PRIVACY POLICY UNDER ARTICLE 13 OF EU REGULATION 2016/679 by ARENA ECOM GmbH
1. Foreword
For Arena Ecom GmbH (henceforth 'Arena') your privacy and the security of your personal data are important.
We treat your data with the utmost care, taking the necessary technical and structural measures to ensure its full security in accordance with European Regulation 2016/679 (hereinafter 'GDPR') and national implementing regulations.
Your personal data acquired as a result of your interaction with our website will be processed by means of manual processing or electronic or automated, computerised or telematic tools.
As we use so-called cookies, we invite you to read the relevant information sheet to find out all the details on this as well. You can do this by going to the following link: https://www.arenasport.com/en_row/cookie-policy
2. Definitions
The following definitions are used in this document.
Personal data: this is any information concerning a natural person which, alone or in combination with other data or by means of computer techniques, makes it possible to identify a person. Examples of personal data are a name, address, identification document number, e-mail address, telephone number.
Processing: is any operation, automated or not, applied to personal data, such as collection, recording, storage, consultation, use, deletion.
Data controller: is the legal person who carries out the processing and determines the purpose and means by which the processing is carried out.
Processor: means the natural or legal person (in some cases a public authority) or other body that processes personal data on behalf of the Controller.
Data subject: means the identified or identifiable natural person to whom the personal data refer.
3. Identity and contact details of the Data controller
The processing of your personal data is carried out by Arena Ecom GmbH, Zielstattstr. 27, 81379 Munich, a subsidiary of Arena S.p.a., Benefit Company, (hereinafter 'Arena S.p.a.') with registered office in Tolentino (MC), Italy, C.da Cisterna 84/85, as Autonomous Controller of the processing. If you have any questions and/or requests regarding the processing of your personal data, please write to : privacy@arenasport.com
We would like to inform you that the parent company Arena S.p.a. uses the support of an external Data Protection Officer (hereinafter referred to as 'DPO'), i.e. a lawyer specialised in privacy protection, who provides the necessary advice on compliance with the laws in this area to ensure our reliability.
If you prefer, you can also contact the DPO of Arena S.p.a. via the email address: dpo@arenasport.com.
4. Type of data and purpose of processing
The personal data Arena processes are those you provide when you place an order to purchase our products (such as, for example, first name, last name, billing and shipping address).
Your personal data, once collected, will be processed for the following purposes:
Purpose | Legal basis | |
---|---|---|
A | Finalise your purchase orders. | These processing operations are necessary for the fulfilment of contractual obligations for which no specific consent is required. |
B | Send you the purchased products. | These processing operations are necessary for the fulfilment of contractual obligations for which no specific consent is required. |
C | Fulfilling obligations under national and European laws and/or regulations or provisions issued by Authorities and Supervisory and Control Bodies. | In these cases, processing is necessary to comply with legal obligations and/or provisions issued by Authorities and Supervisory and Control Bodies and therefore does not require any consent from the data subject. |
The provision of your personal data for the purposes set out in points A and B above is optional, but without it we will obviously not be able to process your purchase order.
5. Categories of recipients of personal data
Your personal data is processed by specifically authorised personnel in accordance with Article 4 paragraph 10 of the GDPR, who process data under precise instructions from the Data Controller.
It may happen that we use third parties and that your personal data are processed by them on our behalf. These parties are appropriately selected by us to ensure that the processing meets the standards of the GDPR.
These individuals have been appointed as Data Processors pursuant to Article 28 of the GDPR and are required to carry out their activities according to specific instructions.
These may be: financial operators, internet providers, companies specialising in IT services, couriers, companies specialising in logistics services.
A specific and up-to-date list of these providers is available on request.
The data may also be passed on to third parties in the event of mergers, acquisitions, transfer of a company or company branch and other corporate transactions, as well as to anyone who is a legitimate recipient of communications required by law or regulations.
For the pursuit of the above-mentioned processing purposes, your personal data may be disclosed to other companies of the Group, which will process the data in accordance with the applicable regulations.
Your data may also be passed on to law enforcement or judicial/administrative authorities for the detection and prosecution of criminal offences, the prevention and protection against threats to public safety, as well as for exercising or protecting your own rights or the rights of third parties before the competent authorities, and for other reasons related to the protection of the rights and freedoms of others.
6. Data transfer to countries outside the European Union
As a general rule, your data will not be transferred outside the European Union or to countries that are not considered adequate to EU protection standards.
Should this happen, the transfer will be carried out in accordance with European regulations and subject to the conclusion of agreements containing the so-called 'Standard Contractual Clauses' made available by the European Commission.
7. Data Retention
Your data will be kept for the shortest possible period of time, which varies according to the type of processing and the specific purpose of processing. In particular:
data collected to conclude and perform contracts for the purchase of goods or services will be retained for ten years from the date of invoicing;
Data provided in connection with requests to our Customer Service will be stored for a period not exceeding five years.
At the end of these periods, your data will be permanently deleted or otherwise irreversibly anonymised.
8. Rights of the data subject
Pursuant to the GDPR, you have the right to:
- Access (Art. 15 GDPR): You have the right to request confirmation as to whether or not your data is being processed, to obtain specific information on any processing that is taking place and to obtain a copy.
- Rectification (Article 16 GDPR): You have the right to ask for your data to be supplemented if they are incomplete or corrected if they are inaccurate.
- Erasure (Art. 17 GDPR): In the cases provided for by current legislation, you may request the deletion of your personal data. Your request will be analysed and processed promptly if it is legitimate.
- Restriction (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data in the event of unlawful processing or if the data are found to be inaccurate.
- Portability (Art. 20 GDPR): You have the right to the transfer of your data to another data controller if it relates to processing based on consent and the processing was carried out in an automated manner, provided that the transfer is technically feasible.
- Objection (Art. 21 GDPR): You have the right to object to the processing of your personal data without specifying the reasons if the processing is carried out for direct marketing activities. You also have this right in other cases but only for reasons related to a particular situation that must be specified in your request.
- Complaint (Art. 77 GDPR): You have the right to lodge a complaint with the Data Protection Authority if you believe your privacy rights have been infringed.
Further information on the rights of the data subject can be obtained by asking the Data Controller for a full extract of the above-mentioned GDPR articles.
9. Security Measures
Arena takes appropriate and preventive security measures to safeguard the confidentiality, integrity, completeness, and availability of your personal data.
Our website uses information encryption systems both on the login page and in the other sections where you can release, view or modify your personal data.
Arena disclaims all liability for the processing of false or otherwise fraudulently submitted data.
10. Amendments to this policy
The constant evolution of our services may entail changes in the characteristics of the processing of your personal data, of which we will inform you as soon as possible. We therefore invite you to periodically check the contents of our information notice, which will always be published on our site with the date of the last update.
Date of last update: 09/09/2024