PRIVACY POLICY

on the processing of personal data while browsing the website

(According to EU Regulation 2016/679 and the Italian Privacy Code, as amended)

LVGH S.r.l. (“LVGH”), with registered office at Piazzale Flaminio 9, 00196 Rome (RM), VAT No. 15335861009;

PMC S.r.l. (“PMC”), with registered office at Piazzale Flaminio 9, 00196 Rome (RM), VAT No. 16461641009;

acting as independent Data Controllers, hereby inform you, pursuant to Article 13 of EU Regulation 2016/679 (“GDPR”) and Legislative Decree No. 196/2003 (“Privacy Code”), as amended, that the processing of personal data of users who visit the website www.legraal.com/legraalprivateclubroma will occur in the manner and for the purposes described below.

The Controllers may be contacted at the following email addresses: privacy@legraal.com and privacy@legraalroma.com.

The Controllers have appointed a Data Protection Officer (DPO), who may be contacted at: dpo@legraal.com.

This privacy policy applies exclusively to the website www.legraal.com/legraalprivateclubroma and not to other websites potentially accessed by the user through links. Visiting this website may result in the processing of personal data relating to identified or identifiable natural persons.

The purpose of this privacy policy is to provide maximum transparency regarding the information collected by the website and how it is used.

  1. Object of the processing

Personal data of identified or identifiable natural persons may be processed while browsing the website www.legraal.com/legraalprivateclubroma, including (i) data provided through the contact form and (ii) data provided through newsletter subscription.

  1. Purposes of the processing

Personal data are processed for different purposes depending on the category of data:

- Browsing data: processed automatically to obtain anonymous statistical information and ensure correct functioning of the website. Such data are stored in the server provider’s database.

- Data voluntarily provided by the user, by third parties or collected—within legal limits—from public sources: processed in order to (i) respond to user requests submitted through the contact form; and (ii) send newsletters for promotional and marketing purposes. Such processing includes sending informational, commercial and promotional material relating to the Controllers’ products, services or initiatives, performing direct sales activities, conducting market research and verifying customer satisfaction. Consent is optional and does not affect the relationship with the Controller.

  1. Legal basis for processing

The legal basis for the processing of browsing data lies in the Controller’s legitimate interest in ensuring efficient and secure navigation of the website, including interactive features, pursuant to Article par. 1, lett. f) GDPR.

With regard to the legal basis applicable to the processing of personal data voluntarily provided by the user, it is as follows:

  • the performance of contractual obligations or the handling of requests made by the data subject, pursuant to Article 6, par. 1, lett. b) GDPR, with reference to the purpose described under point (i) above;

  • the explicit consent of the data subject, pursuant to Article 6, par. 1, lett. a) GDPR, with reference to the purpose described under point (ii) above.

Providing consent for the collection and processing of personal data is optional; therefore, the user may refuse or withdraw consent at any time.

However, refusal to provide consent will render the Controller unable to deliver the services that depend on such consent.

In particular, the user may withdraw their subscription to the newsletter at any time by using the unsubscribe procedure available in the footer of each newsletter.

  1. Categories of data and retention periods

Browsing Data

The IT systems and software procedures responsible for the functioning of this website acquire, during their normal operation, certain personal and non‑personal data, the transmission of which is implicit in the use of Internet communication protocols (log files). These data are not collected for the purpose of being associated with identified data subjects; however, by their very nature, they could—through processing operations and association with data held by third parties—allow users to be identified.

This category of data includes: IP addresses or domain names of the computers used by users connecting to the website; URI (Uniform Resource Identifier) addresses of the requested resources; the time of the request; the pages visited; the average time spent on the website; the method used to submit the request to the server; the size of the file returned in response; the numerical code indicating the status of the server’s response (successful outcome, error, etc.); other parameters relating to the user’s operating system and IT environment. These data are used exclusively for the purpose of obtaining anonymous statistical information on the use of the website and to verify its correct functioning, and are deleted immediately once these purposes have been achieved.

The data may be used to ascertain liability in the event of hypothetical cybercrimes committed against the website; except for this circumstance, browsing data do not persist for more than seven days.

Data Voluntarily Provided by the User

The optional, explicit and voluntary provision of personal data by the user through the contact form or for newsletter subscription results in the subsequent acquisition of: first name, last name, email address, telephone number, country/region, preferred language, and any additional personal data voluntarily provided by the data subject through the contact form.

Personal Data collected in relation to requests sent through the contact form are retained only for the time necessary to process and fulfil the request, after which they are anonymised.

Longer retention is permitted where required for compliance with administrative, fiscal or accounting obligations.

Personal Data collected for marketing purposes are processed for a period not exceeding 24 months, without prejudice to the data subject’s right to withdraw consent at any time.

  1. Methods of processing

Personal data are processed in accordance with Article 4 part. 1, n. 2 GDPR: collection, recording, organisation, storage, consultation, processing, modification, use, restriction, communication, erasure and dissemination.

Data are processed using automated tools for the time strictly necessary to achieve the purposes for which they were collected. No automated decision-making processes are used.

Technical and organisational security measures are implemented to prevent data loss, unlawful use and unauthorised access (data breaches).

  1. Access to personal data

Data may be accessed by employees authorised under Article 29 GDPR and by consultants or third‑party companies performing outsourced activities as Data Processors under Article 28 GDPR.

  1. Transfer of data abroad

The personal data will be transferred outside the European Union and the European Economic Area; the Controller hereby ensures that any transfer of data outside the European borders will be carried out in compliance with Articles 44 et seq. of the GDPR and with all applicable legal provisions.

For this reason, personal data transferred outside Europe and the European Economic Area are guaranteed to benefit from the same level of protection as that required under the GDPR.

For further information, and to request the list of third parties to whom the data are transmitted, the data subject may contact the Controller using the contact details provided in this privacy notice.

  1. Rights of the data subject

The data subject has the rights provided for under Article 15 et seq. of the GDPR, and specifically the right to:

  • Obtain confirmation as to whether or not personal data concerning them exist, even if not yet recorded, and to receive such data in an intelligible form;

  • Obtain information regarding: (a) the origin of the personal data; (b) the purposes and methods of the processing; (c) the logic applied in the event that processing is carried out with the aid of electronic tools and the security measures adopted; (d) the identification details of the Controller and of the Processor(s) appointed pursuant to Article 28 GDPR; (e) the subjects or categories of subjects to whom personal data may be communicated, or who may become aware of such data in their capacity as recipients;

  • Obtain: (a) the updating, rectification or, where the data subject has an interest, the integration of the data; (b) the erasure, anonymisation or restriction of data processed in breach of the law, including those data whose retention is unnecessary in relation to the purposes for which they were collected or subsequently processed; (c) certification that the operations carried out pursuant to points (a) and (b) above have been notified, including with regard to their content, to those to whom the data were communicated or disclosed, except where such compliance proves impossible or would involve a manifestly disproportionate effort in relation to the right being protected;

  • Object, in whole or in part: (a) on legitimate grounds, to the processing of personal data concerning them, even where such data are relevant to the purpose of the collection; (b) to the processing of personal data concerning them for purposes of direct marketing.

Where applicable, the data subject also has the rights set out in Articles 18 and 20 GDPR (Right to restriction of processing and Right to data portability), as well as the right to lodge a complaint with the Supervisory Authority pursuant to Articles 77 GDPR and 141 of the Italian Privacy Code, as amended.

  1. Exercising rights

The data subject may exercise their rights at any time by contacting the Controller at privacy@legraal.com and privacy@legraalroma.com or the DPO at the email address: dpo@legraal.com