Joint Data Controller Agreement
The EXOR Group, consisting of companies operating under the name ‘Tiziana Fausti’ and ‘10 Corso Como’, considers the protection of personal data of its and/or potential Customers, Users and Visitors to be of fundamental importance, respecting the rights recognised under Regulation (EU) 2016/679 (hereafter ‘the Regulation’) and other applicable personal data protection regulations.
The following are the individual companies belonging to the EXOR Group and their respective websites:
|EXOR INC. SRL||www.tizianafausti.com|
|10CC GLOBAL SHOP SRL||www.10corsocomo-theshoponline.com|
Each of these companies is the Data Controller, as defined in Article 4, Paragraph7 of the Regulation, ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’ for the handling of personal data relating to the use of the Websites, while also acting as Joint Data Controller pursuant to and for the purpose of Article 26 of the Regulation exclusively for marketing and profiling purposes (primarily for sending newsletters and specific marketing communications.
To this end, the Joint Data Controllers have entered into a joint ownership agreement which provides for:
- the joint definition of how to process the personal data of data subjects for marketing and profiling purposes
- the joint definition of the procedures for providing timely feedback concerning the exercising of rights as provided for in Articles 15, 16, 17, 18, 20 and 21 of the Regulation.
In order to facilitate the relationship between the Data Subject and each Data Controllers in terms of the exercising of the rights and for the aforementioned purposes, the Exor Group has established a ‘privacy contact person’ who can be contacted using the following email address: email@example.com
In any case, the ‘Privacy’ section of the Websites, which contains all the informations concerning the use and processing of personal data, the references for each website and information about contact and channels of communication made available to the Data Subjects by the Data Controller, will be available for consultation at all times.
Information on the processing of personal data by TFC SRL relating to the website www.10corsocomo.com
The Data Controller is TFC SRL, with its registered office in Corso Como n. 10 – 20154 Milan, Italy.
Personal data collected through the website www.10corsocomo.com are processed by TFC SRL using IT and/or telematic tools for the purposes listed below.
The personal data being collected is processed by TFC SRL directly, indirectly as Join Controller along with the other Data Controllers EXOR INC. SRL and 10CC Global Shop Srl exclusively for the aforementioned marketing and profiling purposes expressly authorised by TFC SRL, or communicated by the Company to third parties for the purposes described below.
Personal data provided by users when browsing the website www10corsocomo.com are processed by the Data Controller in compliance with current personal data protection regulations. The legal basis of this processing is the provision of services by the company itself in the management and consultation of the website.
The processing of personal data by TFC SRL is in pursuit of the following purposes:
- Subscription to the Newsletter
In the event of the using deciding to subscribe to the ‘Newsletter’ of the Exor Group, and more specifically the Tiziana Fausti and 10 Corso Como newsletters (hereafter the “Newsletter”), only after giving eventual and explicit consent, personal data will be processed by the Data Controller/Joint Control for sending commercial or promotional communications and updates relating to the latest trends, new arrivals, exclusive offers, special events and promotions. To unsubscribe to the newsletter, simply click the unsubscribe link at the bottom of any email received from the email addresses firstname.lastname@example.org or email@example.com
- Profiling of a natural person
Only after giving eventual and explicit consent, the personal data provided may be processed by the Data Controller and/or Joint Controller for the purposes of profiling user activity or analysing preferences in order to create personalised content and offers.
Nature of Data Processing
Regarding the purposes listed in point 1) – ’Newsletter’-, the provision of personal data and consent to its processing is optional. Failure to provide consent means that subscribing to the ‘Newsletter’, the sending commercial or promotional communications and receiving updates relating to the latest trends, new arrivals, exclusive offers, special events and promotions is not possible.
If the user decides to subscribe to the newsletter through the section of the website solely dedicated to this, the provision of personal data and consent to its processing is compulsory.
Regarding the purposes referred to in point 2) – Profiling -, the provision of personal data and consent to their processing is optional.
Personal data processed by the Data Controller is that which is provided by the user when browsing the website www.10corsocomo.com for the aforementioned purposes, this data including name, surname and email address.
Methods of Data Processing and Storage
The processing of personal data is carried out by the Data Controller in compliance with the provisions of current Privacy legislation. The Data Controller will process personal data using IT and/or telematic tools and using organisational and logical methods strictly relating to the pursuit of the purposes listed in this policy, as well as taking appropriate security measures to prevent unauthorised access to or the disclosure, modification or destruction of personal data or their loss and misuse. However, the Company cannot guarantee that the measures taken for the security of the website and the transmission of data and information on the website can limit or prevent all risk of unauthorised access or leaking of data by devices belonging to the user. Users of the website are therefore advised to ensure that their computer is equipped with software suitable for the protection and transmission of data within a data network (such as up-to-date antivirus software) and that their Internet Provider has taken appropriate measure for the security of data transmission over this network. The Company also undertakes to process data in compliance with the principles of correctness, lawfulness and transparency, to collect it to the exact extent necessary for processing and to restrict its use to only authorised staff. The management and storage of any personal data acquired will be carried out in archive storage facilities or servers located within the European Union owned by the Data Controller and/or third-party companies appointed as External Data processors currently located in Italy.
Regarding the different purposes for which they are collected, personal data will only be kept for the amount of time necessary to achieve these purposes and will ultimately be processed in accordance with applicable legal provisions.
In any case, the Company will take steps to avoid the use of the data for an indefinite period of time by, on a regular basis, confirming if there is ongoing interest in the subject that this data is related to.
Recipients and Data Processors
The data collected will not be distributed or disseminated in any way, but will be processed within the limits and for the purposes described by Company employees on the basis of appropriate operating instructions (these including administrative, commercial, marketing, legal, system administrators, etc.). Some data processing may also be carried out by third parties appointed as External Data Processors, which the Data Controller uses or can use within the context of managing the contractual relationship, the provision of the services offered and for the organisational needs of its business activities. In particular, the data can be communicated to 1) public and private entities that can access this data in accordance with the law, regulations or EU policies within the limits established by said rules; 2) advisers, to the extent necessary for carrying out their professional duties.
The updated list of External Data Processors and other approved data processors is kept at the registered office of the Data Controllers and is available to the Data Subject upon request via email at firstname.lastname@example.org or email@example.com
Transfer of data abroad
The management and storage of personal data will be done on severs belonging to the Data Controller and/or third-party companies appointed as External Data Processors located within the European Union.
Personal data may be transferred abroad in accordance with the provisions of current legislations, even to countries outside the European Union. Transfers to non-EU countries, apart from cases in which this is guaranteed under European Commission Adequacy Decisions, are carried out in such a way as to provide appropriate and pertinent guarantees pursuant to Articles 46, 47 or 49 of the Regulation.
Rights of data subjects
As a Data Subject, a user may at any time exercise the rights provided for in Articles 15, 16, 17, 18, 20 and 21 of the GDPR, which more specifically confer the right to:
a) obtain confirmation from the Data Controller, pursuant to Article 15, that personal data is being processed or not and, if so, obtain access to the data and information such as: (i) the purposes of the processing; (ii) the categories of personal data; (iii) the recipients or categories of recipients to whom the personal data has or will be communicated, particularly if the recipients are located in Third Countries or International Organisations; (iv) when possible, the planned retention period of the personal data or, if not possible, the criteria used to determine this period;
b) obtain from the Data Controller, pursuant to Article 16, the correction of any inaccurate personal data concerning them without undue delay; taking into account the purposes of the data processing, the Data Subject has the right to have their incomplete personal data completed, including by means of providing a supplementary statement;
c) obtain from the Data Controller, pursuant to Article 17, the deletion of personal data concerning the data subject without undue delay. The Data Controller is obliged to delete personal data without undue delay if one of the reasons listed in Paragraph 1 of Article 17 is applicable;
d) obtain from the Data Controller, pursuant to Article 18, a restriction of the data processing when one of the hypothesis governed by Paragraph 1 of Article 18 applies;
e) obtain from the Data Controller, pursuant to Article 20, the portability, i.e. receiving this is in a structured, commonly used format that is readable by an automatic device, of any personal data concerning the Data Subject provided to a Data Controller. The Data Subject also has the right to transfer this data to another Data Controller without the obstruction of the first Data Controller to whom they provided this data, if the conditions listed in Article 20 Paragraph 1 are met. Finally, the Data Subject has the right to obtain the direct transmission of personal data from one Data Controller to another, if this is technically feasible;
f) object, pursuant to Article 21, in whole or in part to the processing of personal data concerning the Data Subject.
It should be noted that the Data Subject has the right to revoke their consent at any time without prejudice to the legality of the data processing based on the consent given before the revocation, without prejudice to the aforementioned consequences regarding any refusal to provide said personal data. The Data Subject also has the right to a file a complaint with a Supervisory Authority.
The Data Controller undertakes to respond to the Data Subject’s requests within the period of one month, except in particularly complicated cases which may take up to a maximum of three months. In any case, the Data Controller will provide the Data Subject with evidence of the reasons for the delay within one month of the request. The outcome of the request will be provided in writing or electronically. In the event of a request for modification, deletion or limitation of processing, the Data Controller undertakes to communicate the results of the requests received from the Data Subject to each recipient of their data, unless this proves to be impossible or requires disproportionate effort.
The Company specifies that the Data Subject may be asked for a The Company specifies that a possible contribution may be requested if the applications are manifestly unfounded, excessive or repetitive; in this regard the Company shall track your requests for intervention.