Version 1.0 dated 25/04/2019
Privacy statement on the processing of personal data pursuant to Article 13 of
Regulation (EU) 2016/679 (GDPR)

As required by the General Data Protection Regulation of the European Union (GDPR 2016/679, Article 13), the visitor to the Outlet (data subject) is informed that personal data provided will be processed, both in printed and electronic format, for the purposes specified below.

Data Controller and Data Processor

The Controller of the data processing operations is the company Sicily Outlet Village S.R.L., with registered office in Corso Matteotti 10, Milan (MI), Tax Code and VAT No. 06227960967, through its Legal Representative Mr. Nicola Sanfilippo.

The Data Protection Officer is Christian Leblanc and he can be contacted at the following email address dpo@siciliaoutletvillage.com.
The Data Controller guarantees the utmost confidentiality in the processing of personal data, in compliance with the relevant regulations governing the protection of personal data.
Specific safety measures are in place to prevent loss of data, illegal or improper data use and unauthorized access to databases.

Intended Purposes, Nature and Legal Basis of the Processing

The data subject’s personal data shall be processed for the following purposes:
  • - To ensure the safety of persons visiting the Outlet and to safeguard buildings and furnishings: for this purpose, the Data Controller records the digital images taken by the 24-hour video cameras located inside and outside of the Outlet and viewed in real time by the security officers. The video surveillance system does not link, cross-reference or compare the recorded images with other personal data. The lawful basis for the processing of personal data are the legitimate interests of the Data Controller.

Type of Data undergoing Processing

Like one’s name and personal details, the recorded images are personal data that is subject to protection provided under Regulation (UE) 2016/679. The Data Controller collects these types of personal data (images).

Special Category Data

For the above purposes the Data Controller does not process sensitive data regarding the data subject (data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union or political party memberships, biometric data or data concerning physical or mental health, genetic data, data concerning drug dependence or sexual orientation, criminal conviction data or data on criminal proceedings and associated penalties or fines, illegal or questionable conduct and respective penalties or social security or national identification numbers).

Processing Procedures and Data Retention

The data is processed in electronic format, using suitable means intended to ensure the safety and confidentiality of the data, in compliance with the provisions of Chapter II (Principles) and Chapter IV (Controller and processor) of the GDPR.
Processing of personal data may also be carried out by automated means designed to record, process or transmit said data.
In regards to the intended purposes for which the data was collected, the personal data shall be retained for a maximum period of 48 hours.

Recipients of personal data

The personal data that is collected for the purposes stated in this privacy statement may be processed by the following third parties:
  • Individuals from security and surveillance companies (G.S.I. Security Group srl, Sicilia Police srl, GPE Servizi Integrati srl);
  • Individuals from video surveillance system management companies (Elmet srl, Stilo Services SRL);
  • Judicial and law enforcement authorities, who have the right to request the extraction of the video recordings;
  • Sicily Outlet Village S.R.L. sister companies;
The full and updated list of parties who have been given or may be given your personal data is available upon request by sending an email to the address privacy@siciliaoutletvillage.com

Data Transfer Abroad

The handling and retention of personal data shall be via servers, located within the European Union, owned by the Data Controller and/or by third parties appointed and duly nominated as Processors.
The data is not currently subject to transfer outside of the European Union. In any case, it is understood that, if necessary, the Data Controller may move the location of the servers within the European Union and/or in non-EU countries.
In this case, the Data Controller ensures forthwith that the transfer of non-EU data shall be carried out in compliance with Articles 44 et seq. of the GDPR and with applicable laws, if necessary entering into agreements designed to ensure a suitable level of protection.

Rights under Articles 15,16, 17, 18, 20 and 21 of the GDPR

With reference to the data processed by the Controller, we inform you that you may exercise your rights under Articles 15, 16, 17, 18, 20 and 21 of the GDPR at any time.
More specifically:
  1. You have the right to obtain from the Controller confirmation as to whether or not personal data concerning you has been processed and, where this is the case, access to the following information:
    • The purposes of the processing;
    • The categories of personal data concerned;
    • The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular any recipients in third countries or international organizations;
    • The envisaged period for which the personal data will be retained or, if not possible, the criteria used to determine that period;
    • Where the personal data is not collected from the data subject, any available information as to its source;
    • The existence of automated decision-making procedures and, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
    • The existence of appropriate safeguards under Article 46 relating to the transfer of personal data to third countries or international organizations.
  2. In addition, you have the right to:
    • Obtain the updating, rectification or integration of your data, the deletion of your data, under the terms of law, or its anonymization, the restriction of processing. You also have the right to object, in whole or in part, on legitimate grounds, to the processing of personal data concerning you;
    • Obtain the portability of electronically processed data, provided on the basis of consent or a contract;
    • Withdraw your consent, where provided;
    • Lodge a complaint with the Supervisory Authority.
To this end, you are invited to submit your request, free of charge, in writing, including date and signature:
  • By email, to the following address: privacy@siciliaoutletvillage.com
  • By registered mail, to the following address:

    Sicilia Outlet Village
    Autostrada A19 Palermo – Catania
    Uscita Dittaino – 94011 Agira (EN)
The Company undertakes to reply to your application within a period of one month, save in particularly complex cases, which could take up to a maximum of 3 months. In any case, the Company shall explain the reason for the delay in its reply within a month of your request.
The outcome of your application shall be provided to you in writing or electronically. If you have requested the rectification, deletion or a restriction of data processing, the Company shall undertake to communicate the outcome of your request to each recipient to whom your personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
The Company points out that you may be asked to make a contribution to expenses if your application proves to be manifestly unfounded, excessive or repetitive; to this end, the Company is equipped with a log to trace your applications for action.

Amendments to this privacy statement

This privacy statement is subject to change. Therefore we recommend you check this statement periodically to review the latest version.