Ducati is aware of the importance of the users' personal data and therefore intends to inform and provide users with the maximum security possible in regards to the management of all personal data collected through the website shop.ducati.com, (hereinafter referred to as the "Site"), managed by the provider and vendor, Drop S.r.l.. (the "Data Processor") is in accordance with Article 13 of Regulation (EU) 679/2016, pursuant to the protection of natural persons concerning the processing of personal data, as well as the free circulation of such data, which abrogates the Directive 95/46/EC (hereinafter referred to as "Regulation" or "GDPR").
Controller of the data collected on the Website
With reference to the data collected and processed through the Website, we inform you that:
- Ducati Motor Holding S.p.A, with registered office at Via Cavalieri Ducati, 3 - 40132 Bologna (BO) – Italy – VAT no. 05113870967, hereinafter also “Ducati” or the “Company”, is an independent controller of the personal data of users who sign up to the Website to receive commercial offers related to products available online;
- Drop S.r.l., with registered office at Via Sandro Pertini, 1, 63812 Montegranaro (FM) Italy, VAT 01383870431 (hereinafter “Drop”), in its capacity as the supplier chosen by Ducati for the management of the sales process through the Site, is responsible for the processing of the personal data of users who use the Site, on the basis of the instructions given by Ducati, for the purposes of managing the sales process through the Site.
Purposes and lawful basis for processing data
Ducati processes users' personal data for the following purposes:
a) purposes relating to the provision of requested services, among which is the purchase of online products;
b) purposes relating to the fulfillment of specific legal obligations;
c) purposes relating to the promotion of products and services in line with those previously purchased by the Customer ("soft spam"), sending communication to the e-mail address provided by the Customer. If you do not wish to receive such communications, you may notify Ducati at any time by clicking the link in the email communications you receive. In such case, Ducati will cease the aforementioned activity.
In relation to the purposes indicated above, the processing of personal data occurs by means of manual, computerized, and telecommunications tools designed to store, manage, and transmit them solely to achieve the purposes for which they were collected and, in any case, in such a way as to guarantee their security and confidentiality. In carrying out data processing activities, Ducati undertakes to:
▪ Ensure the accuracy and updating of the processed data, and to promptly acknowledge any corrections and/or integrations requested by the interested party;
▪ Notify the interested party of any violation of the personal data within the time frames and in the cases provided for by the laws in force;
▪ Guarantee compliance of the processing operations with applicable laws.
Furthermore, Ducati processes the acquired personal data in full compliance with the lawfulness, fairness and transparency principle. In compliance with the Privacy Law, the Company configures or, in any case, undertakes to configure its information systems and computer programs to minimize the use of personal data, so as to exclude processing if the purposes can be achieved using anonymous data or suitable methods respectively that allow the interested party to be identified only when necessary. Finally, the data are not used for the purpose of adopting automated decision-making processes.
Obligation to provide data
The provision by the user of the data required to achieve the purposes referred to in points a) and b) above, although not mandatory, is essential and indispensable for the full or partial management of contractual relationships and for the fulfillment of legal obligations; therefore, refusal to provide such data would make it impossible for the Company to carry out the aforementioned activities.
If the Company intends to use the collected personal data for any purposes other than those for which they were originally collected or authorized, the Company will inform you in advance and you may deny or revoke your consent.
Categories of persons to whom the data may be disclosed
The personal data provided will not be disseminated or disclosed to unidentified parties in any way and will not be made available for consultation. They may, instead, be communicated to well-defined parties, in full compliance with the provisions of law for purposes strictly related to the fulfillment of our contractual obligations.
Personal data retention policy
Personal data provided is retained by Ducati for the period of time strictly necessary for the fulfillment of the purposes relating to the data collection and for the fulfillment of legal obligations (e.g. for administrative or auditing purposes). The retention of data for longer periods will occur if authorized by the law and in the event of legal defense or court proceedings. Upon completion of the purposes, personal data will be automatically deleted or made anonymous. Upon request to the Data Controller or Data Protection Officer, the interested party may receive detailed information on the retention times of personal data processed by Ducati, pursuant to the Regulations implemented.
Data Protection Officer (DPO)
Ducati informs you that it has appointed a Data Protection Officer (DPO) pursuant to Article 37 of the Regulation, with elected domicile at the Company's office, who can be contacted via the following e-mail address: firstname.lastname@example.org.
Rights of the interested party
We inform you that, pursuant to the Privacy Law and, specifically, to Articles 15-22 of the GDPR, the interested party may exercise specific rights by contacting the Data Controller, including:
a) Right to access: the right to obtain confirmation from the Data Controller that personal data is being processed or not and, if so, to obtain access to the personal data and to other information on the origin, purpose, the category of data processed, recipients of the data, etc.
b) Right to rectification: the right to have inaccurate personal data rectified by the Data Controller without undue delay, as well as the completion of incomplete personal data, also by providing a supplementary statement.
c) Right to erasure: the right to have personal data erased by the Data Controller without undue delay under the following circumstances:
▪ The personal data are no longer necessary for the purposes of the processing;
▪ The consent on which the processing is based has been revoked and there is no other lawful basis for the processing;
▪ The personal data have been processed unlawfully;
▪ The personal data must be erased to fulfill a legal obligation.
d) Right to object to processing: the right to object, at any time, to the processing of personal data that have a legitimate interest of the Data Controller as their lawful basis.
e) Right to restrict processing: the right to restrict processing by the Data Controller in cases in which the accuracy of the personal data is in question (for the period of time required by the data controller to check the accuracy of the personal data), if the processing is unlawful and/or the interested person has objected to the processing.
f) Right to data portability: the right to receive the personal data in a structured, commonly used and machine-readable format and to transmit the data to another data controller, only for cases in which the processing is based on consent and only for data processed electronically.
g) Right to submit a complaint to a supervisory authority: without prejudice to any other administrative or judicial appeal, an interested party who believes that the processing concerning him is in breach of the Privacy Law, has the right to submit a complaint to the supervisory authority of the member state in which he lives or regularly works, or of the state in which the alleged breach has occurred.
If the processing is based on consent, the interested party may revoke his given consent at any time, without prejudice to the lawfulness of the processing carried out before the revocation.