Policy pursuant to Articles 13 and 14 of the EU Data Protection Regulation 2016/679 (GDPR)
Updated May 21st 2024 – Check this website regularly for the latest version
Online Users (LuisaViaRoma website and mobile app)
Pursuant to Articles 13 and 14 of EU Regulation 2016/679 (hereinafter “GDPR”), LUISA VIA ROMA S.p.A. (hereinafter “LUISAVIAROMA” or the “Data Controller”) VAT no. IT 00607970480, with registered office in Via Benedetto Varchi, 61, 50132, Florence, Italy, in its capacity as Data Controller, informs you that your personal data will be processed by LUISAVIAROMA itself by means of manual processing or electronic or automated, computerized or telematic instruments, on the basis of principles strictly related to the purposes listed below and, in any case, in such a way as to guarantee the security and confidentiality of the data.
Contact details: customerservice@luisaviaroma.com
A Data Protection Officer (DPO) has been appointed: dpo@luisaviaroma.com
Browsing Data
Purposes of the processing | Legal basis of processing (Article 6 of the GDPR) |
Use of the web service. To obtain statistical information on the use of the services (most visited pages, number of visitors per time slot or per day, geographical areas of origin, etc.). To check that the services offered are working properly. | Performance of a contract or of pre-contractual measures. |
You must provide your data in order to be able to browse.
Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- Statistical analysis and optimization of the LUISAVIAROMA corporate website and mobile APP
- IT consultancy
- Software development support
- Cloud
If you would like to see the list of data processors, please write to dpo@luisaviaroma.com
The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
The personal data processed by LUISAVIAROMA are not disseminated.
Transfers outside the EU
In pursuing the aforementioned purposes of processing, your personal data are not transferred outside the European Union.
Personal data retention period
Purpose | Personal data category | Deadlines for deletion |
Using the web service. Obtaining statistical information on the use of the services (most visited pages, number of visitors per time slot or per day, geographical areas of origin, etc.). Checking that the services offered are working properly. | Common data: the IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and computer environment. | 50 months |
Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.
Creation of Account
Purpose of processing | Legal basis of processing (Article 6 of the GDPR) |
Creation and management of the accounts of users registered on the Luisaviaroma corporate website and mobile APP | Performance of a contract or of pre-contractual measures. |
Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible to create your account.
Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- Statistical analysis and optimization of the LUISAVIAROMA corporate website and mobile APP
- IT consultancy
- Software development support
- Cloud
If you would like to see the list of data processors, please write to dpo@luisaviaroma.com
The data will also be processed by persons the Data Controller specifically authorizes to process the data, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
The personal data processed by LUISAVIAROMA are not disseminated.
Transfers outside the EU
In pursuing the aforementioned processing purposes, your personal data are not transferred outside the European Union.
Personal data retention period
Purpose | Personal data category | Deadlines for deletion |
Creating and managing the accounts of users registered on the Luisaviaroma corporate website and mobile APP | Common data: name, date of birth and country of origin – userID – password – IP address – email | 10 years for customers who have placed at least one order. 36 months for customers who have never placed an order. After this time, your data will be anonymized or deleted, unless it is required to be kept for other, different purposes as expressly provided for by law. |
Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.
Management of Account Preferences
Purpose of processing | Legal basis of processing (Article 6 of the GDPR) |
To make the product search experience easier and faster for the user | Performance of a contract or pre-contractual measure. |
Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible for you to use the service.
Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- Privilege program management platform
- Newsletter management platform that receives data from the privilege program via API
- Customer Data Platform
If you would like to see the list of data processors, please write to dpo@luisaviaroma.com
The data will also be processed by persons the Data Controller specifically authorises to process the data, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
The personal data processed by LUISAVIAROMA are not disseminated.
Transfers outside the EU
In pursuing the aforementioned purposes of processing, your personal data are transferred to the United Kingdom. Such transfer is permitted because the suitability of the United Kingdom has been recognized by a decision of the European Commission (Art. 45 GDPR).
Personal data retention period
Purpose | Personal data category | Deadlines for deletion |
Making the product search experience easier and faster for the user | Common data: name, userID – Password, language, gender, sizes (CLOTHING AND SHOES) and further preferences indicated by the user (preferred brands, GOODS CATEGORIES, preferred colors). | 7 years after their registration |
Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.
Newsletter
Purpose of processing | Legal basis of processing (Article 6 of the GDPR) |
Management of the sending of the promotional newsletter (marketing) | Consent |
Management of preferences and topics of interest (profiling) | Consent |
Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible for you to subscribe to the newsletter service (consent to marketing) or to personalize its content (consent to profiling).
Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- Newsletter management platform that receives data from the privilege program via API
- Marketing campaigns on social media
If you would like to see the list of data processors, please write to dpo@luisaviaroma.com
We also communicate your data to independent data controllers for the management of marketing campaigns on Facebook.
The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
The personal data processed by LUISAVIAROMA are not disseminated.
Transfers outside the EU
In pursuing the aforementioned purposes of processing, your personal data are not transferred outside the European Union.
Personal data retention period
Purpose | Personal data category | Deadlines for deletion |
Management of the sending of the promotional newsletter | Common data: first name, last name, email address, behavioral data, lifestyle, and consumption habits, cookies – IP address. Furthermore, in order to compare and possibly improve the results of communications, the newsletter and promotional message sending systems are equipped with a reporting mechanism that reports, for example, the number of readers, openings and clicks; the type of device used to read the communication (desktop, mobile); the number of pending users yet to have confirmed their subscription; the number of emails sent by date/time/minute; the detail of emails delivered versus those sent; the list of un-subscribers to the newsletter; email openings and clicks on individual links; message display problems; link tracking (i.e. the number of clicks made on links in the message); click tracking (which links were clicked on). All these data are used in order to compare, and possibly improve, the results of the communications. | For the entire duration of subscription to the newsletter service and for 24 months following un-subscription. After this time, your data will be anonymized or deleted, unless it is required to be kept for other, different purposes as expressly provided for by law. |
Management of preferences and topics of interest (profiling) | Newsletter content choice preferences (Men’s-Women’s-Home-Children’s-Beauty) and Topics of interest (Clothing – Bags – Shoes – Accessories – Jewellery and Watches – Sport) | 7 years after their registration |
Automated decision-making process
In pursuing the purposes of processing described above, the data controller carries out profiling (if you have given your consent to profiling, the content of the newsletters may reflect your preferences); however, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.
To stop receiving the newsletter, click on the link “If you prefer not to receive future e-mails from Luisa Via Roma S.p.A click here” at the bottom of each newsletter you receive; in case of technical problems, you can send an alert to: customerservice@luisaviaroma.com
Shopping Online
Purpose of processing | Legal basis of processing (Article 6 of the GDPR) |
Shopping online (handling of sales transactions) | Performance of a contract or of pre-contractual measures |
Fulfilment of regulatory obligations in tax and administrative matters | Performance of a contract or of pre-contractual measures and fulfilment of legal obligations |
Purchase invoicing | Performance of a contract or of pre-contractual measures and fulfilment of legal obligations |
Order Analysis for fraud control | Legitimate interest: check for the interception and handling of fraudulent or potentially fraudulent transactions |
Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible to conclude the sale contract.
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- monitoring and help desk on AS/400 systems;
- IT consultancy;
- cloud for CRM Dynamics;
- support in developing CRM software;
- VAT compliance services;
- logistics provider in charge of the warehouse;
- CRM;
- Sales Tax Management;
- document digitization.
If you would like to see the list of data processors, please write to dpo@luisaviaroma.com
Your personal details may also be communicated to:
- Law enforcement and judicial authorities (for anti-fraud purposes);
- payment service providers involved in the processing of collection/redemption transactions;
- auditing firms
- supplier for activities related to the interception and handling of fraudulent or potentially fraudulent transactions
- tax authorities (Revenue Office) and customs.
The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
The personal data processed by LUISAVIAROMA are not disseminated.
Transfers outside the EU
In pursuing the purposes of processing described above, your personal data are transferred outside the European Union for anti-fraud purposes only (on the basis of Standard Autonomous Data Controller-Autonomous Data Controller Contractual Clauses).
Personal data retention period
Purpose | Personal data category | Deadlines for deletion |
Shopping online (handling of sales transactions) | Name and shipping address for both logged and non-logged users; tax code or VAT number when issuing invoices for Italian customers; Tax Code or Passport number in case of shipment to Turkey, Qatar, Brazil and Indonesia; phone number for both logged and non-logged users; email (for both logged and non-logged users); UserID and password for logged users only | 10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation |
Fulfilment of regulatory obligations in tax and administrative matters and purchase invoicing | Name and shipping address for both logged and non-logged users; for invoicing: name and billing address, tax code; phone number for both logged and non-logged users; email for both logged and non-logged users | 10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation |
Order Analysis for fraud control | Name, shipping and billing address; items purchased; payment method used and amount of the transaction; IP connection; cookies; phone number; credit card details: | Up to 10 years or more in the event of disputes |
After this time, your data will be anonymized or deleted, unless it is required to be kept for other, different purposes as expressly provided for by law.
Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.
Virtual Gift Card
Purpose of processing | Legal basis of processing (Article 6 of the GDPR) |
Virtual gift card service | Performance of a contract or of pre-contractual measures |
Fulfilment of regulatory obligations in tax and administrative matters | Performance of a contract or of pre-contractual measures and fulfilment of legal obligations |
Purchase invoicing | Performance of a contract or of pre-contractual measures and fulfilment of legal obligations |
Order analysis for fraud control | Legitimate interest: Check for the interception and handling of fraudulent or potentially fraudulent transactions |
Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible to conclude the sale contract.
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- supervision and help desk on AS/400 systems;
- IT consultancy;
- cloud for CRM Dynamics;
- support in developing CRM software;
- VAT compliance services;
- logistics provider in charge of the warehouse;
- CRM;
- Sales Tax Management;
- Document digitization.
If you would like to see the list of data processors, please write to dpo@luisaviaroma.com
Your personal details may also be communicated to:
- law enforcement and judicial authorities (for ‘send a gift’ services and anti-fraud purposes);
- Payment service providers involved in the processing of collection/redemption transactions;
- Auditing firms
- supplier for activities related to the interception and handling of fraudulent or potentially fraudulent transactions
- Tax authorities (Revenue Office) and customs.
The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
The personal data processed by LUISAVIAROMA are not disseminated.
Transfers outside the EU
In pursuing the purposes of processing described above, your personal data are transferred outside the European Union only for anti-fraud purposes (on the basis of Standard Autonomous Data Controller-Autonomous Data Controller Contractual Clauses).
Personal data retention period
Purpose | Personal data category | Deadlines for deletion |
Virtual gift card services | Name and shipping address for both logged and non-logged users; tax code or VAT number when issuing invoices for Italian customers; name of sender; recipient’s name and email; phone number for both logged and non-logged users; email (for both logged and non-logged users); UserID and password for logged users only | 10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation |
Fulfilment of regulatory obligations in tax and administrative matters and purchase invoicing | Name and shipping address for both logged and non-logged users; tax code or VAT number when issuing invoices for Italian customers; Tax Code or Passport number in case of shipment to Turkey, Qatar, Brazil and Indonesia; name of sender and recipient; phone number; email of sender and recipient | 10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation |
Order analysis for fraud control | Name, shipping and billing address; items purchased; payment method used and amount of the transaction; IP connection; cookies; phone number; credit card details: | Up to 10 years or more in the event of a dispute |
After this time, your data will be anonymized or deleted, unless it is required to be kept for other, different purposes as expressly provided for by law.
Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.
Send a Gift
Purpose of processing | Legal basis of processing (Article 6 of the GDPR) |
Send a gift service | Performance of a contract or of pre-contractual measures |
Fulfilment of regulatory obligations in tax and administrative matters; administrative and accounting purposes following the selection and shipping of the product to the recipient in the Send a Gift process | Performance of a contract or of pre-contractual measures and fulfilment of legal obligations |
Purchase invoicing | Performance of a contract or of pre-contractual measures and fulfilment of legal obligations |
Order Analysis for fraud control | Legitimate interest: check for the interception and handling of fraudulent or potentially fraudulent transactions |
Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible to conclude the sale contract.
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- supervision and help desk on AS/400 systems;
- IT consultancy;
- cloud for CRM Dynamics;
- support in developing CRM software;
- VAT compliance services;
- logistics provider in charge of the warehouse;
- CRM;
- Sales Tax Management;
- Document digitization.
If you would like to see the list of data processors, please write to dpo@luisaviaroma.com
Your personal details may also be communicated to:
- Law enforcement and judicial authorities (for anti-fraud purposes);
- Payment service providers involved in the processing of collection/redemption transactions;
- Auditing firms
- supplier for activities related to the interception and handling of fraudulent or potentially fraudulent transactions
- Tax authorities (Revenue Office) and customs.
The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
The personal data processed by LUISAVIAROMA are not disseminated.
Transfers outside the EU
In pursuing the purposes of processing described above, your personal data are transferred outside the European Union only for anti-fraud purposes (on the basis of Standard Autonomous Data Controller-Autonomous Data Controller Contractual Clauses).
Personal data retention period
Purpose | Personal data category | Deadlines for deletion |
Send a gift service | Name and shipping address for both logged and non-logged users; tax code or VAT number when issuing invoices for Italian customers; Tax Code or Passport number in case of shipment to Turkey, Qatar, Brazil and Indonesia; name (for both sender and recipient), shipping address (for recipient only), home address and country (for sender only); phone number both of the sender and of the recipient of the Send a Gift process; email of sender and recipient; UserID and password for logged users only | 10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation |
Fulfilment of regulatory obligations in tax and administrative matters; administrative and accounting purposes following the selection and shipping of the product to the recipient and purchase invoicing | Name and shipping address for both logged and non-logged users; tax code or VAT number when issuing invoices for Italian customers; Tax Code or Passport in case of shipment to Turkey, Qatar, Brazil and Indonesia; name (for both sender and recipient), shipping address (for recipient only), home address and country (for sender only); phone number both of the sender and of the recipient of the Send a Gift process; email of sender and recipient; UserID and password for logged users only | 10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation |
Order analysis for fraud control | Name, shipping and billing address; items purchased; payment method used and amount of the transaction; IP connection; cookies; phone number; credit card details: | Up to 10 years or more in the event of disputes |
After this time, your data will be anonymized or deleted, unless it is required to be kept for other, different purposes as expressly provided for by law.
Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.
Customer Service
Purpose of processing | Legal basis of processing (Article 6 of the GDPR) |
Response to enquiries about services provided by Luisaviaroma and the status of specific orders or returns | Performance of a contract or of pre-contractual measures |
Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible to provide the response requested.
Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- Supplier Customer Management
- Monitoring and help desk service on AS/400 systems
- Call Centre Service
Your personal details may also be communicated to providers:
- of platforms for payment following purchase;
- anti-fraud systems;
- social media (e.g. Facebook) if requests to the Customer Service come from users/customers via social media messaging.
If you would like to see the list of data processors, please write to dpo@luisaviaroma.com
The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
The personal data processed by LUISAVIAROMA are not disseminated.
Transfers outside the EU
Your data may be communicated to companies that perform processing outside the European Union:
- for the management of the Call Centre Service, and such transfer is permitted because the suitability of the country in question has been recognized by a decision of the European Commission (Art. 45 GDPR);
- for anti-fraud control activities, and this transfer is based on Standard Autonomous Data Controller-Autonomous Data Controller Contractual Clauses.
Personal data retention period
Purpose | Personal data category | Deadlines for deletion |
Response to enquiries about services provided by Luisaviaroma and the status of specific orders or returns | Common data: Name, shipping and billing address, tax code (if applicable), items purchased/returned, payment method used and transaction amount, IBAN (only if payment was made by bank wire transfer), email, phone number. | 10 years from last order placed or longer in the event of litigation |
Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.
Handling of Complaints
Purpose of processing | Legal basis of processing (Article 6 of the GDPR) |
Handling of complaints from retail customers purchasing via the website/APP; fulfilment of regulatory obligations in the area of taxation, administration in the context of sales transaction management (e.g. disputes over bank transactions); management of litigation and pre-litigation | Performance of a contract or of pre-contractual measures, legal obligations and legitimate interest (defense in pre-litigation and litigation) |
Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible to deal with the complaint.
Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- CRM Customer Service provider
- Monitoring and help desk service on AS/400 systems
- Logistics provider
- Customer Service provider
If you would like to see the list of data processors, please write to dpo@luisaviaroma.com
Your personal details may also be communicated to recipients (autonomous data controllers):
- of platforms for payment following purchase;
- anti-fraud systems;
- logistics providers for shipping goods (DHL, UPS, SDA, EMS);
- external legal;
- Law enforcement and judicial authorities;
- Insurance companies for management of the service.
The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
The personal data processed by LUISAVIAROMA are not disseminated.
Transfers outside the EU
Your data may be communicated to companies that perform processing outside the European Union for anti-fraud control activities, and this transfer is based on Standard Autonomous Data Controller-Autonomous Data Controller Contractual Clauses.
Personal data retention period
Purpose | Personal data category | Deadlines for deletion |
Handling of complaints from retail customers purchasing via the website/APP; fulfilment of regulatory obligations in the area of taxation, administration in the context of sales transaction management (e.g. disputes over bank transactions); management of litigation and pre-litigation | Common data: Name, shipping and billing address, tax code (if applicable), items purchased/returned, payment method used and transaction amount, IBAN (only if payment was made by bank transfer), email, phone number. | For the entire duration of the litigation. |
Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.
Privilege Program
Purpose of processing | Legal basis of processing (Article 6 of the GDPR) |
Management of PRIVILEGE PROGRAM (purpose of loyalty marketing – management of LVR points) | Performance of a contract |
Marketing | Consent |
Profiling | Consent |
Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible for you to subscribe to the Privilege Program.
Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- Privilege Program management platform
- Newsletter management platform that receives data from the privilege program via API
- Segment
- Dynamic Yield
If you would like to see the list of data processors, please write to dpo@luisaviaroma.com
The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
The personal data processed by LUISAVIAROMA are not disseminated.
Transfers outside the EU
In pursuing the aforementioned purposes of processing, your personal data are not transferred outside the European Union.
Personal data retention period
Purpose | Personal data category | Deadlines for deletion |
Management of the PRIVILEGE PROGRAM | Common data: Name, (in addition to those in the account itself and therefore e.g. date of birth) shipping and billing address, items purchased/received, User ID and password, email, telephone number, behavioral data, lifestyle, and consumption habits. | 24 months from the last time points were used |
Management of the PRIVILEGE PROGRAM | Privilege program points, including those obtained via the Avawear Mod4 application challenge | The points confirmed are valid for 12 months: they expire on the last day of the month of the validity period. |
Automated decision-making process
In pursuing the aforementioned purposes of processing, the Data Controller carries out profiling. However, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.
New Sneakers Club
Purpose of processing | Legal basis of processing (Article 6 of the GDPR) |
Management of the New Sneakers Club | The processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken on the latter’s request |
Anti-fraud | Legitimate interest: check for the interception and handling of fraudulent or potentially fraudulent transactions |
Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible for you to participate in the New Sneakers Club.
Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- Provider of the Sneakers Club Raffle random draw service.
If you would like to see the list of data processors, please write to dpo@luisaviaroma.com
Your personal details may also be communicated to recipients (autonomous data controllers):
- payment platforms;
- anti-fraud systems.
The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
The personal data processed by LUISAVIAROMA are not disseminated.
Transfers outside the EU
In pursuing the purposes of processing described above, your personal data are transferred outside the European Union for anti-fraud purposes only (on the basis of Standard Contractual Clauses between autonomous Data Controllers).
Personal data retention period
Purpose | Personal data category | Deadlines for deletion |
Management of the New Sneakers Club | Name and email, date of payment | 6 months from the date the initiative ends |
Anti-fraud | Data on the credit cardholder: name, first 6 digits (BIN), last 4 digits of the credit card, expiration date | 2 years from the moment the transaction failed (where applicable). |
Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.
LUISAVIAROMA X Vestiaire Collective
Categories of data obtained from parties other than the data subject
In pursuing the purposes described in the paragraph Purpose and lawfulness of processing, LUISAVIAROMA processes the following categories of personal data relating to you obtained from third parties:
- your full name, email address and the resale value of the item.
Sources the personal data come from
The personal data referred to in the above paragraph are gathered from the following categories of third party:
- your data was provided to us by Vestiaire Collective, a company under French law, registered under number 517 465 225 RCS Paris, with registered office at 53 rue de Châteaudun, 75009 Paris, France, within the scope of the LUISAVIAROMA X Vestiaire Collective activity.
Purpose and legal basis of processing
Your personal data are processed by the Controller in accordance with Article 6 of the GDPR.
The specific purposes of processing and their legal bases are set out below:
Purpose of processing | Legal basis of processing |
Issuing the multi-purpose voucher (gift card) agreed with VESTIAIRE by linking it to the user’s email address | Performance of a contract or of pre-contractual measures – Fulfilment of legal obligations |
The communication of personal data is a necessary prerequisite for concluding a contract.
Categories of parties to which personal data is addressed
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- Monitoring and help desk service on AS/400 systems
- IT consultancy
- Software development support
- Cloud service for CRM Dynamics
You can ask LUISAVIAROMA for the list of Data Processors involved in these purposes by writing to dpo@luisaviaroma.com
The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
Transfers outside the EU
In order to pursue the processing purposes described above, your personal data may be transferred to the recipients indicated above in Italy and abroad.
In no case will your personal data be transferred outside the European Union.
Personal data retention period
The personal data processed by LUISAVIAROMA will be kept for as long as necessary for the performance of the contractual relationship.
After this time, your data will be anonymized or deleted, unless it is required to be kept for other, different purposes as expressly provided for by law.
Below are details of the length of the data retention period for the purposes described above, or the criteria used to determine this period:
Purpose | Personal data category | Deadlines for deletion |
Issuing the multi-purpose voucher (gift card) agreed with VESTIAIRE by linking it to the user’s email address | Common data: name, email, resale value of the item on Vestiaire | 10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation |
Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.
Soft Spam
Purposes of the processing | Legal basis of processing (Article 6 of the GDPR) |
To carry out commercial communications on products similar to those purchased pursuant to Article 130(4) of the Privacy Code | Legitimate interest of the data controller pursuant to Article 130(4) of the Privacy Code |
The information you provide when you purchase one of our products may be used to promote goods similar to those you have already purchased, without prejudice to your right to object at any time to the use of such information for such purposes, including by using the unsubscribe button at the bottom of promotional emails.
Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- Sending of communications
- IT consultancy
- Software development support
- Cloud
If you would like to see the list of data processors, please write to dpo@luisaviaroma.com
The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
The personal data processed by LUISAVIAROMA are not disseminated.
Transfers outside the EU
In pursuing the aforementioned purposes of processing, your personal data are not transferred outside the European Union.
Personal data retention period
Purpose | Personal data category | Deadlines for deletion |
Direct marketing pursuant to Article 130(4) of the Privacy Code | Common data: name and contact data | 24 months after registration of the data |
Shopping Muse
Categories of data obtained from parties other than the data subject
In pursuing the purposes described in the paragraph Purpose and lawfulness of processing, LUISAVIAROMA processes the following categories of personal data relating to you obtained from third parties:
- Products shown and clicked following the search on Shopping Muse
Purpose and legal basis of processing
Your personal data are processed by the Controller in accordance with Article 6 of the GDPR.
The specific purposes of processing and their legal bases are set out below:
Purpose of processing | Legal basis of processing |
To execute the AI SHOPPER request | Performance of a contract or of pre-contractual measures |
The communication of personal data is a necessary prerequisite for concluding a contract.
Categories of parties to which personal data is addressed
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:
- Digital guided shopping service
You can ask LUISAVIAROMA for the list of Data Processors involved in these purposes by writing to dpo@luisaviaroma.com
The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.
Personal data retention period
The personal data processed by LUISAVIAROMA will be kept for as long as necessary for the performance of the contractual relationship.
After this time, your data will be anonymized or deleted, unless it is required to be kept for other, different purposes as expressly provided for by law.
Below are details of the length of the data retention period for the purposes described above, or the criteria used to determine this period:
Purpose | Personal data category | Deadlines for deletion |
To execute the personal shopper service | Products shown and clicked following the search on Shopping Muse | 6 months |
Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.
Your Rights
Privacy legislation grants you the following rights, which you can exercise by writing to customerservice@luisaviaroma.com:
- to access and be given confirmation as to whether or not personal data concerning you are being processed, including for the purpose of being aware of the processing and to check that it is lawful, correct and up-to-date. In this case, you will be able to obtain access to your personal data and to information concerning you, in particular information on the purpose of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be communicated, the retention period, etc.;
- to rectify, where inaccurate, personal data concerning you, as well as to complete them where deemed incomplete, always in relation to the purposes of the processing. During this period, the Data Controller undertakes not to present the data as accurate or definitive, especially to third parties;
- to have the data concerning you deleted, where the data are no longer necessary for the purposes for which they have been gathered. Please note that to have your data deleted you must give valid reasons. If the Data Controller has communicated data concerning you to other Data Controllers or Data Processors, it is obliged to delete them, taking reasonable measures, including technical measures, to inform other Data Controllers who are processing the personal data in question so that they delete any links, copies or reproductions thereof (the “right to be forgotten”). The data in question cannot be deleted if their processing is necessary, inter alia, for the fulfilment of a legal obligation or the performance of a task carried out in the public interest and for the establishment, exercise or defense of legal claims;
- to restrict the processing. Restricting the processing means, inter alia, the possibility of transferring the data processed to a system that is no longer accessible, for storage only, in which they cannot be changed. This does not mean that the data have been deleted but that the Data Controller must avoid using them in the period during which they are blocked. This would be particularly necessary if persistent use of inaccurate and illegally stored data could harm you. In such a case, you may object to the deletion of your personal data and instead request that their use be restricted. In the case of rectification of the data or opposition to its processing, you may request the restriction of the processing of those data for the period during which the Data Controller is carrying out the rectification or considering the request to oppose the processing. A further case is where the personal data is necessary for you to establish, exercise or defend a legal claim, but the Controller no longer needs it for processing purposes;
- to oppose, at any time, on grounds relating to your particular situation, the processing of personal data concerning you where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the Data Controller or where the processing is necessary for the purposes of the legitimate interests of the Data Controller or a third party. Finally, the Data Controller undertakes to refrain from processing your data, unless it can prove that there are compelling legitimate grounds for their processing or for the establishment, exercise or defense of a legal claim;
- the right to withdraw consent at any time without prejudice to the lawfulness of the processing based on consent given prior to the withdrawal, only for the purposes whose legal basis is consent.
You may also turn to the DPO (dpo@luisaviaroma.com), in order to swiftly report any circumstances or events from which a breach of personal data (i.e. any breach of security that could lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to data) may arise, even if only potentially, in order that an immediate assessment can be made and appropriate measures taken.
Please note that you have the right to lodge a complaint with the Data Protection Authority or another supervisory authority.
Policy updated on May 21st 2024
Note: In the event of inconsistencies, discrepancies or differences of interpretation between the Italian version and any other language version of this publication, the Italian language version shall prevail.