EN/

Privacy Policy

Policy pursuant to Articles 13 and 14 of the EU Data Protection Regulation 2016/679 (GDPR)
Updated May 21st 2024 – Check this website regularly for the latest version

Online Users (LuisaViaRoma website and mobile app)

Pursuant to Articles 13 and 14 of EU Regulation 2016/679 (hereinafter “GDPR”), LUISA VIA ROMA S.p.A. (hereinafter “LUISAVIAROMA” or the “Data Controller”) VAT no. IT 00607970480, with registered office in Via Benedetto Varchi, 61, 50132, Florence, Italy, in its capacity as Data Controller, informs you that your personal data will be processed by LUISAVIAROMA itself by means of manual processing or electronic or automated, computerized or telematic instruments, on the basis of principles strictly related to the purposes listed below and, in any case, in such a way as to guarantee the security and confidentiality of the data.
Contact details: customerservice@luisaviaroma.com

A Data Protection Officer (DPO) has been appointed: dpo@luisaviaroma.com

 

 

Browsing Data

Purposes of the processingLegal basis of processing (Article 6 of the GDPR)
Use of the web service

To obtain statistical information on the use of the services (most visited pages, number of visitors per time slot or per day, geographical areas of origin, etc.).

To check that the services offered are working properly.

Performance of a contract or of pre-contractual measures.

You must provide your data in order to be able to browse.

 

Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services.

  1. Statistical analysis and optimization of the LUISAVIAROMA corporate website and mobile APP
  2. IT consultancy
  3. Software development support
  4. Cloud

If you would like to see the list of data processors, please write to dpo@luisaviaroma.com

The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.

The personal data processed by LUISAVIAROMA are not disseminated.

 

Transfers outside the EU
In pursuing the aforementioned purposes of processing, your personal data are not transferred outside the European Union.

 

Personal data retention period

PurposePersonal data categoryDeadlines for deletion
Using the web service

Obtaining statistical information on the use of the services (most visited pages, number of visitors per time slot or per day, geographical areas of origin, etc.).

Checking that the services offered are working properly.

Common data: the IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and computer environment.50 months

 

Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.

 

 

Creation of Account

Purpose of processingLegal basis of processing (Article 6 of the GDPR)
Creation and management of the accounts of users registered on the Luisaviaroma corporate website and mobile APPPerformance of a contract or of pre-contractual measures.

Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible to create your account

 

Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:

  1. Statistical analysis and optimization of the LUISAVIAROMA corporate website and mobile APP
  2. IT consultancy
  3. Software development support
  4. Cloud

If you would like to see the list of data processors, please write to dpo@luisaviaroma.com

The data will also be processed by persons the Data Controller specifically authorizes to process the data, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.

The personal data processed by LUISAVIAROMA are not disseminated.

 

Transfers outside the EU
In pursuing the aforementioned processing purposes, your personal data are not transferred outside the European Union.

 

Personal data retention period

PurposePersonal data categoryDeadlines for deletion
Creating and managing the accounts of users registered on the Luisaviaroma corporate website and mobile APPCommon data: name, date of birth and country of origin – userID – password – IP address – email10 years for customers who have placed at least one order. 36 months for customers who have never placed an order.
After this time, your data will be anonymized or deleted, unless it is required to be kept for other, different purposes as expressly provided for by law.

 

Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.

 

 

Management of Account Preferences

Purpose of processingLegal basis of processing (Article 6 of the GDPR)
To make the product search experience easier and faster for the userPerformance of a contract or pre-contractual measure.

Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible for you to use the service.

 

Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:

  1. Privilege program management platform
  2. Newsletter management platform that receives data from the privilege program via API
  3. Customer Data Platform

If you would like to see the list of data processors, please write to dpo@luisaviaroma.com

The data will also be processed by persons the Data Controller specifically authorises to process the data, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.

The personal data processed by LUISAVIAROMA are not disseminated.

 

Transfers outside the EU
In pursuing the aforementioned purposes of processing, your personal data are transferred into the United Kingdom. Such transfer is permitted because the suitability of the United Kingdom has been recognized by a decision of the European Commission (Art. 45 GDPR).

 

Personal data retention period

PurposePersonal data category Deadlines for deletion
Making the product search experience easier and faster for the userCommon data: name, userID – Password, language, gender, sizes (CLOTHING AND SHOES) and further preferences indicated by the user (preferred brands, GOODS CATEGORIES, preferred colors).7 years after their registration

 

Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.

 

 

Newsletter

Purpose of processing Legal basis of processing (Article 6 of the GDPR)
Management of the sending of the promotional newsletter (marketing)Consent
Management of preferences and topics of interest (profiling)Consent

Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible for you to subscribe to the newsletter service (consent to marketing) or to personalize its content (consent to profiling).

 

Who we communicate your data to

Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:

  1. Newsletter management platform that receives data from the privilege program via API
  2. Marketing campaigns on social media

If you would like to see the list of data processors, please write to dpo@luisaviaroma.com

We also communicate your data to independent data controllers for the management of marketing campaigns on Facebook.

The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.

The personal data processed by LUISAVIAROMA are not disseminated.

 

Transfers outside the EU
In pursuing the aforementioned purposes of processing, your personal data are not transferred outside the European Union.

 

Personal data retention period

PurposePersonal data categoryDeadlines for deletion
Management of the sending of the promotional newsletterCommon data: first name, last name, email address, behavioral data, lifestyle, and consumption habits, cookies – IP address.

Furthermore, in order to compare and possibly improve the results of communications, the newsletter and promotional message sending systems are equipped with a reporting mechanism that reports, for example, the number of readers, openings and clicks; the type of device used to read the communication (desktop, mobile); the number of pending users yet to have confirmed their subscription; the number of emails sent by date/time/minute; the detail of emails delivered versus those sent; the list of un-subscribers to the newsletter; email openings and clicks on individual links; message display problems; link tracking (i.e. the number of clicks made on links in the message); click tracking (which links were clicked on). All these data are used in order to compare, and possibly improve, the results of the communications.

For the entire duration of subscription to the newsletter service and for 24 months following un-subscription.After this time, your data will be anonymized or deleted, unless it is required to be kept for other, different purposes as expressly provided for by law.
Management of preferences and topics of interest (profiling)Newsletter content choice preferences (Men’s-Women’s-Home-Children’s-Beauty) and Topics of interest (Clothing – Bags – Shoes – Accessories – Jewellery and Watches – Sport)7 years after their registration

 

Automated decision-making process
In pursuing the purposes of processing described above, the data controller carries out profiling (if you have given your consent to profiling, the content of the newsletters may reflect your preferences); however, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.

 

To stop receiving the newsletter, click on the link “If you prefer not to receive future e-mails from Luisa Via Roma S.p.A click here” at the bottom of each newsletter you receive; in case of technical problems, you can send an alert to: customerservice@luisaviarom.com

 

 

Shopping Online

Purpose of processing Legal basis of processing (Article 6 of the GDPR)
Shopping online (handling of sales transactions)Performance of a contract or of pre-contractual measures
Fulfilment of regulatory obligations in tax and administrative mattersPerformance of a contract or of pre-contractual measures and fulfilment of legal obligations
Purchase invoicingPerformance of a contract or of pre-contractual measures and fulfilment of legal obligations
Order Analysis for fraud controlLegitimate interest: check for the interception and handling of fraudulent or potentially fraudulent transactions

Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible to conclude the sale contract.

Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:

  1. monitoring and help desk on AS/400 systems;
  2. IT consultancy;
  3. cloud for CRM Dynamics;
  4. support in developing CRM software;
  5. VAT compliance services;
  6. logistics provider in charge of the warehouse;
  7. CRM;
  8. Sales Tax Management;
  9. document digitization.

If you would like to see the list of data processors, please write to dpo@luisaviaroma.com

Your personal details may also be communicated to:

  • Law enforcement and judicial authorities (for anti-fraud purposes);
  • payment service providers involved in the processing of collection/redemption transactions;
  • auditing firms
  • supplier for activities related to the interception and handling of fraudulent or potentially fraudulent transactions
  • tax authorities (Revenue Office) and customs.

The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.

The personal data processed by LUISAVIAROMA are not disseminated.

 

Transfers outside the EU
In pursuing the purposes of processing described above, your personal data are transferred outside the European Union for anti-fraud purposes only (on the basis of Standard Autonomous Data Controller-Autonomous Data Controller Contractual Clauses).

 

Personal data retention period

PurposePersonal data categoryDeadlines for deletion
Shopping online (handling of sales transactions)Name and shipping address for both logged and non-logged users

Tax code or VAT number when issuing invoices for Italian customers. – Tax Code or Passport number in case of shipment to Turkey – Qatar, Brazil and Indonesia

Phone number for both logged and non-logged users

Email (for both logged and non-logged users)

UserID, and password for logged users only

10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation
Fulfilment of regulatory obligations in tax and administrative matters and purchase invoicingName and shipping address for both logged and non-logged users

For invoicing: name and billing address, tax code

Phone number for both logged and non-logged users

Email for both logged and non-logged users

10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation
Order Analysis for fraud controlName, shipping and billing address

Items purchased

Payment method used and amount of the transaction

IP connection

Cookies

Email

Phone number

Credit card details:

  • first 6 numbers ( BIN)
  • last 4 numbers of the credit card
  • expiration date
  • name of cardholder (as detailed on the card)
Up to 10 years or more in the event of disputes

After this time, your data will be anonymized or deleted, unless it is required to be kept for other, different purposes as expressly provided for by law.

 

Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.

 

 

Virtual Gift Card

Purpose of processing Legal basis of processing (Article 6 of the GDPR)
Virtual gift card servicePerformance of a contract or of pre-contractual measures
Fulfilment of regulatory obligations in tax and administrative mattersPerformance of a contract or of pre-contractual measures and fulfilment of legal obligations
Purchase invoicingPerformance of a contract or of pre-contractual measures and fulfilment of legal obligations
Order analysis for fraud controlLegitimate interest: Check for the interception and handling of fraudulent or potentially fraudulent transactions

Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible to conclude the sale contract.

Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:

  1. supervision and help desk on AS/400 systems;
  2. IT consultancy;
  3. cloud for CRM Dynamics;
  4. support in developing CRM software;
  5. VAT compliance services;
  6. logistics provider in charge of the warehouse;
  7. CRM;
  8. Sales Tax Management;
  9. Document digitization.

If you would like to see the list of data processors, please write to dpo@luisaviaroma.com

Your personal details may also be communicated to:

  • law enforcement and judicial authorities (for ‘send a gift’ services and anti-fraud purposes);
  • Payment service providers involved in the processing of collection/redemption transactions;
  • Auditing firms
  • supplier for activities related to the interception and handling of fraudulent or potentially fraudulent transactions
  • Tax authorities (Revenue Office) and customs.

The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.

The personal data processed by LUISAVIAROMA are not disseminated.

 

Transfers outside the EU
In pursuing the purposes of processing described above, your personal data are transferred outside the European Union only for anti-fraud purposes (on the basis of Standard Autonomous Data Controller-Autonomous Data Controller Contractual Clauses).

 

Personal data retention period

PurposePersonal data categoryDeadlines for deletion
Virtual gift card servicesName and shipping address for both logged and non-logged users

Tax code or VAT number when issuing invoices for Italian customers.

Name of sender; recipient’s name and email

Phone number for both logged and non-logged users

Email (for both logged and non-logged users)

UserID, and password for logged users only

10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation
Fulfilment of regulatory obligations in tax and administrative matters

and purchase invoicing

Name and shipping address for both logged and non-logged users

Tax code or VAT number when issuing invoices for Italian customers. – Tax Code or Passport number in case of shipment to Turkey – Qatar, Brazil and Indonesia

Name of sender and recipient

Phone number

Email of sender and recipient

10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation
Order analysis for fraud controlName, shipping and billing address

Items purchased

Payment method used and amount of the transaction

IP connection

Cookies

Email

Phone number

Credit card details:

  • first 6 numbers ( BIN)
  • last 4 numbers of the credit card
  • expiration date
  • name of cardholder (as detailed on the card))
Up to 10 years or more in the event of a dispute

After this time, your data will be anonymized or deleted, unless it is required to be kept for other, different purposes as expressly provided for by law.

 

Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.

 

 

Send a Gift

Purpose of processingLegal basis of processing (Article 6 of the GDPR)
Send a gift servicePerformance of a contract or of pre-contractual measures
Fulfilment of regulatory obligations in tax and administrative matters

Administrative and accounting purposes following the selection and shipping of the product to the recipient in the

Send a Gift process

Performance of a contract or of pre-contractual measures and fulfilment of legal obligations
Purchase invoicingEsecuzione di un contratto o esecuzione di misure precontrattuali e obblighi di legge
Order Analysis for fraud controlLegitimate interest: check for the interception and handling of fraudulent or potentially fraudulent transactions

Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible to conclude the sale contract.

Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:

  1. asupervision and help desk on AS/400 systems;
  2. IT consultancy;
  3. cloud for CRM Dynamics;
  4. support in developing CRM software;
  5. VAT compliance services;
  6. logistics provider in charge of the warehouse;
  7. CRM;
  8.  Sales Tax Management;
  9. Document digitization.

If you would like to see the list of data processors, please write to dpo@luisaviaroma.com

Your personal details may also be communicated to:

  • Law enforcement and judicial authorities (for anti-fraud purposes);
  • Payment service providers involved in the processing of collection/redemption transactions;
  • Auditing firms
  • supplier for activities related to the interception and handling of fraudulent or potentially fraudulent transactions
  • Tax authorities (Revenue Office) and customs.

The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.

The personal data processed by LUISAVIAROMA are not disseminated.

 

Transfers outside the EU
In pursuing the purposes of processing described above, your personal data are transferred outside the European Union only for anti-fraud purposes (on the basis of Standard Autonomous Data Controller-Autonomous Data Controller Contractual Clauses).

 

Personal data retention period

PurposePersonal data categoryDeadlines for deletion
Send a gift serviceName and shipping address for both logged and non-logged users

Tax code or VAT number when issuing invoices for Italian customers. – Tax Code or Passport number in case of shipment to Turkey, Qatar, Brazil and Indonesia

Name (for both sender and recipient), shipping address (for recipient only), home address and country (for sender only)

Phone number both of the sender and of the recipient of the Send a Gift process

Email of sender and recipient

UserID, and password for logged users only

10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation
Fulfilment of regulatory obligations in tax and administrative matters

Administrative and accounting purposes following the selection and shipping of the product to the recipient and purchase invoicing

Name and shipping address for both logged and non-logged users

Tax code or VAT number when issuing invoices for Italian customers. – Tax Code or Passport in case of shipment to Turkey – Qatar, Brazil and Indonesia

Name (for both sender and recipient), shipping address (for recipient only), home address and country (for sender only)

Phone number both of the sender and of the recipient of the Send a Gift process

Email of sender and recipient

UserID, and password for logged users only

Email of sender and recipient

10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation
Order analysis for fraud controlName, shipping and billing address

Items purchased

Payment method used and amount of the transaction

IP connection

Cookies

Email

Phone number

Credit card details:

  • first 6 numbers ( BIN)
  • last 4 numbers of the credit card
  • expiration date
  • name of cardholder (as detailed on the card)
Up to 10 years or more in the event of disputes

After this time, your data will be anonymized or deleted, unless it is required to be kept for other, different purposes as expressly provided for by law.

 

Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.

 

 

Customer Service

Purpose of processingLegal basis of processing (Article 6 of the GDPR)
Response to enquiries about services provided by Luisaviaroma and the status of specific orders or returnsPerformance of a contract or of pre-contractual measures

Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible to provide the response requested.

 

Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:

  1. Supplier Customer Management
  2. Monitoring and help desk service on AS/400 systems
  3. Call Centre Service

Your personal details may also be communicated to providers:

  • of platforms for payment following purchase;
  • anti-fraud systems;
  • social media (e.g. Facebook) if requests to the Customer Service come from users/customers via social media messaging.

If you would like to see the list of data processors, please write to dpo@luisaviaroma.com

The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller

The personal data processed by LUISAVIAROMA are not disseminated.

 

Transfers outside the EU
Your data may be communicated to companies that perform processing outside the European Union:

  • for the management of the Call Centre Service, and such transfer is permitted because the suitability of the country in question has been recognized by a decision of the European Commission (Art. 45 GDPR);
  • for anti-fraud control activities, and this transfer is based on Standard Autonomous Data Controller-Autonomous Data Controller Contractual Clauses.

 

Personal data retention period

PurposePersonal data categoryDeadlines for deletion
Response to enquiries about services provided by Luisaviaroma and the status of specific orders or returnsCommon data: Name, shipping and billing address, tax code (if applicable), items purchased/returned, payment method used and transaction amount, IBAN (only if payment was made by bank wire transfer), email, phone number.10 years from last order placed or longer in the event of litigation

 

Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.

 

 

Handling of Complaints

Purpose of processingLegal basis of processing (Article 6 of the GDPR)
Handling of complaints from retail customers purchasing via the website/APP

Fulfilment of regulatory obligations in the area of taxation, administration in the context of sales transaction management (e.g. disputes over bank transactions)

Management of litigation and pre-litigation

Performance of a contract or of pre-contractual measures, legal obligations and legitimate interest (defense in pre-litigation and litigation)

Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible to deal with the complaint.

 

Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:

  1. CRM Customer Service provider
  2. Monitoring and help desk service on AS/400 systems
  3. Logistics provider
  4. Customer Service provider

If you would like to see the list of data processors, please write to dpo@luisaviaroma.com

Your personal details may also be communicated to recipients (autonomous data controllers):

  • of platforms for payment following purchase;
  • anti-fraud systems;
  • logistics providers for shipping goods (DHL, UPS, SDA, EMS);
  • external legal;
  • Law enforcement and judicial authorities;
  • Insurance companies for management of the service.

The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.

The personal data processed by LUISAVIAROMA are not disseminated.

 

Trasferimenti extra UE
I tuoi dati potrebbero essere comunicati a società che esegue il trattamento fuori dall’Unione Europea per attività di controllo antifrode, e tale trasferimento si basa su Clausole Contrattuali Standard Titolare autonomo-Titolare autonomo.

 

Transfers outside the EU

PurposePersonal data categoryDeadlines for deletion
Handling of complaints from retail customers purchasing via the website/APP

Fulfilment of regulatory obligations in the area of taxation, administration in the context of sales transaction management (e.g. disputes over bank transactions)

Management of litigation and pre-litigation

Common data: Name, shipping and billing address, tax code (if applicable), items purchased/returned, payment method used and transaction amount, IBAN (only if payment was made by bank transfer), email, phone number.For the entire duration of the litigation.

 

Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.

 

 

Privilege Program

Purpose of processingLegal basis of processing (Article 6 of the GDPR)
Management of PRIVILEGE PROGRAM (purpose of loyalty marketing – management of LVR points)Performance of a contract
MarketingConsent
ProfilingConsent

Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible for you to subscribe to the Privilege Program.

 

Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:

  1. Privilege Program management platform
  2. Newsletter management platform that receives data from the privilege program via API
  3. Segment
  4. Dynamic Yield

If you would like to see the list of data processors, please write to dpo@luisaviaroma.com

The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.

The personal data processed by LUISAVIAROMA are not disseminated.

 

Transfers outside the EU
In pursuing the aforementioned purposes of processing, your personal data are not transferred outside the European Union.

 

Personal data retention period

PurposePersonal data categoryDeadlines for deletion
Management of the PRIVILEGE PROGRAMCommon data: Name, (in addition to those in the account itself and therefore e.g. date of birth) shipping and billing address, items purchased/received, User ID and password, email, telephone number, behavioral data, lifestyle, and consumption habits.24 months from the last time points were used
Management of the PRIVILEGE PROGRAMPrivilege program points, including those obtained via the Avawear Mod4 application challengeThe points confirmed are valid for 12 months: they expire on the last day of the month of the validity period.

 

Automated decision-making process
In pursuing the aforementioned purposes of processing, the Data Controller carries out profiling. However, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.

 

 

New Sneakers Club

Purpose of processingLegal basis of processing (Article 6 of the GDPR)
Management of the New Sneakers ClubThe processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken on the latter’s request
Anti-fraudLegitimate interest: check for the interception and handling of fraudulent or potentially fraudulent transactions

Provision of your data is voluntary.
However, your refusal to provide the mandatory data will make it objectively impossible for you to participate in the New Sneakers Club

 

Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:

  1. Provider of the Sneakers Club Raffle random draw service.

If you would like to see the list of data processors, please write to dpo@luisaviaroma.com

Your personal details may also be communicated to recipients (autonomous data controllers):

  • of payment platforms;
  • anti-fraud systems.

The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.

The personal data processed by LUISAVIAROMA are not disseminated.

 

Transfers outside the EU
In pursuing the purposes of processing described above, your personal data are transferred outside the European Union for anti-fraud purposes only (on the basis of Standard Autonomous Data Controller-Autonomous Data Controller Contractual Clauses).

 

Personal data retention period

PurposePersonal data categoryDeadlines for deletion
Management of the New Sneakers ClubName and email, date of payment6 months from the date the initiative ends
Anti-fraudData on the credit cardholder: name, first 6 numbers (BIN), last 4 numbers of the credit card, expiration date2 years from the moment the transaction failed (where applicable).

 

Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.

 

 

LUISAVIAROMA X Vestiaire Collective

Categories of data obtained from parties other than the data subject

In pursuing the purposes described in the paragraph Purpose and lawfulness of processing, LUISAVIAROMA processes the following categories of personal data relating to you obtained from third parties:

  • your full name, email address and the resale value of the item.

 

Sources the personal data come from
The personal data referred to in the above paragraph are gathered from the following categories of third party:

  • your data was provided to us by Vestiaire Collective, a company under French law, registered under number 517 465 225 RCS Paris, with registered office at 53 rue de Châteaudun, 75009 Paris, France, within the scope of the LUISAVIAROMA X Vestiaire Collective activity

 

Purpose and legal basis of processing
Your personal data are processed by the Controller in accordance with Article 6 of the GDPR.
The specific purposes of processing and their legal bases are set out below:

Purpose of processingLegal basis of processing
Issuing the multi-purpose voucher (gift card) agreed with VESTIAIRE by linking it to the user’s email addressPerformance of a contract or of pre-contractual measures – Fulfilment of legal obligations

The communication of personal data is a necessary prerequisite for concluding a contract.

 

Categories of parties to which personal data is addressed
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:

  1. Monitoring and help desk service on AS/400 systems
  2. IT consultancy
  3. Software development support
  4. Cloud service for CRM Dynamics

You can ask LUISAVIAROMA for the list of Data Processors involved in these purposes by writing to dpo@luisaviaroma.com

The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.


Transfers outside the EU
In order to pursue the processing purposes described above, your personal data may be transferred to the recipients indicated above in Italy and abroad.
In no case will your personal data be transferred outside the European Union.

 

Personal data retention period

The personal data processed by LUISAVIAROMA will be kept for as long as necessary for the performance of the contractual relationship.
After this time, your data will be anonymized or deleted, unless it is required to be kept for other, different purposes as expressly provided for by law.

Below are details of the length of the data retention period for the purposes described above, or the criteria used to determine this period:

PurposePersonal data categoryDeadlines for deletion
Issuing the multipurpose voucher (gift card) agreed with VESTIAIRE by linking it to the user’s email addressCommon data: name, email, resale value of the item on Vestiaire10 years from the date of the accounting entry for legal obligations, or longer in the event of litigation

 

Automated decision-making process
In pursuing the aforementioned purposes of processing, no decision based solely on automated processing is taken that produces any legal effects concerning you or significantly affects you in a similar way.

 

 

Soft Spam

Purposes of the processingLegal basis of processing (Article 6 of the GDPR)
To carry out commercial communications on products similar to those purchased pursuant to Article 130(4) of the Privacy CodeLegitimate interest of the data controller pursuant to Article 130(4) of the Privacy Code

The information you provide when you purchase one of our products may be used to promote goods similar to those you have already purchased, without prejudice to your right to object at any time to the use of such information for such purposes, including by using the unsubscribe button at the bottom of promotional emails.

Who we communicate your data to
Your personal data may be processed by the following categories of parties as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 of the GDPR, providers of the following services:

  1. Sending of communications
  2. IT consultancy
  3. Software development support
  4. Cloud

If you would like to see the list of data processors, please write to dpo@luisaviaroma.com

The data will also be processed by persons the Data Controller specifically authorizes to do so, pursuant to the GDPR, such as staff employed by LUISAVIAROMA or seconded to it, trainees and contributors, following specific instructions given by the Data Controller.

The personal data processed by LUISAVIAROMA are not disseminated.

 

Transfers outside the EU
In pursuing the aforementioned purposes of processing, your personal data are not transferred outside the European Union.

 

Personal data retention period

PurposePersonal data categoryDeadlines for deletion
Direct marketing pursuant to Section 130(4) of the Privacy CodeCommon data: name and contact data24 months after registration of the data

 

 

Your Rights

Privacy legislation grants you the following rights, which you can exercise by writing to customerservice@luisaviaroma.com:

  1.  to access and be given confirmation as to whether or not personal data concerning you are being processed, including for the purpose of being aware of the processing and to check that it is lawful, correct and up-to-date. In this case, you will be able to obtain access to your personal data and to information concerning you, in particular information on the purpose of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be communicated, the retention period, etc.;
  2. to rectify, where inaccurate, personal data concerning you, as well as to complete them where deemed incomplete, always in relation to the purposes of the processing. During this period, the Data Controller undertakes not to present the data as accurate or definitive, especially to third parties;
  3.  to have deleted the data that concerns you, where the data are no longer necessary for the purposes for which they have been gathered. Please note that to have your data deleted you must give valid reasons.  If the Data controller has communicated data concerning you to other Data Controllers or Data Processors, it is obliged to delete them, taking reasonable measures, including technical measures, to inform other Data Controllers who are processing the personal data in question so that they delete any links, copies or reproductions thereof (the “right to be forgotten”). The data in question cannot be deleted if their processing is necessary, inter alia, for the fulfilment of a legal obligation or the performance of a task carried out in the public interest and for the establishment, exercise or defense of legal claims;
  4.  to restrict the processing. Restricting the processing means, inter alia, the possibility of transferring the data processed to a system that is no longer accessible, for storage only, in which they cannot be changed. This does not mean that the data have been deleted but that the Data Controller must avoid using them in the period during which they are blocked. This would be particularly necessary if persistent use of inaccurate and illegally stored data could harm you. In such a case, you may object to the deletion of your personal data and instead request that their use be restricted. In the case of rectification of the data or opposition to its processing, you may request the restriction of the processing of those data for the period during which the Data Controller is carrying out the rectification or considering the request to oppose the processing. A further case is where the personal data is necessary for you to establish, exercise or defend a legal claim, but the Controller no longer needs it for processing purposes;
  5.  to oppose, at any time, on grounds relating to your particular situation, the processing of personal data concerning you where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the Data Controller or where the processing is necessary for the purposes of the legitimate interests of the Data Controller or a third party. Finally, the Data Controller undertakes to refrain from processing your data, unless it can prove that there are compelling legitimate grounds for their processing or for the establishment, exercise or defense of a legal claim;
  6.  the right to withdraw consent at any time without prejudice to the lawfulness of the processing based on consent given prior to the withdrawal, only for the purposes whose legal basis is consent.

You may also turn to the DPO (dpo@luisaviaroma.com), in order to swiftly report any circumstances or events from which a breach of personal data (i.e. any breach of security that could lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to data) may arise, even if only potentially, in order that an immediate assessment can be made and appropriate measures taken.

Please note that you have the right to lodge a complaint with the Data Protection Authority or another supervisory authority.

Policy updated on May 21st 2024

 

Note: In the event of inconsistencies, discrepancies or differences of interpretation between the Italian version and any other language version of this publication, the Italian language version shall prevail.

IP-0A0053CA - 2024-12-25T02:09:32.2820444+01:00