IN COMPLIANCE WITH THE PROVISIONS OF REGULATION (EU) 2016/679
Most recent update: 24/07/2023
We have the pleasure and duty to provide the following information about the processing of personal data, in accordance with the Privacy Code and Regulation (EU) 2016/679.
1. TYPE OF PERSONAL DATA COLLECTED
The following personal data is collected and processed by Bulgari S.p.A. and the companies controlled by Bulgari S.p.A. in Italy and worldwide, as identified below (hereinafter referred to as "Bulgari Group Companies"), for the purposes outlined below:
a) personal and identifying data like your name, surname, date of birth, proof of identity, images recorded during store visits (where CCTV is in place), voice recorded during calls to a Bulgari sales service, payment information in the event of purchases made online or in stores;
b) data from interactions including information collected during store visits, like use of the Wi-Fi system, while participating in events or making online purchases, when you sign up to loyalty programs (e.g. birthday, age group, dates of family events, profession, hobbies, purchases, use of particular social media or social media ID, phone number, email address, photograph, nationality, gender, language, favorite product categories, details of products purchased, sizes, prices, discounts, statistical spending levels, abandoned shopping carts, ways in which services are used), preferences and interests disclosed by the user over the course of your interactions with advisors in store (including preferences about our collections or other luxury brands, sizes, lifestyle or basic information about your family circle), responses to contact activities, data which may also include health-related information regarding potential side effects of our cosmetic products;
d) the personal data provided by you in order to report illegal conduct or violations of the Organization and Control Model pursuant to the Italian legislative decree no. 231/2001 and/or the Code of Conduct (so-called "whistleblowing"). => The lawful basis for such processing is a) the Controller's legitimate interest, pursuant to Art. 6, paragraph 1, sub-section f) of GDPR, who, having been made aware of the report raised by you, intends to protect and preserve all company assets b) the need to adhere to legal requirements to which the Controller is subject (see Art. 6, paragraph 2a et seq. of Italian Legislative Decree no. 231 of 8 June 2001) and c) the need to ascertain, exercise or defend a right in court, should this need arise. Should the personal data of the parties involved need to be communicated, the lawful basis is the consent of the individual pursuant to Art. 6, paragraph 1, sub-section a) of GDPR.
Personal data is collected directly from the user (e.g. when creating an account on our websites/apps, making a purchase or interacting with our in-store advisors or Client Services), collected passively (e.g. using tracking tools like browser cookies), or collected via third parties (e.g. social media platforms).
2. PROCESSING PURPOSE
Bulgari processes the data provided by you for the following purposes:
• Contractual Purposes, namely (i) managing the sale of its products and providing sale and after-sale services (including, for example, fraud prevention, returns, product warranties and customer support); (ii) in the context of Bulgari's online activities, creating and maintaining your customer account and providing the services offered via its website, including clienteling services (which call for a personalized service from your trusted advisor), as well as the Bulgari newsletter if subscribed; (iii) consulting the production chain of certain items purchased by you, registering or transferring ownership, as well as downloading—and later giving to third parties—possible NFTs associated with said product; and (iv) checking your information requests;
• Fulfillment of Legal Obligations to which Bulgari is subject, including the requirements outlined by "Know Your Customer";
• Marketing and Profiling Purposes, i.e. sending you—with your prior consent—marketing communications regarding BVLGARI products, services and exclusive activities via electronic means (such as email, SMS, MMS, mobile, social media and chats) or in paper format (e.g. traditional post); offers for personalized sales services (including but not limited to personal shopping services, free assistance services and courtesy services); satisfaction questionnaires for products and/or services offered, also by third parties, preferences and shopping habits at BVLGARI and/or other LVMH brands in order to improve the service offered, use of virtual try-on features;
• Pursuit of Legitimate Interest, i.e. using data regarding amounts spent, product categories, store where the purchase was made, date of birth, status and number of family members to provide a service that is more in line with your requirements and send you marketing communications that are of most interest to you.
3. PROVISION OF DATA
The provision of personal data in relation to the purposes outlined in paragraph 1, sub-section a) is obligatory and if it is not provided, Bulgari Group Companies cannot proceed with the contractual services requested. For the purposes detailed in paragraph 1 sub-sections b) and c), provision of data is free and optional and the use of such data is subject to the consent of the individual. Denial thereof would not allow Bulgari Group Companies to achieve the indicated purposes.
Providing personal data for the purposes outlined in paragraph 1, sub-section d) is optional. However, failure to do so could compromise the investigation of the report; anonymous reports will only be evaluated if presented in adequate detail and provided with plenty information, in order to reveal facts and circumstances related to specific contexts.
4. CONDITIONS APPLICABLE TO THE CONSENT OF MINORS
Processing the personal data of minors is lawful provided they are at least 16 years of age. If a minor is younger than 16 years of age, processing this data is only lawful if, and where, consent is provided or authorized by the holder of parental responsibility. We do not knowingly collect personally identifiable information from minors without permission from a parent or guardian, unless permitted by law.
5. PROCESSING METHODS
Personal data will be processed using IT-based tools and/or processed manually for the length of time needed to achieve the purpose for which it was collected. In particular, personal data collected for the purposes outlined in paragraph 1, sub-sections b) and c) will also be processed with the help of automated mechanisms, according to procedures and reasoning strictly related to the purposes specified above.
6. ENTERING DATA IN THE CRM SYSTEM
The entering of personal data in the CRM system is optional and occurs only if consent is given for the fulfillment of one of the purposes detailed in paragraph 1 sub-sections b) and c). Once in the CRM system, Bulgari employees across the world, tasked with data processing, will automatically be able to view the information, change and revise it.
7. SCOPE OF COMMUNICATION, TRANSFERS ABROAD AND DATA PUBLICATION
We do not disclose or share the personal data we collect, except with Bulgari S.p.A., its parent companies, subsidiary companies, associate companies, companies under the same control, or companies that are part of the same group that Bulgari S.p.A. belongs to (the complete list can be requested by emailing: email@example.com), for the purposes of offering the user the same standard of services all around the world. In this regard, it should be noted that "model clauses" made available by the European Commission regarding the transfer of personal data outside of Europe are applied. Personal data is processed only by authorized personnel, who have access to the information and are tasked with or responsible for data processing.
The user's personal data may also be processed by companies performing services on our behalf (including companies that provide shipping/delivery services for catalogs and/or products; companies that deliver newsletters, marketing material and promotional communications; companies that provide customer care services; companies that carry out analyses and market research; companies that maintain IT systems; companies that manage web session replay tools to ensure the best end-user experience).
Data collected may also be processed by third parties acting as independent data controllers, for example:
- banks or other payment management companies through credit card and tax-free services;
- individuals, companies, associations or professional studios that provide assistance or consultancy services (lawyers, accountants, auditors);
- when required to do so in order to comply with applicable law, to respond to a court order or—more generally—any request from a competent authority;
- companies that assist in performing KYC procedures;
- companies that manage the so-called Virtual Try-On experience.
A complete list of third parties responsible for processing personal data on behalf of Bulgari, or as independent third-party data controllers, can be requested by emailing: firstname.lastname@example.org. Under no circumstances will personal data be published.
8. DATA RETENTION PERIOD
The user's personal data will not be stored in a way that allows them to be identified and for no longer than is deemed reasonably necessary by Bulgari for achieving the purposes for which it was collected or processed, or as established by current legislation on data retention. Data collected for the reasons outlined in paragraph 1, sub-section a) will be stored by Bulgari S.p.A. and Bulgari Group Companies for the time period necessary for the performance of a contract, with legal and conventional guarantees provided for, or in accordance with legal requirements regarding data retention. Data collected for the purposes outlined in paragraph 1, sub-sections b) and c) will be stored until the client withdraws their consent to processing and in any case, with particular reference to data collected for the purposes outlined in paragraph 1, sub-section b), for no more than ten years (in compliance with the measure issued by the Italian Data Protection Authority on 24 April 2013, following the request for preliminary verification submitted by Bulgari S.p.A.). If consent is withdrawn or the retention period for the data collected for the purposes outlined in paragraph 1, sub-section b) expires early, this data will be automatically deleted or made permanently anonymous.
The personal data outlined in paragraph 1, sub-section d) will be stored for five (5) years starting from the notification date of the final outcome of the reporting process.
9. RIGHTS OF INDIVIDUAL
Information may be requested at any time regarding the processing of your personal data and how it is carried out. It is also possible to correct or delete data, limit its processing, object to its processing and/or request that the data be sent to another controller. Bulgari S.p.A. and its subsidiaries must respond to requests within deadlines provided for by applicable regulations; they must also correct incorrect data, ensure that incomplete data is completed, and update data that is no longer correct; and finally, if requested, they must delete data and limit and/or stop its processing, or ensure that it is, where technically possible, sent to another controller. To exercise the above rights provided for by law, request further information and/or report potential misunderstandings or issues, the individual can send an email to email@example.com for a prompt response, or send a written request to the Data Protection Officer ("DPO") at Bulgari S.p.A., Lungotevere Marzio 11, Rome. If the reply received is considered unsatisfactory, the individual can contact the Italian Data Protection Authority.
In relation to processing the personal data outlined in paragraph 1, sub-section d) above, the individual can exercise all rights provided by current legislation, if the exercising of those rights does not result in any effective and concrete detriment to the confidentiality of the whistle-blower's identity.
10. PERSONAL DATA PROTECTION
Bulgari has obtained the international BS 10012:2017 certification for the compliance of its data protection management system as proof of the ever-constant attention it pays to protecting personal data and its commitment to respecting current data protection legislation. Since the internet is not a completely secure environment, we cannot guarantee that the personal data stored by and sent to us is completely safe. Therefore, we encourage you to be cautious when using the internet to access our websites, apps or social media.
11. YOUR CALIFORNIA PRIVACY RIGHTS
This paragraph applies solely to all visitors, users, and others who reside in the State of California ("consumers" or "you"). We provide these additional terms to comply with the California Consumer Privacy Act of 2018 (CCPA), as amended by the entering in force of the modification provided by California Privacy Rights Act (CPRA) Any terms defined in the CCPA/CPRA have the same meaning when used in this notice.
Information We Collect: We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, we have collected the categories of personal information from consumers within the last twelve (12) months indicate in par. 1 of the present document.
In addition, as stated in the present document, we don’t process sensitive personal information as defined under 1798.140 of CPRA.
Use of Personal Information: We may use the categories of personal information listed in paragraph no.2 of the present document. We will not use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Sharing/Selling Personal Information: As stated in the present document, we disclose your personal information to our affiliates, or third parties as required for business purposes or under applicable law, including: contractors, vendors or third parties who process personal information on our behalf; channel partners such as distributors and resellers; and any parties to whom we are legally required to disclose your personal information.
We do not sell your personal information in exchange for monetary compensation. We may share your personal information by allowing certain third parties to collect your personal information via automated technologies on our Services for cross-context behavioural advertising purposes. This kind of sharing may be considered a “sale” or “share” under the CCPA/CPRA even when the personal information is exchanged for non-monetary consideration. You have the right to opt out of these types of disclosures of your information.
We may have disclosed your personal information to third parties that perform services on our behalf (as stated in par. No. of 7 of the present document).
Your Rights and Choices: The CCPA/CPRA provides consumers (California residents) with specific rights regarding their personal information. This section describes your rights and explains how to exercise those rights.
Bulgari further does not discriminate against users and consumers on the basis of their exercising any of their rights afforded by the CPRA or other applicable privacy laws.
To request access, delete or correct your Personal Information, please write to: firstname.lastname@example.org
Access to Specific Information and Data Portability Rights: you have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
• The categories of personal information we collected about you.
• The categories of sources for the personal information we collected about you.
• Our business or commercial purpose for collecting or selling that personal information.
• The categories of third parties with whom we share that personal information.
• The specific pieces of personal information we collected about you (also called a data portability request).
• If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
- sales, identifying the personal information categories that each category of recipient purchased; and
- disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Right to rectification: You have the right to request us to correct inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
Alternatively, we may delete contested personal information rather than correcting the information if the deletion of the personal information does not negatively impact the consumer or the consumer’s consent to the deletion.
Opposition Request Rights: You have the right to object to the share or sale of your data to third parties. To object to such data transmission, you can change your preferences using the link to the “DO NOT SELL MY PERSONAL INFORMATION” or by sending an e-mail to: email@example.com.
Deletion Request Rights: you have the right to request that we delete any of your personal information that we collected from you subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service providers to:
• Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
• Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
• Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
• Comply with a legal obligation.
• Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Exercising Access, Data Portability, and Deletion Rights: To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by sending an email to firstname.lastname@example.org. Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information.
You may only make a verifiable consumer request for access or data portability twice within a 12-months period. The verifiable data subjects’ request must:
• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable data subjects’ request to verify the requestor's identity or authority to make the request.
We endeavour to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Non-Discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights. Unless permitted by the CCPA/CPRA, we will not:
• Deny you products or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide you a different level or quality of products or services.
• Suggest that you may receive a different price for products or services or a different level or quality of products or services.
12. DATA CONTROLLERS AND PROCESSORS
Data controllers are Bulgari S.p.A., Via dei Condotti 11, 00186 Roma (RM), and the Bulgari Group Companies, whose data may be requested by email at email@example.com. A complete list of data processors designated by controllers may also be requested by sending an email to firstname.lastname@example.org