PRIVACY POLICY

on the processing of personal data while browsing the website

(According to European Regulation 2016/679 and the Italian Privacy Code as amended)

LVGH S.r.l. (hereinafter “LVGH” or the “Controller”), with registered office at Piazzale Flaminio 9 - 00196 Rome (RM), VAT No. 15335861009, in its capacity as Data Controller, informs you, pursuant to Article 13 of EU Regulation 2016/679 (hereinafter “GDPR”) and Legislative Decree No. 196/2003 (hereinafter “Privacy Code”), as amended, that the processing of personal data of users who visit the website www.legraal.com will be carried out as described below. The Controller can be contacted at the following email address: privacy@legraal.com

The Controller has appointed a DPO, who can be contacted at: dpo@legraal.com.

This privacy policy applies exclusively to the website www.legraal.com and not to any other websites that the user may access through links. Visiting this website may result in the processing of personal data relating to identified or identifiable natural persons.

The purpose of this privacy policy is to provide maximum transparency regarding the information the website collects and how it is used.

  1. Object of the processing

Visiting this website may result in the processing of personal data relating to identified or identifiable natural persons. Personal data are processed while browsing the website www.legraal.com, through the contact form, or by subscribing to the newsletter.

  1. Purpose of the processing 

The personal data of users browsing the website are processed for different purposes depending on the category of data:

- For browsing data, processing is carried out automatically to obtain anonymous statistical information on the use of the website and to ensure its correct functioning; such data are stored in the server provider's database.

- For data voluntarily provided by the user, processing is necessary (i) to send the newsletter for promotional and marketing purposes and (ii) to respond to user requests submitted via the contact form.

  1. Legal basis of the processing

The legal basis for processing browsing data lies in the Controller's legitimate interest in ensuring efficient and secure browsing on the website, including interactive use, under Article 6, par. 1, lett. f) GDPR.

The legal basis for processing data voluntarily provided by the user is the explicit consent of the data subject under ex art. 6, par. 1, lett. a) GDPR. 

Providing data and consenting to its collection and processing is optional; the user may refuse consent or withdraw it at any time. However, refusal will prevent the Controller from providing services such as newsletter subscription or responding to contact form requests.

The user may unsubscribe from the newsletter at any time using the unsubscribe procedure found in the newsletter footer.

  1. Categories of data processed and retention period

Browsing data

The IT systems and software procedures used to operate this website collect certain personal and non-personal data during normal operation, the transmission of which is implicit in the use of Internet communication protocols (log files).

These data are not collected to identify users; however, they could allow identification through processing and association with third-party data.

This category of data includes IP addresses or domain names of the computers used by users connecting to the website, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, pages viewed, average time spent on the website, the method used to submit the request to the server, the size of the file returned, the numerical code indicating the server response (success, error, etc.), and other parameters regarding the user's operating system and IT environment.

These data are used solely to obtain anonymous statistical information on the use of the website and to verify its correct functioning. They are retained for a maximum period of 24 months. Except in the case of investigations related to cybercrimes against the website, browsing data are not stored for more than seven days.

Data voluntarily provided by the user

The optional, explicit, and voluntary provision of user data via the contact form and for newsletter subscription results in the acquisition of the user's first name, last name, email address, country/region, and preferred language.

Personal data related to contact form requests are retained for the time necessary to fulfil the request, after which they are anonymized. Longer retention periods may apply where required by law for administrative, tax, or accounting obligations.

Personal data collected for marketing purposes are processed for no more than 24 months, without prejudice to the user's right to withdraw consent at any time.

  1. Provision of data

Browsing data is processed automatically once the user accesses www.legraal.com; personal data voluntarily provided by the user is processed once the communication or newsletter subscription request is sent by the user and consent is granted by ticking the appropriate box.

In some cases (not related to ordinary website operations), the Authority may request information concerning personal data protection. In such instances, the Controller must respond under penalty of administrative sanctions.

  1. Processing methods

Personal data are processed according to art. 4, part. 1, n. 2 GDPR: collection, recording, organisation, storage, consultation, processing, modification, use, restriction, communication, erasure, and dissemination of data.

Data are processed using automated tools for the time strictly necessary to achieve the purposes for which they were collected. No automated decision-making or profiling is carried out.

Specific technical and organisational security measures are adopted to prevent data loss, unlawful use, and unauthorised access (data breaches).

  1. Access to personal data

For the purposes described above, personal data may be accessed by the Controller's employees authorised under Article 29 GDPR, consultants, and third-party companies providing outsourcing services as Data Processors under Article 28 GDPR. A list of such third parties may be requested from the Controller.

  1. Transfer of data abroad

Data may be transferred outside the European Union and the European Economic Area. The Controller ensures that such transfers comply with Article 44 et seq. GDPR and applicable law. Personal data transferred outside Europe will be subject to the same level of protection guaranteed by the GDPR. A list of third parties receiving the data may be requested from the Controller.

  1. Data subject rights

The data subject is entitled to exercise the rights set out in Articles 15 et seq. of the GDPR, namely:

  • To obtain confirmation as to whether or not personal data concerning them exist, even if not yet recorded, and to receive such data in an intelligible form.

  • To obtain information regarding: a) the source of the personal data; b) the purposes and methods of the processing; c) the logic applied in the event of processing carried out with the aid of electronic tools and the security measures adopted; d) the identification details of the Controller and of the Processor(s) appointed pursuant to Article 28 GDPR; e) the recipients or categories of recipients to whom the personal data may be disclosed or who may become aware of them in their capacity as recipients.

  • To obtain: a) the updating, rectification, or, where the data subject has an interest, the integration of the data; b) the erasure, anonymisation, or restriction of data processed in breach of the law, including data whose retention is unnecessary for the purposes for which they were collected or subsequently processed; c) certification that the operations referred to in points (a) and (b) have been notified, also with regard to their content, to those to whom the data have been communicated or disclosed, unless such compliance proves impossible or involves a manifestly disproportionate effort compared to the right being protected.

  • To object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning them, even when relevant to the purpose of the collection; b) to the processing of personal data concerning them for direct marketing purposes.

Where applicable, the data subject is also entitled to the rights provided under Articles 18 and 20 GDPR (Right to restriction of processing and Right to data portability), as well as the right to lodge a complaint with the Supervisory Authority (Articles 77 GDPR and 141 of the Italian Privacy Code, as amended).

  1. Exercising rights

The data subject may exercise their rights at any time by sending an email to the Controller at privacy@legraal.com or DPO at dpo@legraal.com