BULGARI VAULT REGISTRATION INFORMATION NOTICE Information notice on processing of personal data pursuant to the REGULATION (EU) 2016/679 (the "GDPR") and to the Swiss Federal Act on Data Protection Act (the "FADP")
WISeKey S.A. and Bulgari S.p.A. (hereinafter also: the "data controllers") gives the following information in relation to your personal data collection and use.
1. Purposes of the processing
Personal data such as those necessary to the production of a public key certificate, for the verification of a digital signature, for the validation of a certificate's status as well as to positively identify a data subject (e.g. name, surname, email address, country of residency ) are collected and processed by WISeKey S.A. for the following purposes:
a) Proving an individual's identity before a digital certificate is issued to them, subsequent registration of users in order to benefit of the services provided on the Bvlgari Vault;
b) Managing administrative and legal operations.
Information about race, ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sexual orientation will not be collected and personality profiles (as defined in FADP) will not be established except when specifically required to satisfy the requirements of local legislation.
Personal data (e.g. name, surname, email address, country of residency) are collected and processed by Wisekey S.A. on Bulgari's behalf and in accordance with the GDPR and Swiss applicable data protection laws and pursuant Bulgari S.p.A.'s instructions and recommendation for the following purposes:
c) Creating profiles and analyze the consumption choices of the customers, also using data on retail purchases made at Bulgari stores worldwide.
This processing is carried out in compliance with the guarantees and measures set forth by the Italian Data Protection Authority by the decision of acceptance of the request for prior checking submitted by Bulgari S.p.A. of April 24, 2013.
d) to provide personalized sales services at Bulgari stores worldwide, for example, but not limited to: personal shopping services, support services free of charge, courtesy services and to offer our customers products BVLGARI by sending of advertising material, newsletters, promotional communications also customized and for carrying out market research using automated contact means (e-mail, fax) as well as traditional contact means (paper mail, operator-assisted phone calls).
2. Legal basis
Legal basis of the processing activities referred to in paragraph 1 letter a) is the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legal basis of the processing activities referred to in paragraph 1 letter b) is the compliance with a legal obligation to which the controller is subject.
Legal basis of the processing activities referred to in paragraph 1 letters c) and d) is the consent optional and revocable at any time.
3. Provision of data
The provision of data to the purposes referred to in paragraph 1 letters a) and b) is voluntary but shall be mandatory, in case of refusal by a customer WISeKey S.A. will not be able to process your registration to the app and to provide you with the requested goods and services.
The provision of data to the purposes referred to in paragraph 1 letters c) and d) is optional and the use of the data is subject to specific approval by the customer. Any refusal to provide data however will not allow Bulgari S.p.A. to pursue the purposes described above.
It is a data subject's responsibility to ensure that any information they provide to WISeKey S.A. is accurate. If this information subsequently changes, it is the data subject's obligation to inform it promptly. If the data subject becomes aware of any inaccuracies in the personal data held about them, it is its responsibility to advise the entity that processed its personal data.
4. Methods of the processing
Personal data will be processed using electronic or automated systems, computer and internet, or by manual logic processing strictly related to the purposes for which the personal data have been anyhow collected, in order to ensure, in each case, the security of the same.
Personal data processed for the purposes referred to in paragraph 1 letters a) and b), will reside and be stored in Switzerland in a system managed by WISeKey S.A. and third parties contractors of same.
Personal data processed for the purposes referred to in paragraph 1 letters c) and d) will reside and stored in Italy in the CRM system managed by Bulgari S.p.A. and third parties contractors of same.
5. Data entry in the CRM system
The inclusion of personal data in the CRM system is optional and occurs only in the event of release of the data subject's consent to the pursuit of one of the purposes referred to in paragraph 1 letters c) and d).
The inclusion of personal data processed for the purposes referred to in paragraph 1 letters c) and d) in the CRM system will automatically result in the visibility, as well as the possibility of modification and updating of the same, by Bulgari's employees worldwide on a "need to know" basis.
6. Scope of communication, dissemination of data
The processing of personal data is carried out by authorized internal staff of WISeKey S.A. and Bulgari S.p.A.
Personal data collection can be handled by third parties, external data processors, namely by:
- Parent companies, subsidiary or associated with Bulgari S.p.A. in Italy and/or worldwide that manage the sales channels for the pursuit by such companies of the purposes referred to in paragraph 1 letters c) and d) on behalf of Bulgari S.p.A.;
- Companies performing services for mailing of the newsletter, advertising material or promotional communications on behalf of Bulgari S.p.A.;
- Companies doing customer care services on behalf of WISeKey S.A.;
- Companies doing analysis and market research on behalf of Bulgari S.p.A.;
- Companies that perform maintenance services of IT systems on behalf of WISeKey S.A. and of Bulgari S.p.A.
Personal data collected may also be disclosed by the data controllers to third parties, namely to:
- Individuals, companies, associations or professional firms that carry out assistance and advisory services (lawyers, accountants, auditors).
Personal data will never be disseminated.
Any cross-border data transfer (which also includes remote access from a foreign country) to a country without an adequate level of data protection is prohibited, unless there is a sufficient safeguard, in particular a contractual clause such as the EU-Model Clauses, ensuring an adequate level of data protection in the country where the importing company is located and the data subject has been previously informed about the transfer or the transfer could be inferred by the circumstances.
7.Data retention and storage
Personal data shall be retained only for the period required by applicable law or needed for one of the purposes for which it is retained as authorized pursuant to applicable law, whichever is longer.
This being said, personal data collected for the purposes of paragraph 1 letters a) and b) will be stored by WISeKey S.A. for a period of 7 years from the certificate expiry date to provide evidence in the event of a challenge on the validity of a certificate or a digital signature. Such period may be extended with regard to specific records and information upon request by the data subject of special archiving services. In all cases, the records may be archived in paper or electronic form. Personal data collected for the purposes referred to in paragraph 1 letters c) and d) will be stored by Bulgari S.p.A. until the data subject revokes the consent to the processing of data. Data relating to the details of purchases processed for profiling and marketing purposes, can be retained for 10 years in accordance with the decision of the Italian Data Protection Authority of 24 April 2013, or if earlier until the data subject revokes the consent to the processing of data. After the expiration of the retention period Personal data will be automatically deleted or made anonymous permanently.
8. Rights of the data subject
Data subject is entitled to exercise the rights referred to in Article 8 of FADP and in GDPR (both detailed below), requesting, inter alia, written information at any time on the processing of and the content of the collected personal data by Bulgari S.p.A., addressing a specific request to Bulgari S.p.A. - Data processor, Lungotevere Marzio 11 00186 Roma (RM), or by sending an e-mail to: email@example.com>.
With the same modalities, the data subject may oppose, in whole or in part, without affecting the lawfulness of processing based on consent before its withdrawal, without economic charge and on legitimate grounds, to the processing of his/her personal data or oppose to their processing when performed through automated contact means (e-mail, fax) and require correction or deletion of the collected personal data.
ARTICLE 8 of the FADP
(Right to information)
1. Any person may request information from the controller of a data file as to whether data concerning them is being processed.
2. The controller of a data file must notify the data subject of:
a. all available data concerning the subject in the data file, including the available information on the source of the data;
b. the purpose of and if applicable the legal basis for the processing as well as the categories of the personal data processed, the other parties involved with the file and the data recipient.
3. The controller of a data file may arrange for data on the health of the data subject to be communicated by a doctor designated by the subject.
4. If the controller of a data file has personal data processed by a third party, the controller remains under an obligation to provide information. The third party is under an obligation to provide information if he does not disclose the identity of the controller or if the controller is not domiciled in Switzerland.
5. The information must normally be provided in writing, in the form of a printout or a photocopy, and is free of charge. The Federal Council regulates exceptions.
6. No one may waive the right to information in advance.
DATA SUBJECTS' RIGHTS UNDER GDPR
In relation to the processing activities carried out by the Data Controllers, data subject may ask Data Controllers for access to his/her personal data, erasure of personal data, rectification of inaccurate data, integration of incomplete data, restriction of the processing in the cases set out in art. 18 of GDPR, and object, on grounds relating to his/her particular situation, to processing in the case of legitimate interests of the controller.
Furthermore, in the case where processing is based on consent or on a contract and carried out with automated tools, data subjects have the right to receive the personal data in a structured, commonly used and machine-readable format, and to transmit the data to another data controller without hindrance.
At any moment, data subject can also lodge a complaint to the competent Supervisory Authority as well as to seek other remedies available under applicable law.
9. Data controllers
The data controllers are:
- WISeKey S.A. - World Trade Center II, 29 route de Pré – Bois, Case postale 853, 1215 Geneva 15, Switzerland. for the purposes described in paragraph 1 letters a) and b).
- Bulgari S.p.A. - Via dei Condotti, 11 - 00186 Rome (RM) – Italy for the purposes described in paragraph 1 letters c) and d).
10. Data Protection Officer
Bulgari’s Data Protection Officer can be contacted by emailing at firstname.lastname@example.org>
11. Data processors
The data processors are:
- the CENTRAL F&A SUPPORT Director so appointed by Bulgari S.p.A.
- the CENTRAL CUSTOMER SUPPORT manager appointed by WISeKey S.A.