Norr S.r.l., the company that manages the portal http://www.norrgatan.com (hereinafter also referred to as the "Website"), has for years considered the protection of the personal data of its users or potential users to be of fundamental importance, ensuring that the processing of personal data, whatever the means used, whether automated or manual, is carried out in full compliance with the protections and rights acknowledged by the EU Regulation 2016/679 (hereinafter also referred to as the "GDPR"- EU General Data Protection Regulation [GDPR]), regarding the protection of natural persons with respect to the processing of their personal data as well as the free circulation of such data and in compliance with any further applicable laws on the subject of personal data protection.
With the term "personal data" reference is made to the definition contained in art. 4, point 1), of the GDPR and that is “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (hereinafter also referred to as "Personal Data").
The GDPR provides that, before proceeding with the processing of Personal Data, meaning, by this definition, according to art. 4, point 2) of the GDPR “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction" (hereinafter also referred to as the "Processing") the person to whom the Personal Data belongs (hereinafter also referred to as the "Interested party") must be informed as to the reasons for which this information is requested and how it will be used.
The purpose of this document is therefore to provide you, in a simple and intuitive way, with all the useful and necessary information so that you may confer your Personal Data in a conscious and informed way and, if necessary, request and obtain clarifications and /or rectifications regarding the same.
1. Who will process your Personal Data?
The company that will process your Personal Data for the purposes indicated in the clauses No. 2 and 3 below and that will therefore play the role of Controller of the Processing, is Norr S.r.l., with registered office in (20900) Monza, Via Aliprandi, 19 (hereinafter also referred to as the "Controller").
2. For what main purposes will your personal Data be processed?
The Controller requires to collect some of your Personal Data, as requested in the forms that are available on the Internet Site in order to allow:
a) your registration on the Website, if the possibility to register is provided, the execution of your purchase order online and the fulfilment of all the management and operating activities connected with the same, as well as the forwarding any requests of information by using the contact forms,
b) the fulfilment of any legal requirements, and in particular the ones related to accounting and taxes.
The Processing of your Personal Data will be conducted by the Controller to consent it to respond and meet any of your requests and to allow you to access your profile, to send requests of information, to provide a follow up to your online order and to carry out all the order management activities, as well as to allow you each time to take advantage of all the other services offered by the Website on which you are registered and/or browsing; The processing of your Personal Data will be juridically based on the contractual relationship established between you and the Controller following your acceptance of the conditions that are present on the Website.
In order to allow the Controller to carry out the Processing activities for the purposes stated above it will be necessary to provide the Personal Data marked with the symbol (*). The lack of even only one of the marked data, will prevent the processing of your Personal Data and consequently you will not be allowed to complete your purchase order online or your registration on the Internet Site and/or to take advantage of the services provided by the same requiring the provision of Personal Data.
The Personal Data that you will be requested to provide in order to attain the above stated purposes will be the ones indicated in the registration and/or contact forms and/or in the forms indicated when purchasing online and that is, by way of example and by no way of limitation: name, surname, username, date of birth, address of domicile/residence, email address, landline and/or mobile telephone numbers, gender.
3. Additional purposes
Subject to your free and unequivocal consent expressed according to art. 6, paragraph 1, point a), of the GDPR, the Controller may use your Personal Data for the following additional purposes:
c) Direct marketing purposes: this term means the intention of the Controller to carry out promotional and/or marketing activities with you. Falling under this category are all the activities carried out to verify the customers' level of satisfaction or to promote products (also by sending newsletters), services, sold and/or provided by the Controller based on its legitimate interest to achieve its corporate purpose.
d) Indirect marketing purposes: this term means the intention of the Controller to carry out promotional and/or marketing activities towards you on behalf of third parties. Falling under this category are all the activities carried out to promote products, services, sold and/or provided by third parties with whom the Controller has juridical relationships without there being in this case any data communication.
e) Profiling purposes: this term means the intention of the Controller to draw up your profile, that is to evaluate your tastes, preferences and consumer habits also related to market surveys and statistical type analyses. Falling under this category is any kind of Personal Data automated processing evaluating certain personal aspects such as , by way of example and by no way of limitation, personal preferences, interests, reliability, behaviour, location or movements.
The processing of your Personal Data for the purposes referred to in points c), d) and e) is optional and it cannot be done without obtaining your consent which will have to observe the conditions laid down in art. 7 of the GDPR, thus determining in this manner the lawfulness of the Processing of your Personal Data.
Regarding the direct marketing purpose referred to in point c), it is important to specify that, by virtue of art. 6, paragraph 1, point f) of the GDPR, the Controller may carry out this activity basing itself on its legitimate interest, regardless of your consent as better made clear in the Recital 47 of the EU Reg. 679/2016 where it is specified that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest".
The contact methods for the purpose of direct and indirect marketing and of profiling as referred to in the above points c), d) and e), can be both the automated (emails, sms, faxes, phone calls without operators), and traditional (phone calls with operators, letters sent). In any case, and as better specified below in clause No. 6, it will be possible for you to revoke your consent, also partially, for instance by giving your consent only to the traditional contact methods.
Regarding the contact methods which include the use of your telephone contacts, we remind you that the direct marketing activities by the Controller will be carried out after having checked that you are not registered in the "Do Not Call" Registry as established pursuant to and in accordance with the D.P.R. (Presidential Decree) No. 178 dated 7th September 2010 and subsequent amendments.
4. To which subjects can your Personal Data be disclosed?
Your Personal Data can be disclosed to specific subjects considered the recipients of your Personal Data. On this matter, we point out, in fact, that art. 4 point 9), of the GDPR, defines as the recipient of a Personal Data "the natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not" (hereinafter also referred to as the "Recipients").
In this perspective, in order to carry out correctly all the Processing activities that are necessary to achieve the purposes contained in this information notice, the following Recipients may find themselves in the condition of processing your Personal Data:
• third parties that carry out part of the Processing activities and/or activities that are connected with or necessary for the services provided by the Controller through the Website;
• single individuals, employees and/or collaborators of the Controller, entrusted with specific and/or several Processing activities of your Personal Data: these individuals have received specific instructions on the subject of security and the correct use of the Personal Data (hereinafter also referred to as "Authorized Persons");
• when requested by the law or to prevent or repress the commission of a criminal offence, your Personal Data may be disclosed to public entities or to the judicial authority.
5. For how long will your Personal Data be processed?
Your Personal Data will be processed by the Controller for a period not exceeding the purposes for which they were collected and subsequently processed.
In any case, you can notify us at any time, using one of the methods provided for in this information notice, of your intention to revoke the consent to one or all the purposes for which it was requested from you. Any revocation of consent will, de facto, require the Controller to cease the processing activity of your Personal Data for those purposes.
6. Is it possible to revoke the consent given and how can it be done?
As provided for by the GDPR, if you have given your consent to the processing of your Personal Data for one or more purposes as requested from you, you can, at any time, revoke it totally and/or partially without affecting the legality of the Processing based on the consent given before its revocation.
The methods of revoking the consent are very simple and intuitive, simply contact the Controller using the contact channels reported in clause No. 7 of this information notice.
7. What are your rights?
As provided for in art. 15 of the GDPR, you shall have the right to access your Personal Data, to request their rectification and update, when incomplete or wrong, to request their cancellation if these have been collected in violation of a law or of a regulation, and to object to the Processing for legitimate and specific reasons.
In particular, we report hereunder all the rights you can exercise, at any time, with respect to the Controller:
• Right of access: in accordance with art. 15, paragraph 1 of the GDPR, you shall have the right to obtain from the Controller confirmation as to whether or not Personal Data concerning you are being processed and, where that is the case, access to the Personal Data and to the following information: a) the purposes of the processing; b) the categories of Personal Data concerned; c) the recipients or categories of recipient to whom your Personal Data have been or will be disclosed, in particular recipients in third countries or international organizations; d) where possible, the envisaged period for which the Personal Data will be stored or, if not possible, the criteria used to determine that period; e) the existence of the right of the Interested Party to request from the Controller the rectification or erasure of Personal Data or the restriction of the Processing of the Personal Data concerning him/her or to object to such Processing; f) the right to lodge a complaint with a supervisory authority; g) where the Personal Data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making process, including profiling, referred to in art. 22, paragraphs 1 and 4 of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the data subject. You can find all this information in this disclosure notice which will always be available to you in the Privacy section of the Website.
• Right to rectification: in accordance with art. 16 of the GDPR, you shall have the right to obtain the rectification of your Personal Data that turn out to be inaccurate. Moreover, taking into account the purposes of the Processing, you shall have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
• Right to erasure: in accordance with art. 17, paragraph 1 of the GDPR, you shall have the right to obtain the erasure of your Personal Data without undue delay and the Controller shall have the obligation to erase your Personal Data, where even only one of the following grounds applies: a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) you have withdrawn the consent on which the Processing of your Personal Data is based and where there is no other legal ground for their Processing; c) you have objected to the Processing pursuant to art. 21, paragraphs 1 or 2 of the GDPR and there are no overriding legitimate reasons for the Processing of your Personal Data; d) your Personal Data have been unlawfully processed; e) it is necessary for your Personal Data to be erased to comply with a legal obligation provided for by a Community law or by a national law. In some cases, as provided for in art. 17, paragraph 3 of the GDPR, the Controller is legitimated not to erase your Personal Data when their Processing is necessary, for example, to exercise the right of freedom of expression and information, to comply with a legal obligation, for reasons of public interest, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, for the establishment, exercise or defense of legal claims.
• Right to restriction of processing: in accordance with art. 18 of the GDPR you shall have the right to obtain the restriction of the Processing where one of the following cases applies: a) you have contested the accuracy of your Personal Data (the restriction will last for the period that will enable the Controller to verify the accuracy of the Personal Data); b) the Processing is unlawful but you have opposed the erasure of your Personal Data and requested the restriction of their use instead; c) although the Controller no longer needs them for processing purposes, your Personal Data are required for the establishment, exercise or defence of legal claims; d) you have objected to the Processing pursuant to art. 21, paragraph 1 of the GDPR pending the verification as to whether the legitimate grounds of the Controller override yours. In case of a restriction of the Processing, with the exception of storage, your Personal Data shall be processed only with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person, or for reasons of important public interest. In any case, we shall inform you before such restriction is revoked.
• Right to data portability: in accordance with art. 20, paragraph 1 of the GDPR you shall have the right to request and receive, at any time, all your Personal Data processed by the Controller in a structured, commonly used and machine-readable format or to request them to be transmitted without hindrance to another Controller. In this case, you will provide us with the exact details of the new Controller to whom you intend to transfer your Personal Data giving us a written authorization.
• Right to object: in accordance with art. 21, paragraph 2 of the GDPR and as confirmed by the recital 70, you shall have the right to object at any time to the processing of your Personal Data where these are processed for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.
• Right to lodge a complaint with the supervisory authority: without prejudice to your right to any other administrative or judicial remedy, if you consider that the processing of your Personal Data carried out by the Controller infringes the GDPR and/or the applicable legislation, you may lodge a complaint with the competent supervisory authority for the protection of Personal Data.
To exercise all your rights as identified above, simply contact the Controller according to the following methods:
• by registered/return receipt letter sent to Norr S.r.l. - Att. Person in charge of Data Processing, in (20900) Monza, Via Aliprandi, 19
• by sending an e-mail to the following e-mail address hello@norrgatan.com
8. Where will your Personal Data be processed?
Your Personal Data will be processed by the Controller inside the territory of the European Union.
Should it be necessary for technical or operational reasons to have recourse to subjects located outside the European Union, you are hereby informed that these subjects will be appointed Processors pursuant to and in accordance with art. 28 of the GDPR and that the transfer of your Personal Data to these subjects, to the extent required to carry out specific Processing activities, will be regulated in accordance with chapter V of the GDPR and, in particular, there will be taken all the necessary precautions to ensure the full protection of your Personal Data by basing the transfer:
a) on the decisions regarding the adequacy of the third country recipient expressed by the European Commission;
b) on appropriate safeguards expressed by the third country recipient pursuant to art. 46 of the GDPR;