Privacy Policy pursuant to and for the purposes of
Article 13 of EU Regulation 2016/679 ("GDPR").
Personal Data is defined by Article 4 No. 1) of the GDPR as "any
information relating to an identified or identifiable natural person (Data
Subject); an identifiable person is one who can be identified, directly or
indirectly, by reference in particular to an identifier such as a name, an
identification number, location data, an online identifier or to one or more
factors specific to his or her physical, physiological, genetic, mental,
economic, cultural or social identity" (hereinafter the "Personal
Data").
This policy explains how we collect, use and protect the Personal Data
of all users (the "Users") who access Lookalike through the mobile
application downloaded on smartphones or tablets and through the website www.lookalike.it (the
"Platform"). The processing of
Personal Data shall be inspired by lawfulness, fairness, transparency, purpose
limitation, data minimization, accuracy, storage limitation, integrity,
confidentiality and accountability according to the general principles defined
in Article 5 of the GDPR.
It should be noted in advance that Lookalike refers via a link to
third-party Partner websites where Users can purchase products or fashion
items. In such cases, the data protection provisions applied by these
third-party websites will apply in addition to what is contained in this
information notice, and therefore the User is invited to read it.
For the definitions of Tips, Shop, Partner, Product and Platform, Users
are invited to consult our Terms and Conditions.
1. Data Controller and Data Protection Officer
The data controller is Lookalike S.r.l., with
registered office in Via del Gonfalone 3, 20123 Milan
(MI), P.I./C.F. 11814320963, pec lookalikesrl@pec.it, (the "Data
Controller").
The company has appointed a Data Protection Officer (DPO) who can be
reached at the company's address in Via del Gonfalone
3, 20123 Milan (MI) and by e-mail at dpo@lookalike.shop.
2. Personal data subject to processing
The Personal Data collected include Personal Data provided voluntarily
and automatically collected Usage Data.
Personal Data provided voluntarily includes the following.
- Personal data for opening and managing an account,
including for registration via Facebook, such as name, surname, e-mail address,
password and telephone number.
- Personal data for completing the profile, such as
profile photo, gender, date of birth and information about favourite
products.
- Email address and contact details for receiving
newsletter service and marketing communications.
Automatically collected Usage Data includes the following.
- Personal Data derived from the use of the Platform
whenever Users interact with it such as the IP address used to connect to the
Internet with the computer or mobile phone, information about the computer or
mobile phone such as the Internet connection, browser type, version, operating
system and device type.
- Personal Data derived from "cookies" or
other tracking tools: the Controller uses its own
cookies and those of third parties to make navigation easier for Users, for
statistical purposes and, only with consent, for profiling (please see our
Cookie Policy).
Geolocation data:
subject to Users' consent, the Controller collects real-time location data,
including geographic location data, from the computer or mobile phone to
improve the User experience.
Prohibited data: as established in the Terms and Conditions it is
forbidden to provide Lookalike with any content that contravenes the
prohibitions and limitations established in the Terms and Conditions
(especially with regard to the uploaded images and the prohibition of
processing through this function Personal Data, of the User himself or of third
parties).
The Data Controller only processes the Personal Data of persons aged 18 years
or over and accepts no liability for any misrepresentation provided during
registration and creation of the personal account.
3. Purpose of processing and legal basis
Personal Data are processed for the following purposes:
a) Pre-contractual and contractual purposes of fulfilling
the Terms and Conditions of Lookalike in order to access and use the services
offered by the Platform. The processing of Personal Data for this purpose has
its legal basis in Art. 6 par. 1 lett. b) of the
GDPR, according to which the processing is necessary for the performance of a
contract to which the data subject is party or for the performance of
pre-contractual measures taken at the request of the same.
This purpose includes
the processing of Personal Data carried out to:
- allow Users to use the Platform;
- allow registration to the Platform;
- maintain and manage the User's account;
- use the services of the Platform;
- receive notifications of new brands, favourite articles, activities relating to Tips received
and other important messages relating to the operation of the Platform.
b) Purposes of fulfilling obligations required by law,
regulations or EU legislation, such as obligations under tax, fiscal or
accounting legislation or obligations relating to the protection of Personal
Data (such as those relating to the exercise of data subjects' rights). The
processing of Personal Data for this purpose finds its legal basis in Article
6(1)(c) of the GDPR, pursuant to which the processing is necessary to comply
with a legal obligation to which the Data Controller is subject.
c) General marketing purposes / newsletter service.
Subject to the User's consent, the Controller shall process the User's Personal
Data to send commercial communications relating to the Products, including the
newsletter and for other activities with the purpose of commercial promotion
and marketing in the broad sense (advertising communication, solicitation of
purchasing behaviour, market research, surveys by
e-mail, sms, post and/or telephone). The processing
of Personal Data for such purposes has its legal basis in Article 6(1)(a) of
the GDPR and is therefore based on consent. The User may revoke at any time the
consent given and/or object, at any time, to the processing of his/her data for
marketing purposes. Withdrawal of consent shall not affect the lawfulness of
the processing based on the consent before withdrawal.
d) Profiling for marketing purposes. Subject to the
express consent of the User, Lookalike shall process the Personal Data of the
Users, in an automated way, in order to monitor and track the behaviour and the activity of the Users on the Platform,
collecting and recording the data related to the navigation (e.g.: pages
visited, Products viewed, access device, dwell time) and to send the Users personalised offers. The processing of Personal Data for
this purpose finds its legal basis in Article 6(1)(a) of the GDPR and is
therefore based on consent. The User may revoke his/her consent and/or object,
at any time, to the processing of his/her data for profiling purposes for
marketing purposes. Withdrawal of consent does not affect the lawfulness of the
processing based on consent prior to withdrawal.
e) Legal defence purposes in
order to allow the legal defence of a right or interest
of the Controller before any competent authority or body. The processing of
Personal Data for this purpose finds its legal basis in Article 6(1)(f) of the
GDPR whereby the processing is necessary for the pursuit of the legitimate
interest of the Data Controller. It is in the legitimate interest of the Data
Controller to pursue remedies to ensure that its contractual rights are
respected or to demonstrate that it has fulfilled its obligations arising from
the contract with the data subject or imposed on the Data Controller by law.
4. Recipients of Personal Data
The Personal Data provided by the User may be communicated by the Data Controller
to the categories of recipients indicated below. The subjects to whom the Data
Controller communicates the Data act, according to the requirements of the law,
as autonomous controllers when they determine the purposes and means of
processing, data processors pursuant to art. 28 GDPR when they process the
Personal Data on behalf of the Controller or as subjects authorised
to process pursuant to art. 2 quaterdecies of the
Privacy Code (Legislative Decree 196/2003 as amended by Legislative Decree
101/2018) when they act internally within the structure under the control and
direction of the Controller.
Without prejudice to belonging to one of the above categories, Personal
Data may be shared with the following entities.
a) Employees and/or collaborators of the Data Controller,
for the performance of administration, accounting and IT support activities.
b) Companies, consultants or professionals who may be
responsible for the installation, maintenance, updating and, in general, the
management of the Data Controller's hardware and software.
c) Companies in charge of sending commercial
communications.
d) Companies that provide the software to carry out the
activity of tracking, monitoring and profiling for marketing purposes.
e) All those subjects, including public authorities, who
have access to the Data by virtue of regulatory or administrative provisions.
f) All those public and/or private subjects, natural
and/or legal persons (legal, administrative and fiscal consultancy firms), if
the communication is necessary or functional to the correct fulfilment of the
contractual obligations undertaken in relation to the services of the Platform
as well as the obligations deriving from the law or in the case of
ascertaining, exercising or defending a right.
Lookalike may share the User's Data at the time of the transfer to third
parties of rights and obligations relating to the contractual relationship
between the User and Lookalike in accordance with the Terms and Conditions, in
particular in the case of transfer of a business sector, merger through the
foundation of a new company, merger by absorption, demerger or any change of
control affecting Lookalike. Before such an event, Lookalike will inform the
User separately about the details of the sharing of his Data and will ask for
his consent, where legally necessary.
In any case, Personal Data will only be communicated to entities that
have committed to confidentiality or have an appropriate legal obligation of
confidentiality. Personal Data will not be disclosed.
5. Data retention period and processing methods
Personal Data are kept only for the period necessary for the purposes
for which they are processed or within the terms provided by applicable
national and community laws, rules and regulations.
For the pursuit of the purposes under article 3 letters a), b) and e)
Personal Data may be kept for the entire duration of the contract as well as
for the following 10 years in order to verify any pending litigation or to
comply with any possible legal obligation.
In relation to the purpose referred to in Article 3 letter c) Personal
Data shall be stored until the revocation of consent and/or the exercise of the
right to object and, in any case, for a period not exceeding 24 months from the
collection reserving the right, before the expiry of this term, to ask the User
to renew consent and/or update the data.
In relation to the purpose referred to in Article 3 letter d) Lookalike will process
the User's data until the revocation of consent and/or the exercise of the right
to object and, in any case, not later than 12 months after collection,
reserving the right, before the expiry of this period, to ask the User to
renew consent and/or update the data.
Thereafter, we will delete the Personal Data in accordance with our Data
Retention and Deletion Rules or retain it in connection with an additional
legal basis that still exists.
6. Method of processing
The processing of Personal Data is carried out by means of paper,
computer and/or telematic tools, with organisational
methods and logics strictly related to the indicated purposes.
The Data Controller undertakes to use adequate security measures in
order to minimise the risks of loss or destruction of
data, unauthorised access or unauthorised
processing without, however, being able to guarantee that the measures adopted
exclude any risk of unauthorised access or
dissemination of data. Users are therefore advised to use access points
equipped with anti-virus software or systems for secure web browsing.
7. Transfer of Personal Data outside the European Union
For certain processing activities of Personal Data, Lookalike may
transfer such Data to external parties located in countries that do not belong
to the European Union (EU) or to the European Economic Area (EEA) (hereinafter,
"Third Countries"). The list of Third Countries will be updated from
time to time and/or available upon request; the legitimacy of such transfer is,
in any case, carried out in compliance with the appropriate and adequate
safeguards for the purposes of the transfer itself and in particular in
compliance with the general principle for transfer set out in Art. 44 GDPR, the
existence of an adequacy decision of the European Commission pursuant to Art.
45 GDPR, of adequate safeguards pursuant to Article 46 GDPR - including the
standard data protection clauses adopted by the Commission in accordance with
the examination procedure referred to in Article 93(2) GDPR - and in the
presence of one of the specific situations of derogation referred to in Article
49 GDPR, including the explicit consent to the transfer by the Data Subject.
8. Obligation to communicate personal data and consequences of non-communication
For the pursuit of the purposes set forth in Article 3 letter a), the
provision of Personal Data is optional; however, since the processing of
Personal Data is necessary in order to access and use the services offered by
the Platform, failure to provide Personal Data will make it impossible for the
User to access and/or navigate the Platform and/or register and use the
services reserved for Users.
For the pursuit of the purposes set out in Article 3 letter b) the
provision of Data is mandatory, as its processing is necessary to allow the
Data Controller to fulfil legal obligations imposed on it. Any refusal to
provide the Data for this purpose will make it impossible for the User to use
the Platform.
For the purposes referred to in Article 3 letters c) and d) the
provision of data is absolutely optional. The non-disclosure of Personal Data
for the purpose of generic marketing and/or profiling and/or the non-provision
of consent to such processing and/or the revocation of such consent and/or the
exercise of the right to object do not have any consequence on the User's
ability to register with the Platform.
The interested party may also freely revoke consent at any time, without
prejudice to the legitimacy of the processing carried out prior to the
revocation, and object to the marketing or profiling processing by sending an
email to: privacy@lookalike.shop.
For the purposes referred to in Article 3 letter e) the provision of
data is optional. However, it must be borne in mind that, to the extent that
the processing is necessary for the establishment, exercise and defence of a right, the data controller is also exempt from
the obligation to erase the data, by express provision of the GDPR.
9. Ownership shared with Facebook ("Page Insights data")
Lookalike operates a so-called fan page on the social media platform
Facebook. Facebook and Lookalike are exclusively and jointly Holders for the
processing of the so-called "Insights data" (Art. 26 (1) paragraph 1
GDPR) insofar as these data are used for the creation of the so-called
"Page Insights data" and only for the data collection steps from the
fan page of Lookalike until transmission to Facebook. For the other data
processing, Lookalike and Facebook are separately holders of the respective
processing. Within the scope of their shared ownership, Lookalike and Facebook
have concluded an agreement ("Appendix on the controller for Page
Insights") which is available at the following link https://www.facebook.com/legal/terms/page_controller_addendum.
The purpose of processing the data of visitors to our fan page is to
make the page available and to provide a statistical evaluation of the use of
the page. This evaluation is made anonymous for Lookalike. The legal basis for
the data processing is Art. 6 para. 1 lit. f) of the GDPR.
10. Data Rights
Pursuant to Art. 15 et seq. of EU REG 2016/679, the User may exercise
the following rights: (1) request access to their Personal Data pursuant to
art. 15 of the GDPR, (2) obtain the rectification and/or integration of the
Data pursuant to art. 16 of the GDPR, (3) request and obtain the deletion of
the Data pursuant to and within the limits of art. 17 of the GDPR unless one of
the exceptions referred to in paragraph 3 of the same art. 17 applies, (4)
request and obtain the restriction of the processing pursuant to art. 18 of the
GDPR, (5) obtain the portability of the Data pursuant to and within the limits
of art. 19 of the GDPR which allows the User to receive the Personal Data
provided to the Controller in a structured, commonly used and machine-readable
format and - under certain conditions - transmit it to another data controller
without hindrance, (6) object, in whole or in part, to certain types of
processing pursuant to art. 21 of the GDPR, including processing for marketing
purposes, (7) withdraw consent pursuant to Art. 7(3) of the GDPR without
affecting the lawfulness of the processing based on the consent given prior to
withdrawal, (8) lodge a complaint with the Supervisory Authority (Privacy
Guarantor), (9) receive clear, transparent and easily understandable
information on how Personal Data is used and the exercise of rights, which is
why the Controller provides the information contained in this document (Art. 13
GDPR).
The exercise of rights is not subject to any formal constraints and is
free of charge. All rights may be exercised by sending an appropriate request
to the Data Controller at the following e-mail address: privacy@lookalike.shop.
11. Right to object
The User has the right to object at any time, on grounds relating to his
or her particular situation, to the processing of Personal Data concerning him
or her carried out pursuant to Article 6 par. 1 lett.
f) GDPR having as legal basis the legitimate interest of the Data Controller.
The Data Controller shall refrain from further processing the Personal Data
unless it demonstrates the existence of compelling legitimate grounds for
processing which override the interests, rights and freedoms of the Data
Subject or for the establishment, exercise or defence
of legal claims.
In case the Data are processed for direct marketing or profiling
purposes, the Data Subject is also entitled to object at any time to the
processing of Personal Data concerning him/her carried out for such purposes.
In this case, the Personal Data shall no longer be processed for such purposes.
The request to object should be made by sending an appropriate
application to the Data Controller at the following e-mail address: privacy@lookalike.shop.
12. Modification of the Privacy Policy
The Data Controller may need, in consideration of regulatory changes or
changes to its services, to update this policy by inserting the modified
version of the same on the Platform. We therefore invite Users to periodically
view the relevant section of the Platform in order to check and be aware of the
updates that have been made and, where necessary, to communicate the changes
directly to Users.