Purpose and principles of data processing.
In compliance with the applicable legal obligations, WILIER TRIESTINA S.P.A. (hereinafter “WILIER”) describes how it processes the personal data of users who browse and interact with web services accessible electronically from www.wilier.com and with the website’s electronic pages.
Consultation of the website may involve the processing of data relating to identified or identifiable natural persons. This data is divided into three general categories:
We process three general types of data: browsing data, data actively provided by the data subject and data collected from third parties.
1) Browsing data
During normal operation, the IT systems and software procedures used to operate this website collect personal data whose transmission is implicit in Internet communication protocols. This information is not collected to be linked to identified data subjects, although by its very nature, it could be used to identify users through processing and associations with data held by third parties. This data category includes the IP addresses or domain names of the computers used by users to connect to the website, the URI (Uniform Resource Identifier) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.), the country of origin and other parameters related to the user’s operating system and computer environment (e.g., characteristics of the browser and operating system used, the type of device used to access the Internet, temporal details of the visit (e.g., the time spent on each page), and details of the path followed within the site's pages, particularly with regard to the sequence of pages consulted).
Browsing data can also be used to establish responsibility in the event of offences committed against the website or committed through the website (malware attacks, spamming, unauthorised access to computer systems, etc.). In this case, data is kept for as long as necessary to protect the rights of WILIER and/or third parties.
2) Data actively provided by the user
There are two types of data voluntarily provided by the user and collected via the site:
- “B2B” data (relating to dealers, distributors, Company agents, as well as individuals requesting an invoice for tax purposes for a product purchase); the master data is managed solely by WILIER
- “B2C” data (relating to individuals who are end users of company products and who do not require an invoice for tax purposes for a product purchase); WILIER manages the master data via HUBSPOT
When the user uses some website services, we may process third-party personal data that the user sends to our Company. In these cases, the user becomes the autonomous data controller, and assumes all obligations and responsibilities under the law. This confers on our Company the broadest possible protection against any dispute, claim, claim for damages for processing, etc. by third parties whose personal data has been processed through use of the website functions in violation of personal data protection laws.
In any case, if the user provides or otherwise processes third-party personal data by using the website, the user warrants, assuming all related liability, that this processing rests on a legal basis pursuant to Article 6 of the Regulation that legitimises the processing of the data in question.
3) Data relating to the password for access to the B2B section of the website.
Users can be authenticated on the site in two ways:
a) WILIER creates and sends an initial password to the user via email granting access to the reserved area of this website dedicated to dealers/distributors and consumers. The user is required to change the password at the first login. The user must keep the password confidential and may ask WILIER to reset it at any time.
b) Single sign-on: This form of authentication allows the user to access all WILIER websites with a single user ID and password, or via the authentication system of the most common social media networks (social login).
4) Data collected from third parties
Our Company does not collect the data subject’s personal data from third parties, except:
The purpose of personal data processing is to:
Only with the user’s prior specific consent (obtained through special online and/or paper forms) will the data collected also be used for direct marketing activities (market surveys, sending of commercial and promotional communications or newsletters, via any automated means of communication, email, telephone with operator, text message, chat, social media, etc., or non-automated means, e.g., ordinary post).
WILIER also processes data for profiling purposes.
Profiling can be analytical (relating to past or present aspects of the physical person), or predictive, i.e., relating to future personal aspects (e.g., to predict the most likely consumption choices).
Profiling can also be strictly functional for direct marketing purposes (to analyse or predict certain aspects of data subjects based on commercial actions).
In particular, profiling can be “basic”, “advanced” or “not relevant”, as below:
- Basic profiling:
This may include the aggregation, comparison and analysis of the following types of data: customer/non-customer status, gender, residence/domicile/registered office (country, region, province), e-mail, contact language, types of product purchased from WILIER dealers (model, colour, size, cost), types of product or service viewed on the site, types of product left in the WILIER e-commerce shopping cart, dates and frequency of cart abandonment, propensity to purchase (high, medium, low) taken from the individual history of purchases from WILIER and/or its dealers, purchase dates and frequency; company to which the data subject belongs and data subject’s position; actions performed by the data subject when receiving information and commercial e-mail communications from WILIER (actual receipt, message opened, message read, reply to the call to action contained in the message e.g., click on the link or banner contained in the message or land on a landing page outside the message).
Some of this information is collected through contact forms for technical support (where personal data is required) or registration forms (e.g., to activate the WILIER warranty).
WILIER considers all such personal data for basic profiling to be not particularly invasive of the data subject’s privacy, and in particular of the fundamental rights and freedoms protected by the GDPR, since it: i) involves only data related to the contact between the data subject and the WILIER digital ecosystem consisting of the website, e-commerce service hosted in it and the CRM (HUBSPOT) that collects the data (including data on actions performed by data subjects having received direct marketing e-mails); ii) involves data relating to WILIER products and services only for the cycling sector; iii) involves data on actions of which the data subject is aware; iv) does not involve geolocation data; v) does not involve any specific data; vi) does not involve individuals other than the data subject (e.g., members of the household); and vii) involves data collected through a limited number of channels/sources that dialogue technically with each other. Furthermore, this processing is never fully automated, since any decision regarding the effective use of the results of the analysis for direct marketing purposes is taken by WILIER staff.
- Advanced profiling:
This type of analysis includes additional categories of personal data, as well as comparison with personal data taken from other, different contact channels with the user. We wish to clarify that WILIER does not currently perform any form of advanced profiling.
The legal basis provided for by the GDPR by which the processing may be regarded as lawful differs depending on whether profiling is basic or advanced (see the chapter LEGAL BASIS OF PROCESSING hereinafter, for more information).
- Non-relevant profiling
In accordance with the legislation in force, WILIER considers the processing of data for profiling purposes for subjects other than natural persons not to be relevant.
The purposes of direct marketing and advanced profiling are collectively referred to as “secondary purposes”.
The logic and organisation of forms of processing will be closely related to the individual purposes indicated above. Processing will be done using electronic, telematic and/or paper means. During processing, WILIER protects the data against unauthorised access or processing; it is accessible only via access to various software applications, with mandatory personal passwords, and only by personnel previously authorised by WILIER who are required to comply with pre-determined limitations of use.
In the case of primary purposes, processing is necessary to perform pre-contractual measures adopted at the data subject’s request (e.g., requests for clarification, information or commercial offers), for performance of a contract to which the data subject is a party, or to fulfil a legal obligation to which WILIER is subject (e.g., to allow verification of the proper fulfilment of legal and contractual obligations with respect to the data subject or third parties by the administrative and taxation authority, the board of statutory auditors or auditors, etc.) and/or based on the legitimate interest of:
a) WILIER (prevailing over the data subject’s interests or fundamental rights and freedoms) to process data in order to effectively and efficiently manage the relationship with its users, customers and/or providers and to organise production, organisational and management processes (including relations with its sub-providers and/or parent companies, subsidiaries and affiliates pursuant to Article 2359 of the Italian Civil Code or with companies under joint control) to meet this objective
b) third parties to whom the data is sent, to receive personal data from the Data Controller and to process it i) to verify the proper fulfilment of existing legal and contractual obligations towards the data subject or third parties (e.g., verification by Public Authorities of the fulfilment of fiscal obligations, or by the board of statutory auditors or auditors regarding the fulfilment of legal obligations, etc.) or ii) to manage activities connected with the Data Controller's request to receive support for managing activities towards data subjects
In the case of secondary purposes, the legal basis for processing is as follows:
The collected data are processed by WILIER's internal delegates who need to have knowledge of them when carrying out their activities (e.g., sales office, marketing office, administrative office, call centre, technical staff for the maintenance of the company IT system, etc.).
WILIER has also appointed some third parties to whom the Company communicates data as data controllers.
WILIER has a legitimate interest in processing for the aforementioned primary purposes. Therefore, such processing will be possible even without the data subject’s consent. The provision of data to WILIER is mandatory if it is necessary for the fulfilment of legal obligations and failure to do so would prevent the establishment of a contract with the data subject and/or the organisation to which the data subject belongs. In the other cases mentioned above, the data subject is not required to provide the data, although this will prevent continuation of pre-contractual relations, the data subject’s online registration on the website and/or the provision of services or sale of products for which WILIER requests registration and/or data.
Non-registered users may browse the website and view only the content and materials available without registration.
In relation to the secondary purposes of processing (direct marketing, profiling, as provided for in point 5 above) as well as for the communication of data by WILIER to third parties for these purposes:
As permitted by the current legislation and in order to fulfil WILIER’s privacy obligations in accordance with the principles of simplification (as per the Italian Data Protection Supervisor's General Order of 15 May 2013 "Consent to personal data processing for ‘direct marketing’ using traditional and automated contact tools"), the consent WILIER requests for secondary and direct marketing purposes is unique and comprehensive for all possible processing means for Marketing Purposes (electronic/telematic, paper), as well as for all possible direct marketing purposes (i.e., requiring consent for each separate marketing purpose pursued).
We also inform you that without your express consent, we are authorised to use the e-mail address that you provided during previous product or service purchases to send you commercial communications and sales offers via e-mail, as long as they relate to products and services similar to ones you have already purchased. However, you may easily oppose processing at any time free of charge (by opting out via our online platform) (hereinafter, this rule is called “soft spam”).
No. WILIER communicates some data to other companies belonging to the WILIER Group or to third parties that by contract are delegated by us to process the data (e.g., transmit commercial communications) solely on behalf of WILIER based on the same specific marketing consent including that to communicate to third parties for these purposes.
Only with further, separate, additional*, documented, express and optional consent, will WILIER also communicate or transfer your data to third parties who process it as joint or autonomous Data Controllers (these are usually third-party partners for Event promotion), who use them for direct marketing purposes.
Even after consenting to the processing of personal data for direct marketing and possible advanced profiling purposes, the data subject may notify WILIER of a different wish at any time, using one of the following alternative methods:
Collected data is processed by staff delegated by WILIER requiring knowledge of it to perform their activities (e.g., sales, marketing, administrative, technical staff for the maintenance of the company IT system, etc.).
WILIER communicates personal data to third-party recipients only when it is necessary and functional to fulfil the purpose of data processing for the service or product requested by the data subject, and in any case, it communicates it only after informing the data subject, and where necessary, obtaining the data subject's consent to do so. Disclosure to third parties will always be limited to data required for their purposes. The third-party recipients of the data - hereafter better identified - will process the data, according to the case, a) as “data processors" (i.e., on our behalf and on the basis of our written directives aimed at ensuring respect for privacy during processing and under our supervision), or b) as joint data controllers (i.e., on the basis of a written agreement that regulates their respective activities and responsibilities in relation to personal data), or as autonomous data controllers (in this case they will provide the data subject with all the necessary legal information on their respective processing, unless they are bound by professional confidentiality under the current regulations).
Within the scope of the primary purposes, and in particular where the data subject enters into a contract with our Company, the data may be communicated by WILIER to all subjects whose intervention in the processing is useful based on the services requested by the data subject and/or on legal obligations or deriving from regulations or other EU legislation, e.g.: parent companies, subsidiaries or affiliates of the WILIER group and/or third-party partners providing functional or complementary activities to the provision of products or services requested by the data subject (e.g., management of information requests, quotes, orders, contracts, after-sales), third parties performing activities related to and/or instrumental to processing (e.g., commercial agents, banks for deposits and payments, commercial information companies, credit collection companies, credit transfer companies, credit insurance companies, electronic payment service providers, couriers, carriers and freight forwarders, factoring companies, insurance companies, lawyers and law firms, chartered accountants, accountants, auditors and auditing companies, members of the supervisory body in accordance with Leg. Decree 231/2001 on organisational models to prevent the commission of certain categories of offence, statutory auditors, third parties responsible for web hosting services and/or maintenance of this website and/or of the computer systems used by it and/or of the electronic archives connected to the site; carriers and freight forwarders; public safety authorities and computer forensics companies in the case of requests related to criminal and civil investigations and/or suspected offences or other violations or unlawful acts committed against WILIER and/or third parties).
In the case of processing for secondary purposes (advanced profiling, direct marketing), we will also communicate the data, after obtaining specific consent (see below), to the following product or commodity categories of third-party recipients: other subsidiaries of the WILIER group, advertising agencies, marketing analysis companies, communication and/or public relations companies, companies responsible for designing, printing and maintaining advertising or promotional materials and/or their online management, website production companies, web marketing companies, direct e-mailing service companies (e.g., Mailchimp, HubSpot or similar), consultants and/or other entities entrusted by us with activities functional to these purposes; maintenance companies of the IT systems on which our databases are hosted or are processed; providers of electronic communication and ICT services; third-party commercial partners with which WILIER initiates co-marketing actions (e.g., influencers, dealers, agents). The data will not be disseminated.
WILIER also communicates personal data to AMAZON WEB SERVICES Inc. (AWS), with registered office at 1200 12th Avenue South, Suite 1200, Seattle, WA 98144 (USA), which provides i) an infrastructure and back-end service hosting data and files that allow this site to function (AWS DynamoDB service), allowing distribution and providing a ready-to-use structure for specific website functionalities, and ii) user identity and access management services provided by AWS Cognito.
Services under ii) include social media login features that use identity services from third-party social media providers (e.g., Google, Facebook). These services authenticate the user's identity and provide the option to share some personal data from these services with us, such as name and e-mail address, to pre-complete our login form.
Personal data may be processed in part in foreign countries, whether inside or outside the EU, in so far as the Company uses providers having data centres or offices in those countries (e.g., for technical management of this site and/or the technical operation of the site’s database, or to manage direct marketing activities and profiling related to it in various ways).
In particular, personal data will be transferred abroad when necessary for commercial or Marketing Purposes, and only to non-EU countries guaranteeing adequate levels of protection in accordance with EU Commission decisions, or, in the absence of specific decisions, only following the conclusion of specific contracts between WILIER and these subjects with regard to the Marketing Purposes, containing appropriate safeguard clauses for the protection of personal data by the foreign entity receiving it, in accordance with applicable legislation and, as a minimum, the relevant standard texts approved by the EU Commission (Standard Contractual Clauses - SCC).
WILIER uses the following cloud providers with registered office or data centres located in the USA:
However, other inactive data processed by WILIER, and in particular data other than that mentioned above, may be transferred from the EU to the USA for the service on a non-occasional basis.
It is possible that, in certain exceptional situations, under the legislation in force in the USA (e.g., Article 702 of FISA and Executive order EO 12333) and exclusively for national security purposes, the American public authorities may access personal data transferred by WILIER to the USA. However, on the basis of a specific analysis performed by the Company in accordance with the ECJ “Schrems II ruling” of 17 July 2020 and the guidelines of the European Data Protection Board (EDPB), the possibility that the aforementioned public authorities would have an interest in accessing and processing data (of which the provider is not required by law to notify WILIER and/or the data subject) appears entirely remote, given: (i) WILIER's core business, (ii) the limited types of personal data processed by WILIER, and (iii) the limited categories of data subjects to which the data relates.
Therefore, the Company considers that the aforementioned SCC guarantee a level of protection of data subjects’ rights substantially equivalent to that provided for under the GDPR. Data subjects will be informed of the adoption of any additional measures.
WILIER also performs constant monitoring in order to identify providers with registered office or data centres in the USA and verifies that data transfer to them is based on appropriate legal bases required by the GDPR.
When data is transferred outside the EU for reasons other than Marketing Purposes, the legal basis of the transfer is also constituted by WILIER's legitimate interest in performing the contract with the data subject or a contract concluded by WILIER with third parties in favour of the data subject or to fulfil relevant legal obligations.
Personal browsing data is processed for the time required to allow browsing and technical interaction between the user and the website. This time coincides with the duration of the individual browsing session.
In the case of processing for primary purposes, personal data is normally processed for the entire duration of the pre-contractual and/or contractual relations established with the data subject, in particular:
a) for the time necessary to meet the data subject’s pre-contractual requests (e.g., open tickets for warranty technical interventions, track and manage successful sending of replies by the Company to the data subject): 24 months from the date of personal data collection
b) in the case of a contract concluded with the data subject: for the duration of the contract
c) after termination of the above contractual relationship: 10 years in order to fulfil all legal obligations (e.g., tax and civil) connected with the terminated contractual relationship and to respect the limitation period for any civil claims by the data subject against WILIER.
Personal data processed for IT security purposes (e.g., logs) are kept for the time required to perform the security checks and assess the results: 24 months from the time of collection.
In the event of out-of-court or court litigation with the data subject and/or third parties, the data will be processed for the entire time strictly necessary to fully protect the Data Controller’s rights.
Processing for secondary purposes has the following duration (unless the data subject’s consent is renewed at the end of the period):
The Data Controller of the personal data is WILIER TRIESTINA S.p.A., Via Fratel Venzo 11, Rossano Veneto (VI), Italy, in the person of its Chief Executive Officer, Andrea Gastaldello, email: email@example.com
A complete and up-to-date list of external data processors is available for viewing at the Company upon written request of the data subject.
JOINT STATISTICAL DATA PROCESSING WITH FACEBOOK
For Pages, Facebook offers Page Insights, a feature that provides aggregated data to help understand how people interact with Facebook Pages.
With respect to the Facebook page https://www.facebook.com/wiliertriestina, WILIER is Joint Data Controller for statistical data with Facebook Ireland Limited (“Facebook Ireland”). This link provides the appendix on the data controller for Facebook Page Insights, which indicates the division of responsibilities between Facebook Ireland and WILIER as administrator of the page: https://www.facebook.com/wiliertriestina
The page https://www.facebook.com/privacy/explanation provides information on Facebook’s data policy as well as the following information:
• The types of information Facebook collects
• How Facebook uses this information
• How this information is shared
• Legal basis for data processing
• How to exercise rights under the GDPR
• Facebook Ireland contact data for personal data protection questions
• Contact details of Facebook Ireland’s data protection officer
• Facebook visitors’ rights under the GDPR
• The data retention period
MORE ABOUT WILIER’S SOCIAL MEDIA CHANNELS
WILIER manages the LinkedIn page at https://www.linkedin.com/company/wilier-triestina-spa/
WILIER manages the YouTube channel at https://www.youtube.com/user/WilierChannel
WILIER manages the Twitter account at https://twitter.com/WilierTriestina
WILIER manages the Pinterest account at https://www.pinterest.it/wiliertriestina/
WILIER manages the Instagram account at https://www.instagram.com/wiliertriestina/
With regard to the processing of personal data, the data subject may exercise the following rights, contacting our Company without any particular formality:
Rev 3.0 - 09/06/2021