Customers and Prospect Data Policy
Identity and contact data of the Data Controller
Calzaturificio S.C.A.R.P.A. S.P.A., henceforth “SCARPA” or “Data Controller”, head offices at 1 Via Enrico Fermi, Asolo (TV) 31011, which can be contacted via email at info@scarpa.net, certified email (PEC) at calzaturificioscarpaspa@legalmail.it or via telephone at +39 0423 5284.
Data categories and their sources
SCARPA processes general personal data (e.g. personal information, contact information, data related to employment, etc.). This information can be collected from the data subject directly and/or from third parties (e.g., other company contacts).
Purpose and legal basis
A. Pre-contractual management: personal data are processed for all needs associated with the fulfilment of requests for information and/or quotes and estimates.
B. Collection of financial data: personal data are processed to gather information on and verify the economic/financial position and the assets/liabilities of the data subject, including their solidity, solvency and creditworthiness.
C. Content management: personal data are processed for all needs related to the management of the contractual relationship in all its phases (e.g., appointment management, logistical organization, management of client support activities and compliance with the regulatory obligations of the Data Controller).
D. Statistics: the personal data are used to carry out statistical analyses relating to purchasing behaviours.
E. Social Media Marketing: the contact data are communicated to digital platform providers that allow the Data Controller to reach a “look-alike audience”, meaning individuals with characteristics and interests similar to those of the data subject.
F. Legal defence: the Data Controller may need to process personal data for the management of disputes and litigation, in or out of court.
|
Purpose |
Legal basis (general data) |
Legal basis (specific data) |
|
A. |
Completion of pre-contractual activities. |
/ |
|
B. |
Legitimate interest of the Data Controller related to the analysis and creation of business strategies and policies, the identification of individuals with whom to enter into or continue commercial relationships, the terms and conditions of payment and fraud prevention. |
/ |
|
C. |
Contract fulfilment; Compliance with legal obligations. |
/ |
|
D. |
Legitimate interest of the Data Controller in understanding user segments, optimising processes, and assessing commercial performance. |
/ |
|
E. |
Legitimate interest in promoting awareness of its products and services also to other individuals who may have interests similar to those of the data subject. |
/ |
|
F. |
Legitimate interest of the Data Controller to establish, exercise or defend a right. |
Establish, exercise or defend a right. |
Storage of data
|
Purpose |
Duration of storage |
|
A. |
The time period necessary to fulfil the requests received and all subsequent interactions. |
|
B. |
Time period required to carry out verifications. |
|
C. |
10 years from end of contract. |
|
D. |
36 months from the collection. |
|
E. |
Until the right to object is exercised. |
|
F. |
10 years from the definitive resolution of the dispute. |
Nature of the data transfer and consequences of refusal
|
Purpose |
Nature |
Consequences |
|
|
A. |
Necessary |
Inability to receive the information requested and/or to manage commercial negotiations. |
|
|
B. |
Not applicable |
/ |
|
|
C. |
Necessary |
Inability to enter into or continue the commercial relationship. |
|
|
D. |
Necessary |
Inability for the Data Controller to carry out reliable statistical analyses. |
|
|
E. |
Optional |
Inability for the Data Controller to reach a look-alike audience. |
|
|
F. |
Necessary |
Inability to manage disputes. |
|
Scope of disclosure
Data are processed by internal staff members who have been authorized to carry out specific tasks, and shared externally according to the following rules
|
Purpose |
External recipient categories |
|
A. |
Agents, business consultants, brokers. |
|
B. |
Business information companies, agents. |
|
C. |
Insurance companies or credit transfer companies, agents, credit institutions, external consultants, parties to whom disclosure is mandatory by law, commercial partners (customers/suppliers). |
|
D. |
Commercial consultants. |
|
E. |
Companies that operate digital platforms such as Google and Meta. |
|
F. |
Law firms; debt collection and debt transfer companies; Legal authorities. |
Because data are processed with methods that include the use of computerized tools, they may also be accessed by individuals who provide assistance/maintenance for said systems.
Data transfers to third countries or international organizations
The Data Controller carries out transfers of personal data to the countries and under the conditions summarised below:
|
Purpose |
Country |
Lawfulness condition for the transfer. |
|
|
A. |
|
|
|
|
B. |
|
|
|
|
C. |
|
|
|
|
D. |
United States of America |
· Data Privacy Framework · Standard Contractual Clauses |
|
|
E. |
United States of America |
· Data Privacy Framework · Standard Contractual Clauses |
|
|
F. |
|
|
|
Rights of the Data Subject
The individual to whom the personal data refers to has the following rights:
Access: data subjects can find out whether or not their personal data are being processed and, when that is the case, access the personal data and obtain a copy.
Rectification: the data subject can request that their personal data be updated, corrected (if inaccurate) and completed (if incomplete).
Erasure: data subjects can obtain the erasure of their personal data when certain conditions are met (for more information, contact the Data Controller).
Restriction: data subjects can request that their data are marked so as to limit their future processing, when certain conditions are met (for more information, contact the Data Controller).
Objection: it is possible, on grounds relating to one’s individual situation, to object to the processing of personal data when said processing is necessary for the purposes of legitimate interests or for the completion of a task in the public interest or connected to the exercise of public powers vested in the Data Controller.
Portabiliity: data subjects can receive, in a structured format, the personal data provided to the Data Controller and request that said data be transmitted to another data controller when the processing is based on consent or on a contract and is carried out by automated means.
Withdrawal of consent: it is possible to withdraw consent for the purposes for which it was requested, without prejudice to the lawfulness of the processing carried out before withdrawal.
The concrete rights which can be exercised relative to personal data processing which has been carried out are:
|
Purpose |
Right |
||||||
|
|
Access |
Rectification |
Erasure |
Restriction |
Objection |
Portability |
Withdrawal of consent |
|
A. |
X |
X |
X |
X |
|
|
|
|
B. |
X |
X |
X |
X |
X |
|
|
|
C. |
X |
X |
X |
X |
|
X |
|
|
D. |
X |
X |
X |
X |
X |
|
|
|
E. |
X |
X |
X |
X |
X |
|
|
|
F. |
X |
X |
X |
X |
X |
|
|
To exercise the aforementioned rights, please fill in the form found at the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924 and send it to privacy@scarpa.net. Data subjects can use that same email address to learn more about the information listed herein (e.g., the “balancing test” for legitimate interests or the list of data processors).
It is possible to submit a complaint to the Data Authority. In Italy, that authority is the Italian Data Protection Authority (Garante per la protezione dei dati personali)
