the legitimate interest of the data controller on grounds relating to their particular situation (and, therefore, in cases of objection to processing for the purposes set out in this notice);
- personal data are unlawfully processed;
- personal data must be deleted to fulfil a legal obligation.
- obtain from the data controller the restriction of processing when one of the following cases occurs:
- the data are inaccurate or unlawfully processed and the data subject objects to their deletion;
- even though the data controller no longer needs the data for processing purposes, the data are necessary for the data subject to assert a right in court.
- receive, in a structured, commonly used and machine-readable format, personal data concerning them as provided to a data controller;
- transmit the data to another controller without hindrance from the controller to whom the data had been provided, if the processing is based on given consent or on a contract concluded with the data subject and is carried out by automated means.
The person concerned may exercise their rights by contacting CALICANTUS and/or SLAM at the contact details given in section 2 of this notice.
In the event of the right being exercised, the data controller shall refrain from further processing the personal data, unless they can demonstrate the existence of compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
13. Time and manner of response in the event of the data subject's rights being exercised
The data controller shall provide the data subject with information about the actions taken in relation to a request to exercise the rights recognised by Articles 15 to 22 of the Regulation (i.e. right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object) and referred to in section 12 of this policy notice ("Data Subject's Rights"), without undue delay and, in any case, within one month from receipt of the request. This deadline may be extended by two months if necessary, taking into account the complexity and number of requests. The data controller shall inform the data subject of this extension, and of the reasons for the delay, within one month of receipt of said request. If the data subject submits the request by electronic means, the information shall be provided, where possible, by electronic means, unless otherwise specified by the data subject.
If the data controller does not comply with the data subject's request, the data controller shall inform the data subject without delay, and at the latest, within one month of receipt of the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial solution.
Communications in response to the exercise of the Data Subject's Rights and actions taken are free of charge. If the data subject's requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the data controller may:
- charge a reasonable fee, taking into account the administrative costs incurred in providing the relevant communications or taking the requested action;
- refuse to comply with the request.
Where the data controller has reasonable doubts as to the identity of the natural person making the request relating to the Data Subject's Rights, they may request further information when necessary to confirm the identity of the data subject.
14. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial solution, a data subject who believes the processing operations concerning them are in breach of the Regulation shall have the right to lodge a complaint with a supervisory authority, specifically within the Member State where they normally reside, work or where the alleged breach has occurred. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status or outcome of the complaint, including the possibility of a judicial solution.