The protection of your personal data is very important to the Tod’s Group, so we pay great attention to the collection and management of the personal data that you provide us or that we automatically collect when you navigate any of our websites (hereinafter, “Site”). Thus, we adopt specific measures to guarantee its safety, confidentiality and integrity, in compliance with the provisions of EU Regulation 679/2016 (hereinafter, "Regulation") and any specific local rules applicable to the protection of personal data.
We will provide you with necessary additional information when we ask for your private information in some areas of the Site to help you evaluate each time if you wish to proceed with providing us your personal data for the indicated purpose of processing.
1. Data Controller
The data controller of your personal data is Tod’s S.p.A., with registered office at 1 Via Filippo Della Valle, Sant’Elpidio a Mare (FM), 63811 Italy. Should Tod’s S.p.A. be joint controllers with third parties for certain reasons related to the processing of your personal data, you will be provided with all the necessary information prior to you providing us your personal information.
2. Personal Data
When you navigate the Site, your personal data will be collected either automatically or when you are asked to provide them to access certain areas of the Site.
● Data Collected Automatically from the Site
Web Surfing Data – Data acquired by computer systems and software procedures involved in the normal operation of the Site and transmitted as part of the communication protocols of the Internet.
This refers to information that, although not collected to identify you, by its very nature could lead to your identification if it were to be processed and combined with the data held by third parties. This type of data includes IP addresses or domain names of computers used for browsing and that connect to the Site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server (success, error, etc.) and other parameters relating to the operating system and IT environment.
This data will not be disseminated but used for the sole purpose of obtaining anonymous and aggregate data on the usage of the Site and to check its correct functioning and will be retained for the time defined by the relevant legal regulation. The data could, however, be used to ascertain liability in case of possible computer crimes against the Site. Except in the latter case, the data will not be kept for more than fifteen days.
Geolocation Data – Data relating to your physical location that is acquired by the built-in search system of the Site to obtain appropriate search results, such as the location of the nearest boutique. This data is collected only if it is used and if you provide your consent.
Data You Voluntarily Provide
So you can avail of the various services offered by the Site, we will ask you, depending on the service in question, to provide us your personal data, such as your personal information, contact information (telephone numbers, email accounts, home or residence address, etc.), data relating to the payment method, information on purchases and transactions, and others. Providing us your data is entirely voluntary but in some cases failure to do so will prevent us from providing the relevant service.
Data relating to Minors
We would like to point out that the protection of children's safety and privacy is very important to the Tod's Group. Therefore, we do not intend to collect and voluntarily use the personal data of individuals below the age of sixteen (16), or below any other minimum legal age limits in force in your country of residence. Consequently, we ask that you refrain from providing us with any personal data if you are below 16 years of age or if you are not of legal age in your country of residence.
3. Purpose and Legal Basis of Processing
We will acquire and process your personal data always in compliance with the principles of lawfulness established by the law to enable us to:
i. guarantee the smooth navigation of the Site, which necessitates processing to navigate the Site and fulfill legal obligations;
ii. process your request to purchase products from the Tod’s Group or to use the services offered by the Site, which necessitates processing to execute on contractual and/or pre-contractual measures taken upon your request;
iii. reply to your contact requests, which necessitates processing to execute on contractual and/or pre-contractual measures taken upon your request;
iv. conduct marketing activities, if you provide your explicit consent;
Marketing activities can be done by sending newsletters, or through promotions, discounts, incentives, commercial information and other related means, by mail, phone call, direct sales, email, automatic voice calls, sms and/or mms.
In this context, we might also process your personal data to invite you to shows and events, ask you to participate in market research or to report on special initiatives dedicated to TOD'S Group customers, in the manner and period we believe to be most effective for any of the various initiatives mentioned.
v. conduct customer profiling activities, if you provide your explicit consent.
Customer profiling can be conducted by analysing your interests and preferences regarding our products and services, as well as your shopping habits. For example, by understanding the type and frequency of your purchases on our online store when you shop using your personal account or as a "guest,” as well as in our boutiques, we are be able to guarantee a personalized service in your future visits to the TOD'S Group boutiques.
If you also have consented to processing your personal data for marketing purposes, we will be able to send you promotional information and/or invitations to initiatives that fit best your profile, preferences and expectations as a shopper.
Finally, we may also process your personal data to comply with any legal obligations that we may have and to pursue our legitimate interests or that of third parties, in compliance with the conditions and limits set by the current legislation.
We will process your personal data by means of telematic, paper and computer tools, and such processing will be based on the principles of fairness, lawfulness, and transparency to protect your rights and privacy. In particular, the processing of your data, also for purposes of customer profiling, may be automated, for example through a comparative analysis of your purchases (types, quantities, frequency, timing etc.), and through the analysis of the type and number of your requests for product information within a given timeframe.
We will process your personal data in a manner that will minimize the risk of destruction, loss, and unauthorized access to your data or any unauthorized or non-compliant processing.
We will not disseminate your personal data.
We may disclose your personal data, but only for the purposes described above, to other companies within the Tod's Group, as well as to companies directly or indirectly controlled or owned by Tod's S.p.A., with headquarters in countries within and outside the European Union (EU).
Your data may also be accessible to companies, organizations or associations that perform technical and organizational tasks on our behalf, again consistent to attaining the purposes previously described, as well as to public authorities that make it lawful and legally required.
Any transfers of your personal data to entities outside the European Economic Area (EEA) will be made only if the level of protection of personal data, guaranteed by the Regulation, is not compromised.
In the event that we have to transfer your personal data to entities outside the European Economic Area (EEA), such as to companies of the Tod's Group and/or to third parties that perform technical and organizational tasks on our behalf, again consistent with the purposes for which your data has been collected and processed, we will do so only if it is possible to guarantee the same level of data protection as that in the European Union (EU).
In fact, we can ensure that data transfers will take place only if it satisfies at least one of the following security measures, as required by the Regulation:
• inclusion of the country in the list of non-EU countries determined by the European Commission to have adequate data protection standards. For more information, please consult the European Commission’s web page on the Adequacy of the protection of personal data in non-EU countries
• existence of specific standard contractual clauses (EU Model Contract Clauses), approved by the European Commission, that ensures that the processing performed by our partners outside the EEA offers the same guarantees of protection of personal data as those within the EU. For more information, please consult the European Commission’s web page on the "Standard contracts for data transfers to third countries"
• for our partners based in the US, adherence to the EU-US Privacy Shield that guarantees the same level of personal data protection as that provided in the EU.
You may contact us for more information on the specific procedures we use to transfer personal data to countries outside the EEA.
You may also contact our Data Protection Officer (DPO) at the email address below to receive additional information on the guarantees protecting your personal data in the event it is transferred to countries outside the EEA.
At any event, your personal data will be processed only by parties, duly instructed and able to provide adequate technical and organizational safeguards, as well as bound to the strictest confidentiality by the Data Controller.
6. Data Retention Period
We will process your personal data at different times depending on the purpose. At any event, we will retain your personal data only for the period strictly necessary to achieve the purpose for which it was collected and processed, except when specific provisions of the law require longer retention periods.
You may at any time email the Data Protection Officer (DPO) at email@example.com to exercise the following rights provided for by the Regulation regarding the specific processing activities we conduct. Specifically, you have the right to:
a) request access to your personal data, as well as receive information about the purposes of the processing, types of data processed, parties or types of parties your data will be disclosed to, the expected retention period, and application, if any, of customer profiling techniques and automated decision-making processes;
b) request to correct your personal data, as well as update any information relating to you, though in some cases you will be asked to verify first the new data that you provided us.
c) request to delete or remove your personal data when its processing is no longer necessary, when you wish to exercise your right to object to its processing and there are no other legal basis to retain said data, if we have violated any laws related to said processing, or if we are required to delete your personal data to comply with a specific regulatory provision. Please note that due to some legal constraints beyond our control, we may be prevented from satisfying your request at all or to its full extent. In those cases, you will be informed promptly of the reasons behind our complete or partial inability to comply with your request.
d) request to object to the processing of your personal data or terminate in any way the processing according to your wishes. We would like to point out that should we accommodate such request, there may or may not be a lawful basis for doing so.
If you had given your explicit consent to the processing, we will comply with your request to terminate the processing within the time frame set by the Regulation.
Further, you may also withdraw your consent to processing for marketing and/or customer profiling purposes by emailing the DPO as indicated above, or even do so directly from your personal account (if activated) on the Site. Withdrawing your consent does not negate the legitimacy of the processing you had previously consented to.
We also would like to highlight that withdrawing your consent could prevent us from providing certain services or products in the Site and in the boutiques of the Tod’s Group. In those cases, we will alert you so you can fully evaluate the effects of withdrawing your consent.
Finally, if the processing is performed based on our legitimate interests or that of third parties, we reserve the right to evaluate the reasons for your request. If the purposes of processing legitimately override your interests, rights, and freedoms, or if it is necessary for us to process such data to file a claim, execute legal actions, or defend ourselves in court, we will have to reject your request and let you know of the reasons for such a decision.
e) request to restrict or suppress the processing of your personal data in the following cases:
i. if you request us to verify the accuracy of your data;
ii. if the data has been unlawfully processed and you prefer to restrict the processing rather than delete your data;
iii. if you want us to retain your data even if we no longer have to so you may establish, exercise, or defend a legal claim;
iv. if you object to the processing but we have to retain your data to ascertain if our legitimate interests override yours.
f) request to receive your personal data or provide them to a third party of your choosing in a structured, commonly used, machine-readable format. This will be carried out only if it is technically possible to do so, if your personal data was processed by automated means, and if the processing was based on your consent or the performance of a contract.
When processing your request, we reserve the right to ask you in ways we deem appropriate for specific information to help us confirm your identity and be reasonably certain that only you can access your personal data and no unauthorized third party can obtain them.
We are committed to accommodating and following up on your request to exercise one or more rights, where possible, within a month of receiving it. Occasionally, but always in compliance with the terms set by the law, we might take longer to process the request if it is particularly complex or if you have submitted several other requests. In those cases, we will let you know and keep you posted.
The processing of your request is free of charge.
However, if your requests are manifestly unfounded, excessive, or repetitive in nature, we reserve the right to:
a) ask you to pay a reasonable fee based on the administrative costs incurred to action your request;
b) refuse to comply with your request.
Finally, you may decide at any time to file a complaint with the Supervisory Authority if you believe that one or more of your rights or any rules of the Regulation have been violated.
7. Your Rights
You have the right to know which of your personal data we have stored and which ones are being processed, to request to update or correct it, as well as in cases provided for by the law, to delete it, and to restrict or object to the processing even after you have provided your explicit consent. You may also request your personal data to be delivered in electronic format to a third party of your choosing.
You may exercise these rights by sending an email to the Data Protection Officer (DPO) at firstname.lastname@example.org.
Withdrawal of Consent
While you may withdraw your consent for processing your personal data for marketing and/or customer profiling purposes by sending an email to this address: email@example.com, through our newsletter, which contains a web link, you may:
i. deactivate your subscription to our newsletter;
ii. withdraw your consent to processing your personal data for marketing purposes. In which case, we will cease all our advertising and/or promotional communications and automatically deactivate any active subscription to our newsletter (relating to any Tod’s Group brand);
iii. withdraw your consent to processing for customer profiling purposes.
Furthermore, you may at any given time, withdraw (or give) your consent to processing for purposes of marketing and/or customer profiling through your personal account, if you have activated one, on our Site.
Withdrawing your consent does not negate the legitimacy of the processing you had previously consented to.
You can also contact the DPO to request further information or clarification, or to obtain specific information about who is authorized to access your personal data.
8. Updates to this Policy
We may also need to contact you, if legally required, to obtain your consent and allow you to continue to use the services of the Site.
We therefore ask that you to visit this page periodically.