Personal Data is defined by Article 4 No. 1) of the GDPR as "any information relating to an identified or identifiable natural person (Data Subject); an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity" (hereinafter the "Personal Data").
This policy explains how we collect, use and protect the Personal Data of all users (the "Users") who access Lookalike through the mobile application downloaded on smartphones or tablets and through the website www.lookalike.it (the "Platform"). The processing of Personal Data shall be inspired by lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability according to the general principles defined in Article 5 of the GDPR.
It should be noted in advance that Lookalike refers via a link to third-party Partner websites where Users can purchase products or fashion items. In such cases, the data protection provisions applied by these third-party websites will apply in addition to what is contained in this information notice, and therefore the User is invited to read it.
For the definitions of Tips, Shop, Partner, Product and Platform, Users are invited to consult our Terms and Conditions.
- Data Controller and Data Protection Officer
The data controller is Lookalike S.r.l., with registered office in Via del Gonfalone 3, 20123 Milan (MI), P.I./C.F. 11814320963, PEC firstname.lastname@example.org (the "Data Controller").
The company has appointed a Data Protection Officer (DPO) who can be reached at the company's address in Via del Gonfalone 3, 20123 Milan (MI) and by e-mail at email@example.com.
- Personal data subject to processing
The Personal Data collected include Personal Data provided voluntarily and automatically collected Usage Data.
Personal Data provided voluntarily includes the following.
- Personal data for opening and managing an account, including for registration via Facebook, such as name, surname, e-mail address, password and telephone number.
- Personal data for completing the profile, such as profile photo, gender, date of birth and information about favourite products.
- Email address and contact details for receiving newsletter service and marketing communications.
Automatically collected Usage Data includes the following.
- Personal Data derived from the use of the Platform whenever Users interact with it such as the IP address used to connect to the Internet with the computer or mobile phone, information about the computer or mobile phone such as the Internet connection, browser type, version, operating system and device type.
Geolocation data: subject to Users' consent, the Controller collects real-time location data, including geographic location data, from the computer or mobile phone to improve the User experience.
Prohibited data: as established in the Terms and Conditions it is forbidden to provide Lookalike with any content that contravenes the prohibitions and limitations established in the Terms and Conditions (especially with regard to the uploaded images and the prohibition of processing through this function Personal Data, of the User himself or of third parties).
The Data Controller only processes the Personal Data of persons aged 18 years or over and accepts no liability for any misrepresentation provided during registration and creation of the personal account.
- Purpose of processing and legal basis
Personal Data are processed for the following purposes:
- a) Pre-contractual and contractual purposes of fulfilling the Terms and Conditions of Lookalike in order to access and use the services offered by the Platform. The processing of Personal Data for this purpose has its legal basis in Art. 6 par. 1 lett. b) of the GDPR, according to which the processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the request of the same.
This purpose includes the processing of Personal Data carried out to:
- allow Users to use the Platform;
- allow registration to the Platform;
- maintain and manage the User's account;
- use the services of the Platform;
- receive notifications of new brands, favourite articles, activities relating to Tips received and other important messages relating to the operation of the Platform.
- b) Purposes of fulfilling obligations required by law, regulations or EU legislation, such as obligations under tax, fiscal or accounting legislation or obligations relating to the protection of Personal Data (such as those relating to the exercise of data subjects' rights). The processing of Personal Data for this purpose finds its legal basis in Article 6(1)(c) of the GDPR, pursuant to which the processing is necessary to comply with a legal obligation to which the Data Controller is subject.
- c) General marketing purposes / newsletter service. Subject to the User's consent, the Controller shall process the User's Personal Data to send commercial communications relating to the Products, including the newsletter and for other activities with the purpose of commercial promotion and marketing in the broad sense (advertising communication, solicitation of purchasing behaviour, market research, surveys by e-mail, sms, post and/or telephone). The processing of Personal Data for such purposes has its legal basis in Article 6(1)(a) of the GDPR and is therefore based on consent. The User may revoke at any time the consent given and/or object, at any time, to the processing of his/her data for marketing purposes. Withdrawal of consent shall not affect the lawfulness of the processing based on the consent before withdrawal.
- d) Profiling for marketing purposes. Subject to the express consent of the User, Lookalike shall process the Personal Data of the Users, in an automated way, in order to monitor and track the behaviour and the activity of the Users on the Platform, collecting and recording the data related to the navigation (e.g.: pages visited, Products viewed, access device, dwell time) and to send the Users personalised The processing of Personal Data for this purpose finds its legal basis in Article 6(1)(a) of the GDPR and is therefore based on consent. The User may revoke his/her consent and/or object, at any time, to the processing of his/her data for profiling purposes for marketing purposes. Withdrawal of consent does not affect the lawfulness of the processing based on consent prior to withdrawal.
- e) Legal defence purposes in order to allow the legal defence of a right or interest of the Controller before any competent authority or body. The processing of Personal Data for this purpose finds its legal basis in Article 6(1)(f) of the GDPR whereby the processing is necessary for the pursuit of the legitimate interest of the Data Controller. It is in the legitimate interest of the Data Controller to pursue remedies to ensure that its contractual rights are respected or to demonstrate that it has fulfilled its obligations arising from the contract with the data subject or imposed on the Data Controller by law.
- Recipients of Personal Data
The Personal Data provided by the User may be communicated by the Data Controller to the categories of recipients indicated below. The subjects to whom the Data Controller communicates the Data act, according to the requirements of the law, as autonomous controllers when they determine the purposes and means of processing, as data processors pursuant to art. 28 GDPR when they process the Personal Data on behalf of the Controller, or as subjects authorised to process pursuant to art. 2 quaterdecies of the Privacy Code (Legislative Decree 196/2003 as amended by Legislative Decree 101/2018) when they act internally within the structure under the control and direction of the Controller.
Without prejudice to belonging to one of the above categories, Personal Data may be shared with the following entities.
- a) Employees and/or collaborators of the Data Controller, for the performance of administration, accounting and IT support activities.
- b) Companies, consultants or professionals who may be responsible for the installation, maintenance, updating and, in general, the management of the Data Controller's hardware and software.
- c) Companies in charge of sending commercial communications.
- d) Companies that provide the software to carry out the activity of tracking, monitoring and profiling for marketing purposes.
- e) All those subjects, including public authorities, who have access to the Data by virtue of regulatory or administrative provisions.
- f) All those public and/or private subjects, natural and/or legal persons (legal, administrative and fiscal consultancy firms), if the communication is necessary or functional to the correct fulfilment of the contractual obligations undertaken in relation to the services of the Platform as well as the obligations deriving from the law or in the case of ascertaining, exercising or defending a right.
Lookalike may share the User's Data at the time of the transfer to third parties of rights and obligations relating to the contractual relationship between the User and Lookalike in accordance with the Terms and Conditions, in particular in the case of transfer of a business sector, merger through the foundation of a new company, merger by absorption, demerger or any change of control affecting Lookalike. Before such an event, Lookalike will inform the User separately about the details of the sharing of his Data and will ask for his consent, where legally necessary.
In any case, Personal Data will only be communicated to entities that have committed to confidentiality or have an appropriate legal obligation of confidentiality. Personal Data will not be disclosed.
- Data retention period and processing methods
Personal Data are kept only for the period necessary for the purposes for which they are processed or within the terms provided by applicable national and community laws, rules and regulations.
For the pursuit of the purposes under article 3 letters a), b) and e) Personal Data may be kept for the entire duration of the contract as well as for the following 10 years in order to verify any pending litigation or to comply with any possible legal obligation.
In relation to the purpose referred to in Article 3 letter c) Personal Data shall be stored until the revocation of consent and/or the exercise of the right to object and, in any case, for a period not exceeding 24 months from the collection reserving the right, before the expiry of this term, to ask the User to renew consent and/or update the data.
In relation to the purpose of art. 3 letter d), Lookalike will process the User's data until the revocation of consent and/or the exercise of the right to object and, in any case, not later than 12 months after collection, reserving the right, before the expiry of this period, to ask the User for the renewal of consent and/or updating of data.
Thereafter, we will delete the Personal Data in accordance with our Data Retention and Deletion Rules or retain it in connection with an additional legal basis that still exists.
- Method of processing
The processing of Personal Data is carried out by means of paper, computer and/or telematic tools, with organisational methods and logics strictly related to the indicated purposes.
The Data Controller undertakes to use adequate security measures in order to minimise the risks of loss or destruction of data, unauthorised access or unauthorised processing without, however, being able to guarantee that the measures adopted exclude any risk of unauthorised access or dissemination of data. Users are therefore advised to use access points equipped with anti-virus software or systems for secure web browsing.
- Transfer of Personal Data outside the European Union
For certain processing activities of Personal Data, Lookalike may transfer such Data to external parties located in countries that do not belong to the European Union (EU) or to the European Economic Area (EEA) (hereinafter, "Third Countries"). The list of Third Countries will be updated from time to time and/or available upon request; the legitimacy of such transfer is, in any case, carried out in compliance with the appropriate and adequate safeguards for the purposes of the transfer itself and in particular in compliance with the general principle for transfer set out in Art. 44 GDPR, the existence of an adequacy decision of the European Commission pursuant to Art. 45 GDPR, of adequate safeguards pursuant to Article 46 GDPR - including the standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2) GDPR - and in the presence of one of the specific situations of derogation referred to in Article 49 GDPR, including the explicit consent to the transfer by the Data Subject.
- Obligation to communicate personal data and consequences of non-communication
For the pursuit of the purposes set forth in Article 3 letter a), the provision of Personal Data is optional; however, since the processing of Personal Data is necessary in order to access and use the services offered by the Platform, failure to provide Personal Data will make it impossible for the User to access and/or navigate the Platform and/or register and use the services reserved for Users.
For the pursuit of the purposes set out in Article 3 letter b) the provision of Data is mandatory, as its processing is necessary to allow the Data Controller to fulfil legal obligations imposed on it. Any refusal to provide the Data for this purpose will make it impossible for the User to use the Platform.
For the purposes referred to in Article 3 letters c) and d) the provision of data is absolutely optional. The non-disclosure of Personal Data for the purpose of generic marketing and/or profiling and/or the non-provision of consent to such processing and/or the revocation of such consent and/or the exercise of the right to object do not have any consequence on the User's ability to register with the Platform. The interested party may also freely revoke consent at any time, without prejudice to the legitimacy of the processing carried out prior to the revocation, and object to the marketing or profiling processing by sending an email to: firstname.lastname@example.org.
For the purposes referred to in Article 3 letter e) the provision of data is optional. However, it must be borne in mind that, to the extent that the processing is necessary for the establishment, exercise and defence of a right, the data controller is also exempt from the obligation to erase the data, by express provision of the GDPR.
- Ownership shared with Facebook ("Page Insights data")
Lookalike operates a so-called fan page on the social media platform Facebook. Facebook and Lookalike are exclusively and jointly Controllers for the processing of the so-called "Insights data" (Art. 26 (1) paragraph 1 GDPR) insofar as these data are used for the creation of the so-called "Page Insights data" and only for the data collection steps from the fan page of Lookalike until transmission to Facebook. For the other data processing, Lookalike and Facebook are separately Controllers of the respective processing. Within the scope of their joint controllership, Lookalike and Facebook have concluded an agreement ("Appendix on the controller for Page Insights") which is available at the following link https://www.facebook.com/legal/terms/page_controller_addendum.
The purpose of processing the data of visitors to our fan page is to make the page available and to provide a statistical evaluation of the use of the page. This evaluation is made anonymous for Lookalike. The legal basis for the data processing is Art. 6 para. 1 lit. f) of the GDPR.
Pursuant to Art. 15 et seq. of EU REG 2016/679, the User may exercise the following rights:
- (1) request access to their Personal Data pursuant to art. 15 of the GDPR;
- (2) obtain the rectification and/or integration of the Data pursuant to art. 16 of the GDPR;
- (3) request and obtain the deletion of the Data pursuant to and within the limits of art. 17 of the GDPR unless one of the exceptions referred to in paragraph 3 of the same art. 17 applies;
- (4) request and obtain the restriction of the processing pursuant to art. 18 of the GDPR;
- (5) obtain the portability of the Data pursuant to and within the limits of art. 19 of the GDPR which allows the User to receive the Personal Data provided to the Controller in a structured, commonly used and machine-readable format and - under certain conditions - transmit it to another data controller without hindrance;
- (6) object, in whole or in part, to certain types of processing pursuant to art. 21 of the GDPR, including processing for marketing purposes;
- (7) withdraw consent pursuant to Art. 7(3) of the GDPR without affecting the lawfulness of the processing based on the consent given prior to withdrawal;
- (8) lodge a complaint with the Supervisory Authority (Privacy Guarantor);
- (9) receive clear, transparent and easily understandable information on how Personal Data is used and the exercise of rights, which is why the Controller provides the information contained in this document (Art. 13 GDPR).
The exercise of rights is not subject to any formal constraints and is free of charge. All rights may be exercised by sending an appropriate request to the Data Controller at the following e-mail address: email@example.com.
- Right to object
The User has the right to object at any time, on grounds relating to his or her particular situation, to the processing of Personal Data concerning him or her carried out pursuant to Article 6 par. 1 lett. f) GDPR having as legal basis the legitimate interest of the Data Controller. The Data Controller shall refrain from further processing the Personal Data unless it demonstrates the existence of compelling legitimate grounds for processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
In case the Data are processed for direct marketing or profiling purposes, the Data Subject is also entitled to object at any time to the processing of Personal Data concerning him/her carried out for such purposes. In this case, the Personal Data shall no longer be processed for such purposes.
The request to object should be made by sending an appropriate application to the Data Controller at the following e-mail address: firstname.lastname@example.org.
The Data Controller may need, in consideration of regulatory changes or changes to its services, to update this policy by publishing the modified version on the Platform. We therefore invite Users to periodically view the relevant section of the Platform in order to check and be aware of the updates that have been made; where necessary, the changes will be communicated directly to Users.