“Hi my name is Erica I am 39 and I have a 23-year-old son and a 22-year-old daughter-in-law. I lost my hair about 2 years ago due to a really stressful life event. I can remember sitting in the airport waiting to pick up my son and running my hand through my hair and a grapefruit sized chunk coming out. I got introduced to CNC online, well, I had gone through creams to put on my head to grow back hair, I had gone through shots on my scalp, I had gone through medication, I had used wigs work and once I got it it was amazing because I could be active, I could go swimming, I could tell people on my terms whether I had hair or not I wasn't forced to like with wearing a wig.”
Consent for marketing purposes
I, the undersigned, hereby give my consent to the processing and communication of my personal data so as to receive newsletters, commercial communications and/or advertising material via e-mail, post, text message and/or telephone regarding products or services provided by the Data Controller as well as the measurement of the degree of satisfaction relating to the quality of said services.
ADVIHAIR S.R.L., VAT N° 11495171008, with its offices at Via Benini n. 11 - 40069 Zola Predosa (Bologna, Italy) (hereinafter referred to as the "Data Controller"), in its capacity as Data Controller, hereby informs you, in accordance with Art. 13 of EU Regulation n. 679/2016 (hereinafter referred to as the "GDPR"), that your personal data (provided at the moment of subscription, by means of which business relationships deriving from the existing contract are established) shall be processed in compliance with the methods and for the purposes specified below. In accordance with the provisions of both the GDPR and Italian Legislative Decree n. 196/2003 and any subsequent amendments (hereinafter referred to as the "Privacy Code"), the processing operations carried out by the Data Controller shall be based on principles of correctness, lawfulness and transparency, and they shall be carried out with the aim of complying with the principles of relevance, completeness and non-excessiveness while also safeguarding confidentiality.
The scope of data processing
Such data shall be processed, also by using IT and telematic procedures, with the acquisition, where necessary, of images, in accordance with the abovementioned legislation as well as any foreseen confidentiality obligations. More specifically, the personal data shall be processed by the centre, that will carry out all the necessary, individual processing operations (collection, registration, organisation, storing, processing, modification, extraction, etc.) as well as any other operation deemed useful with regards to the provision of the services requested.
Data processing purposes, Nature of data provision and consequences arising from the refusal to provide the requested data
1. Primarily, personal data shall be processed exclusively for purposes closely linked and instrumental to the fulfilment of contractual obligations to which you are party and that constitute the legal basis for the data processing itself in accordance with Art. 13, paragraph 1, letter c) of the GDPR. Such purposes particularly include:
- The conclusion of contracts for services and products provided by the Data Controller;
- The conclusion of contracts for services and products provided by the Supplier;
- Participation in presentation/courses/demonstration activities;
- The fulfilment of precontractual, contractual, administrative, and tax obligations arising from the existing business relationship established with you (requirements regarding operational, organisational, management, tax, administrative, insurance and accounting activities relating to the contractual and/or precontractual business relationship established);
- The fulfilment of obligations foreseen by law, by regulations, community legislation or by an order from a legal Authority (for example, with regards to anti-money laundering);
- The exercising of the Data Controller's rights, for example, with regards to the right to defence before a court.
The processing of such data shall be carried out without the need for your express consent (Art. 6 letters b), c) of the GDPR) and the provision of such data is deemed as mandatory. In the absence of such provision, we cannot guarantee the establishment and execution of contractual relations with the Data Controller.
2. Secondarily, personal data may be processed only after obtaining your specific and explicit consent (Art. 7 of the GDPR) for the following purposes:
a) Marketing: to send you newsletters, commercial communications and/or advertising material via e-mail, post, text message and/or telephone, regarding products or services provided by the Data Controller as well as the measurement of the degree of satisfaction relating to the quality of said services.
b) The taking and use of portraits, photographic images and videos: the use and publication of portraits in photos and/or videos that shall be taken, on the Data Controller's website and on its social network profile pages. For this purpose, the Data Controller hereby guarantees the fullest respect for rights relating to the honour and reputation of such data. The posing and use of the images are understood to be completely free of charge.
The giving of one's consent with regards to Data Processing for Marketing purposes as well as for the use of the portrait, photographic image and video, for the abovementioned purposes and methods, is entirely voluntary and optional (and, in any case, such consent can be revoked without any formal procedure, also following the provision of services) and failure to provide such data shall not lead to any interference and/or consequences with regards to the abovementioned business relationship. In any case, also when the consent to authorise the Data Controller to carry out all the aforementioned operations has already been given, you shall be entitled to revoke it at any time whatsoever, by sending a registered letter regarding your "de-listing" and/or "image deletion" requests to the Data Controller's address as specified below. Following the receipt of such request, the Data Controller shall promptly remove and delete the relevant data from the databases used for Data processing for Marketing purposes and/or the use of the portrait, photographic image and video. The mere receipt of the de-listing request shall automatically be considered as a confirmation that such deletion process has been carried out.
Data processing shall be carried out both manually (e.g. the collection of paper forms) and electronically or in any case, with the aid of appropriate electronic, IT and telematic tools so as to guarantee the security and confidentiality of the data itself, in accordance with what is stated in both Art. 32 of the GDPR and the Privacy Code. In any case, during the performance of data processing operations, all the necessary technical, IT, organisational, logistic measures and safety procedures shall be adopted, in order that the minimum level of protection of the data foreseen by law shall be guaranteed.
Duration of data processing
The Data Controller shall process the personal data for the necessary time so as to fulfil the aforementioned purposes and, in any case, for no longer than 10 years after the business relationship has ended, for the primary purposes and for no longer than 2 years after the need for data processing for Marketing Purposes has ended. The images shall be kept indefinitely and stored in the databases so as to have a historical memory of the events. Anyhow, a periodic verification is carried out relating to the obsolescence of the data stored in relation to the purposes for which they had been collected.
Categories of Individuals to whom the data may be communicated:
Your personal data may be communicated:
- To the Data Controller's employees in their capacity as persons in charge of data processing and/or internal data processors and/or system administrators;
- To self-employed professionals (lawyers, consultants, etc.), administrative and tax consultants for the necessary legal fulfilments, companies that carry out outsourcing activities on behalf of the Data Controller, in their capacity as appointed external Data Processors.
- To supervisory bodies, judicial authorities, insurance companies for the provision of insurance services, as well as those individuals to whom the communication of data is compulsory by law in order to carry out said purposes.
- For defensive investigations or to assert or defend one's rights before judicial courts, as long as it exclusively refers and is closely linked to such purpose.
The Data Controller shall not transfer your personal data to a third-party country or to an international organisation.
Rights of the Data Subject
In your capacity as a data subject, you have rights in accordance with Art. 15 of the GDPR and more specifically, the right to obtain confirmation from the Data Controller as to whether or not personal data relating to you is being processed and, in which case, to obtain access to such personal data as well as the following information: a) the purpose of the processing; b) the categories of the personal data in question; c) recipients or categories of recipients to whom personal data has been or shall be communicated, in particular if these refer to third-party countries or international organisations; d) when possible, the foreseen period of retention of the personal data or, if this is not possible, the criteria used to determine such period; e) the right to ask the Data Controller to rectify or delete your personal data or the restriction of the processing of the personal data relating to you or to object to its processing; f) the right to lodge a complaint with a supervisory authority; g) if such data has not been provided by the data subject himself/herself, all the information available regarding its origin; h) the existence of an automated decision-making process, including profiling operations and, at least in such cases, significant information regarding the logic used, as well as the importance and the foreseen consequences of such processing for the data subject. Where applicable, you are also entitled to exercise the rights pursuant to Articles 16-21 of the GDPR (the right to rectification, the right to be forgotten, the right to restriction of processing, the right to data portability and the right to object), as well as the right to lodge a complaint with the Italian Anti-trust Authority by following the procedures and indications published on said Authority's official website: www.garanteprivacy.it or, alternatively, the right to lodge a complaint before a competent judicial authority.
Methods of exercising rights
You shall be able to exercise your rights at any time whatsoever by sending a registered letter to the Data Controller to such effect.
Data Controller
The Data Controller of the personal data you provided is: ADVIHAIR S.R.L., VAT N° 11495171008, with its offices at Via Benini n. 11 - 40069 Zola Predosa (Bologna, Italy) in the person of its Legal Representative. Articles from 15 to 22 of the GDPR are available by clicking on this link: http://eur-lex.europa.eu/legal-content/IT/TXT/HTML/?uri=CELEX:32016R0679&from=IT