PRIVACY INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA

PURSUANT TO REGULATION (EU) 2016/679 (“GDPR”)

Website www.rizoma.com

1. CONTROLLER

Rizoma S.r.l. (hereinafter “Rizoma” or the “Controller”)

Registered office: via Quarto 30/32/34, Ferno (VA)

Tax Code and VAT no. 02595720125

E-mail address: privacy@rizoma.com

Website: www.rizoma.com (the “Website”)

2. PERSONAL DATA PROCESSED

• Personal identification details (name, surname, home address);

• Contact details (e-mail address, telephone number);

• Details of Website purchases;

• Details of “wish list” products;

• Invoicing data and details of credit/debit cards used to make purchases;

• Browsing data

(together also referred to as the “Data”).

3. COLLECTION OF PERSONAL DATA

Browsing data

The IT systems and software procedures dedicated to the functioning of this Website collect certain personal data as part of their normal operations, including: the IP addresses or domain names of the computers used to visit the Rizoma Website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server (success, error etc.), and other parameters relating to the operating system and IT environment of the user.

This data is collected using the cookies and metadata described in the cookie policy posted on the Rizoma Website, to which reference is made. Processed solely to obtain anonymous statistical information about use of the Website and to check that it is functioning properly, this data is deleted immediately after the related processing has been completed.

The data may be used to establish responsibility, in the event of hypothetical cyber crimes against the Website.

4. PURPOSES AND LAWFULNESS OF PROCESSING

Some of the Data listed above is requested in certain sections of the Website that relate to specific services. This data will be processed by the Controller for the purposes and on the lawful basis indicated below.

• To execute pre-contractual activities and/or a contract to which you are party:

• in order to register a User Account with the Website www.rizoma.com;

• for the technical administration and management of the Website;

• to enable the purchase of Rizoma products;

• to provide services reserved for the holders of a User Account registered with the Website, such as select products for inclusion in the wish list, display previous purchases, access customer support via the “live chat” channel on the Website etc.;

• to receive contact and information requests and reply to them properly;

• to manage the shipment and delivery of ordered products.

• Based on the legitimate interests of the Controller (“soft spam” pursuant to art. 130, para. 4, of Decree 196/2003, as updated by Decree 101/2018 - Code for the protection of personal data), to promote by e-mail services similar to those sold, without prejudice to the right of the User to object at any time.

In addition, following prior consent from you, which is optional and may be revoked at any time, the personal data collected may be processed for other purposes including, in particular:

• Marketing: to send you information, electronically or otherwise, about initiatives and commercial offers and/or questionnaires and market research of interest to the Controller, using electronic channels (e.g. e-mail);

• Profiling: to analyse your preferences, habits, behaviour and interests as identified, for example, from your on-line clicks on products/sections of the Website, in order to send you customised commercial communications or carry out targeted promotions.

In all cases, your personal data may be processed - when necessary - for the following purposes:

• To comply with legal obligations and, in particular, those deriving from the applicable domestic and supranational rules and regulations (administrative/tax compliance etc.);

• Based on a legitimate interest (legal protection), to establish, exercise or defend the rights of the Controller, whether in and/or out of court.

5. RETENTION PERIOD

• For the entire contractual period and, following termination, for a period of 10 years until the normal time expiry deadline, the data will retained for lawful processing in execution of any pre-contractual activities and/or contracts to which the data subject is a party;

• The data will also be retained until you exercise your opt-out rights regarding the promotion by e-mail of services similar to those sold, based on the legitimate interests of the Controller (soft spam);

• Data collected and processed with consent from the data subject for marketing and profiling purposes will be retained for a period of 24 months and 12 months, respectively, from the collection date;

• Data will be retained for the period envisaged by law (10 years for administrative-accounting compliance purposes), for the processing required by current legislation;

• Data will also be retained for the entire duration of court proceedings, until the final deadline for all challenges has passed, in order to carry out processing to protect the rights of the Controller, based on its legitimate interests.

Once the above retention periods have elapsed, the personal data concerned will be erased, deleted or anonymised, depending on the technical erasure and back-up procedures implemented and the accountability requirements placed on the Controller.

6. MANDATORY PROVISION OF DATA

The provision of data processed for the purpose of executing pre-contractual activities and/or a contract and to satisfy legal requirements is necessary in order to finalise contractual relations, execute the orders and services requested and meet legal requirements.

Accordingly, any refusal by the data subject will make it impossible for the Controller to provide the requested service.

The provision of data for optional processing, such as for marketing and profiling purposes, is entirely optional and the data subject may exercise the related opt-out rights at any time.

With regard to browsing data, see the cookie policy available at the link contained in the sidebar at the foot of the page.

7. RECIPIENTS OF THE DATA

Employees of the business functions responsible for pursuing the purposes indicated above, expressly authorised to carry out processing, may become aware of and process the Data as they have received adequate operating instructions.

In addition, the Data may be processed by external parties operating as independent controllers, such as supervisory and control bodies, public authorities that expressly request the data for administrative or institutional purposes and, in general, all parties entitled to request the data pursuant to current domestic and European regulations.

The data may also be processed, on behalf of the Company by external parties operating as processors (pursuant to art. 28 GDPR). These parties may include, for example:

• companies that administer and/or maintain the Website;

• companies that administer the e-commerce platform;

• companies that provide market research support;

• companies that provide e-mail delivery services and distribute promotional materials;

• companies that provide customer relationship management (CRM) services;

• companies that provide IT system and telecom network management services, including e-mail services;

• companies that provide document and/or product delivery services (post offices, shipping agents, couriers etc.);

• banks and/or payment institutions that manage collections and payments deriving from the execution of contracts.

The full list of processors is available on sending a request to the Controller at the addresses indicated in section 9 below.

8. TRANSFER OF PERSONAL DATA TO NON-EU COUNTRIES

Your personal data will not be transferred outside of the European Union.

Should that occur with regard to the data collected using cookies, the Controller will - to the extent of its responsibilities - obtain appropriate guarantees, including by reference to adequacy decisions and application of the Standard Contractual Clauses adopted by the European Union.

9. RIGHTS OF DATA SUBJECTS

The rights associated with the personal data processed by Rizoma S.r.l. are governed by art. 15 et seq. of Regulation (EU) 2016/679:

• Right to rectification. You can obtain the rectification of personal data relating to you or provided to us by you. Rizoma makes reasonable efforts to ensure that the personal data held is precise, complete, updated and relevant, based on the most recent information available;

• Right to restriction. You can obtain restriction of the processing of your personal data if:

• you contest the precision of your personal data, during the period needed by Rizoma to check its accuracy;

• processing is unlawful and you request the restriction of processing, rather than the erasure of your personal data;

• Rizoma has no further need to retain your personal data, but you need it in order to establish, exercise or defend your rights in court proceedings, or

• you object to processing, during the period needed by Rizoma to check if its legitimate interests prevail over yours.

• Right of access. You can ask Rizoma for information about the personal data held that relates to you, including information about which categories of personal data Rizoma holds or controls, for what purpose it is used, where it was collected (if not directly from you) and to whom it may have been communicated;

• Right to data portability. Following your request, Rizoma will transfer your personal data to another controller, if technically feasible, on condition that processing is based on your consent or is necessary for the execution of a contract.

• Right to erasure. You can obtain the erasure of your personal data by Rizoma:

  • if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed,

  • you are entitled to object to any further processing of your personal data and exercise this right of objection;

  • if the personal data has been processed unlawfully,

unless processing is necessary pursuant to legal or legislative requirements, or to establish, exercise or defend a right in court proceedings.

• Right to object. You can object at any time to the processing of your personal data, on condition that it not based on your consent, but rather on the legitimate interests of Rizoma or third parties. In that case, Rizoma will no longer process your personal data, unless it is possible to show you compelling legitimate grounds for, or an overriding interest in that processing, or in establishing, exercising or defending a right in court proceedings. Should you object to processing, it will be appropriate and useful to specify if you intend to erase your personal data or just restrict its processing.

• Right to lodge a complaint. In the event of an alleged infringement of current privacy laws, you can file a complaint with the competent authority in your country or the place where the alleged infringement took place.

Data subjects can exercise the rights listed and described above:

• by contacting the Privacy Office of the Company by post, at the following address: via Quarto 30/32/34, Ferno (VA)

• by e-mail, at the following address: privacy@rizoma.com

If processing is based on consent or a contract and is carried out using electronic equipment, data subjects are also entitled to receive their data in a structured, commonly used and machine-readable format and, if technically feasible, to transmit it to another controller without hindrance.

Data subjects have the right to lodge a complaint with the competent supervisory authority in the Member State of their habitual residence, place of work or place of the alleged infringement.

8. Amendments to this privacy information

Any future amendments or additions to the processing of personal data described in this privacy information will be notified via the communication channels normally used by Rizoma (e.g. via the website).