PRIVACY
EXTENDED INFORMATION PURSUANT TO ARTS. 12, 13 AND, IF APPLICABLE, 14 OF GDPR REGULATION (EU) 2016/679 ON THE PROTECTION OF INDIVIDUALS, WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER THE GDPR)
The data controller reports, below, the information pursuant to art. 12, 13 and, if necessary, 14 of the GDPR regarding the processing of personal data provided by the Customer/ interested party through the completion and signing of the Contract to purchase the products/ services offered for sale by the controller, by voluntarily uploading personal data on this website (in particular by filling out forms) or simply browsing it.
1. Data controller and contact details
The data controller is ROBERTO PERILLI (L'AMENILLE®), based in ROMA (RM), VIA MANTOVA, 14 - 00198, P.I. 15318841002, Tel. +39 06 83 84 5600 - email info@lamenille.com
2. Principles applicable to processing
In accordance with the requirements of the GDPR, the data controller constantly ensures that personal data is:
1. treated in a lawful, fair and transparent manner;
2. collected for specified, explicit and legitimate purposes, and subsequently processed in a manner that is not incompatible with those purposes;
3. appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. accurate and, where necessary, updated;
5. stored for no longer than the purposes for which they are processed;
6. treated, by appropriate technical and organisational measures, in such a way as to ensure their safety;
7. processed, if by consent, by decision freely taken by the Customer/ interested party, on the basis of a request submitted in a clearly distinguishable way from the rest, in an understandable and easily accessible form, using simple and clear language.
The controller takes appropriate technical and organisational measures to ensure that personal data is protected by design and that, by default, only the data necessary for each specific processing purpose is processed.
The data controller collects and takes into the utmost consideration indications, comments and opinions of the Customer/interested party transmitted to the above addresses, in order to implement a dynamic privacy management system that ensures effective protection of individuals, with regard to the processing of their data.
This Information may be modified, in accordance with the evolution of the reference legislation and of the technical and organizational measures adopted by the data controller; the Customer/interested party is, therefore, invited to visit this section of the Site periodically to review the updates and the text of the Information as in force from time to time.
3. Processing of personal data
The processing of personal data is carried out manually and with electronic means, with logics strictly related to the purposes indicated below and, in any case, in order to guarantee the security and confidentiality of the data.
4. Purpose of processing personal data
(4a) Purposes for which the data processing is necessary
The personal data provided by the Customer/interested party is mainly processed for the execution of the Contract and the credit management and, more generally, the relationship arising from the Contract itself.
The provision of data in the Contract or later, in the course of the contractual relationship, for the purposes of processing in question is mandatory; therefore, the failure to provide such data, or providing it partially or incorrectly, makes it impossible to conclude and/or execute the Contract and, for the Customer/interested party, to use the products/services offered by the data controller, potentially exposing the Customer/interested party to liability for breach of contract.
The personal data provided by the Customer/interested party may also be processed if this is necessary to comply with a legal obligation to which the controller is subject, to safeguard the vital interests of the Customer/data subject or another natural person, for the performance of a task in the public interest or related to the exercise of public authority with which the controller is entrusted, or for the pursuit of the legitimate interest of the data controller himself or third parties, provided that the interests or fundamental rights and freedoms of the Customer/interested party do not prevail; even in these cases, the provision of data is mandatory and, therefore, the failure to provide data, or providing partial or incorrect data, may expose the Customer/interested party to any liability and penalties provided by the legal system.
(4b) Further purposes of the processing following specific and express consent of the Customer/interested party.
In addition to the processing purposes mentioned above, personal data provided/acquired may be processed, subject to the consent of the Customer/interested party, to be expressed by selecting the <<Give consent>> box on the Contract or on the Site (or using other social or web applications of the data controller), also for conducting market surveys and to carry out commercial and promotional communications, by phone (also using the mobile number provided) and automated contact systems (e-mail, sms, mms, fax, etc.), on products/services of the data controller or companies of the Group to which the data controller may belong.
Consent for the purposes of processing referred to in this point (4b) is optional; therefore, following any refusal, the data will be processed only for the purposes indicated in point (4a) above, except as specified below with reference to the legitimate interests of the controller or third parties.
5. Categories of personal data processed
The data controller mainly processes identification/contact data (name, surname, addresses, type and number of identification documents, telephone numbers, e-mail addresses, data of a tax/billing nature, among others) and, where commercial transactions are planned, financial data (of a banking nature, in particular current account identifiers and credit card numbers, among others related to such commercial transactions).
The processing that the data controller carries out, both for the execution of the Contract and by virtue of the express consent of the Customer/interested party, does not generally concern particular categories of personal data, known as sensitive (revealing racial or ethnic origin, political opinions, religious beliefs, state of health or sexual orientation, etc.), nor genetic and biometric data or so-called judicial data (relating to criminal convictions and offences).
However, it cannot be excluded that the data controller, in order to perform the obligations arising from the Contract, must retain and/or process sensitive, genetic and biometric or judicial data of the Customer/interested party or of third parties, for which the Customer/interested party acts as data controller; in this case, the processing by the data controller takes place under the conditions and within the limits set out in the appointment of the same data controller as data processor by the Customer/interested party.
The data controller also processes, in its capacity as data controller with reference to the Site and potentially as data processor commissioned (within the terms mentioned above) by the Customer/interested party, so-called navigation data. The computer systems and software procedures used to operate the websites acquire, in the course of their normal operation, certain personal data, the transmission of which is implied by the use of internet communication protocols. This is information that is not collected to be associated with identified persons, but which, by its very nature, could allow the identification of the data subject. This category of information includes geolocation data, IP addresses, type of browser, operating system, domain name and addresses of websites from which the access or exit was made, information on the pages visited by users within the site, access time, time spent on each page, internal path analysis and other parameters related to the operating system and computer environment of the user. It is, therefore, information that, by its very nature, allows users to be identified through processing and association with data held by third parties.
Cookies may also be used on the Site, both session cookies (which are not stored on the computer of the interested party and disappear when the browser is closed) and persistent cookies, for the transmission of personal information, and systems for the tracing of data subjects.
6. Source of personal data
The personal data that the controller processes are collected directly by the controller from the Customer/interested party at the time of, and during, the latter's navigation of the Site (or use of other social or web applications of the data controller), or, also through its own sales staff, on the occasion of, or after, the signing of the Contract, in the execution of the same, or from public sources.
As stated above, the data controller, as a processor appointed for this purpose, in order to perform the obligations arising from the Contract, may store and/or process data, especially navigation data, and potentially also sensitive, genetic and biometric or judicial data, of third parties, for which the Customer/interested party acts as the data controller, acquired, with the consent of said third parties, at the time of, and during, the navigation of the same third parties on the Site (or their use of other social or web applications that are related to the Controller).
7. Legitimate interests
Legitimate interests of the controller or third parties may constitute a valid legal basis for processing, provided that the interests or fundamental rights and freedoms of the data subject do not prevail. In general, such legitimate interests may exist where there is a relevant and appropriate relationship between the controller and the data subject, for example when the data subject is a client of the controller. It is in particular the data controller’s legitimate interest to process personal data of the Customer/interested party: for fraud prevention purposes, for direct marketing purposes, to ensure the free circulation of the same data within the Business Group to which the controller possibly belongs, or to process traffic-related data in order to guarantee network and information security, namely the ability of a network or system to withstand unforeseen events or unlawful acts which may compromise the availability, authenticity, integrity and confidentiality of data.
8. Circulation of personal data
(8a) Disclosure of personal data - categories of recipients
In addition to employees and collaborators in various capacities of the data controller (who are authorised by the data controller to process pursuant to appropriate written operating instructions, in order to ensure the confidentiality and security of the data), certain processing operations may also be carried out by third parties, to whom the data controller entrusts certain activities, or part of them, for the purposes referred to in point (4a), therefore in execution of both contractual and legal obligations. These include, by way of example and inevitably not exhaustively: commercial and/or technical partners; companies providing banking and financial services; companies providing document storage services; debt collection companies; audit and financial statement certification firms; rating firms; persons providing professional assistance and advice to the controller; customer care firms; factoring firms, credit securitisation firms or other transferees of the credits on any basis; Group companies to which the data controller possibly belongs; subjects who provide commercial information; IT services companies. Entities belonging to the above categories process personal data themselves as independent controllers or as processors, with reference to specific processing operations that are part of the contractual services which they perform for/in the interest of the controller; the controller shall give adequate written operational instructions to processors, with particular reference to the adoption of minimum security measures, in order to be able to ensure the confidentiality and security of data.
Some processing operations may be carried out by third parties, to whom the data controller entrusts certain activities, or part of them, also for the purposes referred to in point (4b). These include, by way of example and inevitably not exhaustively: commercial and/or technical partners; companies that provide marketing services to institutions; advertising agencies; entities that provide assistance and consultancy activities in relation to competitions and prize transactions. Persons belonging to the above categories process personal data as independent controllers, or as processors, with reference to specific processing operations which are part of the contractual services that the entities themselves perform for/in the interest of the controller; the controller shall give adequate written operational instructions to processors, with particular reference to the adoption of minimum security measures, in order to be able to ensure the confidentiality and security of data.
The list of data processors with whom the data controller has a relationship is available upon written request to be sent to the controller’s office, subject to periodic updating.
Personal data may also be disclosed, if requested, to the competent authorities, in fulfilment of obligations arising from mandatory legal provisions.
(8b) Transfer of personal data to third countries
The personal data of the Customer/interested party may also be transferred abroad, either to countries within the European Union or to countries outside the European Union and, in the latter case, either on the basis of an adequacy decision, within the scope and with the appropriate guarantees provided by the GDPR (therefore, in particular, in the presence of standard data protection contractual clauses approved by the European Commission), or, outside the above mentioned hypotheses, making use of one or more of the exceptions provided for by the GDPR (in particular, by virtue of the explicit consent of the Customer/data subject, or for the execution of the Contract concluded by the Customer/data subject, or for the performance of a contract concluded between the controller and another natural or legal person on behalf of the Customer/data subject, in particular for the execution of activities commissioned by the controller to perform the Contract concluded with the Customer/interested party). In the case of data transfers to countries outside the European Union, the Customer/interested party is allowed, upon written request sent to the controller’s office, to know about the appropriate guarantees, or derogations, which legitimize cross-border processing. It is understood, in the event of transfer of data to countries outside the European Union, that for any request relating to the data, including for the exercise of the rights granted by the GDPR to the Customer/interested party, the latter may always validly address the data controller.
9. Criteria for determining the retention period of personal data
For the purposes referred to in point (4a) above, the period of retention of personal data provided by the Customer/interested party, and the consequent potential processing thereof, coincides with the limitation period of the rights/obligations (legal, tax, etc.) arising from the Contract: as a rule 10 years, therefore, except where events interrupting the limitation period occur that could, in fact, extend this period.
For the purposes referred to in point (4b) above, the retention period of the data provided by the Customer/interested party, and the subsequent potential processing thereof, ends with the revocation of the consent previously granted by the Customer/interested party or, in the absence of this, in any case one year after the termination of any relationship between the data controller and the Customer/interested party.
10. Rights of the Customer/data subject
The data controller acknowledges, and facilitates the exercise by the Customer/interested party of, all the rights provided for by the GDPR, in particular the right to request access to their personal data and to extract a copy (art. 15 GDPR), to rectification (art. 16 GDPR) and to the deletion of the same (art. 17 GDPR), to the limitation of the processing concerning them (art. 18 GDPR), to the portability of the data (art. 20 GDPR, if the conditions are met) and to oppose the processing concerning them (art. 21 and 22 GDPR, for the cases mentioned therein and, in particular, processing for marketing purposes or processing that results in an automated decision-making process, including profiling, which produces legal effects concerning them, where the conditions are met).
The data controller also grants the customer/data subject, if the processing is based on consent, the right to revoke this consent at any time, without prejudice to the lawfulness of the processing based on the consent given before the revocation. To do this, the Customer/interested party can unsubscribe at any time on the Site (or on other social or web applications of the data controller) or by using the appropriate link at the bottom of each commercial communication received, or by contacting the data controller at the above addresses.
The data controller also informs the Customer/interested party of the right to submit a complaint to the Supervisory Authority for the Protection of Personal Data, as a supervisory authority operating in Italy, and to seek a judicial remedy against a decision of the Authority, as well as against the controller and/or a processor.
11. Security of systems and personal data
Taking into account the state of the art and the costs of implementation, as well as the nature, subject matter, context and purpose of processing, as well as the risk in terms of likelihood and severity for the rights and freedoms of natural persons, the controller takes appropriate technical and organisational measures to ensure a level of security commensurate with the risk, in particular by ensuring on a permanent basis the confidentiality, integrity, availability and resilience of processing systems and services (including through encryption of personal data where necessary) and the ability to restore the availability of data in a timely manner in the event of a physical or technical incident, and by adopting internal procedures to test, verify and regularly evaluate the effectiveness of the technical and organisational measures employed.
In assessing the appropriate level of security, account shall be taken of the risks posed by processing resulting, in particular, from destruction, loss, alteration, unauthorised disclosure or access, whether accidental or illegal, to personal data transmitted, stored or otherwise processed.
The controller shall ensure that any person acting under his authority and having access to personal data does not process such data unless instructed to do so by the same controller.
Having said this, the Customer/interested party acknowledges and accepts that no security system guarantees absolute protection in terms of certainty; therefore, the data controller is not liable for acts or facts of third parties that improperly, despite the appropriate precautions taken, access systems without the necessary permissions.
12. Automated decision-making, including profiling
The data controller may carry out automated processing, including profiling, in relation to the purposes referred to in point (4b) above, to optimize the navigability of the Site (or the usability of other social or web applications of the data controller) and to improve the shopping experience, except as specified above with regard to the rights of opposition and withdrawal of consent by the Customer/interested party.
Profiling means any form of automated processing of personal data aimed at assessing certain aspects relating to a natural person, in particular to analyse or predict aspects concerning, for example, personal preferences, the interests or location of that person, including in order to create profiles, or homogeneous groups of subjects by characteristics, interests or behaviour.
The data controller does not carry out any automated processing that produces legal effects affecting the Customer/data subject or that similarly significantly affects them, unless this is necessary for the conclusion or execution of the Contract, is authorized by law or is based on the explicit consent of the Customer/interested party, in any case always recognizing the latter’s right to obtain human intervention, to express their opinion and to challenge the decision.