www.stoneisland.com is managed and maintained by YOOX NET-A-PORTER GROUP S.p.A. ("YOOX NET-A-PORTER GROUP"), a company subject to the management and coordination of Compagnie Financière Richemont S.A., with registered office at via Morimondo, 17 – Milano 20143, Italy. YOOX NET-A-PORTER GROUP has been appointed the processor of users' personal data that is collected through www.stoneisland.com for all purposes carried out at the instruction of the controller SPORTSWEAR COMPANY S.p.A. ("SPORTSWEAR COMPANY"), with registered office at Galleria Cavour 4, 40124 Bologna, Italy, registered on the Trade and Companies Register of Bologna with Tax ID 01046470371.
Q&A on the recent "Privacy notice"
1. When did the cyber attack happen?
The cyber attack was identified and promptly handled on December 22nd. Unfortunately, the extreme sophistication of the techniques implemented by the criminals made the reconstruction of the incident particularly complex and lengthy, also in reference to a possible compromise of data from clients, who were informed as soon as the investigation confirmed the risk of a possible exfiltration of data.
2. How do I know if my personal data was also affected by the attack and, if so, which data?
At the moment, what we can confirm is that there was unauthorized access with possible exfiltration of some of your personal data including contact data. This only applies to customers of the www.stoneisland.com e-commerce site. We emphasize that the data relating to payment methods (IBAN, credit cards or other) and/or identity documents (identity card, passport or other) is not saved in our systems and therefore has not been subject to exfiltration.
3. What does this notice mean for me? What do I have to do?
The notice aims to inform data subjects about the possible consequences of the cyber attack. Through this notice, therefore, we advise you to be wary of communications from third parties appearing to know certain information about you, and not to use credentials (ID and passwords) that are easily identifiable on the basis of the data you provided at the time of registration.
4. And what does data breach mean exactly?
A “data breach” is an IT incident involving personal data that could have an impact on data subjects. In this case, it involved the unauthorized access of third parties to the company’s IT systems and could have caused the exfiltration of some personal data of customers of the e-commerce site only, including contact data. We emphasize that the data relating to payment methods (IBAN, credit cards or other) and/or identity documents (identity card, passport or other) is not saved in our systems and therefore has not been subject to exfiltration.
5. Do I have to officially notify any authorities?
No, the subject required to do so is Stone Island as the data controller, who has already promptly notified the event to the Italian Data Protection Authority. Furthermore, the event has also been reported to the competent authorities. In line with general good practice, if you should ever realize that you are the victim of a crime (such as identity theft and/or fraud), we suggest that you report it to the competent authorities.
6. Have credit card details been taken? Should I block my credit card or other payment methods?
The data relating to payment methods (IBAN, credit cards or other) and/or identity documents (identity card, passport or other) is not saved in our systems and therefore has not been subject to exfiltration.
7. Should I contact my bank’s security or fraud prevention department?
No, the data relating to payment methods (IBAN, credit cards or other) and/or identity documents (identity card, passport or other) is not saved in our systems and therefore has not been subject to exfiltration.
8. Do I need to change my identity documents, e-mail and phone number?
No, in our opinion this is not necessary. We do, however, advise you to be wary of communications from third parties appearing to know certain information about you, and not to use credentials (ID and passwords) that are easily identifiable on the basis of your data.
9. How can I buy a garment from you safely?
You can buy our garments safely both in stores and on the website, as the systems have been sanitized. In any case, the company is tightening its security measures further.
10. Do I need to change all my passwords?
As a good general rule when it comes to security, even more so in the case of cyber attacks, we advise you never to use passwords that are easily identifiable on the basis of personal information. If that is your case, we suggest that you update them.
11. Even if I only made my purchase in store (and not online) am I still at risk?
No, the exfiltration only concerned personal data of customers of the e-commerce site, including contact data (such as e-mail address, telephone number).
12. Should I uninstall and re-install your Stone Island app from my mobile?
No, uninstalling and reinstalling is not required and does not add additional security. If anything, we recommend that you change your login password for the Stone Island app if it can be identified on the basis of your data.
13. Can I remove my data from your systems?
You can withdraw your consent to the processing of your personal data and close your account on the site at any time, except for certain data which will be kept for legal purposes, by writing to Client Service by selecting the topic “privacy” in the appropriate form in the “Contact Us” section of the website.
14. Am I at risk if my data remains on your systems?
No, the systems have been sanitized and we are further strengthening our security measures.
1. OUR POLICY
2. WHO COLLECTS YOUR PERSONAL DATA AND FOR WHAT PURPOSES
SPORTSWEAR COMPANY controls the use of www.stoneisland.com users' personal data; SPORTSWEAR COMPANY determines the purposes and means of processing personal data and the instruments used, including those for security measures. Due to exclusively organisational and operational requirements, we have appointed certain entities that will also process personal data belonging to www.stoneisland.com's users for purposes strictly connected and correlated to the performance of services on www.stoneisland.com. These processors have been chosen because of their experience, ability and reliability in processing personal data and they provide sufficient guarantees regarding compliance with current data processing laws (including the data security profile). In processing the personal data of www.stoneisland.com's users, the processors shall act only on instructions from SPORTSWEAR COMPANY. Co-owners regularly check that our processors comply with our instructions and that they continue to provide sufficient guarantees regarding their full compliance with the provisions on personal data processing. In order to receive a full list of data processors, you may contact email@example.com. Your personal data is collected and processed by SPORTSWEAR COMPANY for purposes which are strictly connected to the use of the web site and its services. However, your personal data may also be used for other processing operations within the limits of such purposes.
In particular, your personal data may be processed for the following purposes:
- when you register with our website we collect your personal data (for example, your personal details, password, e-mail address) through the registration form to receive our Newsletter, when specifically requested;
- when you require assistance we collect your personal data (for example, e-mail address and password) for purposes strictly necessary to providing you with Customer Care services related to www.stoneisland.com services;
- when you request technical assistance services, we collect your personal data to provide you with information regarding problems with navigation, browser compatibility and visualization or uploading of web pages of www.stoneisland.com.
Your personal data will be kept in the form that allows you to be identified for the time strictly needed for the purposes for which the data was collected and subsequently processed, and, in any event, within the legal limits.
Your personal data will not be disclosed to third parties for purposes not permitted by law or without your express consent. In addition to companies acting as data processors, your data will also be available to independent third party data controllers for purposes that are related and in addition to the granting of the services requested by the user. For details regarding this aspect, see the terms of the paragraph below “To whom we disclose your personal data”. Additionally, your data may be disclosed to the police or to judicial authorities, in accordance with the law and upon formal request from those parties. In all of these cases, your consent is not necessary.
We inform you that SPORTSWEAR COMPANY processes the personal data of its users only for purposes that are strictly connected to the provision of services on www.stoneisland.com, and, upon consent, to inform you of new commercial initiatives which are strictly related to the activities and services of the web site. SPORTSWEAR COMPANY processes your personal data for direct marketing purposes only with your consent. SPORTSWEAR COMPANY may perform profiling activities regarding your surfing habits, in order to send offers that are in line with your interests, upon your consent.
SPORTSWEAR COMPANY may end up processing personal data from third parties that has been directly communicated by its own users, for example if the user intends to inform a friend of a service or product on www.stoneisland.com. In all of the above cases, please make sure you receive the consent of such individuals before disclosing their personal data to SPORTSWEAR COMPANY and make sure you inform them about the processing of their data, because you will be the sole person liable in connection with the disclosure of information and data regarding such third parties if they have not provided you with their express consent thereto, as well as solely liable for any improper or unlawful use of that information. In any event, SPORTSWEAR COMPANY shall fulfil any obligation to inform third parties required by law and, when necessary, shall request their express consent upon registering in its archives the personal information of the user indicated.
3. HOW WE COLLECT YOUR DATA
SPORTSWEAR COMPANY directly collects personal data and other information from its users as part of the online registration to the services of www.stoneisland.com. This data is processed by SPORTSWEAR COMPANY within the limits and purposes illustrated in the information presented to the user in the specific section on data collection, including therein the potential communication to third party individuals for purposes which are essential to the granting of the service requested by the user, as specified in the paragraph “To whom we disclose your personal data”. SPORTSWEAR COMPANY reserves the right to eliminate the accounts of registered users and all of the relative data in the event that content is revealed which is unlawful, damaging to the image of SPORTSWEAR COMPANY and/or the products of the latter or third parties, or which contains content which is offensive or which promotes illegal or defamatory activities, pornographic content, or content which incites violence, promotes racial, sexual or religious discrimination, or discrimination with regard to sexual orientation.
4. WHAT HAPPENS IF YOU DO NOT DISCLOSE YOUR PERSONAL DATA
Granting your personal data to SPORTSWEAR COMPANY might be essential for the provision of other services rendered on the web site or to perform obligations required by law and other regulations. Therefore, failing to provide some of your data that is required for such purposes to SPORTSWEAR COMPANY could result in it being impossible to provide the services that are available on www.stoneisland.com - such as, for example, providing assistance services -, or even correctly performing the legal and regulatory obligations. Failure to provide data may thus constitute, depending on the case, a legitimate and justified reason for not executing the provision of services via www.stoneisland.com.
Disclosure of further personal data to SPORTSWEAR COMPANY other than that required for fulfilling legal or contractual obligations or for providing the services requested, is, on the contrary, optional and does not have any effect on the use of the web site and of its services.
In some circumstances and if required, from time to time we will duly inform you if the personal data you are disclosing to SPORTSWEAR COMPANY is compulsory or optional. We will point out to you whether the disclosure of your data is compulsory or optional by marking with an appropriate symbol (*) the information that is compulsory or data needed for providing the required services on www.stoneisland.com. We remind you that failing to provide optional personal data will not imply any obligation or disadvantage to our users.
5. TO WHOM YOUR PERSONAL DATA WILL BE DISCLOSED
Personal data may be disclosed to third party companies that provide, on behalf of SPORTSWEAR COMPANY, specific services as data processors or to other recipients of personal data collected by SPORTSWEAR COMPANY - which names shall be specified each time -, that process your personal data only for the performance of the services requested and only when such purpose does not exceed the purposes for which your personal data was collected and subsequently processed and, in any case, according to applicable laws and regulations.
Personal data will not be disclosed to third parties or disseminated or transferred without informing our users of such disclosure/dissemination/transfer, without their consent and, in any case, in accordance with the law.
6. SECURITY MEASURES
Nevertheless, SPORTSWEAR COMPANY and YOOX NET-A-PORTER GROUP cannot guarantee to their users that the security measures adopted for the protection of the web site and for data and information transmission on www.stoneisland.com will limit or exclude any risk of unauthorised access or of loss of data. It is advisable that your computer be provided with software devices that protect network data transmission/receipt (such as updated antivirus systems) and that your Internet service provider take appropriate measures for the security of network data transmission (such as, for example, firewalls and anti-spam filtering).
7. YOUR RIGHT TO ACCESS DATA AND OTHER RIGHTS
You always have the right to obtain from SPORTSWEAR COMPANY:
- the updating, correction or, when you have an interest in such, the integration of your personal data;
- deletion, transformation into an anonymous form or blocking of your personal data which has been unlawfully processed, including data which does not need to be stored for the purposes for which it was collected or subsequently processed;
- the confirmation that the operations under letters a) and b) have been reported (together with the contents of the same) to whom the data was disclosed or disseminated, except when it becomes impossible or if the means used are clearly disproportionate to the right’s protection.
You are nevertheless entitled to object, in whole or in part:
- for legitimate reasons, to the processing of your personal data, even if it is related to the purposes for which it was collected;
- to the processing of your personal data for advertising or direct marketing purposes or in order to carry out marketing research or commercial communications.
You may freely exercise your rights at any time, provided that you do so in compliance with applicable laws, by sending your request to SPORTSWEAR COMPANY by contacting firstname.lastname@example.org or sending a request to SPORTSWEAR COMPANY at its registered office indicated above, to which we shall respond in a timely manner.
8. OPT-IN/OPT OUT
SPORTSWEAR COMPANY also uses your personal data to send advertising or direct marketing material or other commercial communications via e-mail only with your prior consent. Each time your consent is needed, we will inform you in advance and will give you the possibility of providing or denying your consent to use your personal data for these purposes. We would like to inform you that SPORTSWEAR COMPANY may process your personal data, even without your consent, in certain cases that have been prescribed by law such as, for example, when this is necessary to satisfy a legal obligation or when this is necessary to execute obligations that have been contractually assumed with regard to users (such as, for example, if you have asked to benefit from specific services through our web site). In any case, we wish to inform you that SPORTSWEAR COMPANY guarantees that its users may exercise, at any time and without needing to set forth reasons, their own right not to receive future communications related to the use of particular services, upon request.
9. LINKS TO OTHER WEBSITES
www.stoneisland.com provides links to these web sites exclusively to help its users in their searches and net-surfing activities and to allow links to other websites on the Internet. When SPORTSWEAR COMPANY and YOOX NET-A-PORTER GROUP provide links to other websites, SPORTSWEAR COMPANY and YOOX NET-A-PORTER GROUP do not recommend the use of these websites and do not provide any guarantees regarding their web content or the services and products supplied and sold by these websites to Internet users.
If you wish to receive further information on how SPORTSWEAR COMPANY processes your personal data, please contact email@example.com or send a request to SPORTSWEAR COMPANY at its registered office indicated above. Should you require any further information on your rights and on personal data protection law you can contact the personal data protection authority at the following address: www.garanteprivacy.it.