PERSONAL DATA PROCESSING POLICY
Pursuant to Article 13 of the European Privacy Regulation 2016/679

PERSONAL DATA PROCESSING POLICY

Pursuant to Article 13 of the European Privacy Regulation 2016/679

These guidelines refer to how personal data is used by the Data Controller, as well as by appointed Data Processors for this purpose, through the website https://www.atag-europe.com/

In accordance with Article 13 of the European Privacy Regulation 2016/679 (hereinafter, also simply “GDPR”), we shall therefore provide you, as “data subjects” with the information required regarding the purposes and methods of the processing of your personal data, as well as the scope of disclosure and circulation of this data.

By visiting this website, using its services or interacting with the Data Controller, Users confirm that they have understood this privacy policy and accept data processing by the Data Controller. If Users do not accept the information in this privacy policy, they should not: make online purchases, create an account through the “Log In/Register” section, or fill in the form under the “Contacts” section.

The Data Controller is Atag S.p.A., Tax Code 00844980151, with its registered head office in Milan (20128 – MI), Viale Monza, 274.

  1. Purposes of the processing, Legal grounds and Data retention period

The website https://www.atag-europe.com/ is for the general public, however, its services are intended for individuals aged 18 or over. The Data Controller asks that individuals under the age of 18 do not register or provide personal data through the website.

If the Data Controller finds out that it has collected a minor’s data, it shall delete this data.

La maggior parte delle sezioni del sito non richiede alcuna forma di registrazione, permettendo l’accesso e la Most of the sections on the website do not require any form of registration, allowing users to access and browse around the website.

On the other hand, certain areas of the website, for example: “Contacts” and “Log In/Register” might require Users to send personal information in order to use specific features. If Users provide the Data Controller with third-party data (eg. family members, friends, etc), they must make sure that these third parties are aware and have authorised the provision of this data based on appropriate legal grounds that legitimise the data processing in question. In these cases, Users are autonomous data controllers and assume all legal obligations and liabilities. Consequently, if Users provide third-party data, they fully indemnify the Data Controller against any potential dispute, claim or request for compensation for damages made against the Data Controller by them.

The Data Controller shall process the following personal data:

PurposeLegal groundsTypes of dataRetention
Period
Sales of products through the e-commerce website and any activities relating to sales and subsequent issues, as well as the handling of the right of withdrawal, return and legal warranties of the products, customer support, and requests for informationPerformance of a contract (or fulfilling pre-contractual measures adopted at your request) pursuant to Article 6(1)(b) of the GDPR. Legal obligations for the Data Controller pursuant to Article 6(1)(c) of the GDPRidentified data (eg. name and surname) and contact details (eg. e-mail and telephone number), personal details, information on orders and purchases, and payment, shipping and billing detailsUp to 10 years from the last purchase. In the case of litigation, for its entire duration, up until the expiry of the terms for lodging appeals
The creation of a user profile by registering under the “Log In/Register” sectionPerformance of a contract (or fulfilling pre-contractual measures adopted at your request) pursuant to Article 6(1)(b) of the GDPR. Legal obligations for the Data Controller pursuant to Article 6(1)(c) of the GDPR. If you do not provide data, it shall not be possible to purchase products online or proceed with any sales-related activities (withdrawals, returns, warranties or customer support)identified data (eg. name and surname) and contact details (eg. e-mail and telephone number), personal details, information on orders and purchases, and payment, shipping and billing detailsFor the entire duration of the contract and up to 10 years from the last purchase. In the case of litigation, for its entire duration, up until the expiry of the terms for lodging appeals
The purchase of products through the “Basket” (without creating an account)Performance of a contract (or fulfilling pre-contractual measures adopted at your request). Article 6(1)(b) of the GDPR.  Contact information, personal details, debit/credit card details, billing details and/or details required to issue a tax receipt, and order and shipping detailsFor 10 years from the issue of the tax receipt. In the case of litigation, for its entire duration, up until the expiry of the terms for lodging appeals.
Answering requests sent to the “Contacts” SectionPerformance of a contract (or fulfilling pre-contractual measures adopted at your request). Article 6(1)(b) of the GDPRContact information and personal details, information on orders and purchases, financial information, information on products and/or any other request you send usFor the time strictly required to handle the requests and, in any case, for a maximum of 24 months
Sending you advertising material and offers on our products and services, including with automated systems (direct marketing)Consent. Article 6(1)(a) of the GDPR. The provision of data for this purpose is optional, but if you do not provide it, it shall not be possible for the Data Controller to send you direct marketing messagesIdentified data and contact detailsUntil consent is withdrawn and/or up to 24 months from the last purchase made
Browsing the website: information collected through cookies. For more information on cookies, please see the specific cookie policy[EL1] on the website For all non-aggregated analytics and non-technical cookies: consent. Article 6(1)(a) of the GDPRPer tutti i cookie non tecnici e analitycs non aggregati: consenso. Art. 6 n. 1 lett. a) GDPRUser browsingFor the entire duration of browsing the website and/or up until the cookie expires. For more information, please read the specific cookie policy[EL2] on the website.

Please note that data may be processed for direct marketing purposes by the Data Controller through post, e-mail, SMS and/or WhatsApp. In any case, data subjects may withdraw their granted consent at any time and/or withdraw their consent also just for one of the ways of receiving information (post, e-mail, SMS and/or WhatsApp).

Personal data shall be processed in writing and/or on magnetic or electronic media by external employees and Data Processors appointed for this purpose.

Pursuant to Article 5 of the GDPR, personal data shall be processed lawfully and fairly in writing and/or on magnetic or electronic media. Processed data shall be stored for the aforementioned purposes up until the time indicated above, after which it shall be deleted or anonymised, as provided for by existing legislation and shall not be excessive in relation to the purposes indicated in this policy.

If granted consent is withdrawn, the data shall be deleted within 3 months from the request, subject to specific legal obligations on the storage of legal, fiscal, accounting and administrative documentation.

Processing is done through operations or a series of operations as indicated under Article 4(2) of the GDPR and more specifically: the collection, recording, organisation, storage, consultation, processing, amendment, selection, extraction, comparison, use, interconnection, blocking, disclosure, circulation, deletion and destruction of data, even if not recorded in a database.

These operations can be done with or without the use of electronic or automated tools and using methods that fully comply with the purposes pursued.

These operations can be done with or without the use of electronic or automated tools and using methods that fully comply with the purposes pursued.

  • Scope of the disclosure and circulation of data

The data collected on this website shall be disclosed by the Data Controller to legal and tax advisers.

Personal data may also be disclosed to external individuals appointed as Data Processors operating on behalf of the Data Controller. Employees and Data Processors appointed for this purpose shall only process data if necessary to carry out their assigned tasks, for example, to fulfil orders and ship goods, to process payments, etc, all of which while guaranteeing to protect Data Subject rights. The full list of the Data Processors is available, upon request, from the Data Controller.

Moreover, personal data may be disclosed to third-party companies in the event of a merger and/or demerger, acquisition, sale of a company branch and/or other special corporate operations.

Personal data may be disclosed to legitimate recipients pursuant to law or regulations, for example, in the event of requests from relevant public authorities and judicial authorities.

3. Transfer of data abroad

Personal data may be transferred to countries in the European Union.

4. Data subject rights

Pursuant to Articles 15 to 22 of the Regulation, data subjects have the right to:

  • be informed, the right to receive clear, transparent and comprehensible information on the methods we use to process your data and regarding your rights;
  • obtain information on the purposes for which personal data is processed, on the processing period and on the individuals to whom data is disclosed (right to access pursuant to Article 15);
  • have any inaccurate personal data about them amended or supplemented (right to rectification pursuant to Article 16);
  • have any of their personal data deleted in the following cases (a) the data is no longer necessary for the purposes for which it was collected; (b) consent is withdrawn for data processing if this data is processed based on your consent; (c) you object to the processing of your personal data if it is processed for one of our legitimate interests; or the processing of your personal data does not comply with the law. However, please note that the storage of personal data by the Data Controller is legal if it is necessary to allow it to fulfil a legal obligation or to ascertain, exercise or defend a right in a court of law (right to erasure pursuant to Article 17);
  • request that their personal data is only stored without it being used in the following cases (i) the accuracy of personal data is contested, for the period required to allow us to check the accuracy of this personal data; (ii) the processing is illegal but the data subject objects, in any case, to us deleting the personal data and asks that its use is restricted; (iii) personal data is necessary to ascertain, exercise or defend a right in a court of law; (iv) the data subject objects to the processing and is waiting for the potential precedence to be checked of legitimate grounds for the processing of the Data Controller compared with those of the data subject (right to restriction pursuant to Article 18);
  • have the processing stopped if personal data is being processed for direct marketing purposes (right to object pursuant to Article 21);
  • withdraw their consent at any time and/or only to withdraw their consent for one of the ways of receiving information (post, e-mail, SMS and/or WhatsApp), when the processing is based on their consent; in any case, the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • receive their personal data in a commonly used, legible format from an interoperable, automatic device, if this data is being processed under a contract or based on consent (right to portability pursuant to Article 20).
  • file a complaint with the Italian Supervisory Authority, Garante Privacy (https://www.garanteprivacy.it/). In any case, data subjects may exercise their privacy rights by contacting the Data Controller.

5. Data Controller contact details

The Data Controller is Atag S.p.A., Tax Code 00844980151, with its registered head office in Milan (20128 – MI), Viale Monza, 274, e-mail: web@atag-europe.com

6. Amendments to this policy

The Data Controller reserves the right to update and/or amend this policy at any time, especially when it is necessary to comply with new regulations.

The Data Controller shall notify of any updates to the privacy policy by publishing it on its website. Users are therefore advised to regularly check the ATAG privacy policy.

Date of last update: 1 August 2021