INFORMATION PURSUANT TO ARTICLE 13 – 14 OF EU REGULATION NO. 2016/679 (‘GDPR’)
The following sections of this privacy notice describe which of your personal data are collected by Tristate International SA and by Diana e-commerce corporation S.r.l., for which purposes and how they are processed. Below you will also find the necessary information to enforce your rights provided for by GDPR.
In general, we collect your personal data when you create an account on our online store https://www.cpcompany.com (hereinafter ‘Store’), when you purchase products available for sale on the Store, when you subscribe to the newsletter, when you email or contact us asking for assistance or information regarding the availability of a product. We hereby inform you that the personal data collected during such procedures will be processed in order to reply to your requests, to allow you to benefit from the services offered on the Store through reserved areas (e.g., to process your orders and carry out the related activities, including those required to fulfil tax and administrative obligations, and, whenever requested by you, to send newsletters and information material) as well as to provide better services, marketing and support services for you and other customers, as specified below.
1. Who processes your data: Data Controllers
Diana e-commerce corporation S.r.l., Via San Daniele n. 137/139, Torreglia (PD), Italy, 35038,VAT number 05097740285 (hereinafter ‘Diana’) and Tristate International SA, Riva Albertolli 1, Lugano, CHE 147076577 (hereinafter ‘Tristate’), pursuant to art. 26 GDPR, are joint controllers of the processing of your personal data, and shall process them in order to: manage and process your purchase orders, ship to you the products that you buy, provide you with the required post-sales assistance, process the product returns procedure, keep you informed about the availability of a product on the Store, comply with all obligations arising from tax law and other applicable laws. Pursuant to art. 26 GDPR, you may find out the essential content of the agreement between Diana and Tristate by contacting us via e-mail at firstname.lastname@example.org or email@example.com.
Tristate is the sole controller of your personal data and shall process them for managing your Store account, also in order to consent any possible transfer to a new service provider or to internalize all services provided by Diana, for the Store maintenance, for the management of customers’ requests submitted through Customer Care (either for purchases that you have not made on the Shop or in case of request for information on Tristate's products) and, upon your consent, for marketing purposes, even in profiled mode.
Hereinafter, when we use the expressions ‘Joint Controller’, ‘We’ or ‘Ours’, we will jointly refer to Tristate and Diana together. Vice-versa, if the information only refers to one of the two data controllers, you will find the reference to either Diana or Tristate.
2. Which data we process - Type of processed data
Your contact and purchase data. Tristate and Diana will retain the details you provide us with (e.g., your contact and personal data) when you purchase a product, interact with the after-sales service or ask to be updated on the availability of a product in the Store. Tristate will also keep such data when you create an account on the Store, subscribe to the newsletter, participate in Tristate contests or promotions and/or contact Customer Care.
Your payment and invoicing data. Diana will retain the payment and invoicing data that you provide to us with (e.g., your credit card number, contact and personal data) when you purchase a product, in order to process your order and ship the products.
Information on the use of the website and on your activities on the Store. Your use of the website implies the processing of the browsing data and the device that you are using and your IP address (i.e. the number that identifies a specific device connected to the internet and is required in order for your device to communicate with websites). Moreover, Tristate may analyse the website you browsed from, what you did and what you did not do on our website. In order to send you commercial information about products and proposals tailored to your preferences, Tristate may use your email address and your name, as well as browsing data and website behavioural information to understand better which products you prefer, provided that you have previously authorized such processing.
3. Where do we get your data - Data collection methods:
Directly from you. For instance, if you register in order to make a purchase on the Store, if you create an account, if you participate in a contest, if you ask us a question, subscribe to the newsletter or contact Customer Care.
If you do not provide us with your personal data, you will not be able to register on the Store, and you will not be able to purchase any of the products for sale nor make use of the other services provided.
Third party data provided directly by you. The possible indication (e.g., for the shipment of the product) of personal data and contact details of any third party other than you represents a processing of personal data with respect to which you are a data controller, thus assuming all the obligations and responsibilities provided for by current legislation on personal data. On this regard, you guarantee to Tristate and Diana that any data of third parties that will be indicated by you have been collected by you in full compliance with current legislation on personal data, and that there is an appropriate legal basis that allows the communication of such third party personal data to Tristate and Diana, relieving them from any dispute, claim, request for compensation for damages from any third party resulting from the aforementioned communication that may be received by Tristate and Diana.
4. Why and for how long we process your data - Purpose and legal basis for data processing; data retention period
a) To provide you with the products and services you purchased and to give you information about your orders and payments. Diana and Tristate will use your data to process your order, to confirm your purchase and to manage any service related to it, such as the shipping of purchased products. Without your data, we cannot manage and process your order.
The legal basis of such data processing is the performance of the purchase agreement, which you become a party of since you accept the Store’s general conditions of sale.
The data retention period of your data is equal to the period required to process the order (provided that if other treatments, such as after-sales assistance and management of the administrative position, are applicable, the retention period shall be that indicated in this notice in relation to such treatments).
b) To allow you to register for a Store account. Tristate will use your personal data in order for you to create an account on the Store, whether you make a purchase on the Store or not.
The legal basis of such data processing is the performance of a contractual/pre-contractual request submitted by you.
The retention period of your data, in addition to what is necessary to process your order if any, shall be equal to the period of validity of your account, which shall be in any case deactivated after 24 months from your last access or from the last action taken by you in your account.
c) To give you an update on product availability. Following your explicit request, Diana and Tristate will process your personal data to give you an update on the availability of a requested product on the Shop.
The legal basis of such data processing is the performance of a contractual/pre-contractual request submitted by you.
The retention period of your data is equal to the period necessary to process the request.
d) To provide you with the required after-sales assistance in compliance with the applicable legislation related to the product warranty. Diana and Tristate will use your data to provide you with support, in order to manage the return and/or repair of the products that you purchased from the Store in accordance with applicable law and the Store’s general conditions of sale.
The legal basis of such data processing is the compliance with legal obligations and the data retention period is equal to that required by law (specifically, by the Italian Consumer Code).
e) To manage your administrative status correctly. Diana and Tristate will process your data for accounting, administrative and tax purposes, directly connected to Diana and Tristate’s business activities as required by the applicable legislation.
The legal basis of such data processing is the compliance with the legal obligations and the retention period is equal to that required by law (specifically, civil, tax, anti-money laundering, banking and public security law).
f) To let you to interact with customer care operators. Diana and Tristate may use your personal and contact data to assist you should you require support while using the products purchased from the Store.
The legal basis of such data processing is the performance of the sale and purchase agreement that you executed with Diana when you accepted the Store’s general conditions of sale and the compliance with the obligations provided for by applicable law in terms of warranties and customer care. The retention period is equal to the time necessary to manage your request (provided that, if other process activities are applicable, the retention period shall be that indicated in this notice in relation to such treatments).
Tristate may also process such personal data to assist you with purchases that you have not made on the Store or when you request information about Tristate's products.
The legal basis is the performance of the sales agreement that you have executed with Tristate or the performance of pre-contractual requests. The retention period of your data in relation to such data processing is equal to the time necessary to process your request (provided that, if other processing is applicable, the retention period shall be that indicated in this notice in relation to such treatments).
g) To prevent or control unlawful conducts or to protect and enforce rights. Diana and Tristate may use your data to prevent infringement of their intellectual property rights (e.g., counterfeiting of our trademarks and/or our partners’) or theft (including credit card cloning and theft that we presume may occur during a contest or an event) or other unlawful acts, as allowed by applicable law.
The legal basis for such data processing is the legitimate interest of the Data Joint Controllers.
The period of retention of your data is equal to the time reasonably necessary to enforce our rights from the moment we become aware of the offence or the potential commission of it.
h) For direct marketing purposes / newsletter subscription. Upon your consent, you may be contacted by Tristate by email or other telematic communication means with information or promotions of products and services offered by the Shop, also following your subscription to the newsletter by entering your email address.
The legal basis for such data processing is your explicit consent which, as far as only the subscription to the newsletter is concerned, consists of entering your email address.
The retention period of your data is 24 months from the collection of your data.
i) To send you commercial communications and to offer you products aligned with your preferences. Upon your consent, Tristate analyses your personal data and the data concerning your use of the website, preferences and consumption of the products in order to improve its approach towards you and its customers in general, through automated processing activities, including profiling activities. Tristate does so in order to make better decisions related to services, advertising, products and contents, based on a greater awareness of how its customers use its services and to provide you with a more customized user experience. For such purpose, Tristate may also collect your mobile device’s ID for advertising (i.e. IDFA - Identifier for Advertising - for iOS devices and AAID - Google Advertising ID - for Android devices) so that it can always provide you with targeted and relevant advertisements based on your preferences and interests.
The legal basis of such data processing is your explicit consent.
The retention period of your data is 12 months from the collection of your data.
5. Nature of the provision of personal data
For the purposes of subparagraphs from a) to g) above, the provision of data is necessary to allow you to create an account on the website, make purchases on the Shop and receive other services on the website.
For the purposes of subparagraphs h) and i), the provision of data is optional, a refusal will not cause any prejudice for the purposes of subparagraphs from a) to g). Data subject may withdraw his/her consent at any time, but this shall not affect the lawfulness of processing carried out by Tristate based on consent before its withdrawal.
6. Where your data are processed – Transfer of data
Data shall be processed and stored at the offices and IT systems of Tristate and Diana.
Personal data may also be communicated, as well as to allow you to interact with the customer care service, to third-party service providers – duly appointed as data processors pursuant to art. 28 GDPR – which have their legal office outside the European Union, and in particular, in the United States of America.
Such data transfers shall be authorized either upon:
• an adequate decision, issued by the European Commission pursuant to art. 45 GDPR (e.g., Privacy Shield), referred to the Extra-EU country where personal data are transferred to; or
• appropriate guarantees provided for by articles 46, 47 and 49 GDPR (namely, standard contractual clauses approved by the European Commission, binding corporate rules, contractual or covenant guarantees provided for by the involved data controllers, or by way of derogation to the prohibition of the transfer, which are applicable under certain circumstances), and upon the right to ask to the Data Controller the contacts of the subjects to whom personal data are communicated, from whom you can receive information about how to obtain a copy of the processed data or about where data were made available.
7. Who we share your data with – recipients of personal data
Provided that, where required by law, we will obtain your prior consent and complete any formalities required by law, we may share your data with the following third parties (also acting as data processors):
Our service providers We may share your data with third parties in order for them to provide us with services (e.g., IT service providers for the management of the Store, companies providing us with profiling services and compliance automation, payment gateways and other entities providing banking services, couriers, companies managing warehouses and providing logistics services, legal, tax and accounting advisors), that may operate as sole data controllers or data processors: in such case, we will enter into an agreement with them pursuant to Article 28 GDPR in order to protect your data. These parties will only be in possession of the data required to perform their functions and shall only use them for the purpose of providing services on Our behalf or complying with the law. You may find out the details of such data processors, pursuant to Article 28 GDPR, by sending an email to firstname.lastname@example.org or to email@example.com. Should any of such providers operate outside the EU, before transferring any data to them, we will secure compliance with the relevant conditions under Articles 45-47 GDPR.
Where we deem it necessary in order to comply with legal obligations or to protect Ourselves or third parties from a judicial standpoint. Where permitted or required by law, we may also share the data requested by a government agency or by another authorised third party or organisation, in order to protect or enforce Our rights or those of third parties, or to limit or prevent fraud (including credit card fraud or other fraud, which we believe that may occur during a promotion or an event) and other offences.
Our Store is not intended for minors under the age of 16, but for adults. If you are a parent or guardian and you believe that your child may have sent us some personal data, please contact us.
9. Security Measures
We adopt the security measures required by law.
We adopt security measures to protect your data. The standard security measures that we use depend on the type of data that we process, and such measures meet the requirements provided for by law and by the standards of European government agencies.
10. Your rights
You may contact Tristate and/or Diana in order to request the access to, the rectification or erasure of your personal data, or restriction of the processing, to object such processing and to request the portability of your data; you may also withdraw your consent at any time (and this shall not affect the lawfulness of the processing based on consent granted before such withdrawal).
When you exercise your right of access, you have the right to know whether your data is being processed or not, as well as the purpose of the processing, the categories of data being processed, the recipients or categories of recipients who your data have been disclosed with (and, if they are located in a third country, the guarantees in place), the retention period of your data (or the criteria in order to determine such retention period), whether an automated processing is being carried out or not (e.g., through profiling), the logic involved behind such processing, and the source of the data (when not initially collected by Us).
You have the right to lodge a complaint with the Italian Data Protection Authority and to request to the Data Controller, at any time, information about the processors and the parties that are authorised to process your data.
You may exercise your rights by contacting Tristate or Diana at the above-mentioned address or by sending an email to firstname.lastname@example.org or to email@example.com.
In any case, you may amend or withdraw your consents by changing Store's settings.
You can withdraw your consent to receive marketing communications including newsletters. In order for you to stop receiving marketing communications, you may access your account and change your settings or follow the instructions shown in the promotional message that you receive. Alternatively, you may withdraw your consent by sending an email to firstname.lastname@example.org.
As for marketing emails and data processing through profiling, you may amend your preferences in the privacy settings of your account or by sending an email to email@example.com.
11. Data Protection Officer (DPO)
Diana has appointed a Data Protection Officer (DPO) that may be contacted by sending an email to firstname.lastname@example.org.
12. What happens if we amend this Policy
[Version updated to 10-06-2020]