Royal St. Andrews SA (Operating Sub-holding company, hereafter “RSA”) and BBB S.p.A. (hereafter “BBB”) recognise the importance of maintaining the confidentiality, integrity and security of your non-public Personal Data (hereafter, the “Personal Data”) and inform you that the Personal Data provided by you via the website www.boggi.com, as well as any data provided to the stores of companies controlled by the Sub-Holding Company or by franchisees (hereafter, jointly, also the “RSA Group”) which manage the stores using the brands Boggi Milano, Boggi Factory Store and Boggi Milano BM39 (hereafter the “Brands”), will be processed in compliance with existing European privacy rules, Regulation (EU) 2016/679 (hereafter, the “Regulation”) and specific local regulations applicable from time to time for processing performed outside the European Union, as well as the standards and general rules of conduct contained in the Code of Ethics adopted by RSA.
1. Personal Data Controller
The Personal Data Controllers are:
• Royal St. Andrews SA based in Bd Grand-Duchesse Charlotte 31, Luxembourg
• BBB S.p.A. based in Via Lancetti 28, 20100 Milan (Italy),
in the persons of their acting legal representatives which, as part of their prerogatives, may use specifically identified processors or officers. The Data Controllers or the Data Protection Officer (DPO), appointed by the Data Controllers, can be contacted at the e-mail address email@example.com or by writing to the operating headquarters.
The responsibilities of Data Controllers for the fulfilment of the obligations established by the Regulation, as defined in Art. 26, were determined by an internal arrangement, available at your request.
2. Type and Source of Data
I. Browsing Data
The IT systems and software procedures that run the Website acquire, during their normal exercise, some Personal Data whose transmission is implicit in the use of Internet communication protocols.
That information is not collected to be associated with identified natural persons but, by its very nature, could, through processing and association with data held by third parties, allow for users to be identified.
This category includes IP addresses (Internet Protocol, a numerical label that uniquely identifies a device known as a host, which may be a computer, handheld device or smartphone, etc., connected to an IT network that uses the Internet Protocol as a network protocol), or the domain names of the computers used by users who connect to the Website, addresses in URI notation (Uniform Resource Identifier, a sequence of characters that uniquely identifies a generic resource) of the resources requested, the date and time of the request, the method used in sending the request to the server (a high-performance computer that, in a network, provides a service to the other connected computers, known as clients), the size of the file (digital information container) obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.), the geographical position of the user and other parameters relating to the user's operating system and IT environment. Localisation takes place in non-continuous mode when the user allows automatic position detection.
These data are used for the sole purpose of obtaining anonymous statistical information on use of the Website (access frequency, duration of stay, information on items viewed, moved to the cart, or entered in the wish list) and to check its correct functioning.
To improve the service offered and to monitor your behaviour, when you visit the Website, you will be sent Cookies.
Cookies are small text files sent by the Website visited by you to your computer (usually to the browser, a programme that allows you to browse and to view the web pages and material contained therein: images, videos, texts, and other multimedia elements), where they are stored only then to be sent back to the Website at your next visit. Cookies are the means by which your browsing data are stored.
II. Personal Data provided voluntarily
RSA and BBB collect and process the Personal Data provided by you, directly and knowingly, via the Website or to the stores of RSA Group, when registering to the Boggi Privilege loyalty programme, making your order, registering to the newsletter, making a request to our Customer Service, or making an appointment request to try an item chosen by you at one of the RSA Group stores.
The Personal Data may be: name, surname, postal address and country, email address, password chosen by you to access your account, telephone number, date of birth, gender, signature, bluetooth address (unique address assigned to the network cards) of your electronic device (handheld device, telephone, etc.), billing address and one or more postal shipping addresses, identification details of one or more of your credit cards and tax code.
In addition, the optional, explicit and voluntary transmission of email via the Website to Customer Services involves the acquisition of the email address, required to respond to requests, as well as any other personal data included in the message sent.
3. Personal Data processing purposes
The Personal Data will be used for the following purposes:
I. Registration to the Boggi Privilege loyalty programme
RSA and BBB collect Personal Data from you directly and knowingly provided when registering to the Boggi Privilege loyalty programme.
When registering to the loyalty programme, BBB creates an account in your name. By accessing the account, you can: collect information on your profile regarding your history of online & offline purchases, the contents of the “wish list” which expresses your preferences on products found on the Website, email addresses of other third parties with which you have shared your wish list; change the personal settings and update the account. By registering to the Loyalty Programme you can, based upon the purchases made, accumulate points to enjoy the benefits provided by the Programme.
You will also be offered the chance to register to the Website via your personal account on Facebook, Google+ or Linkedin. By providing authorisation to proceed, RSA and BBB will collect from the social media account information based upon your profile as well as your email address.
II. Customer profiling
Only following your explicit consent, and provided that you are registered to the Boggi Privilege programme, Personal Data provided by you, as well as the data regarding your past purchases, may be processed for profiling activities, which consist of the automated and anonymous processing of data relating to customers, in order to break it down into groups depending on the respective behaviour, with the aim of creating personalised contents and offers. The offering of goods and services is not directed to minors; RSA and BBB undertake to verify and, if necessary, cancel the profiling consent granted by customers who are under the age of 16.
III. Online Purchase
The Personal Data provided will be processed with a view to managing the purchase order with reference, by way of example, to payment, shipment, fraud prevention, acceptance of any returns, customer support, disputes, execution of administrative and accounting activity, fulfilment of obligations provided by existing regulations.
RSA and BBB do not collect information on the payment methods that you intend to use but this is collected directly by the respective suppliers as well as by the e-commerce platform provider and by companies instructed to perform anti-fraud control.
While completing the payment procedure, you will also be offered the chance to register to the Website via your personal account on Facebook, Google+ or Linkedin. By providing authorisation to proceed, RSA and BBB will collect from the social media account information based upon your profile as well as your email address.
IV. Direct Marketing
Only following your explicit consent, the Personal Data provided by you may be used to send you commercial and promotional communications, newsletter, messages, advertising material, as well as catalogues and invitations to events through traditional and automated communication tools both in digital and paper format (mail, email, calls, chat, SMS and MMS).
To withdraw that consent, click on the specific unsubscribe link indicated at the bottom of the e-mails received or write to the address firstname.lastname@example.org.
The offering of goods and services is not directed to minors; RSA and BBB undertake to verify and, if necessary, cancel the consent granted by customers who are under the age of 16.
V. Management of relationship
The transmission by you of a request for support to Customer Services (by email, live chat, forms, telephone) allows RSA and BBB to acquire your email address or telephone number, as well as any other Personal Data and other information entered therein.
VI. Fulfilment of legal obligations:
The Personal Data provided by you may be processed:
a) to satisfy legal, administrative, financial and accounting duties imposed by law and by existing regulations (for example, in terms of tax documentation);
b) to perform activities of an organisational nature and/or functional to the fulfilment of contractual obligations.
4. Legal basis for Personal Data processing
Your Personal Data are collected by RSA and BBB only if and to the extent that one of the following conditions is in place:
a) You have expressed consent to the optional processing of your Personal Data for profiling and marketing activities. Any lack of consent involves the impossibility for RSA and BBB to send you direct commercial and promotional communications or in line with your preferences.
b) The processing of your Personal Data is mandatory for the execution of a contract of which you are a party, as in the case of: registration to the Boggi Privilege loyalty programme, online purchase of one or more products and management of the relationship.
For example, in the case of online purchasing, any failure to provide your data involves the impossibility for RSA and BBB to establish, manage, execute and/or conclude the online sale contract; therefore, the impossibility to manage the purchase order with reference, by way of example, to payment, shipment, fraud prevention, acceptance of any returns, customer support, disputes, execution of administrative and accounting activity, fulfilment of obligations provided by existing regulations.
c) The processing of your Personal Data is mandatory to fulfil a legal obligation to which RSA and BBB are subject in the capacity of Data Controllers, as in the case of fulfilments in relation to tax documentation.
Any failure to provide your data involves the impossibility for RSA and BBB to perform a duty carried out in the public interest or for the exercise of public powers.
d) The processing is necessary to pursue the legitimate interest of RSA and BBB, as in the case of checking that your Personal Data are not associated with the unlawful use of a credit card or excessive charge on a credit card and/or the transfer of your Personal Data within the RSA Group.
The aforementioned legal bases may, as appropriate and in whole or in part, apply jointly.
You have the right to withdraw your consents at any time. The withdrawal of consent does not, however, prejudice the lawfulness of the processing based upon consent before the withdrawal.
5. Processing methods
The Personal Data will be processed using paper, IT and electronic tools, according to logic strictly related to the purposes indicated above, for the time strictly necessary to pursue the purposes for which they were collected, in compliance with the principle of necessity and proportionality, avoiding processing Personal Data if the operations could be performed using anonymous data or by other methods.
All measures deemed necessary and/or appropriate to ensure that the Personal Data are processed lawfully, correctly and transparently in relation to you, and to prevent their loss, even accidental, as well as unauthorised access, will be implemented.
In particular, Personal Data processed for profiling and marketing purposes will be entered and stored in the CRM (Customer Relationship Management) system at servers located at RSA Group companies.
6. Duration of processing and Personal Data storage period
Your Personal Data will be processed and stored for the time necessary to carry out the purposes for which they were collected.
• Personal Data collected on the basis of your consent for direct marketing or profiling activities or for the legitimate interest of RSA and BBB will be processed and stored for the period in which you actively interact with RSA and BBB, thereby meaning having purchased in the last three years one or more products at stores of the RSA Group or having visited, during the same period, our Website, or until you withdraw that consent. They will, then, be made anonymous;
• Personal Data collected to execute a contract of which you are a party will be processed and stored until the execution of that contract has been completed;
• Personal Data collected to fulfil a legal obligation will be processed and stored for the period provided by the law in force.
RSA and BBB may be obliged to store your Personal Data for a longer period than that respectively indicated above by order of an authority.
At the end of the storage period, your Personal Data will be erased or made anonymous permanently. Therefore, at the expiry of that period, you may no longer exercise the right to access, right to rectification, right to erasure, right to restriction of processing and right to portability of the Personal Data.
7. Communication and transfer of personal data abroad
The Personal Data will be processed by RSA and BBB's internal personnel authorised to process for that purpose, as part of the conduct of the assigned working duties, designated as processing officers and, possibly, insofar as is necessary and/or instrumental for executing the purposes indicated above, by the Holding Company and by the RSA Group companies (they may even be situated outside the European Economic Area in the countries indicated on the Website and to which the data will be transferred in conformity with Articles 45 and 46 of the Privacy Regulation) and by external entities that perform for BBB specific technical and organisational services connected to the Website and to the management of marketing and communication activities, which will act on behalf of RSA and BBB in the capacity of Processors (e.g. service providers, digital agencies, shipping agents, technicians who perform IT services maintenance, companies used by RSA and BBB for the implementation and/or management of promotional campaigns of its products or services, consultants, etc.). The processing by each Processor will be regulated by a contract or other legal deed which binds it to RSA and BBB and which defines, inter alia, the duration, nature and purposes of processing, the type of Personal Data and categories of data subjects, the obligations and rights of RSA and BBB. Your Personal Data will not be used for purposes of promotional nature of third parties or relating to products, services or initiatives not originating from the RSA Group and will not in any case be disseminated to indeterminate entities. If specifically required by the applicable law, your Personal Data may be provided to the regulatory authorities, judicial authorities, law enforcement agencies, tax authorities and other authorities to which investigative powers are assigned. The updated list of Processors may be requested from the Controllers at the addresses indicated in paragraph 1.
You have the right to obtain a copy of the Data held abroad outside the European Economic Area and to obtain information on the location in which those Data are stored by making an express request to the address indicated in paragraph 1 of this policy.
8. Your rights
You are entitled, at any time, to exercise the following rights towards the Data Controller:
a) To obtain, in accordance with Article 15 of the Regulation, confirmation as to whether or not your personal data are being processed, and, where that is the case, access to the personal data and the following information: a) the purposes of the processing; b) the categories of Personal Data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
b) Where personal data are transferred to a third country or to an international organisation, the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation.
c) Obtain a copy of the Personal Data undergoing processing.
d) Obtain, in accordance with Article 16, the rectification of inaccurate personal data concerning you without undue delay; taking into account the purposes of the processing, you have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
e) Obtain, in accordance with Article 17, the erasure of Personal Data concerning you without undue delay. The controller has the obligation to erase personal data without undue delay where one of the grounds indicated by paragraph 1 of Article 17 applies.
f) Obtain, in accordance with Article 18, the restriction of processing where one of the circumstances regulated by paragraph 1 of Article 18 applies.
g) Withdraw consent at any time without prejudice to the lawfulness of processing based upon consent provided before the withdrawal.
h) Obtain, in accordance with Article 20, the data portability, or receive the Personal Data concerning you, provided to BBB, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another Controller without hindrance from BBB to which the personal data have been provided if the conditions indicated in Article 20 paragraph 1 are in place. Finally, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
i) Object at any time, in accordance with Article 21, to processing of Personal Data concerning you.
j) Object at any time, in accordance with Article 21, to processing of Personal Data for direct marketing purposes and profiling when certain conditions illustrated in Article 21 of the Regulation are in place.
k) Object in accordance with Article 22, to being subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, in accordance with the conditions indicated in article 22 of the Regulation.
l) To lodge a complaint with the Data Protection Supervisor when you believe that the processing concerning you violates the Regulation. The lead supervisory authority appointed by the Data Controllers is CNPD, 1, avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette, Luxembourg.
m) To take legal action.
The complete descriptions of your rights are indicated in Articles 6/15/16/17/18/20/21/22/57 of the Regulation.
9. Contact Details
Latest update: 19 February 2019.