In compliance with Art.13 and 14 of GDPR, Maxima S.r.l. gives this notice to all users who access the e-commerce platform on the website www.maximabags.com/ (Website) and use it without making any registration (Visitor User), or, following of the registration process, use the service of e-commerce dedicated to registered users (Registered User).
This notice does not refer to other websites that users can access through the links that may be present on the Site. These other websites will be subject to the regulations set out in their respective privacy policies.
The controller data
The Data Controller is Maxima S.R.L., Social Security and Vat Number 10563310159, with registered office in Milan 11, Via Orobia, email: firstname.lastname@example.org (“Controller”).
Categories of data processed
It’s possible to access the Site without the user being asked to provide any personal data.
However, the computer systems and software used by the Website collect, for the purposes of normal operation, some data the transmission of which is implicit use in the of Internet communication, such as, the IP addresses of the computers used by users who connect to the platform, the URL of the requested resources, the time of the request, etc. These data are used only to collect anonymous statistical informations about the use of the platform and to check its correct operation. These data are deleted immediately after processing without processing of information directly identifying users.
The Data collected through the registration, the creation of an account on the Website and the placing of purchase orders - through the e-commerce service - are the Data necessary to allow the registration of the account and to execute purchase orders. In particular, these are the following Data: first name, surname, private address and date of birth; phone number, mobile number, Social Security Number and /or Vat number and reference company of the Registered User. Furthermore, Registered Users may spontaneously provide additional Data by entering them in the appropriate "supplementary data" box in the "your addresses" section.
Registered Users and Visitors Users can send messages through the "contact" page: the Data collected will be those communicated by users in order to obtain information in relation to the services / products provided by the Website.
Source of data processing
Personal Data are directly gathered from users or from third parties (cookie).
In relation to the Data gathered from users, in order to allow the Controller to keep the exact and updated Data, we ask the users to communicate any changes of the Data to the contact’s details gave in this notice § 1.
Purposes of the processing
The Data process is carried out by the Controller for the purposes indicated below:
registration and management of the Registered User's account and management of purchase orders and therefore: (a) order processing, (b) supply of products and services, (c) invoicing, (d) handling of the requests by Registered Users also forwarded through the "contact" page of the Website. Data processed are: first name, surname, private address and date of birth; phone number, mobile number, Social Security Number and /or Vat number and reference company of the Registered User, as well as, e-mail address and other Data provided spontaneously by the Registered User;
handling of the requests by Visitor Users forwarded through the "contact" page of the Website. Data processed are: e-mail address and other Data provided spontaneously by the Visitor User.
comply with all legal obligations, regulations or other national or community legal provisions, namely to provisions issued by relevant authorities, and/or according to supervisory a Control Authority’s requests. Data processed are: first name, surname, private address and date of birth; phone number, mobile number, Social Security Number and /or Vat number and reference company of the Registered User, as well as, e-mail address and other Data provided spontaneously by the Visitor or the Registered User;
establish, exercise or defend the Controller’s rights out of Court, in Court or administrative place. Data processed are: first name, surname, private address and date of birth; phone number, mobile number, Social Security Number and /or Vat number and reference company of the Registered User, as well as, e-mail address and other Data provided spontaneously by the Visitor or the Registered User.
The legal ground for the data processing
The Controller processes the Data referred to § 4 point i. and ii., under the following legal basis:
perfomance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract pursuant to Art. 6, par. 1, let. b) of GDPR.
The Controller processes the Data referred to § 4 point iii., under the following legal basis:
compliance with a legal obligation pursuant to Art. 6, par. 1, let. c) of GDPR.
The Controller processes the Data referred to § 4 point iv, iv and v. under the following legal basis:
purposes of the legitimate interest pursued by the Controller pursuant to Art. 6, par.1., let. f) of GDPR.
The Controller processes the Data referred to § 4 point iv, under the following legal basis:
free, informed, specific, unambiguous and always revocable consent pursuing Art. 6, par.1, let. a) of GDPR.
Nature of data provision and possible consequences of refuse
The provision of personal Data can be:
obbligatory according to law, regulation, Community legislation or a contract;
strictly necessary for the conclusion of a contract;
In this case, for the purposes indicated in previous points i., ii. iii. and iv of the § 4, the provision of Data is strictly necessary for the conclusion of the agreement and/or obligatory to comply with legal and contractual obligations. Refusal to provide the Data will not allow to establish and /or to continue the contract with the Controller.
Modalities and times of the processing
The processing of Data is carried out under the principles of lawfulness, fairness, transparency, necessity, relevance, proportionality, accuracy, integrity and confidentially planned by GDPR. The Controller doesn’t adopt any automated decision-making, including profiling.
Processing is carried out by authorised personnel and/or by external parties bound to the Controller through specific act of appointment as Data Processor, if necessary, (for example professionals as such obliged to secrecy, like consultants, Accountants, Lawyers etc; suppliers; agents; services companies, professionals and consultants responsible for agreements’ managing, operations of storage, sorting and postal and/or freight transport; computer companies and system’s safety; managers of the infrastructures software used by the Controller what bases for the dispatch of email; companies responsible for credit’s recovery; IT and security systems companies; companies that own the software infrastructures used by the Data Controller as platforms for sending e-mails; companies responsible for debt recovery; banks and credit’s institutions). The list of all the subjects involved in the Processing can be requested to the Data Controller on request of the Data Subject that must be send to the contact details specified in previous § 1.
Your Personal Data will be processed by the Data Controller for the time necessary to achieve the purposes referred to in §4 of this notice. In particularly, in order to determine the retention period, the Data Controller will consider elements such as: legal, tax and regulatory obligations related to such personal information; the relationship in progress with the User.
Specifically, for the purposes of § 4, point iv. Your Data will be conserved for all the agreement’s duration and, after, for all the duration of the non-judicial procedure and/or judicial procedure. For the purposes of § 4 points iv. and v. your Data will be conserved for all the newsletter registration’s period and till you will decide to unsubscribe from the service of newsletter.
After the above terms of conservation, Data will be destroyed, erased or anonymised, compatibly with erase’s and backup’s technical procedures.
Place of processing and data transfer
Personal Data are processed in the Controller’s headquarters and in all locations of those involved in the Processing, as specified in the previous § 7 and exclusively for the purposes of § 4 of this notice.
The Data will not be transferred to outside the European Union. In any case, it is understood that the Controller, if necessary, will have the right to move the server location to another country of the European Union and/or to non-EU countries. In this case, the Controller hereby ensures that the transfer of non-EU data will take place in accordance with the applicable legal provisions, stipulating, if necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided by the European Commission.
Personal data provision and dissemination
Even without your express consent (Art. 6, let. b) and c) of GDPR), Controller can disseminate your Data, for the purposes referred to § 4, to the subjects to whom dissemination is mandatory by law. These subjects will process the Data in their capacity of independents controllers.
Data will not be disclosed.
Right of the data subject
GDPR grants to the data subject the right to:
obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and obtain information (right of access - Art. 15 GDPR);
obtain the rectification of inaccurate personal data and to have incomplete personal data completed (right to rectification - Art. 16 GDPR);
obtain the erasure of data processed in GDPR’S cases referred, including if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (Right to erasure - ‘right to be forgotten’ - Art. 17 GDPR). The request for removal may not be granted for GDPR’s cases referred, even when the processing is necessary to fulfil a legal obligation or exercise a legal right;
obtain the restriction of the processing of data if the accuracy of the personal data is contested, and only for the period necessary for the controller to verify the accuracy of these personal data, or in the case of unlawful processing, or when even if the personal data are no more necessary to the purposes of processing, they are anyway necessary for the interested part in the assessment, exercise and right’s defence in judicial, or in the event that the interested part had exercise the opposition right to personal data process only for the period necessary to the verify concerning the Controller’s prevalence good cause over those of the interested part. (right to restriction of processing - Art. 18 GDPR);
receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller (right to data portability - Art. 20 GDPR).
object to the processing for reasons related to the particular situation of the data subject, to personal data processing necessary for the execution of a public interest job or for the pursuing of controller or third parties’ legitimate interest. However, controller may continue to process the data if demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing (right to object - Art. 21 GDPR).
request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject except in cases where profiling is necessary for the conclusion of an agreement, is authorized by the Union’s right or member State which the Controller is subject, is based on the explicit consent granted by the data subject (Art. 22 GDPR).
withdraw consent at any time without effecting the lawfulness of processing based on consent before its withdrawal, where the processing is based on let. a) of Art. 6 paragraph or let. a) of Art. 9 paragraph 2 of GDPR;
lodge a complaint to supervisory authority (Art. 77 GDPR).
All the data subject’s requests can be addressed to the Controller, in writing and with a copy of the valid identification document, to the contact’s details gave in this notice § 1. The Controller facilitates the Data subject’s requests and is committed to provide a match within a month of receiving the communication.
Furthermore, the Controller, pursuant to Art.19 GDPR, shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Art. 16, Art. 17 paragraph 1 and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Pursuant to Art. 2-undecies, par. 1 and 3, Italian Legislative Decree no. 196/2003, laying down dispositions on national compliance to the GDPR’s dispositions, rights whose Art.15 to 22 GDPR may not be exercise with request to the controller or with complaint pursuant to Art. 77 GDPR when exercising those rights can to produce an effective and concrete prejudice, moreover: to the interested ones protected on the basis of the provisions relating to recycling; on the conduct of the defensive investigations or to a right exercising in judicial; to the identity privacy of the employee that notes pursuant to Law no. 179/2017, the unlawful of which has been made aware on account of his job.
In these cases, rights can be exercised in accordance with legal provisions or GDPR that regulate the matter.
In any case the exercising of the same rights can be delayed, restricted or excluding with a motivated communication to give to data subject with no delay, that unless the communication can compromise the purpose of restriction, for the time and the limits to which this represents a necessary and proportional measure, considering fundamental rights and legitimate interests of the data subject. In these cases, data subject’s rights can be exercise even by the supervisor authority with the modalities whose Art.160 of which Italian Legislative Decree no. 196/2003.
What is a Cookies Policy?
The Cookies Policy is the notice that specifically describes the methods of processing personal data of users who visit an website.
This Cookies Policy applies exclusively to the Maxima S.r.l Website, www.maximabags.com/it/, therefore, it is not valid for other websites that may be consulted trough the links present on our Website.
What are Cookies?
Cookies are small text files that save some information regarding the user's browsing. By accepting the installation of the cookie they will memorize some details that will facilitate the browsing experience.
At the same time, cookies help to understand some relevant details about the use of our Website - for example, they allow us to understand which pages are most visited, and for how long. Through the cookie we can make the Website more corresponding to user requests and easier the browsing.
Cookies are stored, according to user preferences from a single browser on the specific device being used (computer, tablet, smartphone).
What kinds of cookies do we use?
The Website uses technical cookies. Technical cookies in use in this Website are navigation cookies or session cookies. These cookies include the feature cookies that allows the user to browse selected criteria (for example, language) in order to improve the service rendered to the same. Technical cookies on the Website can be divided into: navigation or session cookies. These cookies include functionality cookies, which allow you to memorize the choices made by the user on the website (for example, the language), in order to improve the service provided to the user.
Cookie in use in this Website are the following first part and third part technical cookies.
Cookie Name: PrestaShop
Purposes: memorize the browsing language, time zones and other preferences, purchase of selected products
Place of processing: Italy
Duration: 19 days
These cookies do not require the prior consent of the users.
Moreover, the Website uses the following third part analytics cookies
Cookie Name: Google Analytics with anonymized IP (Google Inc.).
Purposes: Google Analytics is a web analysis service provided by Google Inc. "('Google'). Google uses the Personal Data to track and examine the use of the site, compile reports and share them with other services developed by Google. These cookie collect aggregate information that does not trace back to the individual user’s identity. Anonymisation works by shortening the IP address of the Users within the borders of the member states of the European Union or in other countries participating in the agreement on the European Economic Area. Only in exceptional cases, the IP address will be sent to Google’s servers and shortened within the United States.
Place of processing: United States
Duration: Some cookies remain active only until you close the browser or when logging out. Other cookies “survive” when you close the browser and are also available on later visits made by the user.
These cookies are called persistent and the server sets their duration when they are created. In some cases, an expiry date is set; in other cases duration is unlimited. However, these are cookies that do not trace the user's profile and do not collect data on the user's behavior:
Cookie name: ga - Duration: 2 years
Cookie name: gid – Duration: session
Cookie name: gat - Duration: session
The user can disable Google Analytics in selective mode by installing the Opt-out Add-on provided by Google on their browser. To disable Google Analytics, please refer to the link shown below: https://tools.google.com/dlpage/gaoptout?hl=it
“Social plugin” are present in this Website. These refer to parts of the visited page generated directly from the abovementioned sites and integrated into the page of the host site. The most common use of social plugins is to share the contents on social networking sites. The appearance of these plugins involves transmitting cookies to and from all the sites operated by third parties. The handling of information collected by “third parties” is governed by relevant rules, to which we kindly ask you to refer. To ensure greater transparency and ease, web addresses on all types of information and how to manage cookies of the main social networking sites are shown below:
Google plus https://policies.google.com/technologies/cookies?hl=it
The Website does not use profiling cookies.
Nature of data provision
The user authorizes use of the cookies by continuing to navigate the Site, after reading the banner. The provision of Data is optional.
The user can manage cookie settings from his browser: You can then modify the settings so that cookies are deleted or not saved on your computer or mobile device without your explicit consent. Since each browserhas different settings, you will have to check the “Help” menu of your browser to understand how to correctly change cookies-related settings.
Check the following link for more information on setting up your browser:
Safari per OSX:support.apple.com/kb/PH17191?locale=it_IT
Safari per iPhone, iPad o iPod:support.apple.com/kb/HT1677?viewlocale=it_IT
Some final indications
The informations here made may be subject to revision following:
changes to the privacy legislation, for the aspects of interest here;
technological implementations of the site that impact on current treatment methods;
organizational changes in the privacy structure of the Controller that may affect the user.
Users are kindly invited to periodically visit this Policy so as to be constantly updated on the characteristics of the treatment.