According to USA local data protection applicable laws and the EU Regulation n. 2016/679 “General Data Protection Regulation”, the following data controllers (hereinafter “Data Controllers”) provide you with the following information on the collection, use, disclosure, or processing of your personal data:
- Dolce & Gabbana S.r.l., based in Via Goldoni 10, 20129, Milan, Italy, an Italian corporation belonging to the Dolce & Gabbana Group, Data Controller for customer loyalty purposes, marketing purposes and profiling purposes and for administrative and accounting purposes if customers purchase in Italy;
- Dolce & Gabbana Usa Inc., based in 546 5th Ave, New York City, NY 10036, USA, the local subsidiary belonging to the Dolce & Gabbana Group where the customer purchases or registers to the CRM system, Data Controller for administrative and accounting purposes, customer loyalty purposes.
Specific information of the subsidiaries belonging to the Dolce & Gabbana Group through which you have the chance to gain detailed information on the different Data Controllers, may be obtained by visiting the following link https://world.dolcegabbana.com/corporate/subsidiaries/ or by writing to email@example.com or to the postal addresses mentioned above.
A. The purposes and legal basis for the processing
A1. The following personal data supplied by you in our stores or on our website: personal information (first name, family surname, date/place of birth); contact details (permanent place of residence, domicile, phone number, e-mail); invoicing and tax free information (nationality, passport number, company name, fiscal code, vat number); information regarding the purchases made by the customer (item, size and color, price, date and shop where the sale takes place) will be collected, used, disclosed or processed:
a. For administrative and accounting purposes: execution of sales contract, accounting and fulfillment of legal obligations, after-sales services. The legal basis for this data processing is the execution of a contract to which you are a party.
A2. The following personal data supplied by you over time in our stores or on our website: personal information (first name, family surname, date/place of birth); contact details (permanent place of residence, domicile, phone number, e-mail); data regarding the customer profile and his/her preferences (hobbies, cultural interests, preferred magazines/websites, style of life/person, associative/cultural clubs of his/her interest, preferred brands and items purchased) and the total amount of individual purchases and details of the same (item, size and color, price, date and shop where the sale takes place) will be collected, used, disclosed or processed:
a. Subject to your consent, for customer loyalty purposes such as: free personal shopping services, free assistance services (tailoring), free courtesy services (domicile purchases delivery services). The legal basis for this data processing is your consent.
b. Subject to your consent, for marketing purposes: dispatch of advertising material or direct sales material, market research, customer satisfaction surveys, commercial communication, even customized, regarding Dolce & Gabbana products (bags, accessories, shoes and clothes) with automated (e-mail, other communication systems via communication networks such as, by way of example but not limited to: SMS, instant messaging platforms (WhatsApp, Line, WeChat, Viber, Kakao Talk)) and traditional (paper mail, operator-assisted phone calls) contact methods; offering of customized sales services at Dolce & Gabbana stores worldwide. The legal basis for this data processing is your consent.
c. Subject to your consent, for profiling purposes: profiling and analysis of shopping preferences using data provided by the customer and the data related to the retail business at Dolce & Gabbana stores worldwide (even e-commerce). The legal basis for this data processing is your consent.
B. Data retention period
- The personal data collected for administrative and accounting purposes (paragraph A1, letter a.) shall be stored for the time necessary to perform the contract and/or the provision of legal warranties in accordance with the terms of the retention required by the applicable law.
- The personal data collected for customer loyalty purposes (paragraph A2, letter a.) shall be stored until the customer asks to revoke the registration or the consent to the processing of the personal data.
- The personal data collected for marketing and profiling purposes (paragraph A2, letters b. and/or c.) will be stored until the customer asks to revoke the registration or the consent to the processing of the personal data.
- The personal data related to the details of purchases processed with your consent for customer loyalty purposes and/or profiling and/or marketing purposes will be retained for 7 years by Dolce & Gabbana S.r.l.
On expiry of the retention terms indicated above, or in case Data Controllers become insolvent and cannot continue processing your personal data, data will be automatically erased or made permanently and irreversibly anonymous.
C. Data Provision
Providing the data is necessary to achieve the administrative or accounting purposes as well as for the completion of the purchase. The provision of data for customer loyalty, profiling, and marketing purposes, and thus the retention in the Customer Relationship Management (CRM) system of Dolce & Gabbana S.r.l., is optional. Any failure in providing data or lack of consent shall preclude the pursuit of the purposes of profiling and marketing but will not affect the ability to complete the purchase.
There is a risk of personal data leakage and misuse; however, Dolce & Gabbana S.r.l. has implemented several security measures to protect your personal data processed by means of electronic or automated tools through the CRM system, and keeps logs of access to the CRM system by those entitled to use it, with retention of the data collected for six months.
D. Data processing methods
The data collected will be processed and stored both on paper and with automated tools. In particular, data processed for profiling and marketing purposes will be stored in the CRM system of Dolce & Gabbana S.r.l., whose server is located in Italy.
You acknowledge that your personal data is being transferred abroad and may become accessible to foreign governments under a lawful order made in that country.
E. Recipients of personal data
Data will be processed by:
- employees and associates of the Data Controllers authorized to the collection, use, disclosure or processing of your personal data;
- employees and associates of the subsidiaries belonging to the Dolce & Gabbana Group worldwide, appointed as external data processors, that manage the traditional or online Dolce & Gabbana stores and that may view, edit and update the data entered into the CRM system;
- employees and associates of subsidiaries belonging to the Dolce & Gabbana Group worldwide, if necessary, appointed as external data processors by any other subsidiary belonging to the Dolce & Gabbana Group, for the purpose of collection and allocation of data which occurs locally;
- third parties, whether or not within the EU, acting as data processors, used by the Data Controllers in particular for acquisition services and data entry of personal information, shipping, distribution of promotional material, after sales support, market research, customer satisfaction surveys, management and maintenance of CRM system and other corporate IT systems.
Your data may be disclosed:
- to entities acting as Data Controllers, such as supervisory and control authorities and any public entity entitled to request the data, such as judicial and/or public security authorities;
- to third parties, independent Data Controllers, in particular professionals or legal or tax advice and assistance firms and companies managing payments made by debit or credit card.
A full list of the recipients of personal data can be obtained by writing to the following address: firstname.lastname@example.org or to the postal addresses mentioned in the epigraph of this information notice.
For the categories of personal data that could be transferred to third parties, please refer to section A of the present information notice.
F. Data transfer outside of the European Union or of the country
Your data will be transferred to other countries in accordance with the safeguards set forth by applicable privacy laws.
A full list of the recipients of personal data established outside of the European Union and a copy of the safeguards adopted by the Data Controllers can be obtained by writing to the following address: email@example.com or to the postal addresses mentioned in the epigraph of this information notice.
G. Data subject’s rights under GDPR
According to applicable laws, you can at any time request information on personal data collected, used, disclosed, or processed by the Data Controllers, as well as request access to such personal data, ask for their integration, rectification, or erasure, ask for restriction of processing and object to their processing. Data subjects have the right to obtain additional information upon request, including: (i) the types of personal data being processed; (ii) the decisions taken based on automated processing; (iii) the rules and criteria of the periods for which the personal data will be stored and kept; and (iv) the measures to be taken upon the occurrence of a data breach.
In particular, you have the right to object and withdraw your consent, in whole or in part, to the collection, use, disclosure or processing of your personal data for purposes of profiling or for purposes of dispatch of advertising material, direct selling or for the fulfillment of market surveys, customer satisfaction surveys or commercial communication both automated (e-mail, other systems of distance communication such as, by way of example: SMS, instant messaging platforms (WhatsApp, Line, WeChat, Viber, Kakao Talk)) and traditional (paper mail, operator-assisted phone calls).
If you prefer that the processing of your personal data is carried out solely by means of traditional contact methods, you may object to the processing of your personal data by means of automated contact methods.
Furthermore, you shall have the right to receive the personal data concerning you, which you have provided to the Controllers, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Data Controller without hindrance from the controller to which the personal data have been provided, where: the processing is based on consent or on a contract and the processing is carried out by automated means.
In order to exercise your rights above and/or submit inquiries or complaints with regard to the processing of your personal data and/or withdraw your consent, you may send a request to the Data Controllers by writing to this email address: firstname.lastname@example.org or to the postal addresses and contacts mentioned in the epigraph of this information notice.
In addition, you can lodge a complaint with the competent supervisory authority.
For the exercise of your rights under local USA data protection regulations, please refer to the following paragraphs.
H. Data Protection Officer (DPO)
The Data Protection Officer is available at the email address email@example.com.
I. Citizens of the United States
If you are a citizen of Connecticut, Colorado, Utah or Virginia, the data protection legislation in force in those states will apply.
Connecticut’s privacy legislation, the Connecticut Data Protection Act (“CDPA”), applies from 1st July 2023.
Colorado’s privacy legislation, the Colorado Privacy Act (“CPA”), applies from 1st July 2023.
Utah’s privacy legislation, the Utah Consumer Privacy Act (“UCPA”), applies from 31 December 2023.
Virginia’s new privacy legislation, the Consumer Data Protection Act (“CDPA”), applies from 1st July 2023.
The rights you may exercise under these legislations are as follows:
- The right to access your personal data collected and processed by the Data Controller;
- The right to correct your personal data;
- The right to delete your personal data, including personal data collected by a Data Controller through a third party;
- The right to obtain a copy of your personal data in a portable and easily usable format that allows you to transfer the data to another Data Controller with ease;
- The right to opt out of:
  - the sale of your personal data;
  - the processing of personal data for the purpose of targeted advertising;
  - profiling that may have significant impact.
Targeted advertising means the display of advertisements to a consumer where the advertisement is selected on the basis of personal data obtained or inferred from that consumer’s activities over time and on unaffiliated Internet sites or online applications to predict that consumer’s preferences or interests.
The law defines the sale of personal data as “the exchange of personal data for monetary or other value consideration by the Data Controller to a third party”.
In the state of Utah and the state of Virginia the definition of sale includes the exchange of personal data only for monetary consideration by a Data Controller to a third party.
Citizens of California
If you are a citizen of California, the data protection legislation that will apply is the California Privacy Rights Act (“CPRA”).
The rights you may exercise under this legislation are as follows:
- The right to delete your information (except in limited circumstances where businesses need to keep the information to complete a transaction, ensure security, exercise free speech etc.);
- The right to correct your inaccurate personal data;
- The right to see what personal information businesses have collected about you, where it came from, why the business is selling it, where it is being disclosed;
- The right to know what personal information is being sold or shared, and with whom;
- Third parties may not resell or re-share personal information unless the consumer has received notice and has the right to opt-out.
- The right to opt-out of the sale of your information, also to opt-out of its sharing for advertising. Guardians of children under 13, and consumers from 13 to 16, must opt-in to the sale of their information;
- The right to limit the use and disclosure of your sensitive personal information, including race, religion, sexual orientation, health, precise geolocation, etc. The only exception is when a business delivers a product to a consumer which the consumer him/herself requested, and when the information would be used in a way reasonably expected by an average consumer.
Dolce & Gabbana, as Data Controller, has not shared or sold your personal data in the last 12 months.