Privacy Notice for the Purchase of Tax-Facilitated Products

In accordance with Article 13 of EU Regulation No. 679/2016 (GDPR)

DB S.r.l. (hereinafter, the Data Controller), as the data controller, informs you that the personal data you provide within the scope of processing related to the management of the sale of products under tax facilitation on the website www.dorelan.com (hereinafter the "Website") will be processed in full compliance with EU Regulation No. 679/2016 (GDPR).

The purpose of this information is to provide you with a clear and detailed explanation of how, when, and why we collect and use your data. It has been designed to transparently present our policy on personal data protection and to explain how to effectively exercise your rights.

INDEX:

  • Who is the data controller for my data?
  • Who is the DPO?
  • When do you collect my data?
  • What data will you process?
  • For what additional purposes may you use my data?
  • With whom will you share my data?
  • How will you process my data?
  • Are my data processed outside the European Economic Area?
  • How long will you keep my data?
  • What are my rights and how can I protect my privacy?
  • Can I file a complaint?
  • How can I contact the Data Controller?

1. Who is the data controller for my data?
Who is the DPO? The data controller, who determines the means and purposes of processing your personal data, is DB S.r.l., with registered office in Forlì - 47121 (FC), Corso della Repubblica no. 19, Tax ID and VAT number: 02620630984 (hereinafter, the "Data Controller"), subject to direction and coordination by the company B&T S.p.A. with registered office in Forlì - 47122 (FC) at Via Due Ponti no. 9, Tax ID: 00903510402. The Data Controller has appointed a Data Protection Officer (DPO) to whom data subjects can address their requests regarding the exercise of their rights and to request information about personal data concerning them processed by the Data Controller. The DPO can be contacted at the following email address: dpo@dorelan.it

2. When do you collect my data?
The Data Controller will collect information directly provided by you:

  • When you make a purchase on the e-commerce platform and request tax benefits for the purchase of products;
  • When you have questions or advice to submit and use the dedicated sections.

3. What data will you process?
For the purchase of products with tax benefits, the Data Controller will process the following types of data:

  • Personal data. This data includes the information present in your identity document.
  • Tax data. This data consists of your tax code and billing address.
  • Data related to health status. This data includes the information contained in the medical and/or administrative certificate sent to the Data Controller.

Purpose pursued: verification of compliance with the requirements required by the relevant regulations for the application of any requested tax benefit and related activities necessary for the purchase of products with a 4% VAT.

Legal basis for processing: the explicit consent of the user (Article 9, paragraph 2, letter a, GDPR), freely given and revocable at any time by sending a communication to the Data Controller at the contact details provided in the information.

The provision of data for the purpose described in paragraph 3) is optional. However, the refusal to provide them, or their partial provision, will make it impossible for the Data Controller to proceed with the application of the 4% VAT on the purchased products.

4. For what additional purposes may you use my data?
Your personal data may also be processed for the following purposes:
4.1 Compliance with legal obligations and requests from public and governmental authorities;
4.2 Handling any disputes or litigation and defending the Data Controller's rights, both in judicial and out-of-court proceedings.

In such cases, the legal bases for processing will be:
a. compliance with a legal obligation in the case of point 4.1 (Article 6, paragraph 1, letter c, GDPR);
b. the legitimate interest of the Data Controller in protecting its rights, properly balanced with the rights of the data subject, in the case of point 4.2 (Article 6, paragraph 1, letter f, GDPR).

5. With whom will you share my data?
In accordance with the purposes outlined in this privacy notice, the Data Controller's staff may be authorized to process your data in order to provide you with the requested services, information, or support. Furthermore, the Data Controller shares your data with the company B&T S.p.A., located in Forlì – 47122 at Via Due Ponti no. 9, as its parent company and part of the same corporate group. Therefore, access to your personal data will be expressly authorized by the Data Controller, who may, if necessary, appoint the entities to whom it turns for the provision of services and for activities within its competence as Data Processors in accordance with Articles 28 and 29 of the GDPR.

Furthermore, please note that the list of authorized entities and Data Processors is available at the Data Controller's registered office or, alternatively, you can request it from them using the contact details provided in the section "How can I contact the Data Controller?"

6. How will you process my data?
Your personal data will be processed with the help of electronic means for the time strictly necessary to achieve the purposes set out in the collection. The Data Controller will adopt the necessary technical and organizational measures to prevent loss, unlawful or incorrect use of data, as well as to prevent any unauthorized access by third parties. Therefore, the Data Controller will ensure the security of your personal data by limiting the number of individuals allowed access to servers or databases and implementing protective systems to prevent the risk of cyberattacks.

7. Are my data processed outside the European Economic Area?
The data processed by the Data Controller are located on servers within the European Union. However, some service providers may be based in non-European countries.

In these cases, the Data Controller will use these providers in accordance with the provisions of Articles 45 and following of the GDPR. Therefore, all necessary precautions will be taken to ensure the best possible protection of personal data, based on: a) adequacy decisions regarding the third countries in question expressed by the European Commission; b) adequate guarantees provided by the third party recipient in accordance with Article 46 of the Regulation; c) the adoption of binding corporate rules and, in particular, the implementation of technical and IT security measures that protect personal data and the rights of data . subjects to the fullest extent, as provided for by the GDPR and European regulations.

8. How long will you keep my data?
The Data Controller will process your personal data for the time reasonably necessary to achieve only the purposes set out in the previous sections. At the end of the retention period, your personal data will be deleted or made irreversibly anonymous and aggregated.

9. What are my rights and how can I protect my privacy?
In relation to your personal data and in accordance with the provisions of the GDPR, the Data Controller informs you that you have the right to request:

In the following table, we provide detailed information on how to exercise your rights:

YOUR RIGHT

HOW CAN YOU EXERCISE IT?

Access

You can request:
• Confirmation of whether there is processing of your personal data;
• Obtain a copy of your data;
• Receive other information about your personal data that is not already present in this notice.

Rectification

You can request the rectification of inaccurate or incomplete personal data. Before proceeding with rectification, we will verify the accuracy of the data in our records.

Deletion/ Right to be forgotten

You can request the deletion of your personal data, but only if: • Their retention is no longer necessary for the purposes for which they were collected; • You have withdrawn your previously given consent (where the processing is based on consent); • The processing has been carried out unlawfully; • It is necessary to comply with a legal obligation to which the Data Controller is subject (in relation to an order from an Authority).

Limitation

You can request the limitation of your personal data, but only if: • Their accuracy has already been contested; • They are no longer necessary for the purposes for which they were collected, but there is a legal dispute over their use; Following your request for limitation, the use of your personal data is allowed if: • Your consent continues to exist; • It is necessary to exercise or defend a legal claim; • To protect the rights of another natural or legal person involved in the processing.

Portability

You can request a copy of your personal data in a structured, commonly used, and machine-readable format.

Opposition

You can object at any time to the processing of personal data concerning you when: • The legal basis for the processing is the legitimate interest of the Data Controller; • Personal data are processed for direct marketing purposes, including profiling, to the extent that it is related to such direct marketing. When you object: • To the processing for direct marketing purposes, personal data will no longer be processed for such purposes; • In the case of the legitimate interest of the Data Controller, the processing may continue only if the Data Controller demonstrates compelling legitimate grounds for processing that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims. You can also exercise the right to object through automated means using specific technical methods, such as those provided on the website in your personal page and in emails (unsubscribe link).

The Data