Last Modified: August 18, 2019
According to European Regulations 2016/679 art. 14
CalmClinic is committed to protecting the personal data of its actual and/or potential customers and users.
Through this document (hereinafter, the “Policy Privacy”), we intend to renew our commitment to guarantee that the processing of personal data, whatever procedure is used (automated or manual), complies with the protections and rights recognized by Regulation (EU) 2016/679 (hereinafter, the “GDPR” or “Regulation”) and by the other applicable rules on the protection of personal data.
With the expression “personal data” we refer to the definition included in Article 4 (1) of the Regulation, which states: “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (hereinafter, “Personal Data”).
The Regulation establishes that, before proceeding with the processing of Personal Data, it is necessary to inform the owner of the data about the reason why the data are requested and the way in which they will be used. With the expression “processing” we refer to the definition included in Article 4 (2) of the Regulation, which states: “any operation or set of operations, which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (hereinafter, the “Processing”).
In this regard, the purpose of this Policy Privacy, written on the basis of the principle of transparency and of all the elements required by Article 14 of the Regulation, is to provide you, in a simple and intuitive manner, with all the useful and necessary information to allow you to provide your personal data knowingly and to ask for and obtain any explanation and/or correction at any time.
CalmClinic is the company that will process your Personal Data according to the main purposes explained in section B of this Policy Privacy, and that will have the role of the data controller according to the related definition included in Article 4 (7) of the Regulation, which states: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and the means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law” (hereinafter, the “Data Controller”).
CATEGORIES OF PROCESSED PERSONAL DATA AND PURPOSES OF THE PROCESSING
The Data Controller has to collect some of your Personal Data in order to (i) make the purchase of the products available and/or (ii) reply to your information requests which come from the contact forms and/or (iii) allow your registration to the newsletter service.
The Processing of your Personal Data will be managed by the Data Controller, who will let you purchase the products, receive the newsletter, send information requests and from time to time use all the other services offered by every website on which you have registered or which you are browsing.
The Processing of your Personal Data will be legally based on the contractual relationship that will arise between the Data Controller and you, after you have agreed to the conditions of participation you find on the website (see Article 6, Paragraph 1 (b) of the Regulation).
The Personal Data requested will be those reported in the contact form and in the questionnaire: name, surname, e-mail address, age, gender, height, weight, body fat percentage.
Finally, data related to your health conditions may also be requested for the “prevention” purposes, explained in the subsequent Section C of this Policy Privacy.
In addition to the purposes explained in Section B, your Personal Data may be processed for the following and further purposes:
i. Prevention: this term means the will of CalmClinic to protect your health, more than your privacy. For this reason, before proceeding with the purchase, you will be asked to complete a questionnaire requesting personal data that belong, according to Article 9 of the Regulation, to “specific” categories, in order to verify whether your health conditions are compatible with our recovery plan.
ii. Direct marketing: this term refers to the will of CalmClinic to carry out promotional and / or marketing activities for you and in your interest, in order to provide you with a better service and to promote products and services of interest to you, which are sold and / or provided by CalmClinic.
iii. Profiling: this term refers to any form of automated processing of personal data which consists in the use of such personal data in order to evaluate certain personal aspects related to a natural person, and in particular in order to analyze or predict aspects concerning the professional performance, the economic situation, health, personal preferences, interests, reliability, behavior, location or movement of that natural person.
iv. Transfer of data to third parties: this term refers to the transmission of data collected by the Data Controller to third parties, in order to receive direct communications for marketing purposes from such third parties.
With regard to the purposes of prevention (point i.), the processing of your Personal Data will take place only after your express, free and informed consent, given by marking the appropriate box at the bottom of the form for the collection of the data.
With regard to the purpose of direct marketing (point ii.), it should be underlined that, according to Article 6, paragraph 1 (f) of the Regulation, CalmClinic may carry out this activity on the basis of its legitimate interest and regardless of your consent, unless you object to such processing or you limit it (according to Section G letter d. of this Policy Privacy). This is better explained in “Whereas” (47) of the Regulation: “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. This will also be possible following the assessments made by the Data Controller regarding the possible prevalence of your interests, fundamental rights and freedoms that require the protection of Personal Data on your legitimate interest in sending direct marketing communications.
SUBJECTS TO WHICH YOUR PERSONAL DATA WILL BE DISCLOSED
Your Personal Data may be disclosed to specific subjects, who are considered recipients of such Personal Data. Indeed, Article 4 (9) of the Regulation defines the recipient of Personal Data as: “a natural or legal person, public authority, agency or another body to which the personal data are disclosed whether a third party or not” (hereinafter, the “Recipient”).
In this regard and in order to carry out in the correct way all the activities of Processing, which are necessary in order to pursue the purposes examined in this Policy Privacy, the following Recipients may process your Personal Data:
Third parties who carry out part of the activities of Processing, or activities connected with them, on behalf of the Data Controller. Each of these subjects has been individually appointed as data processor, according to Article 4 (8) of the Regulation, which includes “natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller” (hereinafter, the “Data Processor”).
Natural persons, employees and / or collaborators of the Data Controller, who have been entrusted with one or more specific processing activities on your Personal Data. Such persons have been given specific instructions about the safety and the correct use of Personal Data and are defined, according to Article 4 (10) of the Regulation, as: “persons, who under the direct authority of the controller or processor are authorized to process personal data” (hereinafter, the “Authorized Persons”).
If required by law or in order to prevent or suppress the commission of a crime, your Personal Data may be disclosed to public bodies or judicial authorities, without being defined as Recipient. Indeed, Article 4 (9) of the Regulation affirms: “public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or the Member States law shall not be regarded as Recipients”.
COOKIES THAT WE AND OUR SERVICE PROVIDERS USE
Required cookies – used to ensure proper performance of the website, security of customers and their data, and provision of high-quality services.
Functional cookies – used to enhance the website user experience, analyze the use of the system and accordingly improve the provision of services.
Advertising cookies – used to observe user online behavior and optimize marketing campaigns according to such information.
WHAT WE USE:
TIME OF PROCESSING AND OF STORAGE OF PERSONAL DATA
One of the principles applicable to the Processing of your Personal Data concerns the limitation of the period for which the personal data have to be stored, governed by Article 5, paragraph 1 (e) of the Regulation, which states: “Personal Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject”. On the basis of this principle, your Personal Data will be processed by the Data Controller only to the extent necessary in order to pursue the purposes quoted in Sections B and C of this Policy Privacy. In particular, your Personal Data will be processed for a minimum necessary period of time, as indicated in “Whereas” 39 of the Regulation, namely until the end of the contractual relationship between you and the Data Controller, except for the legitimate interest of the Data Controller in preserving them further, according to “Whereas” 47 of the Regulation. Furthermore, your Personal Data will be processed for a minimum necessary period of time which may be imposed by legal provisions in accordance with “Whereas” 65 of the Regulation.
WITHDRAWAL AND LIMITATION OF THE CONSENT
In accordance with the Regulation, if you have given your consent to the processing of your Personal Data for one or more of the purposes explained in sections B and C of this Policy Privacy, you can, at any time, withdraw it totally and / or partially without compromising the lawfulness of the Processing based on the consent given before the withdrawal. Withdrawing consent is very simple and intuitive; you just have to contact the Data Controller, using the contact channels reported in Section G of this Policy Privacy.
DATA SUBJECTS’ RIGHTS
In accordance with Article 15 of the Regulation, you can have access to your Personal Data and ask for their amendment and their updating, if they are incomplete or wrong. You can ask for their cancellation, if their collection has been made in breach of a law or regulation, and you can object to the processing for legitimate and specific reasons. In particular, we report below all the rights you can exercise, at any time, against the Data Controller.
According to Article 15, Paragraph 1 of the Regulation, you will have the right to obtain from the Data Controller confirmation as to whether a Processing of your Personal Data is occurring and, in this case, you will have the right to obtain access to these Personal Data and to the following information: a) the purposes of the processing; b) the categories of Personal Data in question; c) the recipients or categories of recipients to whom your Personal Data have been communicated or will be communicated, especially if they are Recipients from third countries or international organizations; d) when possible, the expected period of the Data storage or, otherwise, the criteria used to determine that period; e) the right of the data subject to request the Data Controller to amend or delete Personal Data, or to limit or object to their processing; f) the right to make a complaint to a supervisory authority; g) if the Personal Data are not collected from the Data Subject, how the Data Controller has collected them; h) the existence of automated decision-making, including profiling, according to Article 22, Paragraphs 1 and 4 of the Regulation and, at least in such cases, significant information about the logic employed, as well as about the importance and the effects of such Processing for the Data Subject.
In accordance with Article 16 of the Regulation, you can obtain the amendment of incorrect Personal Data. Taking into account the purposes of the processing, moreover, you can obtain the integration of your incomplete Personal Data, also by presenting an additional declaration.
In accordance with Article 17, Paragraph 1 of the Regulation, you can obtain the cancellation of your Personal Data without unjustified delay, and the Data Controller will be obliged to delete your Personal Data, if at least one of the following reasons applies: a) the Personal Data are no longer necessary for the purposes for which they have been collected or otherwise processed; b) you have withdrawn the consent on which the processing of your Personal Data is based and there is no other legal basis for their processing; c) according to Article 21, Paragraph 1 or 2 of the Regulation, you have objected to the processing and there is no longer any overriding legitimate reason to proceed with the processing of your Personal Data; d) your Personal Data have been processed unlawfully; e) it is necessary to delete your Personal Data in order to comply with a legal obligation provided for in Union or Member State law. In some cases, as indicated by Article 17, Paragraph 3 of the Regulation, the Data Controller is entitled to collect and not to delete your Personal Data, if their processing is necessary, for example, for the exercise of the right of freedom of expression and information, for the fulfillment of a legal obligation, for reasons of public interest, for purposes of archiving in the public interest, for scientific or historical research, for statistical purposes, for verification, or for the exercise or the defense of a right before a court.
LIMITATION OF PROCESSING RIGHT
In accordance with Article 18 of the Regulation, you can obtain the limitation of the Processing if one of the following hypotheses occurs: a) you have contested the accuracy of your Personal Data (the limitation will continue for the period necessary for the Data Controller to verify their accuracy); b) the processing is illegal but you have objected to the cancellation of your Personal Data, asking, instead, that their use be limited; c) although the Data Controller no longer needs your Personal Data for the purposes of processing, they are necessary for the verification, for the exercise or the defense of a right before a court; d) according to Article 21, Paragraph 1 of the Regulation, you have objected to the processing and you are waiting for the verification regarding the possible prevalence of the legitimate reasons of the Data Controller over yours. In case of limitation of the processing, your Personal Data will be processed, except for their collection, which is possible only with your consent, then for the verification, for the exercise or the defense of a right before a court, for the protection of the rights of another natural or legal person, or again for reasons of significant public interest. In any case, we will inform you before this limitation is withdrawn.
DATA PORTABILITY RIGHT
In accordance with Article 20, Paragraph 1 of the Regulation, at any time you can request and receive all of your Personal Data processed by the Data Controller in a structured, commonly used and readable format; alternatively, you can request their transmission to another Data Controller without any impediment. In this case, it will be your responsibility to provide us with all the exact details of the new Data Controller in a written authorization.
In accordance with Article 21, Paragraph 2 of the Regulation and as also reiterated by “Whereas” 70 of the Regulation, at any time you can object to the processing of your Personal Data if these are processed for purposes of direct marketing, of profiling and of transferring the data to third parties.
RIGHT OF MAKING A COMPLAINT TO THE SUPERVISORY AUTHORITY
Apart from your right to appeal to any other administrative or jurisdictional office, if you believe that the processing of your Personal Data, conducted by the Data Controller, breaches the Regulation and / or the applicable legislation, you can make a complaint before the Personal Data Protection Authority.
Your Personal Data will be processed by the Data Controller within the territory of the European Union.
Considering the fact that the Data Controller belongs to CalmClinic, it may be necessary, for technical and / or operational reasons, to cooperate with entities that are located outside the European Union, so that they can respond to your requests. In accordance with and for the purposes of Article 28 of the Regulation, we inform you that these subjects have been specifically appointed as Data Processors, and the transmission of your Personal Data to these subjects, which is limited to specific activities of processing, will be regulated in accordance with “Chapter” V of the Regulation.
All necessary precautions will therefore be taken in order to ensure the whole protection of your Personal Data. As a matter of fact the transmission is based: (a) on adequate decisions of the third country recipients, expressed by the European Commission; (b) in accordance with Article 46 of the Regulation, on appropriate guarantees, expressed by the third party recipient; (c) on the adoption of binding corporate rules; (d) on the adoption of standard contractual clauses, approved by the European Commission.
WHEN DO WE PROVIDE YOUR DATA TO OTHERS?
We may disclose your personal data to any member of our group of companies (including our subsidiaries, our ultimate holding company and all its subsidiaries) insofar as reasonably necessary for the purposes set out in this notice. Such purposes may include internal administration as well as the provision/sharing of IT services or data centers in the group.
We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
We may disclose your personal data to our anti-fraud, risks and compliance providers insofar as reasonably necessary for the purposes of protecting your personal data and fulfilling our legal obligations.
We may disclose your personal data to our payment service providers. We will share service data with our payment services providers only to the extent necessary for the purposes of processing your payments, transferring funds and dealing with complaints and queries relating to such payments and transfers.
We may disclose your personal data to other service providers insofar as it is reasonably necessary to provide specific services (including providers of servers and maintenance thereof, email service providers, and service providers used for data analysis, customer satisfaction surveys or market research). We take all the necessary measures to ensure that such subcontractors implement proper organizational and technical measures to ensure the security and privacy of your personal data.
In addition to the specific disclosures of personal data set out in this Section, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
The persons indicated in this Section may be established outside the United Kingdom, European Union and European Economic Area. If we transfer your personal data to such persons, we will take all the necessary measures indicated in the legal acts to ensure that your privacy remains properly secured, including, where appropriate, signing standard contractual clauses for the transfer of data.
CHILDREN'S PERSONAL DATA
Our website and services are targeted at persons over the age of 18. If we have reason to believe that we hold personal data of a person under that age in our databases without having consent from the holder of parental rights, we will delete that personal data.
THIRD PARTY WEBSITES
On the website you may find links to and from partner sites, information sources and related party websites. Please note that the third party websites you visit by clicking on such links have their own privacy policies, and we take no responsibility regarding such privacy policies. We recommend familiarizing yourself with the privacy policies of such websites before providing any personal data to them.