BULGARI VAULT REGISTRATION INFORMATION NOTICE
Information notice on processing of personal data pursuant to the Italian Data Protection Code - Legislative Decree No. 196 of 30 June 2003 (the "DPC") and to the Swiss Federal Act on Data Protection (the "FADP")
WISeKey S.A. and Bulgari S.p.A. (hereinafter also: the "data controllers") give the following information in relation to the collection and use of your personal data.
1. Purposes of the processing.
Personal data such as those necessary to the production of a public key certificate, for the verification of a digital signature, for the validation of a certificate's status as well as to positively identify a data subject (e.g. name, surname, email address, country of residency) are collected and processed by WISeKey S.A. for the following purposes:
a) Proving an individual's identity before a digital certificate is issued to them, subsequent registration of users in order to benefit from the services provided on the Bvlgari Vault
b) Managing administrative and legal operations
Information about race, ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sexual orientation will not be collected and personality profiles (as defined in FADP) will not be established except when specifically required to satisfy the requirements of local legislation.
Personal data (e.g. name, surname, email address, country of residency) are collected and processed by WISeKey S.A. on Bulgari's behalf and in accordance with the Italian and Swiss applicable data protection laws and pursuant to Bulgari S.p.A.'s instructions and recommendation for the following purposes:
c) Creating profiles and analyzing the consumption choices of the customers, also using data on retail purchases made at Bulgari stores worldwide.
This processing is carried out in compliance with the guarantees and measures set forth by the Italian Data Protection Authority by the decision of acceptance of the request for prior checking submitted by Bulgari S.p.A. of April 24, 2013.
d) To provide personalized sales services at Bulgari stores worldwide, for example, but not limited to: personal shopping services, support services free of charge and courtesy services; and to offer our customers BVLGARI products by sending advertising material, newsletters and promotional communications, also customized, and for carrying out market research using automated contact means (e-mail, fax) as well as traditional contact means (paper mail, operator-assisted phone calls).
2. Provision of data
The provision of data for the purposes referred to in paragraph 1 letters a) and b) is voluntary but shall be mandatory; in case of refusal by a customer, WISeKey S.A. will not be able to process your registration to the app and to provide you with the requested goods and services.
The provision of data for the purposes referred to in paragraph 1 letters c) and d) is optional and the use of the data is subject to specific approval by the customer. Any refusal to provide data, however, will not allow Bulgari S.p.A. to pursue the purposes described above.
It is a data subject's responsibility to ensure that any information they provide to WISeKey S.A. is accurate. If this information subsequently changes, it is the data subject's obligation to inform it promptly. If the data subject becomes aware of any inaccuracies in the personal data held about them, it is its responsibility to advise the entity that processed its personal data.
3. Methods of the processing
Personal data will be processed using electronic or automated systems, computer and internet, or by manual logic processing strictly related to the purposes for which the personal data have been anyhow collected, in order to ensure, in each case, the security of the same.
Personal data processed for the purposes referred to in paragraph 1 letters a) and b) will reside and be stored in Switzerland in a system managed by WISeKey S.A. and third-party contractors of the same.
Personal data processed for the purposes referred to in paragraph 1 letters c) and d) will reside and be stored in Italy in the CRM system managed by Bulgari S.p.A. and third-party contractors of the same.
4. Data entry in the CRM system
The inclusion of personal data in the CRM system is optional and occurs only in the event of release of the data subject's consent to the pursuit of one of the purposes referred to in paragraph 1 letters c) and d).
The inclusion of personal data processed for the purposes referred to in paragraph 1 letters c) and d) in the CRM system will automatically result in the visibility, as well as the possibility of modification and updating of the same, by Bulgari's employees worldwide on a "need to know" basis.
5. Scope of communication, dissemination of data
The processing of personal data is carried out by internal staff of WISeKey S.A. and Bulgari S.p.A. for that purpose appointed, from time to time, as persons in charge of the processing or data processors.
Personal data collection can be handled by third parties, external data processors, namely by:
- Parent, subsidiary or associated companies of Bulgari S.p.A. in Italy and/or worldwide that manage the sales channels for the pursuit by such companies of the purposes referred to in paragraph 1 letters c) and d) on behalf of Bulgari S.p.A.;
- Companies performing services for mailing of the newsletter, advertising material or promotional communications on behalf of Bulgari S.p.A.;
- Companies doing customer care services on behalf of WISeKey S.A.;
- Companies doing analysis and market research on behalf of Bulgari S.p.A.;
- Companies that perform maintenance services of IT systems on behalf of WISeKey S.A. and of Bulgari S.p.A.
Personal data collected may also be disclosed by the data controllers to third parties, namely to:
- Individuals, companies, associations or professional firms that carry out assistance and advisory services (lawyers, accountants, auditors).
Personal data will never be disseminated.
Any cross-border data transfer (which also includes remote access from a foreign country) to a country without an adequate level of data protection is prohibited, unless there is a sufficient safeguard, in particular a contractual clause such as the EU-Model Clauses, ensuring an adequate level of data protection in the country where the importing company is located and the data subject has been previously informed about the transfer or the transfer could be inferred by the circumstances.
6. Data retention and storage
Personal data shall be retained only for the period required by applicable law or needed for one of the purposes for which it is retained as authorized pursuant to applicable law, whichever is longer.
This being said, personal data collected for the purposes of paragraph 1 letters a) and b) will be stored by WISeKey S.A. for a period of 7 years from the certificate expiry date to provide evidence in the event of a challenge on the validity of a certificate or a digital signature. Such period may be extended with regard to specific records and information upon request by the data subject of special archiving services. In all cases, the records may be archived in paper or electronic form. Personal data collected for the purposes referred to in paragraph 1 letters c) and d) will be stored by Bulgari S.p.A. until the data subject revokes the consent to the processing of data. Data relating to the details of purchases processed for profiling and marketing purposes can be retained for 10 years in accordance with the decision of the Italian Data Protection Authority of 24 April 2013 or, if earlier, until the data subject revokes the consent to the processing of data. After the expiration of the retention period, personal data will be automatically deleted or made anonymous permanently.
7. Rights of the data subject
The data subject is entitled to exercise the rights referred to in Article 8 of the FADP and in Article 7 of the DPC (both detailed below), requesting, inter alia, written information at any time on the processing of and the content of the collected personal data by Bulgari S.p.A., addressing a specific request to Bulgari S.p.A. - Data processor, Lungotevere Marzio 11 00186 Roma (RM), or by sending an e-mail to: firstname.lastname@example.org.
With the same modalities, the data subject may oppose, in whole or in part, without affecting the lawfulness of processing based on consent before its withdrawal, without economic charge and on legitimate grounds, the processing of his/her personal data or oppose their processing when performed through automated contact means (e-mail, fax) and require correction or deletion of the collected personal data.
ARTICLE 8 of the FADP
(Right to information)
1. Any person may request information from the controller of a data file as to whether data concerning them is being processed.
2. The controller of a data file must notify the data subject of:
a. all available data concerning the subject in the data file, including the available information on the source of the data;
b. the purpose of and if applicable the legal basis for the processing as well as the categories of the personal data processed, the other parties involved with the file and the data recipient.
3. The controller of a data file may arrange for data on the health of the data subject to be communicated by a doctor designated by the subject.
4. If the controller of a data file has personal data processed by a third party, the controller remains under an obligation to provide information. The third party is under an obligation to provide information if he does not disclose the identity of the controller or if the controller is not domiciled in Switzerland.
5. The information must normally be provided in writing, in the form of a printout or a photocopy, and is free of charge. The Federal Council regulates exceptions.
6. No one may waive the right to information in advance.
ARTICLE 7 of the DPC
(Right to Access Personal Data and Other Rights)
2. A data subject shall have the right to be informed:
a) of the source of the personal data;
b) of the purposes and methods of the processing;
c) of the logic applied to the processing, if the latter is carried out with the help of electronic means;
d) of the identification data concerning data controller, data processors and the representative designated as per Section 5(2);
e) of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State's territory, data processor(s) or person(s) in charge of the processing.
3. A data subject shall have the right to obtain:
a) updating, rectification or, where interested therein, integration of the data;
b) erasure, anonymization or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed;
c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.
4. A data subject shall have the right to object, in whole or in part,
a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;
b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys.
8. Data controllers
The data controllers are:
- WISeKey S.A. - World Trade Center II, 29 route de Pré-Bois, Case postale 853, 1215 Geneva 15, Switzerland, for the purposes described in paragraph 1 letters a) and b).
- Bulgari S.p.A. - Via dei Condotti, 11 - 00186 Rome (RM) - Italy, for the purposes described in paragraph 1 letters c) and d).
9. Data processors
The data processors are:
- the CENTRAL F&A SUPPORT Director so appointed by Bulgari S.p.A.
- the CENTRAL CUSTOMER SUPPORT manager appointed by WISeKey S.A.