Privacy statement on the processing of personal data pursuant to Article 13 of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data (GDPR) and to Article 13 of Italian Legislative Decree 196/2003 – Personal Data Protection Code
As required by the General Data Protection Regulation of the European Union (GDPR 2016/679, Article 13), prior to processing any personal data, the customer/visitor to the website is informed that personal data provided at the time of purchase of the products or services offered will be processed, both in printed and electronic format, for the purposes specified below.
To this end, data subjects are provided with this Privacy Statement prepared by Sicily Outlet Village S.R.L. (hereinafter, also the Company or Data Controller).
Data Controller and Data Processor
The Controller of the data processing operations is Sicily Outlet Village S.R.L., with registered office in Corso Matteotti 10, Milan (MI), Tax Code and VAT No. 06227960967, through its Legal Representative Mr. Nicola Sanfilippo.
The Data Controller guarantees the utmost confidentiality in the processing of personal data, in compliance with the relevant regulations governing the protection of personal data.
Specific safety measures are in place to prevent loss of data, illegal or improper data use or unauthorized access to the databases.
Intended Purposes, Nature and Legal Basis of the Processing
The data subject’s personal data shall be processed for purposes strictly related to the purchase of a product and/or service. More specifically:
- for VIP Club membership;
- for operational or management requirements;
- for the fulfillment of legal, regulatory and EU requirements or instructions issued by regulatory or supervisory authorities;
- in anonymous form for statistical purposes as well.
Furthermore, if expressly authorized, the personal data may be processed for:
- Marketing Purposes; the sending of communications by the Data Controller, even through independent Data Processors, for marketing activities, intended as including the sending of communications of a commercial nature, the organization of events, the dispatch of advertising material and completion of market research, opinion polls and data analysis;
- Profiling Purposes – Omnichannel Program: the omnichannel program involves all current and future VIP club members; by presenting your VIP card, at the time of purchase you will participate in the collection of points proportional to the amount of the purchase. The points will entitle you to acquire member status valid for 2 years (e.g. Gold, Platinum, etc.), and can then be converted to rewards/services offered by us. The data collected will enable the profiling of members in clusters for the purpose of sending communications.
Please note that the processing of your personal data for the purposes set out in points 1) to 4) is mandatory for the completion of the respective purposes; any refusal by you to provide the data or an incorrect communication of any of the mandatory data will result in: a) the inability to register for VIP Club membership at Sicilia Outlet Village; b) the possible inconsistency of the data handling results with the fiscal, administrative or business obligations that the data processing addresses.
The processing of your personal data for the purposes referred to in points 5) – 6) is optional and the respective data handling requires your express consent; any refusal by you to give your consent in no way affects your VIP Club membership. However, failure to give your consent will make it impossible for you to receive communications regarding the above purposes from Sicily Outlet Village S.R.L..
Processing operations are based on the granting of the data subject’s express consent to the processing of personal data for the respective handling purposes.
Types of Data undergoing Processing
The Data Controller collects and processes the data subject’s personal data that are required for VIP Club membership, for example: name, surname, contact details such as email address and mobile phone number, place of residence or domicile.
Processing Procedures and Data Retention
Data are processed in electronic and printed format, using suitable means intended to ensure the safety and confidentiality of the data, in compliance with the provisions of Articles 31 et seq. of the Privacy Law and its respective Annex B (“Technical regulations regarding minimum security measures”), as well as in compliance with the provisions of Chapter II (Principles) and Chapter IV (Controller and processor) of the GDPR.
Processing of personal data may also be carried out by automated means designed to record, process or transmit said data and, in any case, it shall be performed in compliance with the provisions of the Privacy Law, the relevant implementation regulations and the GDPR.
The processing of your personal data is carried out by means of the operations indicated in Article 4 of the Privacy Law and in Article 4, no. 2 of the GDPR, to which you should refer for all relevant purposes.
In relazione alle diverse finalità e agli scopi per i quali sono stati raccolti, i dati personali saranno conservati per il tempo previsto dalla normativa applicabile, per un periodo di tempo non superiore a quello necessario al conseguimento delle finalità sovra indicate, e nello specifico relative all’esecuzione del contratto, ed in seguito per un periodo di dieci anni (termine oltre il quale saranno prescritti i diritti sorti dal contratto).
With regard to the different purposes for which the information was collected, personal data shall be retained for the period of time provided for by the relevant laws, for no longer than is necessary for the purposes indicated above, for a maximum period of ten years (after which time the rights arising from the VIP Club membership contract shall have lapsed).
In regards to processing operations for marketing purposes, your personal data shall be retained for a maximum period of five years from the date of collection, unless they are transferred into an anonymized form that prevents the identification of the data subject, even indirectly or by linking other databases.
In regards to processing operations for profiling purposes, your personal data shall be retained for a maximum period of twelve months from the date of collection.
At the end of the retention period, the data shall be deleted automatically, in whole or in part (under the applicable rules), or rendered anonymous such that it is not possible to identify the data subject, even indirectly or by linking other databases.
Recipients of personal data
The personal data that are collected shall not be disseminated and may be accessed, to the extent necessary and for the purposes as indicated, by Company employees and external consultants, as Authorized persons according to Article 29 of the GDPR. The data may also be disclosed to the following third parties, nominated by the Data Controller as independent Processors under Article 28 of the GDPR, by means of a specific deed of appointment, which indicates the methods of data processing and the security measures that they shall be required to adopt for the handling and retention of personal data of which the Company is Controller.
- External organizations, including private companies, that perform inspections of varying nature;
- External consultants appointed in advance;
- External organizations that carry out activities within the Outlet Village;
- Sicily Outlet Village S.R.L. sister companies;
- Stores present in the Outlet Village;
- Company suppliers that carry out data processing on behalf of Sicily Outlet Village S.R.L. and consultants that provide services to the same.
Personal data may also be transmitted to law enforcement authorities, upon request, and to judicial authorities, if necessary.
The full list of parties who have been given or may be given your personal data is available upon request by sending an email to the address firstname.lastname@example.org
Data Transfer Abroad
The handling and retention of personal data shall be via servers, located within the European Union, owned by the Data Controller and/or by third parties appointed and duly nominated as Processors.
The data are not currently subject to transfer outside of the European Union. In any case, it is understood that, if necessary, the Data Controller may move the location of the servers within the European Union and/or in non-EU countries.
In this case, the Data Controller ensures forthwith that the transfer of data Extra-UE shall be carried out in compliance with Articles 44 et seq. of the GDPR and with applicable laws, if necessary entering into agreements designed to ensure a suitable level of protection.
Rights under Articles 15, 16, 17, 18, 20 and 21 of the GDPR and under Article 7 of the Privacy Law
With reference to the data processed by the Company, you may exercise your rights under Articles 15, 16, 17, 18, 20 and 21 of the GDPR at any time.
(a) You have the right to obtain from the Controller confirmation as to whether or not personal data concerning you have been processed and, where that is the case, access to the following information:
- The purposes of the processing;
- The categories of personal data concerned;
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular any recipients in third countries or international organizations;
- The envisaged period for which the personal data will be retained or, if not possible, the criteria used to determine that period;
- Where the personal data are not collected from the data subject, any available information as to their source;
- The existence of automated decision-making procedures and, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
- The existence of appropriate safeguards under Article 46 relating to the transfer of personal data to third countries or international organizations.
(b) In addition, you have the right to:
- Obtain the updating, rectification or integration of your data, the deletion of your data, under the terms of law, or their anonymization, the restriction of processing, and you have the right to object, in whole or in part, on legitimate grounds, to the processing of personal data concerning you;
- Obtain the portability of electronically processed data, provided on the basis of consent or a contract;
- Withdraw your consent, where provided,
- Lodge a complaint with the Supervisory Authority.
To this end, you are invited to submit your request, free of charge, in writing, including date and signature:
- by email, to the following address: email@example.com
- by registered mail, to the following address:
Sicilia Outlet Village
Autostrada A19 Palermo – Catania
Uscita Dittaino – 94011 Agira (EN)
The Company undertakes to reply to your application within a period of one month, save in particularly complex cases, which could take up to a maximum of 3 months. In any case, the Company shall explain the reason for the delay in its reply within a month of your request.
The outcome of your application shall be provided to you in writing or electronically. If you have requested the rectification, deletion or a restriction of data processing, the Company shall undertake to communicate the outcome of your request to each recipient to whom your personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
Please bear in mind that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The Company points out that you may be asked to make a contribution to expenses if your application proves to be manifestly unfounded, excessive or repetitive; to this end, the Company is equipped with a log to trace your applications for action.
Amendments to this privacy statement
This privacy statement is subject to change. Therefore we recommend you check this statement periodically to review the latest version.