We are pleased to welcome you to our website www.victorvictoria.com (hereafter referred to as the “website”).
We also invite you to carefully read our Privacy statement.
The processing of data takes place in compliance with applicable legislation on the matter and, in particular, with Regulation (EU) 679/2016 (“General Data Protection Regulation”), Legislative Decree 30.6.2003, no. 196 (“Privacy Code”), as well as the measures of the Data Protection Commissioner (“Privacy Commissioner”).
“Personal data” under art. 4, lett. b), of Legislative Decree no. 196/2003 and art. 4 no. 1 of the General Data Protection Regulation, shall mean any information on any individual who is or may be identified, whether directly or indirectly, by reference to any other information, including a name, a personal identification number, location data, an online ID or one or more characteristics of his/her physical, physiological, genetic, psychic, economic, cultural or social identity.
“Processing of personal data”, under art. 4, lett. a), of Legislative Decree no. 196/2003 and art. 4 no. 2 of the General Data Protection Regulation, shall mean any activity or set of activities carried out with or without the aid of automated processes and applied to personal data or sets of personal data, concerning the collection, registration, organisation, saving, consulting, processing, amendment, selection, mining, comparison, use, interconnection, suspension, communication, circulation, deletion and destruction of personal data.
The Policy principles
Anyone is entitled to the protection of their personal data.
The processing of personal data will be performed in compliance with the rights and fundamental liberties, with special reference to confidentiality, personal identity, protection of personal data, and in compliance with any applicable standard and legislation. The processing of personal data will also be performed in compliance with the principles of art. 5 of the General Data Protection Regulation. In particular, the personal data will be processed in a legal, fair and transparent way towards the data subject and will be collected and processed for set, express and legal purposes; the personal data will be adequate, relevant and limited to what is necessary for the purposes for which it is processed (“data minimization”) as well as exact and, if necessary, updated and stored in a format that allows for the identification of the persons concerned for a period of time not longer than the time required to reach the purposes for which it is processed; it will also be processed so as to ensure an adequate security of personal data.
The information systems and computer programmes used are configured so that they reduce the use of personal data and identification data, in compliance with the general principle of “strictly necessary”, under art. 3 of the Privacy Code.
The Data controller of your data is the company Ca’ Da Mosto S.p.A., with its registered office in Scorzè (VE), Via Venice, 146, Tax-payer’s Code, VAT registration number and Registration with the Company Register of Venice no. 02037210271 – Economic and Administrative Index VE–194234.
“Data controller”, under art. 4 of the Privacy Code and art. 4 no. 7 of the General Data Protection Regulation, shall mean an individual, a legal entity, a public administration and any other entity, association or body which is entitled (also together with another data controller) to make decisions on the purposes and manners of processing personal data and the tools used, including the security profile.
“Data supervisor”, under art. 4 of the Privacy Code and art. 4 no. 8 of the General Data Protection Regulation, shall mean an individual, a legal entity, a public administration and any other entity, association or body appointed by the data controller to process personal data.
Currently Data supervisors include:
– Ca’ Da Mosto S.p.A. processes your personal data required for server management and maintenance activities;
– Ca’ Da Mosto S.p.A. processes your personal data required for shipping services of the ordered products;
– Ca’ Da Mosto S.p.A. processes your personal data required for website management and maintenance purposes.
A full list of Data supervisors may be requested by sending an email to our Customer Service, email address firstname.lastname@example.org.
The above-mentioned Data supervisors were chosen by the Data controller out of subjects that, for their experience, skill and reliability, are able to supply proper assurance of full compliance with applicable provisions on the processing of personal data, including the security profile.
The Data supervisors shall abide by the instructions given to them by the Data controller.
Personal data subject to processing
– browsing data: just by visiting and browsing the website, also by non-registered users, even if a purchase is not made, the user’s personal data will be collected and processed (so-called browsing data).
“Browsing data” shall mean such data whose transmission to the website occurs automatically, through the use of Internet communication protocols (i.e., by just entering or browsing the website).
This information is not in itself associated with identified subjects but, by its very nature, could still allow users to be identified through processing and association with third-party data.
This category of data includes, for example, IP addresses or computer domain names used by users who connect to the website, and other parameters related to the operating system and the user’s IT environment.
You should be aware that, during standard operation, IT systems and software procedures in charge of operating the website collect the above-mentioned browsing data.
Data supplied by the user
– data willingly supplied by the user: registration on the website or the online purchase of products results in the collection and processing of users’ personal data. The user undertakes to supply true data, of which he/she is the holder and which he/she is authorized to use for the set purposes, including for the purposes of communication to the Data controller.
Processing method and personal data requirements
The processing of personal data is performed on paper or electronic media, in the ways established by art. 34 of the Privacy Code.
Under art. 31 of the Privacy Code, personal data is processed in compliance with applicable security legislation and is saved and controlled, also with respect to the knowledge acquired based on technical progress, its nature and the specific processing characteristics, in order to minimise, by adopting proper and preventive security measures, the risks of data destruction or loss, including accidental loss, of non-authorized access, or of processing that is not permitted or not compliant with the purposes of collection.
Under art. 25 and 32 of the General Data Protection Regulation, the data controller implements adequate technical and organizational measures in order to:
1) effectively enforce the principles of data protection, such as minimization, and to integrate in the processing the necessary guarantees to protect the rights of the persons concerned;
2) ensure that only personal data required for every specific processing purpose is processed. That obligation applies to the quantity of the collected personal data, the extent of processing, the period of storage and the accessibility (in particular, said measures ensure that, as a default setting, personal data is not made accessible to an indefinite number of individuals without the intervention of the individual);
3) ensure an adequate level of security proportional to risk, through, if the case may be:
– the pseudonymisation and encryption of personal data;
– the ability to permanently ensure the confidentiality, integrity, availability and resilience of the processing systems and services;
– the ability to promptly recover the availability and access of personal data in case of physical or technical accident;
– a procedure to regularly test, verify and assess the effectiveness of the technical and organizational measures in order to ensure processing security.
A cookie is a small file containing a string of alpha-numerical characters that is sent to the user’s computer when a website is visited and that allows such website to recognize the user’s browser upon subsequent access.
Cookies may be used for different purposes: performance of computer authentications, monitoring of sessions, saving of information on specific settings concerning users accessing the server.
There are two main categories of cookies, “technical” and “profiling” cookies.
– Technical cookies
Under art. 122, 1st paragraph, Privacy Code, technical cookies are only used in order to: “send a communication via an electronic communication network, or to the extent that is strictly necessary to the supplier of a service to supply a service expressly requested by the contracting party or by the user.”
Technical cookies may be divided into browsing or session cookies, which are necessary to assure standard browsing and use of the website (for example, to make purchases, or to authenticate in order to access reserved areas); analytical cookies, used by the website manager to collect information, for example, on the number of users or how they visit the website; functional cookies, which are necessary for browsing, based on selected criteria (for example, the language, the products one intends to purchase).
For the installation of technical cookies, the users’ prior consent is not requested (Measure of the Data Protection Commissioner, 8 May 2014, no. 229).
– Profiling cookies
Profiling cookies are used to create user profiles and to send advertising messages in line with the preferences shown by the user during internet browsing. Because of the special invasive character of such elements on the private sphere of the users, European and Italian legislation provides that the users should be adequately informed on their use and express their consent.
Art. 122 of the Privacy Code, concerning profiling cookies, provides that: “The filing of information in the computer of a contracting party or a user or the access to already filed information is only allowed on condition that the contracting party or the user has expressed his/her consent after being informed in the streamlined manners laid down in article 13, paragraph 3.”
The Data Protection Commissioner, by Measure dated 8 May 2014, no. 229 concerning the streamlined version of the statement that the website managers shall supply to the users, provided that upon first access of a website home page (or other page), a close-up banner of suitable size shall appear, containing the following indications:
a) that the website uses profiling cookies in order to send advertising messages in line with the preferences shown by the user during internet browsing;
b) that the website also allows for the dispatch of “third-party” cookies (if any);
c) a link to the extended statement, that shall contain the following additional indications on:
– use of technical and analytical cookies;
– opportunity to choose which specific cookies shall be authorized;
d) the indication that on the extended statement page it is possible to refuse consent to the installation of any cookie.
With reference to such important aspects, we inform you that our website can use both technical cookies and profiling cookies.
Your personal data is processed by Ca’ Da Mosto S.p.A. for purposes strictly connected to the use of the website, its services and the online purchase of our products. Data processing may also occur for other purposes, compatible with applicable legislation and compliant with law.
In particular, your data will be processed for the following purposes: in order to complete your registration with our website, to give you the opportunity to use the services offered by accessing the website, such as, for example, the online purchase of our products, the processing of your purchase orders, the making of payments of purchased products, their delivery, as well as to allow you to access (where possible) any reserved areas of our website, for tax and administrative fulfilments, to comply with applicable legislation, and also to improve our website and offered services.
Your data may be also used to send emails, text messages or multimedia messages or other types of messages, for advertising purposes on similar products or services to those purchased, but in this case you are free to refuse to receive said messages, by exercising the right to object, in the manners set forth in section “Rights of the data subject”, of this Statement (art. 130, paragraph 4, Privacy Code).
Additionally, subject to prior consent of the data subject, your data may be used to send advertising or promotional material on different products or services from those purchased, for marketing activities or market surveys, and for profiling activities, based on your shopping habits, in order to send proposals or promotions which take into consideration your specific interest.
Your data will be saved in compliance with applicable legislation, for the time strictly necessary with respect to the purposes for which processing is performed and, in any case, within limits of law.
The processing purposes are, in any case, from time to time, specifically and analytically reported in the privacy statement, that we invite you to read carefully.
The Data controller reserves the right to delete registered users or, in any case, not to allow users who use third-party data to access the website or access or use the services (including the possibility to make an online purchase of products), without prior authorization or, in any case, in case of communication of untrue data, or in case of incorrect or illegal use of the website or the communicated data, provided that the user is solely and exclusively responsible for the supplied data, as well as for his/her conduct, with indemnity in favour of the Data controller, which refuses any responsibility.
Consent to data processing for advertising or marketing purposes, as well as for consumer profiling purposes, based on the shopping habits or choices, is not compulsory.
The communication of the personal data indicated as mandatory, as part of the set procedure for the online purchase of the products, or for the purposes of registration or, again, for access to reserved areas of the website or to certain services is necessary for the completion of said purchases or procedures, as well as to access certain areas or services for which said compulsory data is requested. In case of refusal of the data subject to supply said compulsory data, it may be impossible to complete the online purchase, or to access or use the services for which it is requested.
Without prejudice to the appointment of Data supervisors, as well as people in charge for processing, by the Data controller, for the purposes concerning the operation of the website and the making of online purchases and services, in compliance with applicable legislation, your data will not be assigned to third parties, that the users have not been previously informed of, and subject to their prior consent to assignment, in the cases established by law.
Rights of the data subject
At any time, the user has the possibility to exercise the rights provided for under art. 7 of Legislative Decree 196/2003 and articles 15, 16, 17, 18, 20, 21 and 22 of the General Data Protection Regulation, by sending a written request by registered letter with return receipt to Ca’ Da Mosto S.p.A. – Servizio Clienti, Scorzè (VE), Via Venezia, 146 CAP 30037, or by email, email address email@example.com.
Find below the provisions governing the rights of the data subject:
Art. 7 of Legislative Decree 196/2003 – Right to access personal data and other rights
1. The data subject is entitled to obtain confirmation of the existence of the personal data concerning him/her, even if not yet recorded, and to its communication in an intelligible format.
2. The data subject is entitled to obtain an indication:
a) of the origin of personal data;
b) of the processing purposes and methods;
c) of the logics applied in case of processing made with the aid of electronic instruments;
d) of the identification details of the data controller, the data supervisors and the designated representative under article 5, paragraph 2;
e) of the individuals or the categories of individuals to whom the personal data may be notified or that may become aware thereof as designated representative in the State territory, data supervisors or people in charge of processing.
3. The data subject is entitled to obtain:
a) update, amendment or, if requested, addition to the data;
b) erasure, conversion into anonymous form or suspension of data processed in breach of law, including the data whose saving with respect to the purposes for which it was collected or subsequently processed is not necessary;
c) certification that the above-mentioned activities have been disclosed, also as concerns their content, to the people to whom data has been notified or circulated (unless such a fulfilment is impossible or results in endeavours that are manifestly disproportionate to the protected right).
4. The data subject is entitled to object, wholly or partly:
a) on legal grounds against the processing of personal data which concerns him/her, even if it is relevant to the purpose of collection;
b) against the processing of personal data which concerns him/her in order to send advertising or direct selling materials or for the making of market surveys or business communication.
Art. 8 of Legislative Decree 196/2003 – Exercise of rights
1. The rights set forth under article 7 are exercised with an informal request to the data controller or data supervisor, also through a person in charge, who is given proper feedback without delay.
2. The rights laid down under article 7 may not be exercised with request to the data controller or the data supervisor or with recourse under article 145, if the processing of personal data is performed:
a) based on the provisions of decree-law 3 May 1991, no. 143, converted, with modifications, by law 5 July 1991, no. 197, as amended from time to time, on money laundering;
b) based on the provisions of decree-law 31 December 1991, no. 419, converted, with modifications, by law 18 February 1992, no. 172, as amended from time to time, on supporting victims of extortions;
c) by Parliamentary Boards of Inquiry set up under article 82 of the Constitution;
d) by a different public body from economic public entities, based on express provision of law, for exclusive purposes concerning monetary and currency policy, payment systems, control of brokers and of credit and financial markets, as well as the protection of their stability;
e) under article 24, paragraph 1, letter f), limited to the period during which an actual and real prejudice for the performance of the defensive investigations or the exercise of the right in court could arise;
f) by suppliers of electronic communication services accessible to the audience concerning incoming telephone communications, unless an actual and real prejudice could arise for the performance of the defensive investigations or for the exercise of the right in court under law 7 December 2000, no. 397;
g) for reasons of justice, before judicial offices of any level and proceeding or the supreme council of judicature or other self-government bodies or the Ministry of Justice;
h) under article 53, without prejudice to the provisions established by law 1 April 1981, no. 121.
3. The Commissioner, also following report of the data subject, in the cases set forth in paragraph 2, letters a), b), d), e) and f), takes action in the manners established under articles 157, 158 and 159 and, in the cases set forth in letters c), g) and h) of the same paragraph, takes action in the manners established under article 160.
4. The exercise of the rights under article 7, when it does not concern objective data, may take place unless it concerns the amendment or addition of personal data concerning judgements, opinions or other subjective evaluations, as well as the indication of conducts to hold or decisions to be made by the data controller.
Art. 9 of Legislative Decree 196/2003 – Exercising method
1. Request to the data controller or supervisor may also be sent by registered letter, telefax or electronic mail. The Commissioner may identify another suitable system with reference to new technological solutions. When it concerns the exercise of the rights set forth in article 7, paragraphs 1 and 2, the request may also be made orally and in that case it is written summarily by the person in charge or the data supervisor.
2. When exercising the rights under article 7 the data subject may grant, in writing, proxy or power of attorney to individuals, entities, associations or bodies. The data subject may also be assisted by a trustworthy person.
3. The rights under article 7 referring to personal data concerning deceased people may be exercised by those who have a vested interest or act to protect the data subject or for family reasons deserving of protection.
4. The identity of the data subject is verified on the basis of suitable evaluation elements, also through available deeds or documents or show or attachment of a copy of an identification document. A person acting on behalf of the data subject shows or attaches a copy of the power of attorney, or the proxy signed before a person in charge or signed and submitted together with a non-authenticated photostatic copy of an identification document of the data subject.
5. Request under article 7, paragraphs 1 and 2, is formulated freely and without coercions and may be renewed, subject to the existence of justified reasons, not later than ninety days.
Art. 15 of General Data Protection Regulation – Right of access by the data subject
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Art. 16 of General Data Protection Regulation – Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Art. 17 of General Data Protection Regulation – Right to erasure (‘right to be forgotten’)
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
Art. 18 of General Data Protection Regulation – Right to restriction of processing
1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Art. 19 of General Data Protection Regulation – Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Art. 20 of General Data Protection Regulation – Right to data portability
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b) the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Section 4 – Right to object and automated individual decision-making
Art. 21 of General Data Protection Regulation – Right to object
1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Art. 22 of General Data Protection Regulation – Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
c) is based on the data subject’s explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
Links to other websites
The website may, also in the future, contain links to third-party websites. The Data controller refuses any related responsibility, also as concerns the content and purposes of said websites, their reliability and/or seriousness. A user who decides to connect to said websites is aware that he/she takes on any risk and/or responsibility arising out of said choice.