BBB S.p.A. (hereinafter “BBB”) recognises the importance of preserving the confidentiality, integrity and security of your non-public Personal Data (hereinafter “Personal Data”) and informs you that the Personal Data you provide through the Site www.boggi.com (hereafter the “Site”), as well as any Personal Data provided to the points of sale of the companies controlled by the Sub-Holding or by the franchisees (hereafter, the “RSA Group”) which manage the points of sale with the use of the Brands: Boggi Milano, Boggi Factory Store, Boggi Milano BM39 (hereafter the “Brands”) will be processed in compliance with the applicable European privacy regulations, Regulation (EU) 2016/679 (hereafter, the “Regulation”) and the specific local regulations applicable from time to time for processing outside the European Union, as well as the general principles and rules of conduct contained in the Code of Ethics adopted by BBB.
1. Personal Data Controller
The Personal Data Controller is:
• BBB S.p.A. based in Via Lancetti 28, 20100 Milan (Italy),
in the person of its legal representative pro tempore who, within the scope of its prerogatives, may avail him/herself of the services of specifically identified managers or appointees. The Data Processor may be contacted by writing to the operational headquarters or by sending an e-mail to email@example.com.
Similarly, the Data Protection Officer (DPO) appointed by the Data Controller can be contacted at firstname.lastname@example.org@boggi.com.
2. Type and Source of Data
I. Browsing Data
The computer systems and software procedures used to operate the Site acquire, during their normal operation, some Personal Data whose transmission is implicit in the use of Internet communication protocols.
This information is not collected to be associated with identified physical persons but, by its very nature, could, through processing and association with data held by third parties, allow users to be identified.
This category includes IP addresses (Internet Protocol, a numerical label that uniquely identifies a device called host, which may be a computer or a palmtop or a smartphone, etc., connected to a computer network that uses the Internet Protocol as its network protocol), or the domain names of the computers used by users connecting to the Site, the addresses in URI notation (Uniform Resource Identifier, a sequence of characters that uniquely identifies a generic resource) of the resources requested, the date and time of the request, the method used in forwarding the request to the server (high-performance computer that in a network provides a service to other connected computers, known as clients), the size of the file (container of digital information) obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), the user's geographical location and other parameters relating to the user's operating system and computer environment. Localisation takes place in non-continuous mode when the user enables automatic location detection.
• Personal Data provided voluntarily (name, surname, email, telephone number, any other personal data included in the message or comments)
The collected Personal Data, depending on the purposes of the processing, may be: first name, last name, social security number, postal and country address, email address, password chosen by you to access your account, phone number, Instagram username, date of birth, gender, signature, Bluetooth MAC address (unique address assigned to the network cards) of your electronic device (PDA, phone, etc.), a billing address and one or more mailing addresses, and the identification details of one or more of your credit cards.
3. Purpose of the processing; legal basis; period of storage and nature of the provision of the personal data
|Purpose of the processing||Legal basis||Data storage period||Nature of the provision|
|B) Fulfilment of your request for information/contact||Art. 6, lett. f and Art. 47 of GDPR Legitimate interest||1 year||Necessary to be able to respond to your request|
|C) Sending of unsolicited application||Art. 6, lett. b) GDPR Contract/pre-contract||6 months||Necessary to be able to consider your application|
|D) Purchase of a gift card||Art. 6, lett. b) GDPR Contract||For the time strictly necessary to finalise the purchase. For administrative-accounting purposes, the Data Controller will keep track of the data for the further time required by law||Necessary to be able to process your order|
|E) Creation of a personal account and simultaneous subscription to the Boggi Privilege programme. By creating your account, you can also create and share your wish list. Subsequently, you can also proceed through your personal Facebook, Google+ and Linkedin accounts. By giving authorisation to proceed, the basic information of your profile as well as your email address will be collected through your social media accounts||Art. 6, lett. b) GDPR Contract||For the time strictly necessary to finalise the purchase. For administrative-accounting purposes, the Data Controller will keep track of the data for the further time required by law||Necessary to create your account|
|F) Product purchase for a non-registered user/Checkout as a guest||Art. 6, lett. b) GDPR Contract||The data will be stored for the time envisaged by the law for administrative-accounting purposes||Necessary to be able to process your purchase request|
|G) Returns||Art. 6, lett. b) GDPR Contract||For the time necessary to process your request. For administrative-accounting purposes, the Data Controller will keep track of the data for the further time required by law||Necessary to be able to proceed with your request|
|H) Check order||Art. 6, lett. b) GDPR Contract||For the time needed to process your request||Necessary to enable us to check your order|
|I) Made to Measure||Art. 6, lett. b) GDPR Contract||For the time needed to book an appointment at the store.||Necessary to be able to proceed with your request.|
|J) Live chat||Art. 6, lett. f and Art. 47 of GDPR Legitimate interest||For the time required to process your request and for the subsequent time required for the evaluation of the same chat.||Necessary to respond to your request.|
|K) Direct marketing (commercial and promotional correspondence, newsletters, messages, advertising material as well as catalogues and invitations to events through traditional and automated digital communication tools (e-mail, calls, chats, WhatsApp, SMS and Instagram))||Art. 6, lett. a) GDPR Consent of the interested party||The data will be stored for the period for which you actively interact, meaning that you have purchased one or more products in the last three years from the sales outlets of the RSA group or you have accessed, over the same time period, your Boggi Privilege account (or until the consent is revoked, if earlier)||Optional|
|L) Profiling to create personalised content and offers, based on information relating to purchases you have made.||Art. 6, lett. a) GDPR Consent of the interested party||The data will be stored for the period for which you actively interact, meaning that you have purchased one or more products in the last three years from the sales outlets of the RSA group or you have accessed, over the same time period, your Boggi Privilege account (or until the consent is revoked, if earlier)||Optional, on condition that you have subscribed to the Boggi Privilege loyalty programme|
|M) Tell your friend||Art. 6, lett. b) GDPR, Pre-contract||The data of the parties to which BBB will send correspondence, will be cancelled within 6 months of the correspondence being sent if the Interested Party has not subscribed to the Boggi Privilege programme.||The data becomes mandatory only at the time of subscription to the Boggi Privilege programme.|
|N) Abandoned cart reminder||Art. 6, lett.b) and lett. f) and recital 47 GDPR Legitimate interest||For the time necessary to send you reminder e-mails regarding your abandoned cart.||The data becomes mandatory only at the moment of subscription to Boggi Privilege.|
|O) Detection of fraud related to payments||Art. 6, lett. b) and lett. f) GDPR Contract / Legitimate interest||For administrative-accounting purposes, the data will be kept for the time required by law. The documents requested during the audit will not be retained.||Necessary to enable you to fulfil your request.|
4. Processing methods
The Personal Data will be processed using paper, IT and electronic tools, according to logics strictly related to the purposes indicated above, for the time strictly necessary to pursue the purposes for which they were collected, in respect of the principle of necessity and proportionality, avoiding processing Personal Data if the operations could be performed using anonymous data or by other methods. All measures deemed necessary and/or opportune to ensure that the same are processed lawfully, correctly and transparently in relation to you, and to prevent the loss, even accidental, as well as unauthorised access, will be implemented.
In particular, Personal Data processed for profiling and marketing purposes will be entered and stored in the CRM (Customer Relationship Management) system at servers located at RSA Group companies.
If you use functions and services that envisage the processing of the personal data of third parties that you have voluntarily provided, as in the case of the activation and sending of e-Gift Cards or the management of the request for the same, you are obliged to inform them of the purposes and the procedures used to process their personal data by us.
In order to fulfil the processing purposes indicated above, your data will be processed by BBB's internal personnel authorised to process for this purpose, as part of the conduct of the assigned working duties, designated as processing officers, and by companies contractually related to the Joint Controllers. More specifically, they can be communicated to subjects belonging to the following categories:
• subjects that provide services for the management of the website, the communication networks and the information system used by the Joint Controllers;
• professional firms or companies with an assistance or advisory role;
• companies that manage marketing and communication activities (e.g. service providers, digital agencies);
• the Holding and RSA Group companies;
• competent authorities for the fulfilment of legal obligations and/or provisions of public bodies, on request.
Note that to prevent fraud, the supplier of the e-commerce platform and the company tasked with anti-fraud control check that your Personal Data is not associated with the illegal use of a credit card or excessive credit card debt. The Joint Controllers do not, however, collect information relating to the payment methods that you intend to use. In this regard, note that, in the event of problems relating to the means of payment, the Interested Party will be contacted by authorised BBB personnel with a view to proceeding with a different payment instrument. Only if this is not possible will you be requested to send an identity document and a selfie for the sole purpose of a security control - also in your own interests - documents which will then be eliminated. The subjects belonging to the above-mentioned categories perform the function of Data Processor, or operate in full autonomy as separate Data Controllers. A list of the appointed processors is available by contacting the Joint Data Controllers and the Data Protection Officer at the following e-mail address: email@example.com
Your Personal Data shall not be used for promotional purposes of third parties or for products, services or initiatives not originating from the RSA Group and shall in no case be disclosed to unspecified persons.
6. Transfer of personal data abroad
The data will be transferred outside of the European Union, more specifically for the website and for the Salesforce CRM used. Note that in both cases, the transfer is guaranteed by the provisions of Art. 46 of EU Regulation 2016/679 - transfer to subjects with adequate guarantees.
7. Your rights
You are entitled, at any time, to exercise the following rights towards the Data Controller:
a) To obtain, in accordance with Article 15 of the Regulation, confirmation as to whether or not your personal data are being processed, and, where that is the case, access to the personal data and the following information: a) the purposes of the processing; b) the categories of Personal Data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
b) Where personal data are transferred to a third country or to an international organisation, the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation.
c) Obtain a copy of the Personal Data undergoing processing.
d) Obtain, in accordance with Article 16, the rectification of inaccurate personal data concerning you without undue delay; taking into account the purposes of the processing, you have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
e) Obtain, in accordance with Article 17, the erasure of Personal Data concerning you without undue delay. The controller has the obligation to erase personal data without undue delay where one of the grounds indicated by paragraph 1 of Article 17 applies.
f) Obtain, in accordance with Article 18, the restriction of processing where one of the circumstances regulated by paragraph 1 of Article 18 applies.
g) Withdraw consent at any time without prejudice to the lawfulness of processing based upon consent provided before the withdrawal.
h) Obtain, in accordance with Article 20, the data portability, or receive the Personal Data concerning you, provided to BBB, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another Controller without hindrance from BBB to which the personal data have been provided if the conditions indicated in Article 20 paragraph 1 are in place. Finally, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
i) Object at any time, in accordance with Article 21, to processing of Personal Data concerning you.
j) Object at any time, in accordance with Article 21, to processing of Personal Data for direct marketing purposes and profiling when certain conditions illustrated in Article 21 of the Regulation are in place. More specifically, to object only to marketing activities through automated instruments, you can write an e-mail to firstname.lastname@example.org with the subject “NO AUTOMATED MARKETING CORRESPONDENCE”; if instead you wish to object only to marketing activities through traditional instruments (paper mail) you can write an e-mail to email@example.com with the subject “NO TRADITIONAL MARKETING CORRESPONDENCE”. If you wish to object to the processing of your data for profiling purposes, you can write an e-mail to firstname.lastname@example.org with the subject “NO PROFILING”.
k) Object, in accordance with Article 22, to being subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, in accordance with the conditions indicated in Article 22 of the Regulation.
l) Lodge a complaint with a Data Protection Authority if you consider that the processing concerning you violates the Regulation.
m) Take legal action.
8. Contact Details
For any request relating to your Personal Data referred to in this notice and for the exercise of your rights, you may contact, free of charge, the Data Controller or the Data Protection Officer (DPO), at the addresses indicated in paragraph 1.
Latest update: 03 April 2023