SCOPE – DATA CONTROLLER
WHAT INFORMATION WE PROCESS
We process your personal data that you provide to us when you:
· Interact with our third party booking provider Yoobic (e.g., by booking an appointment for a virtual shopping experience)
· purchase Products from us through the Virtual Shopping process in a participating Store
· contact the Store
WHY WE USE YOUR INFORMATION
We collect and process your personal data in order to:
· manage the booking process
· complete and manage your purchases and respond to your requests
· improve our Products and services
We do not sell or share your personal data to anyone.
PARTIES WITH WHICH WE SHARE YOUR INFORMATION
The Store may share your personal data with:
· third-party providers Yoobic and Adyen that help us to provide the Virtual Shopping experience (these recipients act on our behalf and under our instructions only);
· third parties in case of judicial processes, request by courts or authorities, other legal obligation, to defend our rights, or in case of merger, acquisition, or assets transfer.
Some of these recipients are located outside the EEA, but we ensure that your personal data remain at all times adequately protected (if the country of destination is not one that the EU Commission considers offers an adequate level of protection, we cover the data transfer by appropriate safeguards).
NECESSARY v. OPTIONAL INFORMATION
Some of your personal data are necessary to complete your purchase or to provide the service that you request from us. If you refuse to provide these personal data, it would make it impossible for us to complete the purchase or provide the requested service.
Only functional and required session cookies are retained during the Virtual Shopping process through the Yoobic landing page.
HOW TO CONTACT US
For any query or request relating to our use of your personal data, or to exercise your rights, you may contact firstname.lastname@example.org.
HOW LONG WE KEEP YOUR INFORMATION
We only keep your personal data for so long as necessary to achieve these purposes. This may be up to 10 years after the end of the contractual relationship with you (statute of limitation for legal claims in most EEA countries), unless a shorter or longer retention period applies under applicable data protection laws.
You may, at any moment, exercise your rights under data protection law, including (when applicable) your right of access, rectification, restriction, erasure, opposition (including objecting, at any time and for free, to the processing of your personal data for direct marketing), right to portability and your right to withdraw consent. You also have the right to lodge a complaint with the competent supervisory authority.
What is the content of this document? What happens to my personal data when I interact with the VF Group?
We collect and process your personal data in accordance with all applicable data protection laws and regulations, including, without limitation, the laws promulgated on the matter by the European Union, such as the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 ("GDPR") and supplementing national provisions, if you are in the United Kingdom, the GDPR as incorporated into the laws of the United Kingdom (“UK GDPR”), as well as the orders and guidelines issues by the competent data protection authorities, as applicable (the "Data Protection Laws").
Who controls the processing of my personal data? Who is accountable for it?
The data controller of your personal data when you purchase goods from us is the local entity of the VF Group that sells the goods to you through the Virtual Shopping process. This local entity is also the data controller of the personal data that you provide when you interact with our customer service. The relevant VF company is identified on your purchase receipt.
The affiliate company VF INTERNATIONAL S.A.G.L., Via Laveggio 5, 6855 – Stabio, Switzerland, may provide services to the above mentioned Data Controller, such as, for example, hosting and management services with regards to the VF webpages you may access as part of the Virtual Selling process.
VF Group's Data Protection Officer may be contacted via our Privacy Office Europe at email@example.com.
What personal data are processed?
Automatic Information Collection on the VF Digital Platforms
Information you provide voluntarily to us:
We collect and process:
1. personal data that you provide when you interact with us, through VF webpage, for example, when you book an appointment for the Virtual Shopping process. This personal data may include:
- your name, e-mail address, telephone number
2. personal data that you provide when you purchase goods from us (from a participating Store through the Virtual Shopping process) or interact with a Store for customer service purposes. This personal data may include:
- your name, e-mail address, telephone number
- the history of Products you purchase
- details regarding your transaction
- information regarding the reasons why you contacted customer service
For what purposes are my personal data processed?
We collect and process your personal data for the following purposes:
a. to manage your purchases of goods (through the Virtual Shopping process with our Stores):
- this includes all activities relating to the purchase of goods, such as for example delivery of goods, billing, returning and exchanging of goods, receiving refunds, , as applicable, payment related activities;
b. to provide you with our customer-service (see details section 3 below), including:
- to provide you with after-sale services;
- to respond to your request(s) of information, question(s), communication(s) or feedback
- for internal training purposes and improvement of our customer-service;
c. for other purposes:
- for fraud prevention purposes, through internal procedures aimed at verifying the regularity of transactions, to protect our financial integrity and to protect you against the misuse of data and fraudulent purchases; and
- to comply with our obligations under applicable laws, regulations and to assess and defend a legal right.
d. to operate and manage the VF webpage, including to provide you with the goods through the Virtual Shopping process.
What are the legal bases for the processing of my personal data as described herein?
We will collect and process your personal data for the purposes described in the Section "For what purposes are my personal data processed?" on one of the following legal bases:
§ The processing of your personal data is necessary for performance of a contract with you or in order to take steps prior to entering into a contract with you at your request (Article 6, 1., (b) of the UK GDPR);
§ The processing is necessary for the purposes of our legitimate interests or our affiliates' or other third parties' legitimate interests, and such interests are not overridden by your interests or fundamental rights and freedoms (Article 6, 1., (f) of the UK GDPR); The legitimate interests that we pursue notably include our interest to manage and maintain the contractual relationship with you, to answer to your specific requests, to ask your feedback in order to improve our services and Products, or to pursue other general marketing activities.
§ Where your specific consent is required to the processing of your personal data as described herein, your personal data will be processed based on such consent (Article 6, 1., (a) of the UK GDPR);
How long will my personal be data processed?
Personal data are not kept for longer than the time necessary to achieve the specific data processing purposes described herein. This may be up to 10 years after the end of the contractual relationship with you (statute of limitation for legal claims in most EEA countries), unless a shorter or longer retention period applies under applicable laws.
Are my personal data safe?
We are committed to protect the security and confidentiality of your personal data. We take – and require that any service provider and/or third party processor processing personal data on our behalf and on our instructions takes – appropriate technical and organizational measures to prevent loss and destruction, even accidental, of data, unauthorized access to data, unlawful or unfair use of data. Moreover, information systems and software programs are configured so that personal and identification data are used only when necessary to achieve the specific processing purpose from time to time sought.
We deploy a variety of advanced security technologies and procedures to help protecting personal data against the risks outlined above. For example, personal data provided by users are stored on secured servers placed in controlled locations. Moreover, for the transmission of some data through the Internet are deployed encryption techniques such as the Secure Socket Layer (SSL) protocol.
However, please note that no electronic transmission or storage of information is 100% secure. Therefore, despite the security measures that we have put in place to protect your personal data, we cannot guarantee that loss, misuse, or alteration of data will never occur.
Where do my personal data go? Who are the recipients, where is it transferred and for what purposes?
Personal data collected through the VF webpage, as part of the virtual sale of goods by our Stores and as part of our customer service, are stored on the servers provided and managed by our third-party storage and hosting providers, with servers located in the European Union and/or the United Kingdom. Certain personal data collected as part of the sale of goods in our stores might also be stored locally in the store. All these personal data may be shared with recipients as detailed below.
1°. Your personal data will be accessible within our organization by the internal and external personnel that need to access it because of their duties in relation to the processing purposes herein specified. We ensure that these persons are held by appropriate security and confidentiality duties.
2°. Your personal data may also be accessible by third party service provider that we appoint to process personal data on our behalf and on our instructions (as data processors). These data processors include:
§ third party service providers to which we may revert to for performance of professional, technical and organizational services functional to the managing of the VF webpage and the activities performed therein;
§ third party service providers to which we revert for closing purchase transactions and payment processing through our e-commerce platform e.g. Adyen;
§ third party service providers that are managing and supporting the Virtual Shopping process and all the pre- and post-sale activities, such as, order processing, performance marketing, financial services, warehouse management, and customer relationship management;
A list of these data processors, with indication of where they are located, is available upon request to our Privacy Office. These data processors are bound by appropriate contractual obligations to implement adequate security measures to protect security and confidentiality of personal data.
3°. Your personal data may also be communicated to other companies of the VF Group within the European Economic Area, processing personal data on behalf of the data controller(s) identified above. A list of these VF Group's companies, with indication of where they are located, is available upon request to our Privacy Office. For example, VF Europe BV may provide accounting and back-office services and VF Northern Europe Ltd may provide post-sale customer services, as data processors.
4°. Your personal data may also be shared with institutions, authorities, public entities, banks and financial institutions, professionals, independent consultants, also in associate form, business partners or other legitimate recipients as permitted by applicable laws and regulations, for example in case of judicial processes, request by competent courts and authorities or other legal obligation, to protect and defend our rights and property.
5°. Lastly, we may also communicate your personal data to third parties in case of mergers, acquisitions, transfers of any of our assets, Products, websites or operations.
Except for the foregoing, personal data will not be shared with third parties, natural persons or legal entities, that are unrelated to, or that do not perform a business, professional or technical function for us.
Personal data will not be communicated to third parties for their own marketing purposes.
Such transfers take place on the processing bases identified in Section 3 above.
These abovementioned recipients may be located in countries other than the country in which personal data was originally collected, it being noted that your personal data will in principle only be transferred within the European Economic Area or other countries recognized by the EU Commission (or in respect of the UK an adequacy regulation under the UK GDPR) as adducing an adequate level of protection of personal data.
In case any of the above recipient is established in a country outside the UK or EEA that is not covered by an adequacy decision of the European Commission (or in respect of the UK an adequacy regulation under the UK GDPR) and therefore does not provide the same level of protection for your personal as in the EEA or UK, we shall implement appropriate safeguards, including, but not limited to relevant data transfer agreements based on the EU Commission Standard Contractual Clauses for the transfer of data to third countries or binding corporate rules. A copy of these appropriate safeguards may be obtained by contacting our Privacy Office at firstname.lastname@example.org
Am I obliged to provide my personal data? What are the consequences if I refuse to provide them?
Except in relation to the surfing data (please refer to the above section 3 - "What personal data are processed? ), providing your personal data may be a requirement necessary to enter into or to perform a contract, such as a purchase contract in the context of the Virtual Shopping process, to reply to and manage request of information, questions, communication or feedback. In the above referenced circumstances, refusal to provide your personal data would make it impossible for us to perform the contract or to provide the requested services, Products or information as above specified.
Does the VF webpage contain elements controlled by third parties? Who is responsible and liable for these elements?
The VF webpage may contain links to other sites, as well as objects or elements controlled by third parties e.g. Yoobic or Adyen.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive.
We only use strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.
Except for essential cookies, all cookies will will remain valid until their set expiry date (unless deleted by the user before the expiry date).
What are my rights in relation to the processing of my personal data and how can I exercise them?
You are entitled at any moment to enforce the rights available to you under applicable Data Protection Laws, including, but not limited, to the right of access, rectification, restriction, erasure, opposition (including objecting, at any time and for free, to the processing of your personal data for direct marketing purposes), right to portability as well as the right to withdraw your consent. You also have the right to lodge a complaint with the competent supervisory authority.
For any query or request relating to the personal data processing by VF and to enforce the rights under Data Protection Laws, you may contact our Privacy Office at email@example.com.
* * * * * * *
Appendix 1 - Data Subject's Rights
Right of access
Subject to applicable law, you have the right to obtain confirmation from us as to whether or not personal data that concerns you is processed, and, if so, to request access to such personal data including, without limitation, the categories of personal data concerned, the purposes of the processing and the recipients or categories of recipients. However, we do have to take into account the rights and freedoms of others, so this is not an absolute right. If you request more than one copy of the personal data undergoing processing, we may charge a reasonable fee based on administrative costs.
Right to rectification
You have the right to request from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you also have the right to request that incomplete personal data be completed, including by means of providing a supplementary statement.
Right to erasure ('right to be forgotten')
You have the right to request from us the erasure of personal data concerning you in certain circumstances as defined under applicable law. When your request falls within one of those circumstances, we will erase your personal data without undue delay. If, for technical and organisational reasons, we were not able to erase your personal data, we will ensure that it is fully and irreversibly anonymized so that we will no longer be holding such personal data about you.
Right to restriction of processing
In certain circumstances as defined under applicable law, you have the right to request the restriction of processing of your personal data. In such case, your personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
Right to data portability
In certain circumstances as defined under applicable law, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit that data to another data controller or to have such personal data transmitted directly from us to another data controller, where technically feasible.
Right to object
In certain circumstances as defined under applicable law, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. This notably applies in case of processing of your personal data based on our legitimate interests or for statistical purposes.
Right to object to direct marketing
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing for such direct marketing (including profiling related to such direct marketing).
Right not to be subject to a decision based solely on automated processing,
Subject to certain restrictions, you have the right not to be subject to a decision based solely on automated processed, including profiling, which produces legal effects on you similarly significantly affects you.
Right to withdraw consent
If you wish to access such personal data or exercise any of the rights listed above, you should apply in writing, providing evidence of your identity, to our Privacy Office at firstname.lastname@example.org.
Any communication from us in relation to your rights as detailed above will be provided free of charge. However, in case of requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request.
In case you have a complaint about the processing of your personal data, you have the right to lodge a complaint with a competent supervisory authority.
* * * * * * *