"Personal data" (e.g. Art. 4 number 1 of EU Regulation 2016/679) means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing", (e.g. Art. 4 number 2 of EU Regulation 2016/679) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise providing access, alignment or combination, restriction, erasure or destruction.
Who are the Data Controllers and where can I contact them?
Company Name: Dsquared2 S.p.A.
Registered office address: Via Ceresio 9, 20154 Milano, Italy, Italy
Email contact details: firstname.lastname@example.org
Dsquared2 S.p.A. can be contacted at the above addresses.
Company Name: YOOX NET-A-PORTER GROUP S.p.A., company with sole shareholder subject to direction and coordination of Compagnie Financière Richemont S.A.
Registered Office: via Morimondo 17, 20143, Milan, Italy.
Email contact details: email@example.com
In particular, Dsquared2 S.p.A. is the owner of the website www.dsquared2.com and of the brand "DSquared2" and the independent data controller for processing data for marketing purposes (including statistical analysis and surveys), profiling for marketing activities and CV management. Dsquared2 S.p.A. and YOOX NET-A-PORTER GROUP S.p.A. are, on the other hand, joint data controllers, processing data relating to online purchases and after-sales assistance, as well as the "pick up in store", "return in store", "click and reserve" and "book an appointment" services (hereinafter also "Omni-Channel Services") offered by the website www.dsquared2.com.
The fundamental content of the existing joint venture agreement between Dsquared2 S.p.A. and YOOX NET-A-PORTER GROUP S.p.A., with an indication of their respective responsibilities and functions in the processing of personal data, is set out in the table below. Any further information related to the contents of the above-mentioned joint venture agreement may be requested by writing to us at the above-mentioned addresses.
Summary of the joint venture agreement:
|Processing activities||Co-controllers - Respective responsibilities|
|Online sales|| || || |
|Post-sales assistance|| || || |
|Omni-Channel services|| || || |
Contact details for Data Protection Officer (DPO) of Dsquared2 S.p.A.
First and Last Name: Matteo Alessandro Pagani
Domicile for these purposes: via Filippo Turati 26, 20121 Milan, Italy.
Telephone number: 02.39443190
Email address: firstname.lastname@example.org
Contact details for Data Protection Officer (DPO) of YOOX NET-A-PORTER GROUP S.p.A.
Domicile for these purposes: via Morimondo 17, 20143, Milan, Italy.
Email contact details: email@example.com
Processing of personal data
Personal data collected
Dsquared2 S.p.A. and YOOX NET-A-PORTER GROUP S.p.A., each according to their own responsibility, collect and process the following personal data when you browse or shop on dsquared2.com:
- personal data necessary to conclude and fulfil your purchase on dsquared2.com such as name and surname, e-mail address, shipping address, billing address, telephone and payment details;
- e-mail address for subscription to the newsletter service;
- personal data provided when contacting Customer Service to provide the requested assistance;
- personal data for marketing communications;
- to register your Account we collect your name and surname, email address, password, gender, and date of birth. If you are a registered user, we collect information about your access to the reserved part of the Website. By express consent, through the analysis of your personal data, we can process information regarding your interests and preferences with respect to our products and services, in order to present proposals and offers in line with your tastes.
- information about your browsing on dsquared2.com, such as the pages you visit and how you interact with the single page and we save this information on our servers;
- in order to improve your shopping experience;
- in order to provide you with the services offered by dsquared2.com (including Omni-Channel Services). For this purpose we need to collect, in relation to each service and its characteristics, the personal data necessary to perform the specific service you request;
- personal data contained in your CV to evaluate your application.
Please note that Dsquared2 S.p.A. and YOOX NET-A-PORTER GROUP S.p.A. do not process personal data relating to minors. If you access dsquared2.com and use the services offered by Dsquared2 S.p.A. and YOOX NET-A-PORTER GROUP S.p.A. you agree that you are over the age of majority.
Purposes of the processing
Dsquared2 S.p.A. and YOOX NET-A-PORTER GROUP S.p.A. process the data subject's data by electronic means, and possibly on paper for marketing purposes by sending promotional and informational material by email, that is, to respond to requests or questions made by you, to solve problems related to our good or services and to receive useful advice aimed at improving our offering.
For each of the purposes identified above, the following table specifies the legal grounds, the categories of personal data and their retention period:
|Purpose of the processing for which the personal data is intended||Legal grounds for processing||Categories of personal data subject to processing||Retention period of personal data|
|Entering and performing the contract for the purchase of products||Contract||Personal identification data||Until the completion of administrative and accounting formalities and for a further period of 10 years|
|Registration on the Website and use of the services offered to registered users||Contract||Personal identification data||Until you request deletion of your account|
|Provision of the services offered on dsquared2.com||Contract||Personal identification data||Until termination of the service or until you request cancellation of subscription to the service|
|Provision of Omni-Channel services||Contract||Personal identification data||Until the completion of the service requested and for a further period of 10 years|
|Management of Customer Care enquiries||Contract / Consent||Personal identification data||Until your request is satisfactorily resolved and for a further period of 6 months|
|Submission of CVs and assessment of applications for an open position||Consent||Personal identification data and specific data relating to health status||12 months|
|Statistical analyses and surveys to improve product range and services||Consent||Data and personal identification data||Until you unsubscribe from the service or on your request to discontinue the activity|
|Marketing communications relating to products and services (news, new arrivals, exclusives, offers and promotions) and to carry out market research and surveys to assess satisfaction in order to improve services and the relationship with users||Consent||Personal identification data||Until you unsubscribe from the service or upon your request to discontinue the activity and in any case no longer than 2 years|
|Customising the experience as a registered user on dsquared2.com, suggesting previews and offers in line with your tastes and sending marketing communications tailored to your interests||Consent||Personal identification data||Until you withdraw your consent to such activity or until the termination of such activity, and in any case no longer than 12 months|
|Identifying the nearest store (Store Locator)||Consent||Data related to the geographical position||Until termination of the service or withdrawal of the consent given|
Categories of receivers
In relation to the purposes indicated, data may be disclosed to companies and/or persons in EU countries that provide services as Managers, and thus on behalf of YOOX NET-A-PORTER GROUP S.p.A. (YOOX NET-A-PORTER GROUP) and/or of Dsquared2 S.p.A., that is, the autonomous data controllers. For the sake of clarity and by way of example but not exhaustively, this include the following types:
- Internet providers;
- Companies specialised in computer and telecommunications services;
- Companies specialised in customer services;
- Companies specialising in market research and data processing;
- Communications agencies;
- Marketing consultancy companies;
- Freelance consultants in the administrative, fiscal, accounting and legal fields;
- Supervisory and oversight bodies.
The list of the Recipients / external Processors with further data that may be used for identification is available from the Data Controller in charge of the processing of personal data.
Transfer of personal data to non-EU third countries
The transfer of your personal data to countries that are not members of the European Union and that do not ensure adequate levels of protection will only be carried out after specific agreements have been entered into between Dsquared2 S.p.A. and/or YOOX NET-A-PORTER GROUP S.p.A. and said parties, containing safeguarding clauses and appropriate guarantees for the protection of your personal data, known as the 'standard contractual clauses', also approved by the European Commission, or if the transfer is necessary for the stipulation and fulfilment of a contract with Dsquared2 S.p.A. and YOOX NET-A-PORTER GROUP S.p.A. (for the purchase of goods offered on our Website, for registration on the Website or for the use of services on the Website) or for the management of your requests.
Rights of the data subject
In relation to the personal data covered by this policy, the data subject has the right to exercise the rights provided for by the EU Regulation as indicated below:
- right of access by the data subject [Art. 15 of the EU Regulation](consisting of the ability to be informed about the processing of personal data and if required receive a copy);
- right to correction of personal data [Art. 16 of the EU Regulation] (the data subject has the right to have inaccurate personal data concerning him or her corrected);
- right to deletion of personal data without undue delay (“right to be forgotten”) [Art. 17 of the EU Regulation] (the data subject has the right to have his or her personal data deleted);
- right to the restriction of processing of personal data in the circumstances provided for in Art.18 of the EU Regulation, including in the event of unlawful processing or dispute of the accuracy of the personal data by the data subject [Art. 18 of the EU Regulation];
- right to data portability [Art. 20 of the EU Regulation], (the interested party may request his/her personal data in a structured format in order to transfer it to another Data Controller, in the cases provided for by the same article);
- right to object to the processing of personal data [Art. 21 of the EU Regulation] (the data subject has the right to object to the processing of his/her personal data in the cases provided for and regulated by Art. 21 of the EU Regulation);
- right not to be subjected to automated decision-making [Art. 22 of the EU Regulation] (the data subject has the right not to be subject to a decision based solely on automated processing);
- right to withdraw your consent [art. 7 of the EU Regulation] (the data subject may at any time withdraw a consent given for the processing of personal data in relation to any activity for marketing purposes). According to Article 7 of the EU Regulation, withdrawing consent does not affect the lawfulness of the processing based on the consent given before the revocation.
The above rights may be exercised in accordance with the EU Regulation by contacting Customer Care , selecting the reason "Privacy".
If the data subject considers that his/her rights have been compromised, he/she has the right to lodge a complaint with the Italian Data Protection Authority using the process indicated by the Authority at the following website: https://www.garanteprivacy.it/web/guest/reclamo
Automated decision making process
The use of automated decision-making processes, including profiling, that have legal effects affecting the data subject, or that have a similar significant impact on him or her, is lawful only in the cases provided for and regulated by Art. 22 of the EU Regulation, or if:
- it is necessary for the conclusion or performance of a contract between the data subject and the data controller;
- it is authorised by EU law or by the law of the Member State to which the data controller is subject;
- it is based on the explicit consent of the data subject.
Personal data will be processed in paper, electronic and telematic form and entered in the relevant databases (potential customers, customers, users, etc.) which can be accessed by, and thus disclosed to, persons expressly designated by the Controller as Processors and Agents responsible for the processing of personal data, that may consult, use, process, compare, or perform any other appropriate operation, including automated operations, in compliance with the legal provisions necessary to guarantee, inter alia, the confidentiality and security of data as well as the accuracy, updating and relevance of the data with respect to the stated purposes.
Data processing for browsing purposes
During their normal operation, the computer systems and software procedures used to operate this website acquire some personal data, the transmission of which is implicit in the use of Internet communication protocols.
This information is not collected in order to be linked to identified data subjects, but by its very nature it could, through its use and in conjunction with data held by third parties, allow users to be identified.
Among the information that may be collected are IP addresses, the type of browser or operating system used, URI (uniform resource identifier) addresses, the domain name and addresses of the websites from which you accessed or left the website (referring/exit pages), the time when the request was made to the server, the method used and information on the response obtained, additional information about your browsing on the website (see also the section on cookies) and other parameters regarding the operating system and computer environment.
This same data could also be used to identify and establish responsibilities in the event of any cyber crime against the website.
Notice concerning children under 18 years of age
Dsquared2 S.p.A. and YOOX NET-A-PORTER GROUP S.p.A. do not process personal data relating to minors. If you access dsquared2.com and use the services offered by Dsquared2 S.p.A. and YOOX NET-A-PORTER GROUP S.p.A. you declare that you are of legal age. Dsquared2 S.p.A. and YOOX NET-A-PORTER GROUP S.p.A. will not be liable in any way for any collection of personal data, as well as false statements, provided by minors.
Changes and updates
Legal provisions on the rights of the data subject
Right of access by the data subject
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data is not collected from the data subject, any available information as to its source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- If personal data is transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
- The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
- The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Right to rectification
The data subject shall have the right to have the controller correct inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (“right to be forgotten”)
- The data subject shall have the right to have the controller delete personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- the personal data has been unlawfully processed;
- the personal data must be erased to comply with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data has been collected in relation to the offer of information society services referred to in Article 8(1).
- Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to delete it, said controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that the data subject has requested them to delete any links to, or copy or replication of, that personal data.
- Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
Right to restriction of processing
- The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the deletion of the personal data and requests the restriction of its use instead;
- the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to Article 21(1) pending the verification of whether the legitimate grounds of the controller override those of the data subject.
- Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
- A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Notification obligation regarding correction or deletion of personal data or restriction of processing
The data controller shall provide notice of any correction or deletion of personal data, or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject so requests.
Right to data portability
- The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit such data to another controller without hindrance from the controller to which the personal data was provided, where:
- the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); b) and
- the processing is carried out by automated means.
- In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
- The exercise of the right referred to in paragraph 1 of this article shall be without prejudice to Article 17. That right shall not apply to processing necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Right to object
- The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, which includes profiling to the extent that it is related to such direct marketing.
- If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
- At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
- In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
- Where personal data is processed for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless such processing is necessary to perform a task carried out for reasons of public interest.
Automated individual decision-making, including profiling
- The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or that similarly significantly affects him or her.
- Paragraph 1 shall not apply if the decision:
- is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
- it is based on the explicit consent of the data subject.
- In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view, and to contest the decision.
- Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
Date last updated: 01/06/2021