Royal St. Andrews SA (Operating Sub-holding company, hereafter “RSA”) and BBB S.p.A. (hereafter “BBB”), recognise the importance of maintaining the confidentiality, integrity and security of your non-public Personal Data (hereafter, the “Personal Data”) and inform you that the Personal Data provided by you via the website www.boggi.com, (hereafter the “Website”), as well as any data provided to the stores of companies controlled by the Sub-Holding Company or by franchisees (hereafter, jointly, also the “RSA Group”) which manage the stores using the brands: Boggi Milano, Boggi Factory Store, Boggi Milano BM39 (hereafter the “Brands”) will be processed in respect of existing European privacy rules, Regulation (EU) 2016/679 (hereafter, the “Regulation”) and specific local regulations applicable from time to time for processing performed outside the European Union, as well as the standards and general rules of conduct contained in the Code of Ethics adopted by RSA.
1. Personal Data Controller
The Personal Data Controllers are:
• Royal St. Andrews SA based in Bd Grand-Duchesse Charlotte 31, Luxembourg
• BBB S.p.A. based in Via Lancetti 28, 20100 Milan (Italy),
in the persons of their acting legal representatives who, as part of their prerogatives, may use specifically identified processors or officers. The Data Controllers or the Data Protection Officer (DPO) appointed by the Data Controllers can be contacted at the e-mail address firstname.lastname@example.org or by writing to the operating headquarters.
The responsibilities of Data Controllers for the fulfilment of the obligations established by the Regulation, as defined in Art. 26, were determined by an internal arrangement, available at your request.
2. Type and Source of Data
I. Browsing Data
The IT systems and software procedures that run the Website acquire, during their normal exercise, some Personal Data whose transmission is implicit in the use of Internet communication protocols.
That information is not collected to be associated with identified natural persons but, by its very nature, could, through processing and association with data held by third parties, allow for users to be identified.
This category includes IP addresses (Internet Protocol: a numerical label that uniquely identifies a device, known as a host, which may be a computer, handheld device, smartphone, etc., connected to an IT network that uses the Internet Protocol as its network protocol), or the domain names of the computers used by users who connect to the Website, the addresses in URI notation (Uniform Resource Identifier: a sequence of characters that uniquely identifies a generic resource) of the resources requested, the date and time of the request, the method used to send the request to the server (a high-performance computer that, in a network, provides a service to the other connected computers, known as clients), the size of the file (digital information container) obtained in response, the numerical code indicating the status of the response from the server (success, error, etc.), the geographical position of the user and other parameters relating to the user's operating system and IT environment. Localisation takes place in non-continuous mode when the user allows automatic position detection.
II. Personal Data provided voluntarily (name, surname, email, telephone number, any other personal data included in the message or in the observations)
The Personal Data, depending on the purposes of the processing, may be: name, surname, postal address and country, email address, password chosen by you to access your account, telephone number, Instagram username, date of birth, gender, signature, Bluetooth address (unique address assigned to the network card) of your electronic device (handheld device, telephone, etc.), billing address and one or more postal shipping addresses, identification details of one or more of your credit cards, and tax code.
3. Purpose of the processing; legal basis; data storage period and nature of the provision of the personal data
| Purpose of the processing | Legal basis | Data storage period | Nature of the provision |
|---|---|---|---|
| B) Fulfilment of your request for information/contact | Art. 6, lett. f) and Art. 47 of GDPR: Legitimate interest | 1 year | Necessary to be able to respond to your request |
| C) Sending of unsolicited application | Art. 6, lett. b) GDPR: Contract/pre-contract | 6 months | Necessary to be able to consider your application |
| D) Purchase of a gift card | Art. 6, lett. b) GDPR: Contract | For the time strictly necessary to finalise the purchase. For administrative-accounting purposes, the Controllers will maintain a trace of the data for the additional period envisaged by the law | Necessary to be able to process your order |
| E) Creation of a personal account and simultaneous subscription to the Boggi Privilege programme. By creating your account, you can also create and share your wish list. Subsequently, you can also proceed through your personal Facebook, Google+ and LinkedIn accounts. By giving authorisation to proceed, the basic information of your profile as well as your email address will be collected through your social media accounts | Art. 6, lett. b) GDPR: Contract | Until such time as the Interested Party/User cancels the account, or if the account and the Boggi Privilege programme to which it is subscribed have not been accessed/used for 3 years | Necessary to create your account |
| F) Product purchase for a non-registered user/Checkout as a guest | Art. 6, lett. b) GDPR: Contract | The data will be stored for the time envisaged by the law for administrative-accounting purposes | Necessary to be able to process your purchase request |
| G) Returns | Art. 6, lett. b) GDPR: Contract | For the time needed to process your request | Necessary to be able to proceed with your request |
| H) Check order | Art. 6, lett. b) GDPR: Contract | For the time needed to process your request | Necessary to enable us to check your order |
| I) Made to Measure | Art. 6, lett. b) GDPR: Contract | For the time needed to book an appointment at the store | Necessary to be able to proceed with your request |
| J) Live chat | Art. 6, lett. f) and Art. 47 of GDPR: Legitimate interest | For the time needed to process your request and for the additional time needed to evaluate the chat | Necessary to provide a response to the request you made |
| K) Direct marketing (commercial and promotional correspondence, newsletters, messages, advertising material as well as catalogues and invitations to events through traditional and automated digital communication tools: e-mail, calls, chats, WhatsApp, SMS and Instagram) | Art. 6, lett. a) GDPR: Consent of the interested party | The data will be stored for the period during which you actively interact, meaning that you have purchased one or more products in the last three years from the sales outlets of the RSA Group or you have accessed, over the same period, your Boggi Privilege account (or until the consent is revoked, if earlier) | Optional |
| L) Profiling to create personalised content and offers, based on information relating to purchases you have made | Art. 6, lett. a) GDPR: Consent of the interested party | The data will be stored for the period during which you actively interact, meaning that you have purchased one or more products in the last three years from the sales outlets of the RSA Group or you have accessed, over the same period, your Boggi Privilege account (or until the consent is revoked, if earlier) | Optional, on condition that you have subscribed to the Boggi Privilege loyalty programme |
| M) Tell your friend | Art. 6, lett. b) GDPR: Pre-contract | The data of the parties to whom BBB will send correspondence will be cancelled within 6 months of the correspondence being sent if the Interested Party has not subscribed to the Boggi Privilege programme | The data becomes mandatory only at the time of subscription to the Boggi Privilege programme |
4. Processing methods
The Personal Data will be processed using paper, IT and electronic tools, according to logics strictly related to the purposes indicated above, for the time strictly necessary to pursue the purposes for which they were collected, in respect of the principles of necessity and proportionality, avoiding the processing of Personal Data where the operations could be performed using anonymous data or by other methods. All measures deemed necessary and/or appropriate to ensure that the data are processed lawfully, correctly and transparently in relation to you, and to prevent loss, even accidental, as well as unauthorised access, will be implemented.
In particular, Personal Data processed for profiling and marketing purposes will be entered and stored in the CRM (Customer Relationship Management) system at servers located at RSA Group companies.
If you use functions and services that envisage the processing of the personal data of third parties that you have voluntarily provided, as in the case of the activation and sending of e-Gift Cards or the management of a request for the same, you are obliged to inform them of the purposes and the procedures used by us to process their personal data.
In order to fulfil the processing purposes indicated above, your data will be processed by RSA and BBB's internal personnel authorised to process data for that purpose, as part of the conduct of their assigned working duties, designated as processing officers, and by companies contractually related to the Joint Controllers. More specifically, the data can be communicated to subjects belonging to the following categories:
- subjects that provide services for the management of the website, the communication networks and the information system used by the Joint Controllers;
- professional firms or companies with an assistance or advisory role;
- companies that manage marketing and communication activities (e.g. service providers, digital agencies);
- companies of the Holding and of the RSA Group;
- competent authorities, on request, for the fulfilment of legal obligations and/or provisions of public bodies.
Note that, to prevent fraud, the supplier of the e-commerce platform and the company tasked with anti-fraud control check that your Personal Data is not associated with the illegal use of a credit card or with excessive credit card debt. The Joint Controllers do not, however, collect information relating to the payment methods that you intend to use. In this regard, note that, in the event of problems relating to the means of payment, the Interested Party will be contacted by authorised BBB personnel with a view to proceeding with a different payment instrument. Only if this is not possible will you be requested to send an identity document and a selfie, for the sole purpose of a security check (also in your own interest); these documents will then be deleted. The subjects belonging to the above-mentioned categories perform the function of Data Processor, or operate in full autonomy as separate Data Controllers.
A list of the appointed processors is available by contacting the Joint Data Controllers and the Data Protection Officer at the following e-mail address: email@example.com
Your Personal Data will not be used for the promotional purposes of third parties, or in relation to products, services or initiatives not originating from the RSA Group, and will not in any case be disseminated to indeterminate entities.
6. Transfer of personal data abroad
The data will be transferred outside the European Union, specifically for the Website and for the Salesforce CRM used. Note that in both cases the transfer is guaranteed by the provisions of Art. 46 of EU Regulation 2016/679 (transfer to a subject with adequate guarantees).
7. Your rights
You are entitled, at any time, to exercise the following rights towards the Data Controller:
a) To obtain, in accordance with Article 15 of the Regulation, confirmation as to whether or not your personal data are being processed and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of Personal Data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (iv) the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period.
b) Where personal data are transferred to a third country or to an international organisation, the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation.
c) Obtain a copy of the Personal Data undergoing processing.
d) Obtain, in accordance with Article 16, the rectification of inaccurate personal data concerning you without undue delay; taking into account the purposes of the processing, you have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
e) Obtain, in accordance with Article 17, the erasure of Personal Data concerning you without undue delay. The controller has the obligation to erase personal data without undue delay where one of the grounds indicated by paragraph 1 of Article 17 applies.
f) Obtain, in accordance with Article 18, the restriction of processing where one of the circumstances regulated by paragraph 1 of Article 18 applies.
g) Withdraw consent at any time without prejudice to the lawfulness of processing based upon consent provided before the withdrawal.
h) Obtain, in accordance with Article 20, the data portability, or receive the Personal Data concerning you, provided to BBB, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another Controller without hindrance from BBB to which the personal data have been provided if the conditions indicated in Article 20 paragraph 1 are in place. Finally, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
i) Object at any time, in accordance with Article 21, to processing of Personal Data concerning you.
j) Object at any time, in accordance with Article 21, to the processing of Personal Data for direct marketing and profiling purposes when the conditions set out in Article 21 of the Regulation are in place. More specifically, to object only to marketing activities through automated instruments, you can write an e-mail to firstname.lastname@example.org with the subject “NO AUTOMATED MARKETING CORRESPONDENCE”; if instead you wish to object only to marketing activities through traditional instruments (paper mail), you can write an e-mail to email@example.com with the subject “NO TRADITIONAL MARKETING CORRESPONDENCE”. If you wish to object to the processing of your data for profiling purposes, you can write an e-mail to firstname.lastname@example.org with the subject “NO PROFILING”.
k) Object, in accordance with Article 22, to being subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, in accordance with the conditions indicated in Article 22 of the Regulation.
l) To lodge a complaint with the Data Protection Supervisor when you believe that the processing concerning you violates the Regulation. The lead supervisory authority appointed by the Data Controllers is the CNPD, 1, avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette, Luxembourg.
m) To take legal action.
9. Contact Details
Latest update: 16 July 2020