• “Data”, “personal data” and “special category data”;
• “Data Protection Officer/DPO”; and
• “Processing” (in the context of activities carried out in relation to personal data)
have the meaning given to them in Data Protection Law.
“Data Protection Law” means the General Data Protection Regulation (Regulation (EU) 2016/679) and the Data Protection Act 2018, together with any subordinate legislation made under the Act.
• the nature of the personal data processed;
• the purposes and means of the processing of personal data;
• the identity and contact details of the data controller(s);
• the contact details of the Data Protection Officer (DPO);
• any third parties involved in the processing activities;
• the retention period of personal data;
• the security measures adopted to protect personal data;
• the privacy rights of users
Users of the Site who are under the age of fourteen (14) are not allowed to consent to the processing of Personal data without parental authorization.
WHO WE ARE – CONTROLLERS
Under the GDPR, the controller is the subject that, alone or jointly with others, determines the purposes and means of the processing of Personal data.
Depending on the nature of Personal data and the purposes of data processing, the identity of the controller may vary.
The sole controller for the processing of transactional data and logistical data relevant to sale activities carried out on the Site is:
• The LEVEL GROUP S.R.L., a company registered in Italy under Chamber of Commerce number MI1945372 having its registered address at Piazza Arcole 4, 20143 Milano (MI), Italy (“TLG”); contact: [email protected]
The sole controller for the data processing related to email marketing personal data and performance marketing personal data processed in connection with the Site activities is:
• C. & J. Clark International Limited, a company registered in England and Wales under company number 00141015 and having its registered address at 40 High Street, Street, Somerset BA16 0EQ, United Kingdom (“Clarks”); contact: [email protected].
In the latter case, TLG will act solely as a data processor under the instructions of Clarks.
TLG and Clarks act as joint controllers for any data processing related to personal Clarks accounts and to contact center activities and will be referred to as the “Controllers”. Pursuant to art. 26 of the GDPR, the Controllers have determined their respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them.
There is a designated Data Protection Officer to ensure that the Site processes Personal data in compliance with the GDPR. The DPO can be contacted for any inquiries at the following email address:
For TLG: [email protected]
For Clarks: [email protected]
PERSONAL DATA. PURPOSES OF PROCESSING.
Personal data is collected automatically by the Site or received via multiple sources: forms, chat, e-mail, apps, devices, social media and other means. The collection and processing of personal data is ensured if one of the following conditions applies:
• user consent has been given
• personal data is required for the performance of a contract entered into by the Controllers and the user, such as when a user purchases a product through the Site
• compliance with legal obligations
• protection of vital interests
• public interest, or
• a legitimate interest exists.
The Site processes Personal data in various shapes for the following purposes:
• USER BROWSING DATA
The Site collects non-sensitive browsing data by automatic means in order to enable and improve user navigation (e.g., IP address, date/time of the visit and its length, any referring URL, the pages visited on the Site, the device used and other information).
The processing of such information allows users to access the Site and fully enjoy its features and services. Furthermore, browsing data may be used to verify that the Site is functioning properly.
From time to time, browsing data are processed anonymously for statistical purposes.
Browsing data are unlikely to allow identification of the relevant data subject. However, by their very nature, browsing data may allow identification of the users if associated with other information.
The browsing data described above are stored only temporarily in compliance with the applicable law.
• MAKING ORDERS
When users make a purchase on the Site, at the checkout, the Site asks users to provide personal data for the essential purpose of fulfilling their purchase orders and to comply with contractual obligations (e.g., name and surname, e-mail address, delivery address, telephone number etc.).
Such personal data is also essential for customer services to assist users with inquiries and for any related necessity, before or after the purchase is made on the Site (for instance, with respect to the order delivery status or product returns).
Personal data relating to orders and purchases will be stored as long as required to comply with applicable law, contractual obligations and with the applicable tax and financial reporting obligations.
The Site may also verify the payment instruments used by users to purchase on the Site (e.g. credit or debit card, etc.) for the main purpose of preventing fraudulent activities or pursuant to the applicable anti-money-laundering laws. As full reliance for payment verification is given to third-party payment processors, the Controller does not process or store any financial information belonging to users.
Failure to provide the personal data required at checkout will prevent users from completing an order on the Site.
Based on its legitimate interest to improve its relationship with customers, the Site might send them email communications with product suggestions, discounts, feedback requests or other updates. Users have the right to withdraw consent at any time and customers are always free to unsubscribe from such email communications (for instance, by clicking on the “unsubscribe link” at the bottom of each email).
• CREATING A CLARKS ACCOUNT
When users opt to register a Clarks account on the Site, they are asked to submit personal data (e.g., date of birth, gender, etc.). The Site clearly indicates which Personal data is mandatory (or not) to set up a Clarks account.
Users must submit personal data that is true and accurate at the time of registration and are invited to maintain their personal data up-to-date (if any modification occurs) by logging into their Clarks account to make all relevant changes.
Users who choose to enable or log in to their Clarks account via a social media platform account should be aware that when they connect their Site account to a social media account, the Site collects certain personal data the user has already provided to that specific social media platform (for example, the email address and public profile on Facebook).
The Controllers do not oversee or control such social media services or the user’s profiles on these social media platforms and do not establish privacy settings or rules for how personal data on those platforms will be used. Users are highly encouraged to read all policies and information regarding the applicable social media services to learn more about how they process personal data.
• NEWSLETTER AND MARKETING COMMUNICATIONS
On the Site, users can subscribe to receive newsletters and commercial communications.
The Site always collects the explicit, free and unambiguous consent of users prior to submitting newsletters and marketing communications to these users or, more in general, before undertaking electronic marketing initiatives dedicated to them.
In such cases, users may be invited to submit personal data in addition to their e-mail address (e.g., gender, country of residence, etc.) for the purpose of having newsletter and marketing communications tailored to the user profile.
Users can always easily withdraw their consent from receiving newsletters and commercial communications in the following ways:
• through their Clarks account settings;
• by clicking on the ‘unsubscribe’ link in any such email;
• by contacting our Customer Service.
With the user’s explicit consent, newsletter and marketing communications may be tailored to the user “profile”, based on the personal data the Site collects or receives about the concerned user.
With respect to the customers of the Site, it is in the Site’s legitimate interest to process personal data to offer more interesting products, to improve the Site and to personalise the products offered on the Site.
The main purpose of profiling is to propose products, services and initiatives more responsive to the tastes, shopping habits and interests of users and customers.
Personal data may be also used for remarketing, retargeting or profiling purposes, including via third parties (e.g., social networks, etc.).
Neither the Site nor the Controller will ever carry out any profiling activities relating to children.
SHARING AND TRANSFER OF PERSONAL DATA
Each of the Controllers may transfer personal data of customers to primary third-party suppliers, acting as Processors for the purpose of performing business operations in order to fulfil their contractual obligations.
Each of the Controllers will make their best effort to ensure that all Processor(s) will apply their industry best practice to protect personal data and that they will not use personal data for any other purposes than those agreed with each of the Controllers.
For instance, each of the Controllers may share Personal data with the following categories of processors:
• members of the Controller’s group companies, where they assist in providing their services to users or to third parties in the event of a corporate restructuring process;
• people who help get orders to users, such as couriers and postal operators;
• fulfilment centres and warehouses;
• advertising, digital, marketing and social media agencies;
• IT and technology service providers;
• customer care service providers;
• professional advisors; and
• payment service providers.
In such cases, sharing Personal data with the Processors is necessary for each of the Controllers to fulfil their contractual obligations and, also, to improve the Site’s products and services.
Users can request a list of the categories of Processors involved in the processing of Personal data relevant to the Site’s activities on behalf of TLG by email to: [email protected]
Users can request a list of the categories of Processors involved in the processing of Personal data relevant to the Site’s activities on behalf of Clarks by email to: [email protected]
Each of the Controllers must always reserve the right to disclose personal data about users as required by law (for instance, in response to law enforcement requests), and where needed to protect the rights of the Controllers or their affiliates or third parties.
In any other cases, the sharing of personal data will be conditional upon the preliminary and explicit consent of the user, unless processing is allowed under an alternative legal basis.
As some third-party recipients may be based outside of the European Economic Area, the Controllers may be required to transfer users’ personal data outside of the EEA. Whenever personal data is transferred out of the EEA, a similar degree of protection is attached to it by ensuring at least one of the following safeguards is implemented:
• Transfers of personal data will only take place to countries, territories or sectors within a country that have been deemed to provide an adequate level of protection for personal data by the European Commission.
• The transfer is subject to a legally binding and enforceable commitment on the recipient to protect the personal data (e.g. through the use of European Commission approved standard contractual clauses).
• Where service providers used are based in the US, personal data may be transferred to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
• The transfer is made subject to binding corporate rules.
• The transfer is based on a derogation from restrictions on transferring personal data outside of the EEA (such as where a user gives their consent, the transfer is necessary for the performance of contract with the user, or the transfer is necessary for the establishment, exercise or defence of legal claims).
PROCESSING METHODS AND SECURITY MEASURES
Personal data of users is processed by each of the Controllers with IT, automated and electronic tools and, in limited cases, by using documentary means. In accordance with the GDPR, specific security measures have been implemented to prevent data loss, unlawful or improper use, and unauthorized access.
Only authorised employees of each of the Controllers, and authorised employees of the third-party suppliers, acting as Processors on behalf of each of the Controllers, have access to personal data related to the Site activities. Data processing agreements are in place with the Processors to ensure that they always meet the level of security required by the GDPR while processing Personal data related to the Site activities.
While the Site adopts primary security measures to prevent loss, destruction or dissemination of personal data, at the same time it cannot exclude the safety risks that are inherent in the online transmission of data. The user accepts the inherent risks of providing personal data over the internet and will not hold the Site responsible for any breach of security unless this breach is due to the Site’s negligence or wilful default.
RETENTION OF PERSONAL DATA
The Controllers will store personal data for as long as it is needed to provide users with the required services or to meet legal or tax obligations or for the minimum period prescribed by the law.
In order to determine the appropriate retention period for personal data stored by the Site under user consent, the Controllers will take into account multiple factors to ensure that personal data is not stored for longer than the necessary or appropriate period.
Such criteria will also include:
• the purpose for which the Site holds personal data;
• legal, tax and regulatory obligations in relation to that personal data;
• the type of ongoing relationship with the concerned user or customer (how often the user logs into their Site account, whether users continue to receive marketing communications, how regularly they browse or buy on the Site, etc.);
• any specific user request in relation to the deletion of Personal data;
• legitimate business interests.
The Site will promptly delete or anonymise personal data that is no longer needed or retained according to the law.
CONNECTION TO THIRD-PARTY WEBSITES OR PLATFORMS
The Site may contain banners, advertising messages and other links to third-party websites or platforms. The Controllers cannot control or be held responsible for the conduct of such third-party websites or platforms with respect to privacy law. Users are encouraged to read their privacy policies to verify how they collect and process personal data.
THE RIGHTS OF USERS
Users are entitled to receive confirmation as to whether the Controllers hold any Personal data about them.
If this is the case, under the GDPR, users also hold the rights to:
• Be informed about the collection and use of their personal data;
• Access their Personal data at no cost;
• Have inaccurate personal data rectified, or completed (when it is incomplete);
• Have Personal data erased (“the right to be forgotten”);
• Under specific conditions, obtain the restriction or suppression of their Personal data;
• Obtain and reuse their personal data for their own purpose across different services when processing is based on a contract or on consent, and the processing is carried out by automatic means (“the right to data portability”);
• Under specific conditions, to object to the processing of their personal data;
• Object at any time to the use of personal data for “profiling” or “automated decision-making” purposes;
• The right to submit complaints related to the collection and processing of personal data to the competent supervisory authority;
• The right to stop direct marketing at any time;
• The right to withdraw consent to the processing of Personal data at any time.
HOW TO COMPLAIN
The Controllers hope that they can resolve any query or concern raised about their use of the user’s information. If users are not happy with how the Controllers manage their personal data, a complaint may be lodged with a supervisory authority. The supervisory authority in the UK is the Information Commissioner, who may be contacted at https://ico.org.uk/concerns/, and the supervisory authority in Italy is the Italian Data Protection Authority (Garante per la protezione dei dati personali), which may be contacted at https://www.garanteprivacy.it/web/guest/home.
Last Update: January 7th, 2020