Policy regarding the processing of personal data
(pursuant to article 13 of EU Regulation 2016/679 “GDPR”)
As the Controller for the processing of personal data within the meaning of EU Regulation 2016/679 “General Data Protection Regulation”, Ober Alp SPA hereby informs on the following provisions regarding the protection of persons and other subjects as to the processing of their personal data. The processing of personal data is subject to the principles of correctness, lawfulness, transparency as well as the protection of confidentiality and of the rights of the data subject. Personal data may only be collected, processed and used in accordance with the provisions of the aforementioned regulation and the confidentiality obligations contained therein.
1. Data Controller
The Data Controller for the processing of personal data is Ober Alp SPA with offices at Via Waltraud Gebert Deeg n.4, 39100 Bolzano (BZ), tel. +39 0471.242.900, e-mail: firstname.lastname@example.org.
2. Data Protection Officer
The Data Controller has nominated a data protection officer (“DPO”), who can be contacted via e-mail: [email protected].
3. Data subjects
Data subjects are (a) the users of the website and (b) those persons who provide their personal data in the following manner:
• by registering on the websites of the Controller (for example, of the brands Salewa, Dynafit, Wildcountry, LaMunt, Evolv);
• by registering for and using different services;
• by purchasing goods through e-commerce;
• by contacting (via telephone, fax, e-mail, etc.) the Costumer Care department;
• by subscribing to the brands newsletters of the Controller;
• by registering for the periodically organized events by the Controller;
• by participating in online and offline competitions;
• by participating in partnership operations with third-party firms and
• by registering at and using the climbing hall “Salewa Cube”.
4. Purpose, legal basis of the processing and storage times of personal data
The personal data provided might be processed for the following purposes:
- For the users of this website : for the functioning of the website itself.
The computer systems and programs used for the functioning of the website collect some personal data whose transmission is implicit in the use of internet communication protocols (e.g. IP addresses or domain name of computers used by users who connect to the website, URI addresses – Uniform Resource Identifier – of the requested resources, time of the request, method used to submit the request to the server, size of the file obtained in response, numerical code about the status of the response made by the server – successful, error, etc. – and other parameters relating to the operating system and computer environment of the user). Although this information is not collected to be associated with identified data subjects, by its nature it could, through processing and association with data held by third parties, allow users to be identified.
This data is used for the sole purpose of obtaining statistical information on the use of the website not associated with any user identification data, to check the correct functioning of the website and is deleted immediately after processing.
The data may be used to establish liability in the event of computer crimes against the website.
The legal basis for the processing is therefore the legitimate interest of the Data Controller in the functioning and safety of the website and the protection of the related rights and the fulfilment of regulatory provisions.
- For those users providing data according to point (b) of the previous point:
a) Use of the services offered and fulfilment of the purchase contracts:
The personal data of the data subjects are processed in order to enable them to use the services and to fulfil and carry out the sales contracts. In particular, the data will be processed for the following purposes:
• customer management;
• execution and fulfilment of the sales contract and/or the providing of services;
• after-sale assistance;
• settlement of complaints/disputes with the data subject;
• customer billing history;
• measurement of customer satisfaction;
• compliance with legal requirements concerning tax and accounting.
The processing of personal data in connection with the purposes mentioned in letter a) is not mandatory. If the data subject does not provide its personal data, the Data Controller may not be able to conduct the above-mentioned purposes and can therefore not guarantee the performance of the service and/or the conclusion or the performance of the contract. The personal data that must be disclosed in order to use the services or to establish the business relationship are labeled with an asterisk.
The legal basis of the processing for these purposes is that it is necessary for the performance of the contract to which the data subject is a party or of the pre-contractual measures adopted at the request of the latter; for the fulfilment of a legal obligation to which the Controller is subject.
The protection of rights, instead, is based on the legitimate interest of the Controller. The legitimate interest of the Controller – in this case the performance of its business activity – also includes those data processing activities (inclusion in the management software or in the address book, analysis of turnover, controls on the quality of service, etc.) which, although not considered an obligation, are closely related to the performance of the contractual relationship.
The data will be stored for the entire duration of the contractual relationship, and, after the termination of the relationship – limited to the data necessary at that point – for the fulfillment of the contractual obligations assumed and of any legal obligations, and for protection purposes which might be related or resulting from it; therefore, in general, personal data will not be stored more than 10 years after the conclusion of the contractual relationship.
b) Market studies and statistical purposes:
For these purposes, the data are processed exclusively in anonymous form, meaning that an identification of the data subject is no longer possible.
c) Direct marketing purposes:
The personal data may also be used for the following marketing activities:
• sending newsletters of the brands owned by the Data Controller and informative newsletters;
• sending periodic commercial communications regarding products and services offered by the Data Controller;
• promotional activities also related to the transmission of advertising and promotional material.
The handover of data for the purposes mentioned under letter c) is not mandatory and the possible refusal by the data subject to consent to the processing for this purpose will have no negative impact on the business relationship with the Data Controller. The legal basis for such processing is the consent of the data subject, which may be withdrawn at any time.
For the purposes of direct marketing, the personal data of the data subject are stored until the previously given consent is revoked and, in any case, not longer than 48 months from the consent.
d) Video surveilling:
Where specifically indicated, the respective areas are subject to video surveillance. The purposes are the protection of company property and the reconstruction of claims involving data subjects. The legal basis for processing those personal data is the legitimate interest of the Data Controller. Images are stored for 24 hours, unless otherwise indicated in the relevant area.
5. Processing methods
The personal data may be processed in the following ways:
• processing of data through completion of factsheets, coupons and questionnaires;
• processing by computer and/or automated means;
• manual processing through paper-based archives;
• processing of data collected by third parties;
• transfer to third parties for processing operations.
With reference to marketing purposes, it is specifically pointed out that personal data may also be processed by means of:
- electronic communications via e-mail, instant messages or other means of messaging;
- the use of the telephone with operator and mail.
It is also specified that the withdrawal of consent or the refusal of the processing (see point 7 below) carried out through automatic means of contact (electronic communications made by e-mail, instant messages or other types of messaging) will be understood as extending to the traditional ones (mail, call with operator), but it is still possible to exercise this right only in part, refusing, for example, only the sending of promotional communications through automated systems.
The data will always be processed in accordance with the principles set out in art. 32 GDPR.
The personal data provided will be kept at the headquarter of the Data Controller and will only be passed on to persons who are in a position to provide the necessary services for the correct handling of the business relationship with the data subject and the fulfilment of the contract, always under guarantee of the protection of the rights of the data subject.
The personal data provided will be processed only by personnel expressly authorized by the Data Controller and specifically by the following categories of processors:
• Group Administration and Central Services;
• Group IT;
• Group Brand & Marketing;
• Group Business Development;
• Group Logistics;
• Group Retail BU;
• Group Distribution BU;
• Salewa Cube personnel.
Within the scope of its activity and for the purposes previously mentioned, the Data Controller may use the services of third parties who act either as autonomous data controllers or as data processors on behalf and under the direction of the Data Controller itself. Personal data may be transferred only for this reason to such third parties, and specifically to:
• forwarding agents, carriers, delivery services, mailing providers, logistics firms;
• consultants and professionals, also in an associated form;
• banks and credit institutions;
• providers of IT services;
• commercial partners.
The personal data may be transferred and disclosed to public bodies such as financial administration, police, or judicial authorities, only to the extent required by law. The personal data transferred will not be disclosed.
In principle, personal data will not be transferred outside the territory of the European Union. Should a transfer outside the European Union be necessary, the Data Controller guarantees the protection of the data subject’s personal data by entering into appropriate contracts.
7. Rights of the data subject
The data subject has the right to obtain access, communication, rectification, integration, updating, cancellation and portability of personal data concerning him/her from the Data Controller, as well as the general right to exercise all the rights provided for in chapter III of the GDPR, as indicated below:
a. access to personal data: the right to obtain information free of charge about the personal data held by the Data Controller and the processing of said personal data, as well as to obtain a copy in an accessible format;
b. rectification of data: the Data Controller will correct or supplement incorrect or inaccurate data, including data which has become incorrect or inaccurate due to a non-carried out update, on the basis of a notice received by the data subject in this regard;
c. withdrawal of consent: if the processing is carried out on the basis of a consent previously given by the data subject, the latter may withdraw consent at any time, without affecting the lawfulness of the processing carried out before the withdrawal;
d. deletion of data (“right to be forgotten”): the data subject may request, for example, to delete the data when those data are no longer necessary for the purposes for which they were collected or processed or when they have been processed unlawfully, when they have to be deleted in order to fulfil a legal obligation, when the data subject has withdrawn consent and there is no other legal basis for the processing, or when the data subject objects to the processing;
e. restriction of processing: the data subject may request this in certain cases: where the accuracy of the data is contested, within the time necessary for verification; where the lawfulness of processing is contested with an opposition to its deletion; where there is a need to use the data for the data subject’s rights of defense, while they are no longer useful for the purposes of processing; if there is an opposition to processing, during the time the necessary verifications are carried out. The data will be stored in such a way to allow them to be restored, but, in the meantime, they are not available for consultation by the Data Controller except for the sole purpose to verify the validity of the data subject’s request or its objections;
f. objecting in whole or in part, for reasons related to the particular situation of the data subject, to the processing based on legitimate interest (and in certain circumstances the data subject may nevertheless object to the processing of his/her personal data: if personal data are processed for purposes of direct marketing, the data subject has the right to object at any time to the processing, including profiling to the extent that it is related to such direct marketing. It is however noted that in the specific case the newsletter is sent on the basis of the consent given by the data subject and therefore the simple withdrawal of consent by the data subject is sufficient to stop the processing);
g. data portability: if the processing is based on consent or on a contract and is carried out by automated means, upon request of the data subject, the latter will receive in a structured format, commonly used and machine-readable, the personal data concerning him/her and may transmit them to another data controller, without hindrance by the Data Controller to whom he provided them and, if technically feasible, may obtain that such transmission is made directly by the latter.
The data subject has also the right to lodge a complaint with the Data Protection Authority in case he/she believes that the processing that concerns him/her violates the regulations on the protection of personal data; the Authority can be contacted through the contact details indicated on the Authority’s website “www.garanteprivacy.it”. In any case, we would like beforehand to have the opportunity to address any concerns of the data subject, who may contact the e-mail address [email protected] for any clarification regarding the processing of personal data concerning him/her and for the exercise of his/her rights, including the withdrawal of consent.
The Data Controller reserves the right to update this policy regarding the processing of personal data at any time for organizational reasons or in order to comply with new legal regulations. It is therefore recommended to visit this page regularly and to check the date of the last change indicated at the end of the page.
The last update of this policy was made on the 01/06/2023.