1. PERSONAL DATA CONTROLLERS
Your personal data will be processed by Hausmann Cross srl, with registered office in Rome, via dei Condotti 28, email firstname.lastname@example.org, in the person of its legal representatives (hereinafter, the “Company”), an independent controller of the processing of personal data, as well as by Hausmann Service Srl (hereinafter Hausmann Service, which carries out direct marketing processing for the Hausmann & Co. Group) with registered office in Rome, Piazza di S. Lorenzo in Lucina, 4, email: email@example.com, in the person of its legal, also as an independent data controller.
2. CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA PROCESSED
2.1 We inform you that personal data means any information which the Data controllers have acquired in relation to the Data subjects for the pursuit of the purposes referred to in paragraph 3 below (“Personal Data”). The processing is envisaged of common personal data not belonging to special categories (hereinafter “Common Personal Data”) as well as the processing of special data as per art. 9 of the GDPR where such information has been provided by the Data Subjects in the context of the invitation to events sponsored by the Companies (hereinafter “Special Personal Data”), and the real time body temperature scan while entering Company’s sites.
2.2 Data Subjects involved in the processing of Personal Data by the Data Controllers are natural persons who are already customers or potential customers who come into contact with the Company and/or Hausmann Service, or those who make the payment on behalf of the customer (hereinafter, the “Data Subjects”).
2.3 The processing of Personal Data relating to criminal convictions and offences is not envisaged.
3. PURPOSE AND LEGAL BASIS OF THE PROCESSING OF PERSONAL DATA
Processing carried out by the Company
3.1 The Company shall process the Common Personal Data of the Data Subjects within the scope of its business activity, for the purposes indicated below:
a) on the basis of contractual obligations, without the express consent of the Data Subjects, pursuant to and for the purposes of article 6, sub-section 1, letter b) of the GDPR to provide sales and assistance services as regards the purchased products and the carrying out of any activity related to such services, payments included;
b) on the basis of obligations deriving from national laws and regulations, Community legislation, provisions issued by authorities legitimated by law or by other supervisory and control bodies, without the express consent of the Data Subjects pursuant to and for the purposes of article 6, sub-section 1, letter c) of the GDPR;
c) for any defensive activity necessary to assert the Data Controller’s rights in court or at a preliminary stage of the proceedings, in accordance with article 6, sub-section 1, letter f or article 9, sub-section 2, letter f) of the GDPR.
d) the Special Personal Data of the Data Subjects will be processed, following the specific prior consent of the Data Subjects, pursuant to art. 6, sub-section 1, letter a) and art. 9, sub-section 2, letter a) for the processing and communication of Personal Data to catering companies and to companies which organise events sponsored by the Companies or their partner watch manufacturers, in order to meet the specific needs and/or dietary tastes of the Data Subjects;
e) on the basis of the legitimate interest in accordance with article 6, sub-section 1, letter f) of the GDPR of the Companies and watch manufacturers in preventing counterfeiting and the sale of watches on parallel markets;
f) on the basis of obligations deriving from national laws and protocols anti-pandemic derived from COVID-19 or the self-declaration of health and COVID-19 virus exposure;
g) on the basis of contractual obligations in accordance with article 6, sub-section 1, letter b) of the GDPR, for the delivery of specific requests of special or unique watches to watch companies, in order to be examined by them (manifestations of interest).
Processing performed by Hausmann Service
3.2 Hausmann Service, as an independent data controller, will process the Common Personal Data of the Data Subjects for the purposes indicated below:
a) with the prior express consent of the Data Subjects, collected in accordance with the Privacy Legislation, to send advertising or direct sales material or to perform market research or commercial communication on latest products, activities and organised events, carried out using any automated contact tool, including automated call systems without operator (so-called pre-recorded phone calls) or in a manner similar to the former (such as: email, SMS) pursuant to article 130, sub-sections 1 and 2 of Legislative Decree no. 196/2003 (hereinafter, “Privacy Code”). The consent given for the sending of commercial and promotional communications, on the basis of art. 130, sub-sections 1 and 2 of the Privacy Code, also extends to the traditional methods of contact, such as paper mail and/or calls through the operator. Hausmann Service will ensure that direct marketing initiatives are carried out in a proportionate and non-invasive manner, ensuring that only communications which, based on the information in its possession, are deemed to be of interest or relevant (direct marketing) are sent.
b) subject to the specific express consent of the Data Subjects, collected in accordance with the Privacy Legislation, to analyse, including with automated tools, the preferences and habits of each in order to promote and/or offer customised goods and services; (profiling) also in the context of social campaigns such as custom audience and lookalike campaigns, in which Data of the Data Subjects could be used to create Hausmann Service’s campaigns on these social network. If the specific express content has been collected by a third social network, Hausmann Service could address to the interested , through the questioned social network, promotional messages similar to those received by clients or prospects of Hausmann, with the same characteristics as of the Data Subjects;
c) on the basis of the legitimate interest, to communicate their Data to the Brands for their direct marketing purposes;
d) on the basis of contractual obligations, in organising and managing events to which the Data Subject registered.
e) for the generation of proofs of purchase through Fungible Tokens (NFTs) released to the clients,as particular way of execution of the contract.
4. METHODS OF PROCESSING PERSONAL DATA
4.1 In relation to the purposes indicated in paragraph 3 above, the processing of Personal Data is carried out by the Data Controllers in accordance with the Privacy Legislation, in particular:
i. it is carried out using manual media and also with the aid of electronic or automated media, in any case, capable of ensuring the security and confidentiality of the data, and preventing unauthorised access to the Personal Data by third parties;
ii. it is carried out directly by the Data Controllers’ organisation and/or by data processors appointed by them.
4.2 TAll the Personal Data will be kept by the Data Controllers for the time strictly necessary for the pursuit of the purposes for which they were collected, as referred to in paragraph 3 above, respecting the principle of minimization under article 5, sub-section 1, letter c) of the GDPR, without prejudice to any specific legal obligations, including those on the storage of accounting documents. The Special Personal Data will be erased by the Data Controller once the organisation of the event for which they were collected has been completed. In relation to the purposes indicated in section 3.2 letters a) and b), and in consideration of the fact that the sale concerns goods of considerable value the purchase of which is made on average about every decade, in view of the life cycle of the products sold and the value of the same, the storage of Common Personal Data, without prejudice to any objection to processing, any revocation of consent to processing or any invalidation of the legal basis, is 10 years from the collection of the personal data, or from the last event in which the Data Subjects participated or from the last update of the personal data made or requested by them. At the end of such period, the Common Personal Data will be erased or irreversibly anonymised. Concerning purposes indicated in section 3.1 letter f), body temperature measured and Data Subject identity will be registered only in case it is necessary to evidence the reason for not letting the Data Subject entering the store/office, for a limited period of time until the end of national emergency; self-declarations will be kept for a limited period at the end of national emergency.
5. COMMUNICATION OF DATA
5.1 In the pursuit of the purposes referred to in paragraph 3 above, the Common Personal Data may be communicated and/or in any case shared with third parties and consultants or suppliers, for the purpose of organising events and providing services requested by the Data Subjects or for administrative, financial and accounting purposes, as well as with other entities which provide services to the Data Controllers and, on a mediation basis, to the Data Subjects. The Common Personal Data will be communicated to watch manufacturers for the purpose of monitoring any sales of watches on the parallel market. The Special Personal Data may be communicated, with the specific prior consent of the Data Subjects, only to the catering companies and to the companies organising events sponsored by the Companies or their partner watch manufacturers, in order to satisfy the specific needs and/or food tastes of the Data Subjects.
5.2 Some of the entities indicated in paragraph 5.1 above will process the Personal Data in their capacity as data processors of the Data Controllers, by virtue of an appointment as external data processor made by them pursuant to and for the purposes of art. 28 of the GDPR. The list of names of the data processors, pursuant to art. 28 of the GDPR, will be made available to the Data Subjects by the Data Controllers upon request.
5.3 Other entities (such as lawful authorities or other supervisory and control bodies) may process the Personal Data received from the Data Controllers as independent data controllers.
5.4 The natural persons, employees and collaborators of the Data Controllers, authorised to process the Personal Data provided by the Data Subjects, act under the instructions of the Data Controllers and subject to confidentiality constraints.
5.5 Personal Data may be communicated, pursuant to art. 6, sub-section 1, letter f) and Recitals 47 and 48 of the GDPR, to companies belonging to the Hausmann Group for administrative and accounting purposes, meaning those related to organisational, administrative, financial and accounting activities, regardless of the nature of the data processed.
5.6 In case of theft, loss or finding of your watch, the Company could treat your Personal Data in order to send them to watchmaking companies so as to register your request, give you assistance and contact you back in case of necessity.
6. DISSEMINATION AND TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION
Personal Data are not subject to dissemination or transfer to countries outside the European Union or international organisations. If such transfer should become necessary and/or inevitable for organisational reasons, it should be noted that it will only be made to countries considered safe by the European Commission or, in any case, in one of the ways permitted by applicable law and in particular in compliance with the appropriate guarantees under article 46 of the GDPR, for example by signing the Standard Clauses approved by the Commission or on the basis of one of the exceptions provided for in article 49, such as the consent of the Data Subjects.
7. RIGHTS OF DATA SUBJECTS
7.2 The Data Subjects may also lodge a complaint with the Supervisory Authority for the Protection of Personal Data, following the procedures and indications published on the official website of the aforementioned authority (www.garanteprivacy.it).
7.3 In order to exercise the rights indicated in this paragraph, as well as for any possible clarification, the Data Subjects may contact the Data Controllers directly by sending an email message or a letter by ordinary mail to the addresses indicated above.