Privacy Policy

This page describes how the website is managed with regard to the processing of personal data of users who consult it.

This information (or “privacy policy”) is provided pursuant to Article 13 of the EU Regulation 2016/679 (personal data collected directly from the data subject), European Regulation on the Protection of Personal Data (hereinafter, ‘Regulation’ or “GDPR”) to those who interact with the web services of the site www.museumofrackets.com.

In any case, the logical and physical security of the data and, in general, the confidentiality of the personal data processed will be guaranteed by implementing all necessary technical and organizational measures adequate to ensure their security.

A). Identity and contact details of the Data Controller.

M.O.R. Racket Museum
Legal representative: Paolo Bertolino
Via Roma, 37 – Baldissero d’ Alba (CN)
Tel. 011.357895 – 339.3515695 – 0172.40019
email: [email protected]

B). Types of data processed

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristic elements of his/her physical, physiological, genetic, mental, economic, cultural or social identity; (C26, C27, C30 of the “GDPR”).

The personal data collected and processed through this website are as follows:

• Browsing data. The computer systems and software procedures used to operate this website acquire, in the course of their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the URI (Uniform Resource Identifier) notation addresses of the requested resources, the time of the request, the method used in submitting the request to the server and other parameters relating to the user’s operating system and computer environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its proper functioning.
• Data communicated by the user. This is data entered voluntarily by the user at the contact addresses on the site and involves the acquisition of the sender’s contact data, necessary to respond to requests, as well as all personal data included in communications (request for contact or information).
• Cookies. These are small text files that sites visited by users send to their terminals, where they are stored to be retransmitted to the same sites on subsequent visits. Cookies are used for different purposes, have different characteristics, and can be used either by the owner of the site you are visiting or by third parties.
• What personal data our site uses.

C). Purpose of the processing for which the personal data is intended and its legal basis

Your personal data will be processed:

(i) without requiring consent for the following purposes:

• online account registration, management of orders, purchases, sales and deliveries of products and related monitoring, customer service management, payment management, returns and repairs management, customer contact management, voucher and discount management;
• administrative-accounting management and related fulfilments (issuance of receipts, invoices, preparation of payments) possible protection of credit positions and defense in court;
• internal statistics, analysis and business economic management, as well as, in relation to contact data provided during the contract, sending advertising of similar products with the right of immediate cancellation upon request;

The above processing respectively responds to the following legal bases:

• fulfillment of a contract or pre-contractual measures, satisfaction of a data subject’s request – lawfulness condition Article 6(b) GDPR;
• legal obligation to which the Data Controller is subject – lawfulness condition Article 6(c) GDPR – or for the establishment, exercise or defense of a right in court;
• pursuit of a legitimate interest of the Data Controller – condition of lawfulness Article 6(f) GDPR – relating to the improvement of business operations and market surveys, improvement of services provided to its customers, direct marketing and customer retention. The provision of the data, marked in the form with (*), for the purposes referred to in the previous section (i) is mandatory and the lack of the data and/or any express refusal to process it will make it impossible for the Data Controller to execute the contract or pre-contractual measures, the fulfillment of the obligation with possible default and liability of the data subject also to sanctions contemplated by the legal system.

(ii) with your consent (Article 7, GDPR), for the following purposes:

• marketing activities of various types, including the promotion of products and services, distribution of posters and material of an informative and promotional nature in printed and/or digital form, sending newsletters and commercial communications via e-mail, invitations;
• profiling activities of various types, including the analysis of behavior for promotional purposes, the creation of lists for promotional purposes, commercial communications and sending newsletters, profiling for the provision of services targeted and tailored to the needs of the customer.

The provision of data for the purposes mentioned in section (ii) above is optional, with the consequence that you may decide not to provide your consent, or to revoke it at any time. For such processing, automated processes are used through the use of software that in all cases provide for human decision-making intervention aimed at avoiding undesired consequences for the data subject, always limited to the receipt of communications from the Data Controller.

D). Categories of recipients of personal data
For the purposes mentioned in the previous paragraph, the personal data you provide may be communicated or made accessible to:

• to employees and collaborators of the Data Controller, in their capacity as employees authorized to process the data (or so-called “data processors”); to third parties who carry out activities in outsourcing on behalf of the Data Controller, in their capacity as Data Processors, including: service providers for the management of the information system and telecommunications networks and to the company in charge of the management for e-commerce, service providers for the management of the archiving of paper and/or computerized documentation, service providers for the management of customer service activities, including through websites (e.g. call centers, help desks, etc.), service providers for the management of commercial communication activities;
• freelancers, firms or companies as part of assistance and consulting relationships, including for the control of business organizational management;
  banks and credit and insurance institutions for the performance of economic activities (payments/collections) and insurance;
• subjects who carry out control, audit and certification of the activities carried out by the Museum of the Racket also in the interest of customers;
  to judicial or supervisory authorities, administrations, public bodies and agencies (domestic and foreign).

The complete and updated list of Data Processors can be obtained by written request to [email protected].

E). Storage and transfer of personal data abroad
The management and storage of personal data takes place in the cloud and on servers located inside and outside the European Union owned and/or available to the Data Controller and/or third party companies appointed, duly appointed as Data Processors.

The transfer abroad of data to non-EU countries may occur but only and exclusively in the context of intra-group communications for customer loyalty purposes and in any case in accordance with the provisions contained in Chapter V, GDPR (Article 46).

Your personal data will not be disclosed.

F). Personal data retention period
Personal data collected for the purposes indicated in paragraph (C), section (i) above will be processed and retained for the duration of any contractual relationship established.

From the date of termination of such relationship, for whatever reason or cause, the data will be retained for the duration of the prescriptive terms applicable ex lege, i.e. 10 years.

Personal data collected for the purposes set forth in paragraph (C), section (ii) above will be processed and retained for as long as necessary to fulfill those purposes and in any case for a period not exceeding 24 months for marketing and 12 months for profiling from the date we receive your consent.

Once this retention period has expired, the data will be destroyed or anonymized.

G). Methods of processing personal data
The processing of your personal data is carried out by means of the operations indicated in Article 4, No. 2 GDPR 2016/679 and namely: collection and recording, organization, storage, consultation, deletion and destruction of data. The processing of your data will be based on the principles of correctness, lawfulness and transparency and may also be carried out by means of automated methods suitable for storing, managing and transmitting them and will take place by means of instruments suitable, as far as reasonably possible and in accordance with the state of the art, to guarantee security and confidentiality through the use of appropriate procedures that avoid the risk of loss, unauthorized access, unlawful use and dissemination. Your personal data are subject to both paper and electronic processing.

H). Rights and Methods of Exercise
In accordance with the provisions of Chapter III, Section I, GDPR, you may exercise by simply sending an e-mail request to the Controller’s address [email protected] the rights set forth therein and in particular:

• Right of access – To obtain confirmation as to whether or not personal data concerning you are being processed and, if so, to receive information regarding, in particular: purposes of the processing, categories of personal data processed and period of storage, recipients to whom the data may be disclosed (Article 15, GDPR),
• Right to rectification – Obtain, without undue delay, rectification of inaccurate personal data concerning you and supplementation of incomplete personal data (Article 16, GDPR),
• Right to erasure – Obtain, without undue delay, erasure of personal data concerning you, in the cases provided for by the GDPR (Article 17, GDPR),
• Right to restriction – Obtain restriction of processing, in the cases provided for by the GDPR (Article 18, GDPR)
• Right to portability – To receive, in a structured, commonly used and machine-readable format, personal data concerning you, as well as to obtain that it be transmitted to another controller without hindrance, in the cases provided for in the GDPR (Article 20, GDPR)
• Right to object – To object to the processing of personal data concerning you, unless there are legitimate grounds for the Controller to continue the processing (Article 21, GDPR)
• Right to lodge a complaint with the supervisory authority – To lodge a complaint with the Italian Data Protection Authority, Piazza di Montecitorio no. 121, 00186, Rome (RM).

I). Data Breach (Data Breach) and notification to the Privacy Guarantor and/or communication of the breach to the data subject

In the event of a breach of personal data – to be understood as a breach of security that accidentally or unlawfully results in the destruction, loss, modification, unauthorized disclosure of or access to personal data transmitted stored or otherwise processed – where the risk to the rights and freedoms of individuals is to be considered probable and/or high, the Data Controller will notify the Privacy Guarantor without delay and in any case no later than 72 hours by giving a description of the nature of the data breach, including the number of individuals affected and the categories of data affected. The name and contact details of the Data Controller or where applicable the DPO will also be provided.