In compliance with Art. 13 and 14 of GDPR, Maxima S.r.l. gives this notice to all users who access the e-commerce platform on the website www.maximabags.com/ (Website) and use it without making any registration (Visitor User), or who, following the registration process, use the e-commerce service dedicated to registered users (Registered User).
This notice does not refer to other websites that users can access through the links that may be present on the Site. These other websites will be subject to the regulations set out in their respective privacy policies.
The Data Controller
The Data Controller is Maxima S.R.L., Social Security and VAT Number 10563310159, with registered office in Milan 11, Via Orobia, email: firstname.lastname@example.org (“Controller”).
Categories of data processed
It’s possible to access the Site without the user being asked to provide any personal data.
However, the computer systems and software used by the Website collect, for the purposes of normal operation, some data whose transmission is implicit in the use of Internet communication, such as the IP addresses of the computers used by users who connect to the platform, the URL of the requested resources, the time of the request, etc. These data are used only to collect anonymous statistical information about the use of the platform and to check its correct operation. These data are deleted immediately after processing, without processing of information directly identifying users.
The Data collected through the registration, the creation of an account on the Website and the placing of purchase orders - through the e-commerce service - are the Data necessary to allow the registration of the account and to execute purchase orders. In particular, these are the following Data: first name, surname, private address and date of birth; phone number, mobile number, Social Security Number and/or VAT number and reference company of the Registered User. Furthermore, Registered Users may spontaneously provide additional Data by entering them in the appropriate "supplementary data" box in the "your addresses" section.
Registered Users and Visitor Users can send messages through the "contact" page: the Data collected will be those communicated by users in order to obtain information in relation to the services / products provided by the Website.
Source of data processing
Personal Data are gathered directly from users or from third parties (cookies).
In relation to the Data gathered from users, in order to allow the Controller to keep the Data accurate and up to date, we ask users to communicate any changes to the Data using the contact details given in § 1 of this notice.
Purposes of the processing
The Data processing is carried out by the Controller for the purposes indicated below:
registration and management of the Registered User's account and management of purchase orders and therefore: (a) order processing, (b) supply of products and services, (c) invoicing, (d) handling of the requests by Registered Users, including those forwarded through the "contact" page of the Website. Data processed are: first name, surname, private address and date of birth; phone number, mobile number, Social Security Number and/or VAT number and reference company of the Registered User, as well as e-mail address and other Data provided spontaneously by the Registered User;
handling of the requests by Visitor Users forwarded through the "contact" page of the Website. Data processed are: e-mail address and other Data provided spontaneously by the Visitor User;
comply with all legal obligations, regulations or other national or community legal provisions, namely provisions issued by relevant authorities, and/or with a supervisory Control Authority’s requests. Data processed are: first name, surname, private address and date of birth; phone number, mobile number, Social Security Number and/or VAT number and reference company of the Registered User, as well as e-mail address and other Data provided spontaneously by the Visitor or the Registered User;
establish, exercise or defend the Controller’s rights out of court, in court or in administrative proceedings. Data processed are: first name, surname, private address and date of birth; phone number, mobile number, Social Security Number and/or VAT number and reference company of the Registered User, as well as e-mail address and other Data provided spontaneously by the Visitor or the Registered User.
The legal ground for the data processing
The Controller processes the Data referred to in § 4 point i. and ii., under the following legal basis:
performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract pursuant to Art. 6, par. 1, let. b) of GDPR.
The Controller processes the Data referred to in § 4 point iii., under the following legal basis:
compliance with a legal obligation pursuant to Art. 6, par. 1, let. c) of GDPR.
The Controller processes the Data referred to in § 4 point iv, iv and v. under the following legal basis:
purposes of the legitimate interest pursued by the Controller pursuant to Art. 6, par. 1, let. f) of GDPR.
The Controller processes the Data referred to in § 4 point iv, under the following legal basis:
free, informed, specific, unambiguous and always revocable consent pursuant to Art. 6, par. 1, let. a) of GDPR.
Nature of data provision and possible consequences of refusal
The provision of personal Data can be:
obligatory according to law, regulation, Community legislation or a contract;
strictly necessary for the conclusion of a contract.
In this case, for the purposes indicated in points i., ii., iii. and iv. of § 4 above, the provision of Data is strictly necessary for the conclusion of the agreement and/or obligatory to comply with legal and contractual obligations. Refusal to provide the Data will make it impossible to establish and/or continue the contract with the Controller.
Modalities and times of the processing
The processing of Data is carried out under the principles of lawfulness, fairness, transparency, necessity, relevance, proportionality, accuracy, integrity and confidentiality provided for by GDPR. The Controller doesn’t adopt any automated decision-making, including profiling.
Processing is carried out by authorised personnel and/or by external parties bound to the Controller through a specific act of appointment as Data Processor, if necessary (for example: professionals bound to secrecy, such as consultants, accountants and lawyers; suppliers; agents; service companies, professionals and consultants responsible for managing agreements and for storage, sorting and postal and/or freight transport operations; IT and security systems companies; companies that own the software infrastructures used by the Data Controller as platforms for sending e-mails; companies responsible for debt recovery; banks and credit institutions). The list of all the subjects involved in the Processing can be obtained from the Data Controller upon request by the Data Subject, sent to the contact details specified in § 1 above.
Your Personal Data will be processed by the Data Controller for the time necessary to achieve the purposes referred to in § 4 of this notice. In particular, in order to determine the retention period, the Data Controller will consider elements such as: legal, tax and regulatory obligations related to such personal information; the relationship in progress with the User.
Specifically, for the purposes of § 4, point iv., your Data will be retained for the entire duration of the agreement and, thereafter, for the entire duration of any non-judicial and/or judicial procedure. For the purposes of § 4 points iv. and v., your Data will be retained for the entire period of the newsletter registration and until you decide to unsubscribe from the newsletter service.
Once the above retention periods have expired, Data will be destroyed, erased or anonymised, compatibly with the technical procedures for erasure and backup.
Place of processing and data transfer
Personal Data are processed at the Controller’s headquarters and at all locations of those involved in the Processing, as specified in § 7 above, and exclusively for the purposes of § 4 of this notice.
The Data will not be transferred outside the European Union. In any case, it is understood that the Controller, if necessary, will have the right to move the server location to another country of the European Union and/or to non-EU countries. In this case, the Controller hereby ensures that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, stipulating, if necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided by the European Commission.
Personal data provision and dissemination
Even without your express consent (Art. 6, let. b) and c) of GDPR), the Controller can disseminate your Data, for the purposes referred to in § 4, to the subjects to whom dissemination is mandatory by law. These subjects will process the Data in their capacity as independent controllers.
Data will not be disclosed.
Rights of the data subject
GDPR grants to the data subject the right to:
obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and obtain information (right of access - Art. 15 GDPR);
obtain the rectification of inaccurate personal data and to have incomplete personal data completed (right to rectification - Art. 16 GDPR);
obtain the erasure of data processed in the cases referred to in GDPR, including if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (right to erasure - ‘right to be forgotten’ - Art. 17 GDPR). The request for erasure may not be granted in the cases referred to in GDPR, including when the processing is necessary to fulfil a legal obligation or exercise a legal right;
obtain the restriction of the processing of data: if the accuracy of the personal data is contested, only for the period necessary for the controller to verify the accuracy of these personal data; or in the case of unlawful processing; or when, even if the personal data are no longer necessary for the purposes of processing, they are nevertheless necessary to the data subject for the establishment, exercise or defence of legal claims; or where the data subject has exercised the right to object to the processing, only for the period necessary to verify whether the Controller’s legitimate grounds override those of the data subject (right to restriction of processing - Art. 18 GDPR);
receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller (right to data portability - Art. 20 GDPR);
object, for reasons related to the particular situation of the data subject, to personal data processing necessary for the performance of a task carried out in the public interest or for the pursuit of the legitimate interest of the controller or of third parties. However, the controller may continue to process the data if it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing (right to object - Art. 21 GDPR);
request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject, except in cases where profiling is necessary for the conclusion of an agreement, is authorised by the law of the Union or of the Member State to which the Controller is subject, or is based on the explicit consent granted by the data subject (Art. 22 GDPR);
withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal, where the processing is based on let. a) of Art. 6 paragraph 1 or let. a) of Art. 9 paragraph 2 of GDPR;
lodge a complaint with the supervisory authority (Art. 77 GDPR).
All the data subject’s requests can be addressed to the Controller, in writing and with a copy of a valid identification document, using the contact details given in § 1 of this notice. The Controller facilitates the Data subject’s requests and is committed to providing a response within a month of receiving the communication.
Furthermore, the Controller, pursuant to Art. 19 GDPR, shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Art. 16, Art. 17 paragraph 1 and Art. 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it.
Pursuant to Art. 2-undecies, par. 1 and 3, of Italian Legislative Decree no. 196/2003, laying down provisions for national compliance with GDPR, the rights referred to in Art. 15 to 22 GDPR may not be exercised by request to the controller or by complaint pursuant to Art. 77 GDPR when exercising those rights could produce an effective and concrete prejudice, in particular: to the interests protected under the provisions on money laundering; to the conduct of defensive investigations or the exercise of a right in court; to the confidentiality of the identity of an employee who reports, pursuant to Law no. 179/2017, an unlawful act of which he or she became aware by reason of his or her job.
In these cases, rights can be exercised in accordance with legal provisions or GDPR that regulate the matter.
In any case, the exercise of these rights can be delayed, restricted or excluded by means of a reasoned communication given to the data subject without delay, unless the communication would compromise the purpose of the restriction, for the time and within the limits in which this represents a necessary and proportionate measure, considering the fundamental rights and legitimate interests of the data subject. In these cases, the data subject’s rights can also be exercised through the supervisory authority in the manner set out in Art. 160 of Italian Legislative Decree no. 196/2003.