Personal Data is defined by Article 4 No. 1) of the GDPR as “any information relating to an identified or identifiable natural person (Data Subject); an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more features of his or her physical, physiological, genetic, mental, economic, cultural or social identity” (hereinafter “Personal Data”).
This policy explains how we collect, use and protect the Personal Data of all users (the “Users”) who access the website www.lookalike.shop (the “Site”). The processing of Personal Data will be guided by lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability, according to the general principles defined in Article 5 of the GDPR.
- Data Controller and Data Protection Officer
The data controller is Lookalike S.r.l., with registered office in Via del Gonfalone 3, 20123 Milan (MI), P.I./C.F. 11814320963, pec firstname.lastname@example.org, (the “Data Controller” or the “Company”).
The Company has appointed a Data Protection Officer (DPO) who can be reached at the Company’s address at Via del Gonfalone 3, 20123 Milan (MI) and by e-mail at email@example.com.
- Personal data subject to processing
The Personal Data collected include Personal Data provided voluntarily and automatically collected Usage Data.
Personal Data provided voluntarily includes Personal Data provided to fill in the contact sections on the Site in order to be contacted by the Company.
Automatically collected Usage Data includes the following.
- Personal Data derived from the use of the Site each time Users interact with it such as the IP address used to connect to the Internet with the computer or mobile phone, information about the computer or mobile phone such as the Internet connection, browser type, version, operating system and device type.
- Purpose of processing and legal basis
Personal Data are processed for the following purposes.
a) Purposes aimed at allowing the Company to provide all the information related to the performance of its activity through the answers to the requests sent with the different contact forms present on the Site. The processing of Personal Data for this purpose has its legal basis in Article 6(1)(b) of the GDPR, pursuant to which the processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject’s request.
b) Purposes of fulfilling obligations required by law, regulations or EU legislation such as obligations relating to the protection of Personal Data (such as those relating to the exercise of data subjects’ rights). The processing of Personal Data for this purpose has its legal basis in Article 6(1)(c) of the GDPR, pursuant to which the processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
c) Legal defence purposes to enable the legal defence of a right or interest of the Controller before any competent authority or body. The processing of Personal Data for this purpose finds its legal basis in Article 6(1)(f) of the GDPR whereby the processing is necessary for the pursuit of the legitimate interest of the Data Controller. It is the legitimate interest of the Data Controller to pursue remedies to ensure compliance with its contractual rights or to demonstrate that it has fulfilled its obligations arising from the contract with the data subject or imposed on the Data Controller by law.
- Recipients of Personal Data
Personal Data may be communicated by the Controller to the categories of recipients indicated below. The recipients to whom the Data Controller communicates the Data act, according to the legal requirements, as autonomous controllers when they determine the purposes and means of processing, data processors pursuant to Article 28 GDPR when they process the Personal Data on behalf of the Data Controller or as authorised data processors pursuant to Article 2 quaterdecies of the Privacy Code (Legislative Decree 196/2003 as amended by Legislative Decree 101/2018) when they act internally within the structure under the control and direction of the Data Controller.
Without prejudice to belonging to one of the above categories, Personal Data may be shared with the following parties.
- Employees and/or collaborators of the Controller, to enable the Company to respond to contact requests received.
- Employees and/or collaborators of the Data Controller to carry out administration, accounting and IT support activities.
- Companies, consultants or professionals who may be appointed to install, maintain, update and, in general, manage the Controller’s hardware and software.
- All those subjects, including public authorities, who have access to the Data by virtue of regulatory or administrative measures.
In any case, Personal Data shall only be disclosed to parties that have committed themselves to confidentiality or have an appropriate legal obligation of confidentiality. Personal Data will not be disclosed.
- Period of Data Retention and Method of Processing
Personal Data are kept only for the period of time necessary for the purpose for which they are processed or within the terms provided by applicable national and EU laws, rules and regulations.
Personal Data provided when requesting information through the contact forms on the Site will be kept for the time necessary to properly process the request. In any case, Personal Data shall not be kept for a period longer than 12 months from the request for information if no legal relationship develops from the contacts received. This is without prejudice to the User’s right to request the immediate deletion of Personal Data after they have received feedback and responses to the requests sent.
If legal or commercial relationships develop with the requesting contacts, as well as for the purposes set out in Article 3 lit. b) and c), Personal Data may be retained for the duration of the contract as well as for the next 10 years in order to verify any pending litigation or for compliance with any legal obligation. Thereafter, we will delete the Personal Data in accordance with our data retention and deletion rules or retain it in connection with a continuing legal basis.
- Transfer of Personal Data outside the European Union
Personal Data collected will not be transferred to countries outside the European Union. Any transfer of the Data Subject’s Personal Data to countries outside the European Union will take place, in any case subject to the integration of this information notice, in compliance with the appropriate and suitable safeguards for the purposes of the transfer itself in accordance with the applicable legislation and in particular in compliance with the general principle for the transfer as per art. 44 GDPR, of the existence of an adequacy decision of the European Commission pursuant to Art. 45 GDPR, of adequate safeguards pursuant to Art. 46 GDPR – including the standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2) GDPR – and in the presence of one of the specific situations of derogation referred to in Art. 49 GDPR including the explicit consent to the transfer by the Data Subject. The User is invited to contact the Data Controller for any further clarification.
- Obligatory nature of personal data communication and consequences of non-communication
For the pursuit of the purposes set out in article 3 letter a), the provision of Personal Data is optional; however, since their processing is necessary to allow the Company to reply to contact requests, failure to provide Personal Data will result in the impossibility for the User to receive replies to such requests.
For the pursuit of the purposes set out in Art. 3 letter b) the provision of Data is compulsory, as their processing is necessary to allow the Data Controller to fulfil its legal obligations.
For the purpose referred to in Art. 3 letter c) the provision of Data is optional. However, it must be borne in mind that, insofar as the processing is necessary for the establishment, exercise and defence of a right, the Data Controller is also exempt from the obligation to delete, by express provision of the GDPR.
- Data Rights
Pursuant to Art. 15 et seq. of EU REG. 2016/679, the User may exercise the following rights: (1) request access to his/her Personal Data pursuant to Art. 15 of the GDPR, (2) obtain rectification and/or integration of the Data pursuant to Art. 16 of the GDPR, (3) request and obtain the deletion of the Data pursuant to and within the limits of art. 17 of the GDPR unless one of the exceptions set out in paragraph 3 of the same art. 17 applies, (4) request and obtain the limitation of the processing pursuant to art. 18 of the GDPR, (5) obtain the portability of the Data pursuant to and within the limits of art. 19 of the GDPR which allows the User to receive the Personal Data provided to the Data Controller in a structured, commonly used and machine-readable format and – under certain conditions – transmit it to another data controller without hindrance, (6) object, in whole or in part, to certain types of processing pursuant to Art. 21 of the GDPR, including processing for marketing purposes, (7) withdraw consent pursuant to Art. 7, paragraph 3 of the GDPR without affecting the lawfulness of the processing based on the consent given before the revocation, (8) lodge a complaint with the Supervisory Authority (Privacy Guarantor), (9) receive clear, transparent and easily understandable information on how Personal Data is used and the exercise of rights, which is why the Data Controller provides the information contained in this document (art. 13 GDPR).
The exercise of rights is not subject to any formal constraints and is free of charge. All rights may be exercised by sending an appropriate request to the Data Controller at the following e-mail address: firstname.lastname@example.org.
- Right to object
The User has the right to object at any time, on grounds relating to his or her particular situation, to the processing of Personal Data concerning him or her carried out pursuant to Art. 6 para. 1 lit. f) GDPR having as legal basis the legitimate interests of the Data Controller. The Data Controller shall refrain from further processing the Personal Data unless it demonstrates the existence of compelling legitimate grounds for processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
The Data Controller may need to update this policy in the light of regulatory changes or changes to its services by posting the amended version of this policy on the Site. We therefore invite Users to periodically review the relevant section of the Site in order to check and be aware of the updates made; where necessary, the Data Controller will notify Users directly of the changes made.