clock Today Saturday stores open   from   10:00   to   21:00   |  Food court open from   10:00   to   23:00

PRIVACY POLICY FOR THE PROTECTION OF PERSONAL DATA – VALMONTONE CARD APPLICATION

DATA CONTROLLERS 

The Data Controller for the purposes of creating accounts and registering for the App (a), issuing, selling, and managing cards (b), administrative, accounting, and tax purposes (c), and defending its rights and interests (i) is Promos S.r.l. (hereinafter also referred to as Promos), with registered office in Brescia (BS), Via San Zeno, 173, VAT and Tax Code: 03123920179 – Phone: +39 030 2422862 – Fax: +39 030 2422870, Email: privacy@promosgroup.it.

The Data Protection Officer (DPO), pursuant to Article 37 of the Regulation, can be contacted at the following email address: dpo@promosgroup.it.

The Data Controller for the purposes of displaying the nearest stores to the user (d), loyalty programs (e), marketing (f), profiling (g), soft spam (h), and defending its rights and interests (i) is DWS Grundbesitz GmbH (hereinafter also referred to as DWS), with registered office in Frankfurt am Main, Mainzer LandstraBe 11,17 (Germany), acting through its branch office, with registered office in Milan (MI), via Filippo Turati n. 25/27, VAT and Tax Code 12650270155, acting on behalf of the German real estate fund named “grundbesitz Europa,” through its legal representative, Email: privacy@valmontoneoutlet.com.

Regarding the purposes of the processing for which DWS is the data controller, Promos is the Data Processor, as it is responsible for commercial management, promotion, and relations with the stakeholders of the Outlet.

PERSONAL DATA PROCESSED 

The APP collects the following categories of personal data:

Identifying and contact information – information regarding surname, first name, date of birth, email address (data necessary for registration), telephone/mobile number, address (postcode) (optional data for registration purposes).

Other personal data – information provided regarding gender (optional data for registration purposes) and information concerning purchases both in detail and with reference to the overall spending volume progressively realized in relation to the purchase history (data collected during the use of the APP at Outlet stores). 

Geolocation data – information regarding the user’s location during the download of the APP with optional activation or when opening the APP at any time (data processed with prior consent); Usage

Data of the Cards – information regarding the ways in which cards are used by the user at Outlet stores; as well as participation in invitations and initiatives proposed by the data controller. 


HOW PERSONAL DATA IS COLLECTED 

The data controller collects the user’s personal data for issuing the cards in the following circumstances: 

if the user downloads the APP via smartphone; 

if the user uses the kiosks at the Outlet to pay and activate the dematerialized cards; 

if the user goes to the Outlet’s infopoint for any need and to receive assistance.

PURPOSES AND LEGAL BASIS OF PROCESSING 

The collected data will be processed for the following purposes: 

a) Account creation and registration 

Purpose: the data provided by users are processed to allow the creation of their account and registration for obtaining the issuance of cards and having access to all related services and offers. Legal basis: necessity to perform the contract and respond to specific user requests. Nature of provision: providing data for account creation and registration is necessary if one wishes to receive and use the cards. At any time, the user can delete the account with the “Delete” button. With the deletion of the account, the cards are also deleted, and the transactions recorded therein are anonymized.

b) Issuance, sale, and management of cards 

Purpose: the data provided by users are processed to complete the sale or issuance of Outlet cards and their management also in conjunction with third-party partners.

Legal basis: necessity to execute the contract and respond to specific user requests.

Nature of provision: providing data for the issuance and use of cards, although optional, is still necessary if one wishes to obtain and benefit from the associated advantages.

c) Administrative and Tax Purposes 

Purpose: To enable the data controller to fulfill the necessary administrative and tax obligations and reporting of the cards.

Legal basis: Legal and regulatory obligations.

Nature of provision: Providing data is necessary if one wants to avail themselves of the cards and use them.

d) Display of Nearest Stores to the User 

Purpose: To display the nearest store to the user based on geolocation data if consent has been given for the detection of their location in the browsing browser. Such geolocation data is never saved and is used in real-time, solely to order the list of stores from nearest to farthest from the user. They are never sent to the server. There is, therefore, no continuous tracking, but rather pinpoint detection, performed exclusively by the device, without the data controller having access to the location data and thus knowing the user’s whereabouts. Geolocation can be disabled at any time.

Legal basis: Consent. Failure to provide it does not prevent the issuance of cards and the use of related services and benefits. Consent can always be revoked using the settings of the APP or the phone.

Nature of provision: Providing data is optional.

e) Loyalty 

Purpose: To enjoy the benefits and initiatives reserved for users, as well as to enjoy any additional services requested by them, including participation in discounts, events, and contests.

Legal basis: Necessity to execute the contract and respond to specific user requests.

Nature of provision: Providing data is necessary if one wants to participate in the loyalty program underlying the purchase or issuance of cards.

f) Marketing 

Purpose: To receive newsletters and other informative communications from the data controller about promotions, offers, initiatives, etc., or for market research and analysis, via email, SMS, MMS, or other means, as well as through traditional methods (telephone calls by operator, postal mail). Legal basis: User consent. Once consent has been given, users can revoke or oppose receiving promotional communications at any time. To do so, they just need to use the appropriate functionalities in their account and select the “do not consent” option. Nature of provision: Providing data is optional.

g) Profiling 

Purpose: To define purchasing choices and analyze users’ consumption preferences to develop statistics or create individual and group profiles in order to send them targeted commercial offers consistent with the identified profiles.

Legal basis: User consent. Once consent has been given, users can revoke or oppose profiling activities at any time. To do so, they just need to use the appropriate functionalities in their account and select the “do not consent” option.

Nature of provision: Providing data is optional.

h) “Soft Spam” 

Purpose: The data controller may conduct email marketing towards users who have purchased cards and used its services, to propose card renewal and/or similar services to those they have used (so-called soft spam). For this treatment, user consent is not necessary, but users can still communicate their opposition at any time. To do so, they just need to use the appropriate functionalities in their account and select the “do not consent” option.

Legal basis: Legitimate interest of the data controller.

Nature of provision: Providing data is necessary.

i) Defense of the Rights and Interests of the Data Controllers 

Purpose: The user’s personal data may be processed by the data controllers to defend their own rights, take legal action, or assert claims against the user or third parties.

Legal basis: Legitimate interest.

Nature of provision: Providing data is necessary.

PROCESSING METHODS 

Users’ personal data are collected and processed using electronic tools and, to a lesser extent, also through manual tools and only for the time necessary to achieve the purposes of the data controllers. The processing logic and procedures are related to the specific purposes specified for the use of this APP. Depending on the specific purpose of processing, personal data are accessible to authorized personnel for processing, as well as to data processors. Fully automated decision-making processes that produce legal effects for users or significantly affect their persons are not used.

DURATION OF PROCESSING 

User data that are no longer necessary, or for which there is no longer a legal basis for processing and retaining them, are irreversibly anonymized or securely deleted.

  • For account creation and registration purposes: data processed for these purposes can be deleted using the “Delete” button. With the deletion of the account and registration, the cards can no longer be used.
  • For card issuance, management, and loyalty purposes: after a period of at least 5 (five) years from the date of card issuance without their use or after at least 5 (five) years from the last use of the cards, the data controller will proceed with the anonymization or deletion of the related personal data.
  • For marketing purposes: personal data processed for marketing purposes are processed until the user revokes consent or objects.
  • For profiling purposes: for profiling purposes, data are used until consent is revoked or objected to and in any case for a maximum period of 5 (five) years, after which they will be anonymized or deleted.
  • For “Soft Spam” purposes: personal data processed for this purpose are processed until the user objects, to be exercised using the methods described above and which will also be indicated in the section relating to the exercise of data subjects’ rights.
  • For geolocation purposes: geolocation data is never saved. They are used in real-time and are never sent to the server.
  • For administrative, tax, and defense of rights and interests of the data controllers purposes: once the main purpose for which the data are processed is fulfilled, they are kept for 10 years.

Recipients of Data 

The data may be disclosed to third parties involved in the issuance and use process of the cards, who will handle the data as data controllers or independent data controllers. Specifically, the data will be processed by the following subjects or categories of subjects: 

  • Companies affiliated with the owner or partners providing IT and payment services;
  • Service providers acting on behalf of the owner based on contractual agreements, in order to carry out activities related to the administrative, commercial, and advertising management of the Outlet;
  • Companies and consultants, in the field of legal, accounting, and tax assistance and consultancy;
  • Competent authorities for the fulfillment of legal obligations;
  • Stores and refreshment points adhering to the Outlet. Data processed for marketing and profiling purposes are not disclosed to third parties, but may be processed by external companies acting as data controllers, pursuant to Article 28 of the Regulation. All the aforementioned subjects are required to use the information received only for the processing purposes indicated above, to keep them confidential, intact, and unavailable to unauthorized third parties. The data of the data subjects are not disclosed.

Data Transfer 

The data of the data subjects may be transferred outside the European Union if the servers of the parties with whom the controllers have entered into specific contracts are located there. In such cases, the controllers will adopt adequate safeguards, as prescribed by the Regulation, for the protection of the personal data of the data subjects.


Rights of Data Subjects 

Articles 15 to 22 of the Regulation grant users the exercise of specific rights. Article 15 recognizes users’ right to access their personal data and obtain a copy thereof. The right to obtain a copy of the data must not infringe upon the rights and freedoms of others. With the request for access, users have the right to obtain from the controllers confirmation of whether their personal data is being processed, to know the purposes and categories of data processed, the third parties to whom the data are communicated, and whether the data are transferred to a non-European country with adequate guarantees. Users also have the right to know the retention period of their personal data, with respect to the aforementioned purposes. With regard to their personal data, users have the right to request rectification of inaccurate data and integration of incomplete data, deletion (right to be forgotten) under the conditions indicated in Article 17 of the Regulation, limitation of processing, and data portability. Data subjects also have the right to object at any time or revoke their consent to processing carried out for marketing and profiling purposes. To stop receiving marketing communications (e.g., newsletters, emails, SMS) or “Soft Spam” or revoke consent for profiling, it will be sufficient to use the appropriate features available in one’s account and select the “do not consent” option. The controllers will also provide users with certification that the operations following the requests mentioned above have been brought to the attention of those to whom the data may have been communicated, except where such compliance is impossible or involves the use of means manifestly disproportionate to the protected rights.

To exercise the aforementioned rights (excluding cases of opposition and/or withdrawal of consent), you can contact:

  • Promos, at the email address privacy@promosgroup.it, or at its headquarters at Via San Zeno, 173 – 25124 Brescia (BS);
  • DWS, at the email address privacy@valmontoneoutlet.com, or at the Outlet’s headquarters at Via della Pace, Pascolaro – Valmontone – 00038 Rome.

To provide a response, it may be necessary to identify the data subjects by requesting a copy of their identity document. The controllers will provide a written response without undue delay and, in any case, no later than one month from the receipt of the request.

COMPLAINT TO THE DATA PROTECTION AUTHORITY 

Users who believe that the processing of their personal data violates the provisions of the Regulation or internal regulations on personal data protection have the right to lodge a complaint with the Data Protection Authority based in Rome, pursuant to Article 77 of the Regulation, as well as to take action before the competent judicial authority.