Privacy Policy

Data Policy Disclosure on the processing of personal data pursuant to Articles 13 and 14 of EU Regulation 2016/679

TEST-COMPANY pursuant to Regulation (EU) 2016/679 (so-called The General Data Protection Regulation) and Italian Legislative Decree no. 196/2003 (so-called Data Privacy Code) – considers privacy and the protection of personal data as one of its primary business purposes. TEST-COMPANY is responsible for protecting and respecting your privacy. This notices describes what personal data is collected, how it is used and kept safely. 

This Privacy Policy is an integral part of the website www.anna-milan.com and the services it offers. Pursuant to Articles 13 and 14 of the Regulation, it applies to those who interact with the Website services, both during simple consultation and the use of specific services available through the Website (for example, the purchase of products, the compilation of online information request forms or newsletter subscriptions), as well as the use of other services provided through the Website (telephone, email or WhatApp and Online Chat assistance).

1. Data controller and data protection

TEST-COMPANY by email at shop@anna-milan.com

2. Presonal data processed

TEST-COMPANY collects data from you when you visit our Website www.anna-milan.com. The data we collect includes your name, email address, telephone number, shipping/billing address, your date of birth, your favourite items and colors, information regarding your browsing and shopping behaviour.

a) Browsing data

During the normal course of operations, the computer systems and software procedures used to operate this Website acquire certain personal data, the transmission of which is implicit in the use of internet communication protocols. This information is not collected with the intent of associating it with identified users but, by its nature, it could lead to the identification of users through processing and association with data held by third parties. This category of data includes IP addresses or domain names of computers used by users who connect to the Website, URI addresses (Uniform Resource Identifiers) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file received in reply, the numerical code indicating the status of the reply given by the server (successful, error, etc.) and other parameters regarding the user’s operating system and computer environment. This data is used for the one purpose of obtaining anonymous statistical information on the use of the Website to check its efficiency and functionality, to identify errors and/or abuses; in any case, they are deleted immediately after processing. The data may be used to ascertain responsibility in the event of computer crimes against the Website.

b) Data voluntarily provided by the user

c) Data processed to fulfil online services

With the exception of references to specific information that may be available in the various sections of the Website, this Privacy Policy also addresses the processing of data voluntarily provided by you for the purpose of performing the online services, with particular reference to the following:

  • registration and access to your personal area which stores your personal and contact details, enabling processing (according to the data you have saved) of your shipping and billing addresses, your payment preferences and credit card information and your products. Details of any credit cards saved in your personal area will be handled through an external service provider, in compliance with PCI Regulations;
  • conclusion and execution of purchase contracts (including the order status verification service), in the context of which your personal data, contact details and information related to the delivery address of purchased products will be processed as well as any information concerning your shopping experience. The latter includes confirmation of payment through Google Pay, Apple Pay or PayPal. In regard to the latter, please note that, should you choose Google, Apple and PayPal payment methods, as independent data controllers, these entities notify the payment parameters to TEST-COMPANY together with information necessary for the shipment of the order;
  • handling any returns, in the context of which we shall process your personal data, contact details and information regarding the returned products collection address, as well as any information related to your purchase and return experience;
  • the ‘wishlist’ service, through which you can add items to your list of desired items to purchase.

Furthermore and in general, TEST-COMPANY will process any information relating to your purchases (type of product, date of purchase, amount spent as well as, in general, your purchase choices, your preferences and your browsing behaviour on the Website) and, for profiling purposes, data obtained from your Website online activities, with and without personalised consequences, as better specified below. We will also process information deriving from your choices for personalising newsletter content.

d) Third-party data voluntarily provided by the user

Third parties may process personal data you disclose to TEST-COMPANY when you use Website services, (such as information provided for the purchase of products to be sent to third parties; data related to payments concluded referencing the bank details of third parties; billing information; details you may provide when requesting information in the Website’s “Contact Us” section). In such cases, you become the independent data controller, assuming all the applicable legal obligations and responsibilities. To this effect, you fully indemnify us against any dispute, claim, request for compensation for processing-related damages etc. the Data Controller may receive from third parties whose personal data has been processed, through your use of the Website’s services, in violation of the applicable the personal data protection rules. In any event, if you provide or otherwise process personal data of third parties when using the Website, you hereby and henceforth guarantee that such possible data processing scenario shall be based, where necessary, on the prior acquisition – by yourself – of the third parties’ consent to the processing of their information and you accept all related liability.

e) Cookies and other tracking technologies

Information about cookies used on the Website is available here.

3. Purposes of data processing

Your personal data will be processed, with your consent where necessary, for the following purposes, where applicable:

3.1. to enable navigation of the Website, registration in private areas, the deactivation of your account – following your request – for a maximum of 12 months and the provision of all other associated services provided by the Data Controller (such as, by way of example but not limited to, online sales, product returns, the ‘wishlist’ service, the “Contact us” section in relation to your customer care requests, the verification of order status, the saving of the preferred delivery addresses of the goods purchased on the Website etc.). The above includes the management of Website security, as well as contractual, administrative, accounting and after-sales services. Please also note that the Website provides additional assistance services to the Customer, including, in particular, the telephone, WhatsApp and Chat assistance services through which you can submit specific requests and receive assistance from TEST-COMPANY customer service; with reference to telephone assistance, we remind you that, subject to your consent, calls may be recorded to check the quality of service and for internal training purposes.

3.2. to follow up specific requests addressed to the Data Controller, also in relation to after-sales situations, including requests for Customer Service and information sent by completing the relevant contact forms on the Website as well as through the chat and instant messaging services;

3.3. to fulfil any obligations under applicable laws, regulations or EU legislation, or to satisfy requests from authorities;

3.4. to provide for direct sending via post and email of advertising and promotional material in relation to products or services similar to those purchased by you, pursuant to Article 130, paragraph 4 of the Code and the Provision of the Data Privacy Guarantor Authority of 19 June 2008, unless you deny your consent to receive such material, which you can express during registration on the Website or on subsequent occasions;

3.5. to send you announcements and commercial proposals, including newsletters (the contents of which you can customise), through automated tools (SMS, MMS, email, instant messaging and chat) and otherwise (post, telephone). Please note that we collect a single consent declaration for the marketing purposes described here, pursuant to the General Provision of the Data Privacy Guarantor “Guidelines on promotional activities and counteracting spam” of 4 July 2013. If, in any case, you wish to oppose the processing of your data for marketing purposes carried out with the means indicated here, you can do so at any time by contacting the Data Controller at the addresses indicated in the “Contacts” section of this disclosure, without prejudice to the lawfulness of the processing undertaken prior to your opposition;

3.6. to analyse your personal data, your purchasing choices, preferences, Website browsing behaviour to enable us to send you personalised announcements and commercial proposals as well as, in general, for profiling activities;

3.7. or general profiling purposes, without personal implications, by means of generalised analyses (including predictive or strategic orientation) aimed at creating statistical processing and calculation models representative of the entire customer base. This purpose implies the processing of your data on an aggregate basis, in pseudonymised form, as a direct prerequisite and instrumental means for the pursuit of the purposes referenced in sections 3.5 and 3.6 of this disclosure albeit distinct from them;

3.8. to meet any defensive needs;

3.9. for statistical assessment and monitoring purposes. This purpose implies an analysis of aggregate information not referable to identified or identifiable natural persons and which, therefore, does not constitute personal data and does not in any way enable us to trace your identity.

Specific security measures have been implemented to prevent data loss, illicit or incorrect use of data and unauthorised access.

4. Legal basis and obligatory or optional nature of processing

The legal basis for the processing of personal data for the purposes referenced in sections 3.1 and 3.2 is Article 6, par. 1, point b of the Regulation ([…] processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract), since the processing is necessary for the provision of services. With specific reference to the telephone assistance service referenced in section 3.1, please note that the recording of calls to check the quality of the service can be disabled upon your request. The provision of personal data for these purposes is optional, but failure to provide it would make it impossible to activate the requested services themselves.

The purpose referenced in section 3.3 represents a legitimate processing of personal data pursuant to Article 6, par. 1, point c) of the Regulation ([…]processing is necessary for compliance with a legal obligation to which the controller is subject). In fact, once the personal data has been submitted, the processing must comply with the legal obligations incumbent on the Data Controller.

The processing performed for the purposes referenced in sections 3.5 and 3.6 is based on your consent pursuant to Article 6, par. 1, point a ([…] the data subject has given consent to the processing of his or her personal data for one or more specific purposes) and to Article 22, par. 2, point c of the Regulation. This consent can be revoked at any time without prejudice to the lawfulness of the processing carried out prior to the revocation in accordance with the provisions of Article 7 of the Regulation.

Therefore, the provision of your personal data for these purposes is entirely optional and does not affect the use of the services. If you wish to object to the processing of your data for marketing, profiling or communication purposes, you may contact the Data Controller, at any time, using the contact details provided in the “Contact Us” section of this Privacy Policy disclosure or, where available, via the Privacy Settings found within your Personal Area. With reference to the purpose referenced in point 3.4, please note that if the Data Controller uses details provided by the data subject via post or email for the purposes of direct sales of its products or services. In doing so, it may, pursuant to Article 130, paragraph 4 of the Code, refrain from requesting the consent of the data subject, provided that the products or services are similar to those purchased by the data subject who is properly informed and does not refuse such use, initially or on the occasion of subsequent communications.

The processing referenced in section 3.7 is carried out in order to pursue the legitimate interest of the Data Controller pursuant to Article 6, par. 1, point of the Regulation.

It is also specified that the processing referenced in section 3.8 is carried out to meet any defensive needs of the Data Controller pursuant to Article 6.1.f of the Regulation.

It should be noted that the processing referenced in section 3.9, since it does not address personal data, does not fall under the scope of personal data protection regulations and can therefore be freely undertaken by the Data Controller.

5. Recipients of personal data

Your personal data may be shared, for the purposes set out in section 3 of this Privacy Policy disclosure, by:

5.1. persons authorised by the Data Controller to process personal data pursuant to Articles 29 and 2-quaterdecies of the Code (e.g. staff operating in sales, administration and accounting, after-sales assistance, CRM and IT systems management);

5.2. third parties who, in the provision of services (by way of example: technological services, assistance and consultancy services in accounting, administrative, legal, tax and financial matters, technical maintenance, transport services, banking and insurance services), typically act as data processors pursuant to Article 28 of the Regulation. The Data Controller keeps an up-to-date list of the appointed data processors and guarantees that the same may be viewed by the data subject at the aforementioned office or upon request to the addresses indicated above.

5.3. TEST-COMPANY as independent data controllers for administrative-accounting purposes on the basis of legitimate interest pursuant to Article 6.1.f and Recitals 47 and 48 of the Regulation;

5.4. third parties responsible for carrying out the activities referenced in this Privacy Policy Disclosure with which BC has entered into commercial agreements;

5.5. individuals, entities or authorities who require the disclosure of your personal information as mandated by law or by order of the authorities.

These subjects are collectively defined as “Recipients”.

6. Transfers of personal data

Some of your personal data is shared with Recipients who may be situated outside the European Economic Area. The Data Controller ensures that these Recipients process your personal data in compliance with Articles 44–49 of the Regulation. With regard to the transfer of personal data to third countries, the Data Controller declares that the processing will be undertaken according to one of the methods permitted by current legislation, such as the consent of the concerned party, the adoption of Standard Clauses approved by the European Commission, the selection of subjects adhering to international programmes for the free dissemination of data or operating in countries considered as secure by the European Commission based on an adequacy decision. Further information is available by sending a written request to the Data Controller at the addresses indicated in the Contact Us section of this Privacy Policy Disclosure.

7. Retention of personal data

Your personal data will be entered and stored, in accordance with the principles of minimisation and retention limitation pursuant to Article 5.1.c and e of the Regulation, in the information systems of the Data Controller, whose servers are located within the European Economic Area.

The personal data processed for the purposes referenced in sections 3.1 and 3.2 will be retained for the time strictly necessary to achieve those same purposes, i.e. for the time necessary for the execution of the contract, for the provision of legal or conventional guarantees, in accordance with the conservation required by law (see also, in particular, Article 2946 et seq. of the Italian Civil Code).

Personal data processed for the purposes set out in section 3.3 will be retained for the time stipulated by the specific obligation or applicable law.

For the purposes set out in section 3.4, your personal data will be processed until you present an objection to its processing.

Conversely, for the purposes referenced in sections 3.5 and 3.6, your personal data will be retained until the revocation of your consent and, in any case, limited to the purpose referenced in section 3.6 and the activities connected to it, for no more than seven years, starting from their registration, in accordance with the provisions of the provision of the Data Privacy Guarantor Authority for the protection of personal data in acceptance of the preliminary verification request presented by the Data Controller. Likewise, for the purposes referenced in Article 3.7, your data will be retained for no more than seven years from registration. Upon revocation of consent or expiry of the seven-year retention period (if preceding), the data processed for the purposes referenced above will be permanently deleted or anonymised.

In general and in any case, the Data Controller reserves the right to retain your data for the time necessary to fulfil any regulatory obligation to which it is subject or to meet any defensive needs. In any case, the Data Controller may retain your personal data for the time provided and allowed for by Italian law to protect their interests (Article 2947 of the Italian Civil Code).

It should be noted that, if your account is deactivated, your personal data will continue to be processed by BC in compliance with the criteria and principles highlighted above for the entire period coinciding with this deactivation (equal to 12 months). It should also be noted that, compatibly with the aforementioned criteria and principles, BC will retain such data also after the expiry of this term and in the event of total removal of your account. Therefore, please note that the expiry of the aforementioned term and the total removal of your account will not necessarily involve the deletion of your personal data or the revocation of the privacy consents legitimately provided by you. For more information regarding requests for data cancellation and withdrawal of consent, please refer to point 8 “Rights of data subjects” of this Data Privacy Disclosure.

Further information regarding the data retention period and the criteria used to determine this period may be requested via a written request sent to the Data Controller at the addresses indicated in the “Contact Us” section of this Privacy Policy.

8. Rights of data subjects

As a Data Subject, you can exercise the rights referenced in Articles 15–22 GDPR and revoke the consent given at any time without prejudice to the lawfulness of the processing undertaken before the revocation.

In particular, you may request access to your Personal Data pursuant to Article 15 GDPR, its rectification pursuant to Article 16 GDPR, cancellation of the same pursuant to Article 17 GDPR, restriction of processing in the cases envisaged by Article 18 of the GDPR as well as to obtain the portability of data related to you in the cases envisaged by Article 20 of the GDPR.

You may submit a request for opposition to the processing of your Personal Data pursuant to Article 21 of the GDPR, in which you may evidence the reasons justifying the opposition: the Data Controller reserves the right to assess your request, which may not be accepted if there are legitimate compelling reasons to proceed with the processing that prevail over your interests, rights and freedoms.

Requests should be sent in writing to the Data Controller at the addresses indicated in the “Contact Us” section of this Privacy Policy Disclosure.

9. Complaint the data privacy guarantor authority

If you believe that the processing of your personal data by the Data Controller is undertaken in violation of the provisions of the Regulations, you have the right to lodge a complaint with the Data Privacy Guarantor Authority, as envisaged by Article 77 of said Regulation, or to seek redress through the appropriate legal channels (Article 79 of the GDPR).

10. Amendments

TEST-COMPANY reserves the right to modify or simply update its content, wholly or partially, also as a result of variations in the applicable legislation. Therefore, the Data Controller invites you to regularly visit this section to keep up-to-date with the most recent and updated version of the Privacy Policy in order to always be informed on the data collected and how we use it.

11. Contact us

To exercise the above rights or for any other requests, please write to the Data Controller at the physical address indicated above, or via the dedicated contact details, preferably writing “request for the exercise of privacy rights” in the subject field.