Privacy policy

INFORMATION TO DATA SUBJECT ON THE USE OF THE SITE AND SERVICES

 

The site www.uptoyouanthology.com (hereinafter, the Site) is an e-commerce platform on which users can, on the one hand, buy the products for sale on the Site and, on the other hand, propose projects for their own products which, once realized, will be offered for sale on the Site. Users can therefore play the role of client, designer or both.

Therefore, in accordance with the legislation on the processing of personal data and, in particular, in compliance with Regulation (EU) 2016/679 (hereinafter, “GDPR”), UP TO YOU S.r.l. in S.B. (hereinafter, the Data Controller) provides You with the following information regarding the processing of Your personal data in relation to the use of the Site and the services provided. Depending on the role played by the user, the Data Controller processes different personal data for different purposes.

For the processing of personal data relating to navigation (so-called cookies), we invite you to read the Cookie Policy.

 

1) Processed data, purpose of processing and lawfulness

The Data Controller processes the following personal data, provided by You when using the Site, for different purposes:

The personal data shall be processed for the following purposes:

  a) For contractual purposes and/or purposes connected to the execution of pre-contractual measures on your specific request, as well as to fulfil any legal obligation related to those purposes. In this case, the necessity to proceed with the processing in order to perform the agreement and/or to manage the pre-contractual relationship provides the legal basis;
  b) To send direct marketing communications, newsletters, advertising material and market surveys through the use of traditional systems of contact and automated computer systems, commercial or promotional communications included, by means of email or text message. In this case, the consent of the data subject, expressed according to the current information to data subject, provides the legal basis;
  c) For the purposes connected to related legal obligations, whenever data processing for the purposes of letter a) has been carried out. In this case, the legal obligation of the Data Controller to process those data according to the applicable national law provides the legal basis.

 

2) Optional nature of consent and consequences in case of lack of consent

  • In relation to personal data processed and retained for the purposes referred to in point a), number 1 of this information to data subject (contractual and pre-contractual purposes), the communication of personal data is both a contractual obligation and a necessary requirement for the pre-contractual negotiation performance and for the conclusion of the contract. The data subject has the right to provide personal data; however, in case of failure to communicate such data, it will not be possible to conclude any contract or to perform any contractual negotiation;
  • In relation to personal data processed for the purposes referred to in point b), number 1 of this information to data subject (marketing purposes), the communication of personal data is not a contractual obligation. The data subject has the right to provide personal data; however, in case of failure to communicate such data, it will not be possible to carry out any marketing activity;
  • In relation to personal data processed for the purposes referred to in point c), number 1 of this information to data subject (legal obligations), the communication of personal data is a legal obligation. In this case, the data subject has an obligation to provide personal data; in case of failure to communicate such data, it will not be possible to conclude the contract.

 

3) Recipients of data

For the purposes listed in art. 1, the Data Controller may have to communicate Your personal data to the following subjects, qualified as Persons in charge or Joint Controllers or Data Processors:

  1. employees or collaborators or consultants (e.g. accountants, lawyers, auditors, social media managers, etc.) of the Data Controller
  2. collaborators or companies operating in the production of goods marketed on the Site
  3. companies operating in the logistics, transport and shipping sectors
  4. companies operating in the electronic payments sector
  5. IT consultants and technicians
  6. consultants in the field of marketing, communication and market research
  7. credit institutions and insurance companies
  8. public administrations
  9. judicial authorities, judicial operators and police forces
  10. supervisory and financial authorities.

The list of Persons in charge, Joint Controllers and Data Processors is available to data subjects.

The transfer of personal data to the aforementioned subjects, if based in a third country or international organization, is carried out according to an adequacy decision of the European Commission, which evaluates how the third country, the territory or one or more specific sectors in the third country or the international organization ensure an adequate level of protection of the data subject’s rights. In the absence of such a decision, the Data Controller – if deemed in any case appropriate – reserves the right to conclude specific separate agreements that oblige such subjects to adopt adequate security and organizational measures, in order to offer appropriate guarantees related to the data subject’s rights. The data may be transferred to the following countries: U.S.A. In order to obtain a copy of those data or the place where they are made available it is possible to send a request to the Data Processor, at the above-mentioned addresses.

 

4) Methods of processing personal data and storage period

Personal data are processed using IT and telematic methods and tools, adopting organizational and technical measures adequate to the risks related to the specific processing and suitable to guarantee, as far as possible, the security and confidentiality of the data. In particular, as regards the processing of personal payment data and payment activities, the Data Controller relies on commercial partners with proven competence and organization.

Specifically:

  • in relation to the personal data processed and retained for the purposes referred to in point a), number 1 of the current information to data subject (contractual and pre-contractual purposes), the processing will be carried out by paper means, by automated means and through the use of CRM management software which allows better fulfilment of contractual obligations;
  • in relation to the personal data processed for the purposes referred to in point b), number 1 of the current information to data subject (marketing purposes), the processing will be carried out with the use of software that automatically sends commercial information;
  • in relation to the data processed for the purposes referred to in point c), number 1 of the present information to data subject (to fulfil legal obligations), the processing will be carried out with paper tools, automated logic and CRM management software.

 

5) Personal data retention period

Personal data is processed in accordance with the principles established by EU Reg. 2016/679 (lawfulness, fairness and transparency; determination; adequacy, relevance and limitation; accuracy; security). Except for longer periods of prescription required by law and except for Your right to object to the processing (also through the cancellation of the account):

  • The personal data processed and retained for the purposes referred to in point a), number 1 of the current information to data subject (contractual and pre-contractual purposes) are processed for a period of time not exceeding 10 years from the termination of the effects of the contract and, in case of mere pre-contractual negotiations, for a period not exceeding 10 years from the conclusion of negotiations;
  • The personal data processed for the purposes referred to in point b), number 1 of the current information to data subject (marketing purposes) are processed and retained until the related cancellation is requested by the data subject;
  • The personal data processed and retained for the purposes referred to in point c), number 1 (fulfilment of legal obligations) are processed and retained, in case of conclusion of the contract, for a period of time not exceeding 10 years from the termination of the effects of the contract, while, in case of mere pre-contractual negotiations, for a period of time not exceeding 10 years from the termination of the negotiations.

 

6. Modalities for providing the consent

The consent, whenever requested, can be given through the following technologies:

  • by signing a digital document, including by means of a specific checkbox;
  • by signing a paper document.

 

7. The source of personal data

Only data provided in accordance with the current information to data subject, collected at our locations or by email, will be processed. Data resulting from publicly available sources will not be processed.

 

8. Categories of data

The data subject’s personal data will be processed.

 

9) Children under 16 years old

The Site and the services are not intended for children under 16; therefore, the Data Controller does not intentionally process personal data of children under 16 years.

However, the Data Controller is aware that it is impossible to prevent, in advance, minors under 16 years from accessing and using the Site; therefore, the Data Controller reserves the right to check the age of the users and to deny them access to the services, if they are under 16 years.

These subjects can access the services only if and to the extent that the consent to the processing of their personal data is provided or authorized by the holder of parental responsibility.

By accepting this information to data subject the user declares to be at least 16 years old.

 

10. Right to object

The data subject has the right to object in the circumstances listed below:

  • At any time, on grounds relating to your particular situation, to object to the processing of personal data concerning yourself which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;
  • Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that it is related to such direct marketing;
  • Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes;
  • Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, on grounds relating to the particular situation, the data subject shall have the right to object to the processing of personal data concerning itself, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

 

11. Other rights

The Data Controller shall also inform the data subject about the existence of the following rights:

  • The right of access by the data subject: the data subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and other specific information, pursuant to article 15 of the GDPR;
  • The right to rectification: the data subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement, pursuant to article 16 of the GDPR;
  • The right to erasure/right to be forgotten and the right of withdrawal of the consent: the data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay where the grounds set out in article 17 of the GDPR apply. In relation to the withdrawal of the consent, the data subject has the right to revoke the consent at any time without prejudice to the lawfulness of the processing based on the consent given before the withdrawal;
  • The right to restriction of processing: the data subject shall have the right to obtain from the Data Controller restriction of processing where the grounds set out in article 18 of the GDPR apply;
  • The right to data portability: the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the Data Controller to which the personal data have been provided under the conditions set out in article 20 of the GDPR;
  • The right to object to marketing communications: the contractor has the right to object, at any time and free of charge, to the receipt of commercial communications.

 

12. Exercise of the rights

The request to exercise the rights outlined in this information to data subject must be addressed directly to the Data Controller at the email address indicated, or by registered mail at the address indicated.

 

13. Accessibility of the information to data subject

The information to data subject is accessible by the Data Controller. If expressly requested by the data subject, the information may also be orally provided, provided that the identity of the data subject is proven, by means of a telephone call.

 

14) Contact persons

Data Controller: UP TO YOU S.R.L. S.B. (C.F. and P. IVA 10856450969), with registered office in via Maurizio Quadrio n. 20 (20154) Milano.

 

For more information on GDPR see https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=CELEX%3A32016R0679.

 

UP TO YOU S.R.L. reserves the right to modify and update this document. Therefore, it is advisable to periodically consult the information to data subject in order to know promptly any changes and updates, provided that the use of the Site, after the publication of such changes and updates, constitutes acceptance of the same.

 

Last update: 15/11/2019