Information on the Processing of Personal Data Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679

Chelsea Turowsky, as the Data Controller (hereinafter: “Chelsea” or “Data Controller”) pursuant to Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter “Regulation”) and Legislative Decree no. 196/2003 (Personal Data Protection Code, hereinafter “Code”), considers privacy and the protection of personal data as one of the main objectives of its activities. We therefore invite you, before communicating any personal data to the Data Controller, to carefully read this Privacy Policy as it contains important information on the protection of your personal data.

This Privacy Policy:

is intended for the website https://velella.studio (hereinafter: “Website”);

constitutes an integral part of the Website and the services we offer;

is provided, pursuant to Articles 13 and 14 of the Regulation, to those who interact with the web services of the Website, both through simple consultation and through the use of specific services made available through the Website (e.g., product purchases, filling out online forms for information requests or newsletter subscriptions), as well as with other services provided through the Website (telephone assistance and assistance via WhatsApp and Live Chat).

The processing of your personal data will be based on principles of correctness, lawfulness, transparency, limitation of purposes and storage, data minimization, accuracy, integrity, confidentiality, and accountability as per Article 5 of the Regulation.

Therefore, your personal data will be processed in accordance with the laws on personal data protection and confidentiality obligations.

By “processing of personal data,” we mean any operation or set of operations performed with or without automated means applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

INDEX

Below is the index of this Privacy Policy so that you can easily find the information related to the processing of your personal data that interests you.

DATA CONTROLLER AND DATA PROTECTION OFFICER

PERSONAL DATA SUBJECT TO PROCESSING

Browsing data

Data voluntarily provided by the user

Data processed due to online services provided

Third-party data voluntarily provided by the user

Special categories of data

Cookies

PURPOSES OF THE PROCESSING

LEGAL BASIS AND MANDATORY OR OPTIONAL NATURE OF THE PROCESSING

RECIPIENTS OF PERSONAL DATA

TRANSFER OF PERSONAL DATA

STORAGE OF PERSONAL DATA

DATA SUBJECT’S RIGHTS

COMPLAINT TO THE SUPERVISORY AUTHORITY

CHANGES

CONTACTS

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is Chelsea Turowsky, Sonnenallee 94, 12045 Berlin, Steuer-Nr./USt-Id-Nr. 16/565/03872.

The Data Protection Officer of Chelsea can be contacted at the Data Controller’s office at the above address and via email at: bookings@velella.studio.

2. PERSONAL DATA SUBJECT TO PROCESSING

We inform you that the personal data subject to processing may include an identifier such as your name, an identification number, location data, an online identifier, or one or more elements characteristic of your physical, physiological, psychological, economic, cultural, or social identity capable of identifying you, depending on the type of services requested (hereinafter “personal data”).

The personal data processed through the Website are as follows:

a. Browsing data

The information systems and software procedures used for the operation of the Website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users who connect to the Website, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters related to the user’s operating system and IT environment. These data are used solely to obtain anonymous statistical information on the use of the Website and to check its correct functioning, to identify anomalies and/or abuses; in any case, they are deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes to the detriment of the Website or third parties.

b. Data voluntarily provided by the user

Unless otherwise specified in the specific notices available in the different sections of the Website, this Privacy Policy is also provided for the processing of data voluntarily entered by you in the various forms contained within the Website, such as:

the information request form in the “Contact Us” section, where you will be asked to enter your name, surname, and contact details - email address and phone number - as well as to formulate your specific request, which may eventually contain further personal data;

the chat and instant messaging service, through which you will be put in contact with a Chelsea operator who can assist you by responding in real time to your information requests.

With reference to such types of data, we invite you to enter only the personal data strictly necessary to manage your request within the aforementioned forms, including the chat and instant messaging service, excluding therefore non-relevant information and/or information that may fall within the special categories of personal data referred to in Article 9 of the Regulation ([…] personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data concerning health or a person’s sex life or sexual orientation).

c. Data processed due to online services provided

Unless otherwise specified in the specific notices available in the different sections of the Website, this Privacy Policy is also provided for the processing of data voluntarily provided by you for the execution of online services, with particular reference to the following services:

In general, the Data Controller will also process any information related to your purchases (type of product, purchase date, amount spent, as well as your shopping choices, preferences, and browsing behavior on the Website) derived from activities carried out online within the Website for profiling purposes, with or without personalized repercussions, as better specified below; the Data Controller will also process information derived from your choices to customize newsletter content.

d. Third-party data voluntarily provided by the user

In using the Website’s services, there may be processing of personal data of third parties, communicated by you to Chelsea (for example, data provided for purchasing products to be shipped to third parties; payments made with third parties’ bank details; for billing purposes; or when you request information within the “Contact Us” section of the Website). Regarding these cases, you act as an independent data controller, assuming all legal obligations and responsibilities. In this sense, you grant the Data Controller the broadest indemnity regarding any dispute, claim, request for compensation for damage from processing, etc., that may be received by the Data Controller from third parties whose personal data have been processed through your use of the Website’s services in violation of the applicable personal data protection rules.

In any case, if you provide or otherwise process personal data of third parties in the use of the Website, you guarantee from now on – assuming all related responsibility – that this particular processing is based, where necessary, on the prior acquisition by you of the third party’s consent to the processing of the information concerning them.

e. Cookies and other tracking technologies

Information about cookies served by the Website is available here.

3. PURPOSES OF THE PROCESSING

Your personal data will be processed, with your consent where necessary, for the following purposes, where applicable:

3.1. to allow navigation of the Website, registration in private areas, deactivation of your account – upon your request – for a maximum period of 12 months, and the provision of all other services made available by the Data Controller (such as, by way of example and not limited to, online sales, handling returns and the warranty service, wishlist service, the “Book an appointment” function, the “Contact Us” section – relating to your customer care requests –, checking the status of orders placed, saving your preferred shipping addresses for goods purchased on the Website as well as your preferred boutiques, etc.), including the management of Website security, as well as contractual and administrative-accounting relationships and after-sales services; it should be noted that, with respect to the boutique locator service, the data controller of data related to your geographical location and other information you provide in the context of this service is represented by Google and, regarding China, by Baidu (whose privacy policies are available here and here respectively); it is also noted that through the Website, further assistance services are made available to the Customer including, in particular, telephone assistance and assistance via WhatsApp or LiveChat, through which you can make specific requests and receive assistance from Chelsea customer service; with regard to telephone assistance, it should be noted that, with your prior consent, calls may be recorded to monitor the quality of service and for internal training purposes.

3.2. to respond to specific requests directed to the Data Controller, including after-sales requests, including Customer Assistance and information requests (e.g., regarding the handling of product warranties) sent by filling out the relevant contact forms on the Website as well as through chat and instant messaging services;

3.3. to comply with any legal obligations, regulations, or Community regulations, or to satisfy requests from authorities;

3.4. direct mailing via email and paper mail of advertising material and commercial communications related to products or services similar to those you have purchased, pursuant to Article 130, paragraph 4 of the Code and the provision of the Data Protection Authority dated June 19, 2008, unless you expressly refuse to receive such communications, which you can express during registration on the Website or on subsequent occasions;

3.5. to send you commercial communications and proposals, including newsletters (which you can customize), through automated tools (SMS, MMS, email, instant messaging and chat) and non-automated tools (paper mail, telephone); it is specified that the Data Controller collects a single consent for the marketing purposes described here, pursuant to the General Provision of the Data Protection Authority “Guidelines on promotional activities and combating spam” of July 4, 2013; if you wish to oppose the processing of your data for the marketing purposes carried out with the means indicated here, you may do so at any time by contacting the Data Controller at the contact details indicated in the “Contacts” section of this notice, without prejudice to the lawfulness of the processing carried out before the opposition;

3.6. to analyze your personal data, purchase choices, preferences, browsing behaviors on the Website to be able to send you personalized commercial communications and proposals as well as, in general, for profiling activities;

3.7. for general profiling purposes, without personalized repercussions, through the performance of general analyses (including predictive or strategic orientation) aimed at creating statistical processing and calculation models in relation to the entire customer base; this purpose involves the processing of your data on an aggregated and pseudonymized basis and is directly preliminary and instrumental to the pursuit of the purposes set out in sections 3.5 and 3.6 of this notice, although distinct from them;

3.8. to meet any defensive needs;

3.9. for statistical evaluation and monitoring purposes; this purpose involves an analysis of aggregated information that cannot be traced back to identified or identifiable individuals and, therefore, does not constitute personal data and does not allow the Data Controller to trace back to your identity in any way.

Specific security measures are observed to prevent data loss, unlawful or incorrect use, and unauthorized access.

4. LEGAL BASIS AND MANDATORY OR OPTIONAL NATURE OF THE PROCESSING

The legal basis for processing personal data for the purposes referred to in sections 3.1 and 3.2 is Article 6, paragraph 1, letter b) of the Regulation ([…] the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract), as the processing is necessary for the provision of services. The provision of personal data for these purposes is optional, but failure to provide them would make it impossible to activate the requested services.

The purpose referred to in section 3.3 represents a legitimate processing of personal data pursuant to Article 6, paragraph 1, letter c) of the Regulation ([…] the processing is necessary for compliance with a legal obligation to which the controller is subject). Once personal data is provided, in fact, the processing is indeed necessary to fulfill legal obligations to which the Data Controller is subject.

The processing carried out for the purposes referred to in sections 3.5 and 3.6 is based on your consent pursuant to Article 6, paragraph 1, letter a) ([…] the data subject has given consent to the processing of his or her personal data for one or more specific purposes) and Article 22, paragraph 2, letter c) of the Regulation. Such consent is revocable at any time without prejudice to the lawfulness of the processing carried out before the revocation in accordance with Article 7 of the Regulation.

The provision of your personal data for these purposes is therefore entirely optional and does not affect the use of services. If you wish to oppose the processing of your data for marketing and profiling purposes, you may do so at any time by contacting the Data Controller at the contact details indicated in the “Contacts” section of this notice or, where available, through the Privacy Settings contained within your Personal Area.

With reference to the purpose referred to in section 3.4, it is specified that if the Data Controller uses, for direct sale of its products or services, the email or postal addresses provided by the data subject in the context of the sale of a product or service, it may, pursuant to Article 130, paragraph 4 of the Code, not request the consent of the data subject, provided that it concerns products or services similar to those subject to the sale and the data subject, adequately informed, does not refuse such use, initially or during subsequent communications.

The processing referred to in section 3.7 is carried out to pursue the legitimate interest of the Data Controller under Article 6, paragraph 1, letter f) of the Regulation.

It is also noted that the processing referred to in section 3.8 is carried out to meet the defensive needs of the Data Controller pursuant to Article 6.1.f) of the Regulation.

It is noted that the processing referred to in section 3.9, not involving personal data, does not fall under the scope of the personal data protection regulations and may therefore be freely carried out by the Data Controller.

5. RECIPIENTS OF PERSONAL DATA

Your personal data may be shared, for the purposes set out in section 3 of this Privacy Policy, with:

5.1. persons authorized by the Data Controller to process personal data pursuant to Articles 29 and 2-quaterdecies of the Code (e.g., sales staff, administration and accounting staff, post-sales assistance, CRM, IT systems management);

5.2. third parties who, in the provision of services (e.g., technological services, assistance and consultancy services in accounting, administrative, legal, tax, and financial matters, technical maintenance, transport services, banking and insurance services), typically act as data processors pursuant to Article 28 of the Regulation. The Data Controller maintains an updated list of appointed data processors and ensures that it is made available to the data subject at the Data Controller’s premises or upon request sent to the contact details provided;

5.3. entities, bodies, or authorities to which your personal data must be communicated by law or by order of the authorities.

These entities are hereinafter collectively referred to as “Recipients.”

6. TRANSFER OF PERSONAL DATA

Some of your personal data is shared with Recipients who may be located outside the European Economic Area. The Data Controller ensures that the processing of your personal data by these Recipients is carried out in compliance with Articles 44 - 49 of the Regulation. Indeed, with regard to the transfer of personal data to third countries, the Data Controller informs you that the processing will take place according to one of the methods allowed by the applicable law, such as the consent of the data subject, the adoption of Standard Contractual Clauses approved by the European Commission, the selection of entities adhering to international programs for the free movement of data or operating in countries considered safe by the European Commission based on an adequacy decision. More information is available by sending a written request to the Data Controller at the contact details provided in the “Contacts” section of this notice.

7. STORAGE OF PERSONAL DATA

Your personal data will be entered and stored, in compliance with the principles of minimization and storage limitation pursuant to Article 5.1.c) and e) of the Regulation, in the Data Controller’s information systems, whose servers are located within the European Economic Area.

Personal data processed for the purposes referred to in sections 3.1 and 3.2 will be retained for the time strictly necessary to achieve those same purposes, i.e., for the time necessary to execute the contract, provide legal or conventional warranties, in accordance with mandatory retention periods provided by law (see also, in particular, Article 2946 of the Civil Code and following).

Personal data processed for the purposes referred to in section 3.3 will be retained until the time provided by the specific applicable law or regulation.

For the purposes referred to in section 3.4, your personal data will be processed until you object to the processing.

For the purposes referred to in sections 3.5 and 3.6, your personal data will be retained until you revoke your consent and, in any case, with reference to the purpose referred to in section 3.6 and related activities, no longer than seven years from their registration, in accordance with the provision of the Data Protection Authority accepting the request for prior verification submitted by the Data Controller. Similarly, for the purpose referred to in section 3.7, your data will be retained no longer than seven years from their registration. Upon revocation of consent or the expiration of the retention period of seven years (if earlier), the data processed for the above purpose will be permanently deleted or anonymized.

In general, the Data Controller reserves the right to retain your data for the time necessary to comply with any legal obligation to which it is subject or to meet any defensive needs. Indeed, the Data Controller reserves the right to retain your personal data for the period provided and allowed by Italian law to protect its interests (Article 2947 of the Civil Code).

It is noted that, in the event of deactivation of your account, your personal data will continue to be processed by Chelsea in compliance with the criteria and principles outlined above for the entire period corresponding to such deactivation (equal to 12 months). It is also noted that, consistent with the aforementioned criteria and principles, Chelsea will retain such data even after the expiration of such period and in case of total removal of your account; it is therefore noted that the expiration of the aforementioned period and the total removal of your account will not necessarily result in the deletion of your personal data or the revocation of the privacy consents you have legitimately provided. For more information regarding data deletion requests and revocation of consents, please refer to section 8 “Data Subject’s Rights” of this notice.

More information on the data retention period and the criteria used to determine this period can be requested by sending a written request to the Data Controller at the contact details provided in the “Contacts” section of this notice.

8. DATA SUBJECT’S RIGHTS

You, as the Data Subject, can exercise your rights under Articles 15-22 of the GDPR and revoke the consents provided at any time without prejudice to the lawfulness of the processing carried out before the revocation.

In particular, you may request access to your Personal Data pursuant to Article 15 of the GDPR, rectification pursuant to Article 16 of the GDPR, deletion pursuant to Article 17 of the GDPR, restriction of processing in the cases provided for by Article 18 of the GDPR, and to obtain data portability concerning you in the cases provided for by Article 20 of the GDPR.

You may formulate an objection to the processing of your data pursuant to Article 21 of the GDPR, providing evidence of the reasons justifying the objection: the Data Controller reserves the right to evaluate your request, which will not be accepted in the event of the existence of compelling legitimate grounds to proceed with the processing that prevail over your interests, rights, and freedoms.

Requests should be addressed in writing to the Data Controller at the contact details provided in the “Contacts” section of this notice.

9. COMPLAINT TO THE SUPERVISORY AUTHORITY

If you believe that the processing of your Personal Data carried out by the Data Controller is in violation of the GDPR, you have the right to lodge a complaint with the Data Protection Authority, as provided for by Article 77 of the GDPR, or to take the appropriate judicial actions (Article 79 of the GDPR).

10. CHANGES

The Data Controller reserves the right to modify or simply update the content of this notice, in part or completely, also due to changes in the applicable regulations. The Data Controller therefore invites you to regularly visit this section to take note of the most recent and updated version of the Privacy Policy so that you are always informed about the data collected and how Chelsea uses them.

11. CONTACTS

To exercise the rights mentioned above or for any other request, you can write to the Data Controller at the physical address indicated above, or through the dedicated contact, preferably by including “privacy rights request” in the subject line of the communication.