Privacy Policy

PRIVACY POLICY STATEMENT 

Legal references

Directive 2002/58/EC - on ‘the processing of personal data and the protection of privacy in the electronic communications sector’.

Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/ec (General Data Protection Regulation). 

The Data Controller

After consulting this Website, data relating to identified or identifiable persons may be processed. ARCADIA Srl, with registered office in Corso Buenos Aires, 54 - 20124 Milan, tax code and VAT number 06710600963 - Italy, is the ‘Data Controller’ and can be contacted at: privacy@dondup.com. 

TYPES OF DATA PROCESSED

Browsing data  

The computer systems and software procedures used to operate this Website acquire, during normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified Data Subjects, but by its very nature could, through processing and association with data held by third parties, allow Users to be identified. This category of data includes the IP addresses or domain names of the computers used by Users connecting to the Website, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the User’s operating system and computer environment. This data is used solely to obtain anonymous statistical information on the use of the Website and to check its correct operation, and is deleted immediately after processing. 

Data provided voluntarily by the User 

The User’s optional, explicit and voluntary submission of personal data in the registration forms on this Website or by calling any phone numbers listed on the Website, entails the subsequent acquisition of the data provided by the sender, which are necessary to provide the service or information requested. 

Anonymous or aggregated data 

Anonymisation takes the form of processing intended to prevent the identification of the Data Subject. Data rendered anonymous does not fall within the scope of data protection legislation. Aggregated data may derive from personal data provided by the User but are not considered personal data since, as specified, they do not allow either the direct or indirect identification of the Data Subject. 

Cookies

Please refer to the Cookie Policy accessible at www.dondup.com/it/cookie for more information on the cookies we use. 

Optional provision of data

Apart from what is specified for browsing data, the User is free to provide their personal data. However, failure to provide it may make it impossible to obtain what they have requested. 

Control over your personal data

Please note that you may at any time choose to restrict the collection or use of your personal data. For example, if you have previously given your consent for us to process your personal data for marketing purposes, you can change your mind at any time by writing or emailing us at privacy@dondup.com. 

Arcadia will not sell or distribute the collected personal data to third parties unless it has obtained explicit and free consent from the Data Subjects or unless this is expressly required by law. Subject to the consent of the persons concerned, personal data may nevertheless be used to send promotional information also about third parties.

Links to other websites

This Website may contain links or references to other websites. Please note that the Data Controller does not check the cookies or other tracking technologies of such websites to which this Policy does not apply. We therefore suggest that you consult the individual privacy policies of those websites. 

Processing methods and retention times

Personal data is processed, including by automated tools, for the time strictly necessary to fulfil the purposes of collection. 

Specific security measures are observed to prevent data loss, unlawful or incorrect use and unauthorised access. The Data Controller has taken all appropriate security measures and is guided by the main international standards to minimise the risks concerning the confidentiality, availability and integrity of the personal data collected and processed. 

Data sharing, communication and disclosure

The processing operations connected with this Website’s web services take place at the above-mentioned premises of the Data Controller and are only carried out by staff expressly authorised by the latter. The data collected may be shared, transferred or communicated to other companies for activities strictly connected with and instrumental to the service’s operation, such as managing the computer system, or to any third-party suppliers entrusted with occasional maintenance operations. In said cases, the Data Controller shall appoint such third parties as Data Processors pursuant to Article 28 of the GDPR. Apart from these cases, personal data will not be disclosed to third parties unless provided for by contract or law, or unless specific consent is requested from the person concerned. In this sense, personal data may be passed on to third parties, but only and exclusively if: 

(a) there is explicit consent to share the data with third parties; 

(b) there is a need to share information with third parties to provide the requested service; 

c) this is necessary to comply with requests from the Court or Public Security Authorities. 

No web service data is disclosed. 

Transfer of personal data to third countries

Personal data will also not be transferred to third countries, meaning countries not belonging to the European Union or the European Economic Area. Where this occurs, the Data Controller declares and guarantees that it complies with the provisions of Articles 44 et seq. of the GDPR.  

Rights of Data Subjects

Personal data protection legislation expressly provides for certain rights of the Data Subject. In particular, pursuant to Articles 15 et seq. of Regulation (EU) 2016/679, each Data Subject shall have the right to obtain confirmation as to whether or not data relating to them exist, to be informed of the source of the data and the purposes and methods of the processing, to object to the processing, to have the data updated, rectified or supplemented, and to have the data erased if processed unlawfully or if one of the grounds specified in Article 17 of Regulation (EU) 2016/679 applies. 

Data Retention

Arcadia Srl informs you that the data collected will be retained only for the time necessary to fulfil the specific purposes indicated. Any further storage of Data or part of the Data may be required to assert or defend your rights in any possible forum and in particular in the courts, and to respond to explicit requests by the Data Subject, such as requests to receive promotional material where express consent has been given. 

Data collected through profiling cookies will be retained in full for 13 months from the date of collection and/or installation of the relevant cookie. 

Changes to this privacy policy

The Data Controller periodically checks its privacy and security policy and, if necessary, revises it in relation to regulatory, organisational or technological changes. If the policies change, the new version will be published on this page of the Website. 

Exercise of Rights

For any communication regarding privacy policies, how our company processes personal data, or to assert your rights under data protection legislation, you may contact the Data Controller in writing to the contact email addresses given above. 

Without prejudice to any other administrative or legal remedy, a Data Subject who considers that the processing relating to them is in breach of the GDPR has the right to lodge a complaint with a Data Protection Authority, specifically in the Member State where they normally reside, work or where the alleged breach has occurred.