Privacy policy
In compliance with the provisions of Regulation (EU) 2016/679
Most recent update: 02/29/2024
We have the pleasure and duty to provide the following information about the processing of personal data, in accordance with the Privacy Code and Regulation (EU) 2016/679.
1. Type of personal data collected
The following personal data is collected and processed by Bulgari S.p.A. and the companies controlled by Bulgari S.p.A. in Italy and worldwide, as identified below (hereinafter referred to as "Bulgari Group Companies"), for the purposes outlined below:
a) personal and identifying data like your name, surname, date of birth, proof of identity, images recorded during store visits (where CCTV is in place), voice recorded during calls to a Bulgari sales service, payment information in the event of purchases made online or in stores;
b) data from interactions including information collected during store visits, like use of the Wi-Fi system, while participating in events or making online purchases, when you sign up to loyalty programmes (e.g. birthday, age group, dates of family events, profession, hobbies, purchases, use of particular social media or social media ID, phone number, email address, photograph, nationality, gender, language, favourite product categories, details of products purchased, sizes, prices, discounts, statistical spending levels, abandoned shopping carts, ways in which services are used), preferences and interests disclosed by the user over the course of your interactions with advisors in store (including preferences about our collections or other luxury brands, sizes, lifestyle or basic information about your family circle), responses to contact activities, data which may also include health-related information regarding potential side effects of our cosmetic products;
c) data collected when browsing or using media applications, including information about the behaviour of the user recorded with cookies or similar technology, as described in more detail in the Cookie Policy available online at: cookies--page__terms.html, or data contained in your “Wish List”;
d) the personal data provided by you in order to report illegal conduct or violations of the Organisation and Control Model pursuant to the Italian legislative decree no. 231/2001 and/or the Code of Conduct (so-called "whistleblowing"). The lawful basis for such processing is a) the Controller's legitimate interest, pursuant to Art. 6, paragraph 1, sub-section f) of GDPR, who, having been made aware of the report raised by you, intends to protect and preserve all company assets b) the need to adhere to legal requirements to which the Controller is subject (see Art. 6, paragraph 2a et seq. of Italian Legislative Decree no. 231 of 8 June 2001) and c) the need to ascertain, exercise or defend a right in court, should this need arise. Should the personal data of the parties involved need to be communicated, the lawful basis is the consent of the interested party pursuant to Art. 6, paragraph 1, sub-section a) of GDPR.
Personal data is collected directly from the user (e.g. when creating an account on our websites/apps, making a purchase or interacting with our in-store advisors or Client Services), collected passively (e.g. using tracking tools like browser cookies), or collected via third parties (e.g. social media platforms).
2. Processing purpose
Bulgari processes the data provided by you for the following purposes:
• Contractual Purposes, namely (i) managing the sale of its products and providing sale and after-sale services (including, for example, fraud prevention, returns, product warranties and customer support); (ii) in the context of Bulgari's online activities, creating and maintaining your customer account and providing the services offered via its website, including clienteling services (which call for a personalised service from your trusted advisor), as well as the Bulgari newsletter if subscribed; (iii) consulting the production chain of certain items purchased by you, registering or transferring ownership, as well as downloading—and later giving to third parties—possible NFTs associated with said product; and (iv) checking your information requests;
• Fulfilment of Legal Obligations to which Bulgari is subject, including the requirements outlined by "Know Your Customer";
• Marketing and Profiling Purposes, i.e. sending you—with your prior consent—marketing communications regarding BULGARI products, services and exclusive activities via electronic means (such as email, SMS, MMS, mobile, social media and chats) or in paper format (e.g. traditional post); offers for personalised sales services (including but not limited to personal shopping services, free assistance services and courtesy services); satisfaction questionnaires for products and/or services offered, also by third parties, preferences and shopping habits at BULGARI and/or other LVMH brands in order to improve the service offered, use of virtual try-on features;
• Pursuit of Legitimate Interest, i.e. using data regarding amounts spent, product categories, store where the purchase was made, date of birth, status and number of family members to provide a service that is more in line with your requirements and send you marketing communications that are of most interest to you.
3. Provision of data
The provision of personal data in relation to the purposes outlined in paragraph 1, sub-section a) is obligatory and if it is not provided, Bulgari Group Companies cannot proceed with the contractual services requested. For the purposes detailed in paragraph 1 sub-sections b) and c), provision of data is free and optional and the use of such data is subject to the consent of the interested party. Denial thereof would not allow Bulgari Group Companies to achieve the indicated purposes.
Providing personal data for the purposes outlined in paragraph 1, sub-section d) is optional. However, failure to do so could compromise the investigation of the report; anonymous reports will only be evaluated if presented in adequate detail and provided with plenty of information, in order to reveal facts and circumstances related to specific contexts.
4. Conditions applicable to the consent of minors
Processing the personal data of minors is lawful provided they are at least 16 years of age. If a minor is younger than 16 years of age, processing this data is only lawful if, and where, consent is provided or authorised by the holder of parental responsibility. We do not knowingly collect personally identifiable information from minors without permission from a parent or guardian, unless permitted by law.
5. Processing methods
Personal data will be processed using IT-based tools and/or processed manually for the length of time needed to achieve the purpose for which it was collected. In particular, personal data collected for the purposes outlined in paragraph 1, sub-sections b) and c) will also be processed with the help of automated mechanisms, according to procedures and reasoning strictly related to the purposes specified above.
6. Entering data in the CRM system
The entering of personal data in the CRM system is optional and occurs only if consent is given for the fulfilment of one of the purposes detailed in paragraph 1 sub-sections b) and c). Once in the CRM system, Bulgari employees across the world, tasked with data processing, will automatically be able to view the information, change and revise it.
7. Scope of communication, transfers abroad and data publication
We do not disclose or share the personal data we collect, except with Bulgari S.p.A., its parent companies, subsidiary companies, associate companies, companies under the same control, or companies that are part of the same group that Bulgari S.p.A. belongs to (a complete list of which can be requested by emailing: privacy@bulgari.com), in order to offer users the same level of services worldwide. In this regard, we ensure that the Standard Contractual Clauses for data transfers between EU and non-EU countries outlined by the European Commission are applied. Personal data is processed only by authorised personnel, who have access to the information and are tasked with or responsible for data processing.
The user's personal data may also be processed by companies performing services on our behalf (including companies that provide shipping/delivery services for catalogues and/or products; companies that deliver newsletters, marketing material and promotional communications; companies that provide customer care services; companies that carry out analyses and market research; companies that maintain IT systems; companies that manage web session replay tools to ensure the best end-user experience).
Data collected may also be processed by third parties acting as independent data controllers, for example:
• banks or other payment management companies through credit card and tax-free services;
• individuals, companies, associations or professional studios that provide assistance or consultancy services (lawyers, accountants, auditors);
• when required to do so in order to comply with applicable law, to respond to a court order or—more generally—any request from a competent authority;
• companies that assist in performing KYC procedures;
• companies that manage the so-called Virtual Try-On experience.
A complete list of third parties responsible for processing personal data on behalf of Bulgari, or as independent third-party data controllers, can be requested by emailing: privacy@bulgari.com. The data will, under no circumstances, be published.
8. Data retention period
The user's personal data will not be stored in a way that allows them to be identified and for no longer than is deemed reasonably necessary by Bulgari for achieving the purposes for which it was collected or processed, or as established by current legislation on data retention. Data collected for the reasons outlined in paragraph 1, sub-section a) will be stored by Bulgari S.p.A. and Bulgari Group Companies for the time period necessary for the performance of a contract, with legal and conventional guarantees provided for, or in accordance with legal requirements regarding data retention. Data collected for the purposes outlined in paragraph 1, sub-sections b) and c) will be stored until the client withdraws their consent to processing and in any case, with particular reference to data collected for the purposes outlined in paragraph 1, sub-section b), for no more than ten years (in compliance with the measure issued by the Italian Data Protection Authority on 24 April 2013, following the request for preliminary verification submitted by Bulgari S.p.A.). If consent is withdrawn or the retention period for the data collected for the purposes outlined in paragraph 1, sub-section b) expires early, this data will be automatically deleted or made permanently anonymous.
The personal data outlined in paragraph 1, sub-section d) will be stored for five (5) years starting from the notification date of the final outcome of the reporting process.
9. Rights of data subjects
Information may be requested at any time regarding the processing of your personal data and how it is carried out. It is also possible to correct or delete data, limit its processing, object to its processing and/or request that the data be sent to another controller. Bulgari S.p.A. and its subsidiaries must respond to requests within deadlines provided for by applicable regulations; they must also correct incorrect data, ensure that incomplete data is completed, and update data that is no longer correct; and finally, if requested, they must delete data and limit and/or stop its processing, or ensure that it is, where technically possible, sent to another controller. To exercise their statutory rights stated above or to request further information, and/or to report any errors or issues, the data subject may send an email to privacy@bulgari.com for a faster response, or indeed send a written request to the Data Protection Officer (DPO) at Bulgari S.p.A., Lungotevere Marzio 11, Rome. If the data subject is not satisfied with the response they receive, they may address the data protection Supervisory Authority.
In relation to processing the personal data outlined in paragraph 1, sub-section d) above, the interested party can exercise all rights provided by current legislation, if the exercising of those rights does not result in any effective and concrete detriment to the confidentiality of the whistle-blower's identity.
10. Personal data protection
Bulgari has obtained the international BS 10012:2017 certification for the compliance of its data protection management system as proof of the ever-constant attention it pays to protecting personal data and its commitment to respecting current data protection legislation. Since the internet is not a completely secure environment, we cannot guarantee that the personal data stored by and sent to us is completely safe. Therefore, we encourage you to be cautious when using the internet to access our websites, apps or social media.
11. Data controllers and processors
The website www.bulgari.com is managed by Bulgari S.p.A., with registered office at Via dei Condotti 11, Rome, acting in their capacity as Data Controller for personal data in accordance with Regulation (EU) 679/2016 (GDPR).
Regarding the processing of personal data for the management of whistleblowing reports, the data controllers will be both LVMH Moët Hennessy Louis Vuitton SE and the individual companies within the Bulgari Group, with these companies acting as joint controllers pursuant to Art. 26 GDPR. A complete list of data processors designated by controllers may also be requested by sending an email to privacy@bulgari.com.