IN COMPLIANCE WITH THE PROVISIONS OF REGULATION (EU) 2016/679
Most recent update: 05/19/2023
We have the pleasure and duty to provide the following information about the processing of personal data, in accordance with the Privacy Code and Regulation (EU) 2016/679.
1. TYPE OF PERSONAL DATA COLLECTED
The following personal data is collected and processed by Bulgari S.p.A. and the companies controlled by Bulgari S.p.A. in Italy and worldwide, as identified below (hereinafter referred to as "Bulgari Group Companies"), for the purposes outlined below:
a) personal and identifying data like your name, surname, date of birth, proof of identity, images recorded during store visits (where CCTV is in place), voice recorded during calls to a Bulgari sales service, payment information in the event of purchases made online or in stores;
b) data from interactions including information collected during store visits, like use of the Wi-Fi system, while participating in events or making online purchases, when you sign up to loyalty programs (e.g. birthday, age group, dates of family events, profession, hobbies, purchases, use of particular social media or social media ID, phone number, email address, photograph, nationality, gender, language, favorite product categories, details of products purchased, sizes, prices, discounts, statistical spending levels, abandoned shopping carts, ways in which services are used), preferences and interests disclosed by the user over the course of your interactions with advisors in store (including preferences about our collections or other luxury brands, sizes, lifestyle or basic information about your family circle), responses to contact activities, data which may also include health-related information regarding potential side effects of our cosmetic products;
d) the personal data provided by you in order to report illegal conduct or violations of the Organization and Control Model pursuant to the Italian legislative decree no. 231/2001 and/or the Code of Conduct (so-called "whistleblowing"). => The lawful basis for such processing is a) the Controller's legitimate interest, pursuant to Art. 6, paragraph 1, sub-section f) of GDPR, who, having been made aware of the report raised by you, intends to protect and preserve all company assets b) the need to adhere to legal requirements to which the Controller is subject (see Art. 6, paragraph 2a et seq. of Italian Legislative Decree no. 231 of 8 June 2001) and c) the need to ascertain, exercise or defend a right in court, should this need arise. Should the personal data of the parties involved need to be communicated, the lawful basis is the consent of the interested party pursuant to Art. 6, paragraph 1, sub-section a) of GDPR.
Personal data is collected directly from the user (e.g. when creating an account on our websites/apps, making a purchase or interacting with our in-store advisors or Client Services), collected passively (e.g. using tracking tools like browser cookies), or collected via third parties (e.g. social media platforms).
2. PROCESSING PURPOSE
Bulgari processes the data provided by you for the following purposes:
• Contractual Purposes, namely (i) managing the sale of its products and providing sale and after-sale services (including, for example, fraud prevention, returns, product warranties and customer support); (ii) in the context of Bulgari's online activities, creating and maintaining your customer account and providing the services offered via its website, including clienteling services (which call for a personalized service from your trusted advisor), as well as the Bulgari newsletter if subscribed; (iii) consulting the production chain of certain items purchased by you, registering or transferring ownership, as well as downloading—and later giving to third parties—possible NFTs associated with said product; and (iv) checking your information requests;
• Fulfillment of Legal Obligations to which Bulgari is subject, including the requirements outlined by "Know Your Customer";
• Marketing and Profiling Purposes, i.e. sending you—with your prior consent—marketing communications regarding BVLGARI products, services and exclusive activities via electronic means (such as email, SMS, MMS, mobile, social media and chats) or in paper format (e.g. traditional post); offers for personalized sales services (including but not limited to personal shopping services, free assistance services and courtesy services); satisfaction questionnaires for products and/or services offered, also by third parties, preferences and shopping habits at BVLGARI and/or other LVMH brands in order to improve the service offered, use of virtual try-on features;
• Pursuit of Legitimate Interest, i.e. using data regarding amounts spent, product categories, store where the purchase was made, date of birth, status and number of family members to provide a service that is more in line with your requirements and send you marketing communications that are of most interest to you.
3. PROVISION OF DATA
The provision of personal data in relation to the purposes outlined in paragraph 1, sub-section a) is obligatory and if it is not provided, Bulgari Group Companies cannot proceed with the contractual services requested. For the purposes detailed in paragraph 1 sub-sections b) and c), provision of data is free and optional and the use of such data is subject to the consent of the interested party. Denial thereof would not allow Bulgari Group Companies to achieve the indicated purposes.
Providing personal data for the purposes outlined in paragraph 1, sub-section d) is optional. However, failure to do so could compromise the investigation of the report; anonymous reports will only be evaluated if presented in adequate detail and provided with plenty information, in order to reveal facts and circumstances related to specific contexts.
4. CONDITIONS APPLICABLE TO THE CONSENT OF MINORS
Processing the personal data of minors is lawful provided they are at least 16 years of age. If a minor is younger than 16 years of age, processing this data is only lawful if, and where, consent is provided or authorized by the holder of parental responsibility. We do not knowingly collect personally identifiable information from minors without permission from a parent or guardian, unless permitted by law.
5. PROCESSING METHODS
Personal data will be processed using IT-based tools and/or processed manually for the length of time needed to achieve the purpose for which it was collected. In particular, personal data collected for the purposes outlined in paragraph 1, sub-sections b) and c) will also be processed with the help of automated mechanisms, according to procedures and reasoning strictly related to the purposes specified above.
6. ENTERING DATA IN THE CRM SYSTEM
The entering of personal data in the CRM system is optional and occurs only if consent is given for the fulfillment of one of the purposes detailed in paragraph 1 sub-sections b) and c). Once in the CRM system, Bulgari employees across the world, tasked with data processing, will automatically be able to view the information, change and revise it.
7. SCOPE OF COMMUNICATION, TRANSFERS ABROAD AND DATA PUBLICATION
We do not disclose or share the personal data we collect, except with Bulgari S.p.A., its parent companies, subsidiary companies, associate companies, companies under the same control, or companies that are part of the same group that Bulgari S.p.A. belongs to (the complete list can be requested by emailing: email@example.com), for the purposes of offering the user the same standard of services all around the world. In this regard, it should be noted that "model clauses" made available by the European Commission regarding the transfer of personal data outside of Europe are applied. Personal data is processed only by authorized personnel, who have access to the information and are tasked with or responsible for data processing.
The user's personal data may also be processed by companies performing services on our behalf (including companies that provide shipping/delivery services for catalogs and/or products; companies that deliver newsletters, marketing material and promotional communications; companies that provide customer care services; companies that carry out analyses and market research; companies that maintain IT systems; companies that manage web session replay tools to ensure the best end-user experience).
Data collected may also be processed by third parties acting as independent data controllers, for example:
- banks or other payment management companies through credit card and tax-free services;
- individuals, companies, associations or professional studios that provide assistance or consultancy services (lawyers, accountants, auditors);
- when required to do so in order to comply with applicable law, to respond to a court order or—more generally—any request from a competent authority;
- companies that assist in performing KYC procedures;
- companies that manage the so-called Virtual Try-On experience.
A complete list of third parties responsible for processing personal data on behalf of Bulgari, or as independent third-party data controllers, can be requested by emailing: firstname.lastname@example.org for a prompt response, or send a written request to the Data Protection Officer ("DPO") at Bulgari S.p.A., Lungotevere Marzio 11, Rome. If the reply received is considered unsatisfactory, the interested party can contact the Italian Data Protection Authority.
In relation to processing the personal data outlined in paragraph 1, sub-section d) above, the interested party can exercise all rights provided by current legislation, if the exercising of those rights does not result in any effective and concrete detriment to the confidentiality of the whistle-blower's identity.
10. PERSONAL DATA PROTECTION
Bulgari has obtained the international BS 10012:2017 certification for the compliance of its data protection management system as proof of the ever-constant attention it pays to protecting personal data and its commitment to respecting current data protection legislation. Since the internet is not a completely secure environment, we cannot guarantee that the personal data stored by and sent to us is completely safe. Therefore, we encourage you to be cautious when using the internet to access our websites, apps or social media.
11. DATA CONTROLLERS AND PROCESSORS
Data controllers are Bulgari S.p.A., Via dei Condotti 11, 00186 Roma (RM), and the Bulgari Group Companies, whose data may be requested by email at email@example.com.