Revised date: April 2020
The protection of your personal data is very important to the Tod’s Group, so we pay great attention to the collection and management of the personal data that you provide us or that we automatically collect when you navigate any of our websites (hereinafter, “Site”). Thus, we adopt specific measures to guarantee its safety, confidentiality and integrity, in compliance with the provisions of EU Regulation 679/2016 (hereinafter, "Regulation"), of the California Consumer Privacy Act of 2018 (CCPA) and any other specific local rules applicable to the protection of personal data.
We will provide you with necessary additional information when we ask for your private information in some areas of the Site to help you evaluate each time if you wish to proceed with providing us your personal data for the indicated purpose of processing.
1. Data Controller
The data controller of your personal data is Tod’s S.p.A., with registered office at 1 Via Filippo Della Valle, Sant’Elpidio a Mare (FM), 63811 Italy (EU).
Should, concerning specific data processing purposes, Tod’s S.p.A. be joint controller with third parties, or third parties be controllers for the processing of your personal data, you will be provided with all the necessary information prior to you providing us your personal information.
2. Personal Data
When you navigate the Site, your personal data will be collected either automatically or when you are asked to provide them to access certain areas of the Site.
● Data Collected Automatically from the Site
Web Surfing Data – Data acquired by computer systems and software procedures involved in the normal operation of the Site and transmitted as part of the communication protocols of the Internet.
Web Surfing Data
This refers to information that, although not collected to identify you, by its very nature could lead to your identification if it were to be processed and combined with the data held by third parties. This type of data includes IP addresses or domain names of computers used for browsing and that connect to the Site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server (success, error, etc.) and other parameters relating to the operating system and IT environment.
This data will not be disseminated but used for the sole purpose of obtaining anonymous and aggregate data on the usage of the Site and to check its correct functioning and will be retained for the time defined by the relevant legal regulation. The data could, however, be used to ascertain liability in case of possible computer crimes against the Site. Except in the latter case, the data will not be kept for more than fifteen days.
Geolocation Data – Data relating to your physical location that is acquired by the built-in search system of the Site to obtain appropriate search results, such as the location of the nearest boutique. This data is collected only if it is used and if you provide your consent.
Data You Voluntarily Provide
So that you can avail yourself of the various services offered by the Site, we will ask you, depending on the service in question, to provide us your personal data, such as your personal information, contact information (telephone numbers, email accounts, home or residence address, etc.), data relating to the payment method, information on purchases and transactions, and others. Providing us your data is entirely voluntary but in some cases failure to do so will prevent us from providing the relevant service.
Data relating to Minors
We would like to point out that the protection of children's safety and privacy is very important to the Tod's Group. Therefore, we do not intend to collect and voluntarily use the personal data of individuals below the age of sixteen (16), or below any other minimum legal age limits in force in your country of residence. Consequently, we ask that you refrain from providing us with any personal data if you are below 16 years of age or if you are not of legal age in your country of residence.
3. Purpose and Legal Basis of Processing
We will acquire and process your personal data always in compliance with the principles of lawfulness established by the law to enable us to:
i. guarantee the smooth navigation of the Site, which necessitates processing to navigate the Site and fulfil legal obligations;
ii. process your request to purchase products from the Tod’s Group or to use the services offered by the Site, which necessitates processing to execute on contractual and/or pre-contractual measures taken upon your request;
iii. reply to your contact requests, which necessitates processing to execute on contractual and/or pre-contractual measures taken upon your request;
iv. perform marketing activities (which do not include the sale of your personal data) both via automatic means (text messages, MMSs, messaging platforms, e-mails, push notifications) and non-automatic means (mail, phone with operator), if you provide your explicit consent;
Purpose of Marketing
Marketing activities (which do not include any selling activities) can be done by sending newsletters, or through promotions, discounts, incentives, commercial information and other related means, by mail, phone call, direct sales, messaging platforms, email, automatic voice calls, text messages and/or MMSs.
In this context, we might also process your personal data to invite you to shows and events, ask you to participate in market research or to report on special initiatives dedicated to TOD'S Group customers, in the manner and period we believe to be most effective for any of the various initiatives mentioned.
v. conduct customer profiling activities, if you provide your explicit consent.
Purpose of Customer Profiling
Customer profiling can be conducted by analysing your interests and preferences regarding our products and services, as well as your shopping habits. For example, by understanding the type and frequency of your purchases on our online store when you shop using your personal account or as a "guest," as well as in our boutiques, we are able to guarantee a personalized service in your future visits to the TOD'S Group boutiques.
If you also have consented to processing your personal data for marketing purposes (which do not include the sale of your personal data), we will be able to send you promotional information and/or invitations to initiatives that best fit your profile, preferences and expectations as a shopper.
Finally, we may also process your personal data to comply with any legal obligations that we may have and to pursue our rights or those of third parties, in compliance with the conditions and limits set forth by the current applicable laws.
4. Processing Procedures
We will process your personal data by means of telematic, paper and computer tools, and such processing will be based on the principles of fairness, lawfulness, and transparency to protect your rights and privacy. In particular, the processing of your data, also for purposes of customer profiling, may be automated, for example through a comparative analysis of your purchases (types, quantities, frequency, timing etc.), and through the analysis of the type and number of your requests for product information within a given timeframe.
We will process your personal data in a manner that will minimize the risk of destruction, loss, and unauthorized access to your data or any unauthorized or non-compliant processing.
5. Disclosure and Dissemination of Personal Data
We will not disseminate your personal data.
We will not sell your personal data to third parties.
We may disclose your personal data, but only for the purposes described above, to other companies within the Tod's Group, as well as to companies directly or indirectly controlled or owned by Tod's S.p.A., with headquarters in countries within and outside the European Union (EU) and the US.
Your data may also be accessible to companies, organizations or associations that perform technical and organizational tasks on our behalf, again consistent with attaining the purposes previously described, as well as to public authorities when it is lawful and legally required.
Any transfers of your personal data to entities outside the European Economic Area (EEA) or the US will be made only if the level of protection of personal data, guaranteed by the Regulation, is not compromised.
In any event, your personal data will be processed only by parties duly instructed and able to provide adequate technical and organizational safeguards, as well as bound to the strictest confidentiality by the Data Controller.
6. Data Retention Period
We will process your personal data at different times depending on the purpose. In any event, we will retain your personal data only for the period strictly necessary to achieve the purpose for which it was collected and processed, except when specific provisions of the law require longer retention periods.
i. Data collected and processed for marketing purposes: until you withdraw your consent.
ii. Data collected and processed for customer profiling purposes: 7 years from the date you gave consent, automatically renewed each time you make a purchase at any one of the boutiques/points of sale under the Tod’s Group, including its online store.
iii. Data collected and processed to access services on the Site: the retention and processing of your data will take place for the time strictly necessary to allow you access to the service requested. Your data will be stored no more than 7 years from the date you used the service in question.
iv. Data collected and processed to fulfil your request: the retention and processing of your data will take place for the time strictly necessary to respond to your contact request and/or allow us to perform any task related to such request.
v. Data collected and processed to protect our rights or that of third parties: the retention and processing of your data will take place for the time strictly necessary to pursue these rights as they arise.
vi. Data collected and processed in compliance with legal provisions: the retention and processing of your data will take place within the time frame set by the applicable law.
7. Your Rights
You have the right to know which of your personal data we have stored and which ones are being processed, to request disclosure of such data and additional details, including its use purposes and any third parties with which such data may have been shared, to update or correct it, as well as in cases provided for by the law, to delete it, and to restrict or object to the processing even after you have provided your explicit consent. You may also request your personal data to be delivered in electronic format (or any other useable format) to you or a third party of your choosing.
You may at any time email the Data Protection Officer (DPO) at email@example.com to exercise the following rights provided for by the Regulation regarding the specific processing activities we conduct. Specifically, you have the right to:
a) request access to your personal data, as well as receive information about the purposes of the processing, types of data processed, parties or types of parties your data will be disclosed to, the expected retention period, and application, if any, of customer profiling techniques and automated decision-making processes;
b) request to correct your personal data, as well as update any information relating to you, though in some cases you will be asked to verify first the new data that you provided us.
c) request to delete or remove your personal data when its processing is no longer necessary, when you wish to exercise your right to object to its processing and there is no other legal basis to retain said data, if we have violated any laws related to said processing, or if we are required to delete your personal data to comply with a specific regulatory provision. Please note that due to some legal constraints beyond our control, we may be prevented from satisfying your request at all or to its full extent. In those cases, you will be informed promptly of the reasons behind our complete or partial inability to comply with your request.
d) request to object to the processing of your personal data or terminate in any way the processing according to your wishes. We would like to point out that should we accommodate such request, there may or may not be a lawful basis for doing so.
If you had given your explicit consent to the processing, we will comply with your request to terminate the processing within the time frame set by the Regulation.
Further, you may also withdraw your consent to processing for marketing (which do not include the sale of your personal data) and/or customer profiling purposes by emailing the DPO as indicated above, or even do so directly from your personal account (if activated) on the Site. Withdrawing your consent does not negate the legitimacy of the processing you had previously consented to.
We also would like to highlight that withdrawing your consent could prevent us from providing certain services or products in the Site and in the boutiques of the Tod’s Group. In those cases, we will alert you so you can fully evaluate the effects of withdrawing your consent.
Finally, if the processing is performed based on our legitimate interests or that of third parties, we reserve the right to evaluate the reasons for your request. If the purposes of processing legitimately override your interests, rights, and freedoms, or if it is necessary for us to process such data to file a claim, execute legal actions, or defend ourselves in court, we will have to reject your request and let you know of the reasons for such a decision.
e) request to restrict or suppress the processing of your personal data in the following cases:
i. if you request us to verify the accuracy of your data;
ii. if the data has been unlawfully processed and you prefer to restrict the processing rather than delete your data;
iii. if you want us to retain your data even if we no longer have to, so that you may establish, exercise, or defend a legal claim;
iv. if you object to the processing but we have to retain your data to ascertain if our legitimate interests override yours.
f) request to receive your personal data or provide them to a third party of your choosing in a structured, commonly used, machine-readable format. This will be carried out only if it is technically possible to do so, if your personal data was processed by automated means, and if the processing was based on your consent or the performance of a contract.
When processing your request, we reserve the right to ask you in ways we deem appropriate for specific information to help us confirm your identity and be reasonably certain that only you can access your personal data and no unauthorized third party can obtain them.
We are committed to accommodating and following up on your request to exercise one or more rights, where possible, within a month of receiving it. Occasionally, but always in compliance with the terms set by the law, we might take longer to process the request if it is particularly complex or if you have submitted several other requests. In those cases, we will let you know and keep you posted, but in no event will such processing exceed forty-five (45) days, except that we reserve the right to extend such term for an additional forty-five (45) days upon your receipt of written notification of such extension.
The processing of your request is free of charge.
However, if your requests are manifestly unfounded, excessive, or repetitive in nature, we reserve the right to:
a) ask you to pay a reasonable fee based on the administrative costs incurred to action your request;
b) refuse to comply with your request, specifying to you the reasons for such refusal.
Finally, you may decide at any time to file a complaint with competent authorities if you believe that one or more of your rights or any rules of the Regulation have been violated.
You may exercise these rights by sending an email to the Data Protection Officer (DPO) at firstname.lastname@example.org.
You can also contact the DPO to request further information or clarification, or to obtain specific information about who is authorized to access your personal data.
8. Updates to this Policy
We may also need to contact you, if legally required, to obtain your consent and allow you to continue to use the services of the Site.
We therefore ask that you visit this page periodically.