asterisk bell bell-off bell-on bin caret-down close contact dot dot-empty download dreambox-empty email hamburger head info lock lock-open mobile pen plus search shipping-address shopping-bag-empty three-dots order-shipped new arrow-down arrow-left arrow-right arrow-up filterby sortby zoom infoNew greenCheck
Have questions about an order or return?
More questions?
 

We’ve selected shipping to

BELGIUM

PRIVACY POLICY

Your privacy: summary information.

Welcome to our website yoox.com (hereinafter referred to as the "Website" or “Site”).

Your privacy and the security of your personal data is very important to YOOX NET-A-PORTER GROUP S.p.A. (hereinafter referred to as “ YOOX”). For this reason, we take the utmost care when collecting and handling your personal data, and adopt specific measures to protect your security.

Below you will find a summary of the key information regarding how your personal data is processed when you navigate the Website and use the corresponding services offered. For detailed information, please read our "Extended Privacy Policy", available at the end of this page.

We also ask that you read our “ Cookie Policy”, the yoox.com “ General Terms of Use” and the “ Myoox Terms and Conditions of Use ”, which contain detailed information on the conditions relating to our services. Some services may be subject to specific legal conditions: in such cases, we shall provide you with the relevant information in each instance.

Who is the Data Controller?

The Website and related services are managed by YOOX, while the products on the Website are offered and sold by both YOOX and its partners (hereinafter referred to as "Partners").

For this reason, your personal data will be processed both by YOOX and by its Partners. Specifically:

- YOOX processes your personal data as an independent Data Controller with respect to the processing activities envisaged within the context of your use of the website, as well as with regard to the provision of any related services, the management of the website itself and the sale of products that YOOX directly offers for purchase on the Website.

Further information on the main characteristics of these data processing activities is provided below, while detailed information can be found in section 1 of the Extended Privacy Policy;

- the Partners process your personal data in their capacity as independent Data Controllers with regard to the contract for the sale of their products through the Website and relative obligations. For more information on these data processing activities, please see the Partners’ privacy policies, which can be accessed via their product pages on the Website;

- YOOX and its Partners process your personal data jointly, i.e. as "joint data controllers", for processing activities with regard to which YOOX and Partners (hereinafter referred to as the "Joint Data Controllers") are jointly responsible for deciding the purposes and means of processing. Specifically, these data processing activities concern anti-fraud activities - including the management of chargebacks and disputes with respect to payments relating to the sale of the Partners' products on the Website, including jointly with products sold directly by YOOX - and the "management of online sales" of the products offered by the Partners on the Website.

Further information on the main characteristics of these data processing activities is provided below, while detailed information can be found in section 2 of the Website’s Extended Privacy Policy.

YOOX has stipulated an agreement for this purpose with its Partners, in order to specifically regulate its own commitments and those of its Partners with respect to the obligations provided for in the Personal Data Protection Act (the so-called “Joint Controllership Agreement”). You can view the key contents of the Joint Controllership Agreement by clicking here.

YOOX NET-A-PORTER GROUP S.p.A. is a sole shareholder company subject to the management and coordination of Compagnie Financière Richemont S.A., with registered office on Via Morimondo 17 - 20143 Milan (Italy), Tax Code and VAT no. 02050461207.

You can contact YOOX at any time by writing to the above address or to our Customer Care team (selecting “privacy”).

If you wish, you may also contact the “Data Protection Officer” (href="mailto:DPO@ynap.com">DPODPO email address.

You can find information on the identity and contact details of the Partners (including the contact details of any Data Protection Officers designated by the individual Partners) in each Partner’s privacy policy, accessible from their product pages, which can be found on the Website.

For any requests regarding the processing of data in joint ownership, you can contact YOOX at the addresses indicated above: indeed, to assist you in exercising your rights, YOOX has been identified as a “point of contact” with regard to all questions on the processing of data in joint ownership between YOOX and its Partners. If you prefer, you can still contact our Partners regarding these issues at the addresses indicated in each Partner’s privacy policy, accessible from their product pages, which can be found on the Website.

What data do we process and why?

In its capacity as independent Data Controller, YOOX processes different types of personal data: the information you provide us with when you complete an order and purchase products sold by YOOX or register on the Website, and the data we collect while you browse or use the services offered on the Website. For details on the data we process, please see paragraph 1.2 of the Extended Privacy Policy.

In its capacity as independent Data Controller, YOOX processes your data for the purposes and according to the legal bases indicated below (detailed information in this regard is provided in the paragraphs 1.3, 1.4 and 1.6 of the Extended Privacy Policy).

a) To conclude and perform the agreement for the purchase of goods offered by YOOX on the Website;

b) For registration on the Website in order to benefit from the services reserved for registered users (in case of registration/authentication on the Website through "Facebook" or "Google", these subjects will also process your data: more information in this regard is provided in the paragraph 1.2 of the Extended Privacy Policy);

c) For the provision of the services offered on the Website;

d) For the management of requests made to our Customer Care team.

The types of processing indicated in letters a), b), c) and d) are carried out on the basis of the need to execute a contract of which the Data Subject (you) is a part, or on the basis of pre-contractual measures adopted at the request of the same;

e) For the fulfilment of legal obligations.

Data processing carried out on the basis of the need to fulfil a legal obligation to which YOOX is subject;

f) Sending of newsletters;

g) Sending of promotional text messages;

h) Opinion polls and market research;

i) Sending of personalised promotional and commercial communications for registered users (i.e., communications regarding products that we believe are of interest to the user, based on the analysis of the purchases made and the information regarding the user's navigation on the Website, such as the products viewed or placed in the cart);

The types of data processing indicated in letters f), g), h) and i) are carried out only following receipt of your express prior consent;

j) Personalisation of the contents of the Website for marketing purposes (i.e. on the Website, we display information about products that we think may be of interest to the user based on the analysis of the purchases made and information regarding the user's navigation on the Website, such as the products viewed or placed in the cart);

k) Analysis and statistical surveys to improve the commercial offering and services of the Website (i.e. to make the Website easier to use and improve the shopping experience);

l) To prevent and suppress fraud, counterfeiting and abusive conduct;

m) To ensure the correct technical functioning and security of the Website;

n) To ensure the protection of the relevant rights.

The types of data processing indicated in letters j), k), l), m), and n) are carried out on the basis of the legitimate interest of YOOX or of a third party.

Subject to your express consent, we also use your personal data to send "web push notifications" to your device, i.e., personalised notifications regarding YOOX products and commercial news (further information is provided in paragraph 1.5 of the Extended Privacy Policy).

The Partners, in their capacity as independent Data Controllers, process your personal data with regard to the contract for the sale of their products through the Website and relative obligations. You can find detailed information on these data processing activities by the Partners in the privacy policy of each Partner, accessible from each of their product pages on the Website.

As Joint Data Controllers, YOOX and Partners process different types of personal data: the information you provide us with when you complete an order and purchase products sold by Partners on the Website, and the data we collect while you browse or use the services offered on the Website. For details of the data processed, please see paragraph 2.2 of the Extended Privacy Policy.

YOOX and its Partners process your personal data as Joint Data Controllers with respect to the following processing activities:

1. Anti-fraud activities, including the management of chargebacks and disputes related to payments in connection with the sale of Partners' products on the Website, including in conjunction with products sold by YOOX;

The processing type indicated in number 1) is carried out on the basis of the legitimate interest of YOOX and the Partners.

2. Management of the online sale of the products offered by the Partners on the Website.

The data processing is carried out on the basis of the necessity to fulfil a contract to which the Data Subject (you) is party, or to carry out pre-contractual measures adopted upon request of the same.

Further information on the purposes and legal bases of the processing carried out jointly by YOOX and its Partners is provided in paragraph 2.2 of the Extended Privacy Policy.

Who will process your data?

With respect to the processing activities carried out by YOOX in its capacity as independent Data Controller, your data is processed by staff who have been duly trained and authorised by YOOX. The data will only be communicated externally when this is indispensable with respect to the processing purposes indicated above. As part of the delivery of the Website's services and in order to execute a sales contract, the data may be processed by YOOX suppliers: the latter have been evaluated and chosen by YOOX for their proven reliability and competence.

The data may be shared by YOOX with the following categories of recipients: email service providers; Internet service providers; companies specialising in IT and telematic services; companies that provide customer support services; companies offering marketing services, companies specialising in market research and data processing; couriers and shippers; bank operators. More information is provided in paragraph 1.7 of the Extended Privacy Policy.

In certain cases, your data will be transferred by YOOX to countries outside the European Union or the European Economic Area: more information regarding this is provided in paragraph 1.8 of the Extended Privacy Policy.

With regard to the processing activities carried out by the Partners, in their capacity as independent Data Controllers, you will find detailed information on the subjects who will carry out these processing activities the privacy policy of each Partner, accessible via their product pages present on the Website.

With respect to the processing activities carried out by YOOX and the Partners as Joint Data Controllers, your data is processed by staff who are trained and authorised by YOOX and the Partners. The data will only be communicated externally when this is indispensable with respect to the processing purposes indicated above. As part of these processing activities, the data may be processed by suppliers of YOOX and Partners: these suppliers have been evaluated and selected by YOOX and the Partners for their proven reliability and competence.

The data may be shared with the following categories of recipients: email service providers; Internet service providers; companies specialising in IT and telematic services; companies that provide customer support services; companies offering marketing services, companies specialising in market research and data processing; couriers and shippers; bank operators. More information is provided in paragraph 2.3 of the Extended Privacy Policy.

In certain cases, your data will be transferred to countries outside the European Union or the European Economic Area: more information regarding this is provided in paragraph 2.4 of the Extended Privacy Policy.

How long do we keep your data?

Your personal data will be kept for a limited period of time, which varies according to the purpose for which they the data is processed, at the end of which your data will be definitively erased or in any case rendered anonymous in an irreversible manner.

With respect to processing activities carried out by YOOX in its capacity as independent Data Controller, for example, the data collected during the purchase of products sold by YOOX will be processed until all the administrative and accounting formalities have been complied with, and will then be stored in accordance with local tax legislation (ten years). The data used to send you newsletters or SMS messages will be processed until you ask us to stop sending them (withdrawal of consent or objection to receipt) and, in any case, within 4 (four) years from the last relevant interaction with us. Detailed information in this regard is given in paragraph 1.9 of the Extended Privacy Policy.

With regard to the processing activities carried out by the Partners, in their capacity as independent Data Controllers, you can find detailed information on the relative data retention periods in the privacy policy of each Partner, which can be accessed via their product pages, which can be found on the Website.

With respect to the processing activities carried out by YOOX and Partners in their capacity as Joint Data Controllers , detailed information on data retention periods is provided in paragraph 2.2 of the Extended Privacy Policy.

What are your rights?

With respect to the processing activities carried out by YOOX in its capacity as independent Data Controller, you have the right to object at any time:

- To processing activities carried out for direct marketing purposes (sending of newsletters via email, sending of promotional SMS messages, opinion polls, sending of commercial/promotional communications via personal email). Upon receipt of your request, we will cease the processing activity to which you objected within the shortest time technically possible. You can also exercise your right to object by following the instructions contained in the communications we send you (for example, by clicking on the link at the bottom of each of the messages sent by email); to processing activities carried out on the basis of "legitimate interest", for reasons relating to your specific situation. Having examined these reasons, if deemed legitimate, we will cease the processing activity to which you objected within the shortest time technically possible.

You also have the following rights:

- to revoke the consent you have given for one or more of the data processing purposes described above;

- to obtain access to your data as well as to information on the data processing activities we are carrying out, as well as a copy of such data;

- to obtain the rectification of any inaccurate data and the completion of f incomplete data;

- to obtain the erasure of your data, in the cases provided for by law;

- to obtain the limitation of your data, in the cases provided for by law;

- to receive your data in a standard electronic format, so that it can be transferred to another party ("data portability").

For more information on these rights and how to exercise them, see paragraph 1.10 of the Extended Privacy Policy.

To exercise your rights, you can contact us using the contact details indicated above. For any questions regarding your rights, you can also contact our Data Protection Officer, using the contact details indicated above.

With regard to the processing activities carried out by the Partners, in their capacity as independent Data Controllers, you will find detailed information on your rights and on how to exercise them (including the contact details of any Data Protection Officer designated by the individual Partners) in the privacy policy of each Partner, accessible from their product pages on the Website.

With respect to the processing activities carried out by YOOX and by the Partners as Joint Data Controllers, you have the right to object at any time:

- to the sending of emails for direct marketing purposes. Upon receipt of your request, we will cease the processing activity to which you objected within the shortest time technically possible. You can easily exercise your right to object by clicking on the link at the bottom of each communication sent by email;

- to processing activities carried out on the basis of " legitimate interest", for reasons relating to your specific situation. Having examined these reasons, if deemed legitimate, we will cease the processing activity to which you objected within the shortest time technically possible.

You also have the following rights:

- to obtain access to your data as well as to information on the data processing activities that the Joint Data Controllers are carrying out, as well as a copy of such data;

- to obtain the rectification of any inaccurate data and the completion of f incomplete data;

- to obtain the erasure of your data, in the cases provided for by the law;

- to obtain the limitation of your data, in the cases provided for by law;

- to receive your data in a standard electronic format, so that it can be transferred to another party ("data portability").

For more information on these rights and how to exercise them, see paragraph 2.5 of the Extended Privacy Policy.

To exercise your rights with regard to the processing activities carried out in joint ownership by YOOX and its Partners, you can contact YOOX at the addresses indicated above: indeed, to assist you in exercising your rights, YOOX has been identified as a “point of contact” with regard to all questions on the processing of data in joint ownership between YOOX and its Partners.

For any questions regarding your rights and personal data, you can also contact the YOOX Data Protection Officer using the contact details indicated above.

If you prefer, you may still exercise your rights directly with our Partners, contacting them using the details indicated in each Partner’s privacy policy, accessible from their product pages, which can be found on the Website.

If you believe that your personal data has been processed illegally, you may log a complaint with one of the supervisory authorities responsible for ensuring compliance with the data protection regulations in force. In Italy, complaints may be submitted to the Italian Data Protection Authority (http://www.garanteprivacy.it/).

This policy may undergo changes and additions over time. We will ensure that you are adequately informed in the event of substantial changes to the policy. In any case, the updated version of the policy will be published on this page, with an indication of the date of its last update.


Extended Privacy Policy

Contents

1. Processing of personal data carried out by YOOX in its capacity as independent Data Controller.

2. Processing of personal data carried out by YOOX and its Partners in joint ownership.

3. Complaints and other important information.

Summary of the Joint Controllership Agreement between YOOX and its Partners : the summary is provided at the bottom of this page.

____________

The yoox.com website (hereinafter the “Website” or “Site”) and related services are operated by YOOX. Through the Website, you can purchase products sold by YOOX and its partner sellers (hereinafter referred to as “Partners”). For this reason, your personal data will be processed both by YOOX and by its Partners, where relevant. This policy on the processing of personal data contains detailed information on both the data processing activities carried out by YOOX as independent Data Controller ( section 1), and the activities carried out jointly by YOOX and its Partners as Joint Data Controllers ( section 2). With regard to the processing activities carried out by the Partners in their capacity as independent Data Controllers, you will find the relevant detailed information in the privacy policy of each Partner, accessible via their product pages and present on the Website.

1. Processing of personal data carried out by YOOX as independent Data Controller.

1.1 General information.

Who is the Data Controller?

YOOX NET-A-PORTER GROUP S.p.A, (hereinafter “YOOX”) is the Data Controller, i.e. the party that decides how and why your personal data should be processed, a sole-shareholder company managed and coordinated by Compagnie Financière Richemont S.A., with registered office at via Morimondo n. 17 - 20143 Milan (Italy), Tax Code and VAT no. 02050461207.

You can contact YOOX at any time by writing to the above address or to our Customer Care team (selecting “privacy”).

In this section 1 of the Website's Extended Privacy Policy, you will find information regarding the processing of your personal data as carried out by YOOX as independent Data Controller.

Who is the Data Protection Officer (DPO)?

YOOX has designated a Data Protection Officer or “ DPO” (Data Protection Officer).

If you have any questions regarding the protection of your Personal Data or the exercise of your rights, please contact our Data Protection Officer (DPO), either by way of a written letter addressed to the “Data Protection Officer” at the YOOX address indicated above, or via email to the DPO email address.

1.2 What personal data do we process?

The categories of personal data that YOOX collects and processes in relation to the use of the Website and the related services offered are as follows:

a) the personal data necessary to conclude and execute your purchase on the Website, such as name and surname, email address, shipping address, billing address, telephone number, payment details, product purchased and other information present in the purchase orders, information on shipments and returns;

b) email address, when you subscribe to our newsletter service or for commercial communication activities or to carry out opinion polls and market research;

c) mobile phone number, when you subscribe to our promotional SMS messaging service or to carry out opinion polls and market research;

d) the personal data that you provide us when you contact our Customer Care team;

e) information regarding your interests and preferences with regard to the contents of the Website, our products and services, which we use in order to personalise the contents of the Website and the commercial communications, as well as for statistical surveys and analyses (for more information, see letters j), k) and l) of the following paragraph 1.3). In particular: information regarding your previous purchases, on the use of the services of the Website reserved for registered users, on the sections of the Website you visit most often or the services you use most frequently, on your IP address, the pages of the Website you have visited, the products viewed and those added to your cart, the purchases made and any withdrawals/returns, the time spent on each page of the Website, the frequency of access to the Website, the interactions between you and the pages of the Website that you visit and any personalised content present on these pages, information contained in the "log files" of the Website servers (IP address, date and time of the request, resource requested, status codes of the responses given by the server, other information regarding the user's IT environment), with reference to letter j) of the following paragraph 1.3; the pages of the Website you have visited, the products viewed, your interactions with the pages of the Website you have visited and with any personalised content present on these pages, products added to your cart, time spent on each page of the Website, information contained in the "log files" of the Website's servers (date and time of the request, requested resource, codes on the status of the responses given by the server), with reference to letter k) of the following paragraph 1.3.

f) name and surname, email address and password, for registering your Myoox account. In case of registration/authentication of the Myoox account via the services of third-party operators ("Facebook Login" or "Login with Google"), we collect the data necessary for registration/authentication on the Website, i.e. your email address, from these operators. In particular: i) in the event of registration/authentication using "Facebook Login", YOOX and Meta Platforms Ireland Limited (the company that provides the function for accessing the "Facebook Login" website) act as joint data controllers for the processing of your data on the basis of a specific "joint controllership agreement" that has been stipulated between the parties, and which you can view here. For more information, see also the documentation made available by Meta Platforms Ireland Limited and its privacy policy; ii) in case of registration/authentication using "Login with Google", Google Ireland Limited will also process your data (further information is available in the Google privacy policy );

g) data processed when you access the area reserved for registered users, such as which services you use and when, as referred to in paragraph 1.5 below (order history, products of interest, virtual credit, saved searches, card payment details, size information);

h) information regarding other people that you provide us with in the case of purchase of a product to be delivered to a friend, or to be delivered as a gift (name and surname, address). In these hypotheses, we deliver the privacy policy to the person indicated by you at the time of the initial communication with this person, and in any case in compliance with the times and methods established by law. We would like to remind you that the use of other people's personal data may be subject to the regulations on the protection of personal data;

i) contact details of the third-party companies interested in becoming a YOOX partner, with a view to managing these requests.

YOOX does not process personal data concerning minors. By accessing yoox.com and using the services offered by YOOX, you declare that you are over the age of 18.

In addition to the data listed in this paragraph, when you use the app or mobile version of our Website, YOOX may:

- collect personal data for marketing purposes in order to send push notifications to your device, with your express prior consent. You may disable push notifications at any time by modifying your preferences in the settings on your mobile device.

- collect information automatically, such as site traffic data, data on how long you spend on the app, or your IP address, in order to improve our offering of products and services;

- collect the information that you provide us with, such as your photo and your clothing and accessory sizes, in order to facilitate your use of the YOOXMIRROR service. We shall store such data until you decide to delete your profile (as created by you), or until you request that we delete your Myoox account.

1.3 How do we use personal data?

YOOX collects and processes your personal data for the following purposes:

a) To conclude and perform the agreement for the purchase of goods offered on the YOOX Website.

We process your personal data (in particular as referred to in letter a) of the previous paragraph 1.2) to conclude the contract for the purchase of the products that we offer on the Website and to execute contractual activities such as the shipment of the product, the management of the payment and the management of the return and refund, where applicable.

We also process the data in order to send you communications regarding the conclusion and execution of the contract, such as emails confirming the receipt of your order, the acceptance thereof and the successful shipment of the product. In countries where it is available as a service, you can also choose to receive these communications via "WhatsApp"; you can always change your mind by replying "Stop Order" to our message, which will arrive via "WhatsApp"; in this case, you will continue to receive communications by email only.

b) Registration on the Website and use of the services offered to registered users .

Registration on the Website can be carried out by entering some personal information (as referred to in letter f) of the previous paragraph 1.2), required in order to enable you to be identified, and to allow the services reserved for registered users as described in the following paragraph 1.5 to be carried out.

c) Provision of the services offered on the Website and in the app .

To this end, in relation to each service and the characteristics thereof, YOOX needs to collect the personal data necessary to perform the service you requested (see the relevant service in the previous paragraph 1.2).

d) Management of requests made to our Customer Care team.

Our Customer Care team uses the personal data you provide (specifically that referred to in letter d) of the previous paragraph 1.2) to fulfil your requests for information and assistance (with the exception of requests regarding the products of the Partners, which are managed by the latter: see the following paragraph 2.2 for more information).

The contact details published on the Website are not intended for the receipt of spontaneous applications from those wishing to work for YOOX: any CVs and applications sent to these addresses will be discarded and the related data deleted. To submit your application to YOOX, the user is invited to use the appropriate section of the website https://www.ynap.com.

e) Fulfilment of legal obligations.

We process your data (as referred to specifically in letter a) of the previous paragraph 1.2) in order to fulfil the obligations imposed on us by national and European Union laws and regulations, primarily civil and fiscal obligations deriving from the contract for the purchase of products on the Website (such as, for example, the issuance of the invoice and archiving thereof, the management of the legal guarantee of conformity).

f) Sending of newsletters.

Subject to your consent, we will send you (see letter b) of the previous paragraph 1.2) all newsletters (communications regarding YOOX news and commercial promotions) via email.

g) Sending of promotional text messages.

Subject to your consent, we will send you messages regarding our news and commercial promotions ("SMS service") via SMS (see letter c) of the previous paragraph 1.2).

h) Opinion polls and market research.

Subject to your consent, we will contact you in order to carry out market research and satisfaction surveys, which we implement in order to improve the Website, our products and services, the relationship with our users and customers and the quality of our commercial offering. These communications may be sent via email, SMS, telephone and paper-based mail (see letters a, b and c of the previous paragraph 1.2).

i) Personalised Website content and sending of personalised marketing communications for registered users .

Subject to your consent, YOOX will personalise the contents of the Website which will be presented to you as a registered user thereof, as well as customising commercial communications addressed to you (by email, SMS, telephone and paper mail), on the basis of a profiling activity (construction of a profile), with a view to be able to offer you previews and offers that are more in line with your tastes and preferences.

This activity allows us to help you to identify products and services that are of real interest to you, and to improve your shopping experience on the Website.

As a result of this data processing activity, you will be able to view personalised content on the Website and receive personalised promotional communications.

The personalisation of the contents and communications will be carried out by means of a profiling activity which entails the collection and analysis of information on your previous purchases, on the use of Website services reserved for registered users, on the sections of the Website you visit most often or the services you use most frequently, on your IP address, the pages of the Website you have visited, the products viewed and those placed in the cart, the purchases made and any withdrawals/returns, the time spent on each page of the Website, the frequency of access to the Website, the interactions between you and the pages of the Website visited and with any customised content present therein, the information contained in the "log files" of the Website's servers (IP address, date and time of the request, requested resource, codes on the status of the responses given by the server, other information on the user's IT environment) (see letter e) of the previous paragraph 1.2). This information helps us understand which products and services you are most interested in.

In order to ensure that the information in our possession is correct and allows us to adequately carry out the personalisation activities described, please go to the “my profile” section of your Myoox account and, if necessary, update it.

On receipt of your express prior consent, we will send personalised marketing communications, including via "web push notification": information on this differing type of processing is provided in the following paragraph 1.5 “Web Push Notifications”.

You can withdraw your consent at any time

- to the personalisation of the contents of the Website through the appropriate option in the "My profile" section of your Myoox,

- upon receipt of personalised communications, by clicking on the link at the bottom of each email received,

- to receiving personalised push notifications, by following the instructions in the following paragraph 1.5 “Web Push Notifications”.

j) Personalisation of the contents of the Website for marketing purposes (i.e. on the Website, we display information about products that we think may be of interest to the user based on the analysis of the purchases made and information regarding the user's navigation on the Website, such as the products viewed or placed in the cart); We use information about your navigation on the Website to personalise the contents of the Website for marketing purposes, i.e. to show you the products and services that we believe are most in line with your interests, as expressed while browsing.

This activity allows us to help you to identify products and services that are of real interest to you, as well as improving the Website shopping experience for our users.

As a result of this processing activity, when browsing the Website, you will also see products that we believe are in line with your interests.

The information we use for this activity includes the following: pages of the Website you have visited, products viewed, interactions between you and the pages of the Website you visit and with any customised content present therein, products added to your shopping cart, time spent on each page of the Website , information contained in the "log files" of the Website servers (date and time of the request, resource requested, codes on the status of the responses given by the server) (see letter e) of the previous paragraph 1.2).

This customisation (so-called profiling) is not based on the use of "cookies" or other similar tracking tools, but rather is carried using the information we collect on from the server during individual browsing sessions on the Website. Where you have given your consent to YOOX regarding the use of profiling cookies (see the specific policy on YOOX cookies: “ Cookie Policy"), the personalisation will also take place through these cookies.

k) Analysis and statistical surveys to improve the commercial offering and services of the Website .

We collect some information on your use of the Website in order to carry out analyses and statistical surveys in aggregate form, with the goal of obtaining useful information to improve our commercial offering and our services on the Website and the way in which these are presented, i.e. to understand how the Website is used and to render this use easier and more intuitive for users, as well as to improve our commercial offering and the shopping experience of our users.

The information collected and used for these purposes includes the following: pages of the Website visited, products placed in the cart, time spent on each page of the Website, interactions with the contents of the Website (see letter e) of the previous paragraph 1.2).

l) Prevention and suppression of fraud, counterfeiting and abusive conduct .

Your data (as referred to in the previous paragraph 1.2) will also be processed to allow YOOX to carry out security checks and anti-fraud activities, with a view to implementing prevention and protection measures against fraudulent activities, counterfeiting and abusive behaviour (including by third parties) that is in violation of current regulations, contractual provisions applicable to the Website, the app and the related services, and the rules of fairness and good faith.

In carrying out these activities, we also consult external databases and "blacklists" for tracking fraudulent online activities. In these cases, your data is collected by the external providers of such databases and blacklists. It should be noted that in the event of items reported by customers as not delivered by the courier or as lost during a return procedure, you will be asked to forward a copy of an identity document, in order to allow YOOX to carry out the checks necessary to process the refund; any personal data that is not essential for the purpose will not be used. In the event of suspected theft of the goods not received, a copy of your identity document will be attached to any report filed with the competent authorities to protect your rights and those of YOOX.

With reference to the sale of our Partners' products through the Website, your data is processed in order to carry out activities to prevent and supress fraud, counterfeiting and abusive behaviour by YOOX and by the Partners as Joint Data Controllers. More information on this is available in the next paragraph 2.2.

m) to ensure the correct technical functioning and security of the Website.

We process your data in order to ascertain and ensure the correct technical functioning and security of the Website.

More specifically, for this purpose, we use your navigation data (IP address, information contained in the "log files" of the Website’s servers and other data indicated in paragraph 1.2), which allow us to detect anomalies connected to any technical malfunctions of the Website or to situations that may compromise the security of the Website, thus enabling us to intervene in order to ensure the correct technical functioning and security of the Website.

n) Protection of rights.

We will process your data (as referred to in the previous paragraph 1.2) in order to protect our rights or those of another subject in judicial, extrajudicial (mediation bodies and bodies with similar functions) and administrative settings, should this prove necessary.

In the event that you originally wish to authorise the activities referred to in letters f), g), h), i) and j) but then subsequently wish for these to cease, you can request this at any time: to stop these activities (including the sending of any promotional communications), you can contact YOOX via our Customer Care team, selecting "privacy" or by writing to YOOX at the address indicated in the first paragraph of this policy, or, with reference to the receipt of promotional communications, by following the instructions at the bottom of each message received (for example, by clicking on the appropriate link at the bottom of newsletters and other communications sent via email, or by sending "STOP" to the number indicated in the SMS received). If you are a registered user of the Website, you can also stop these activities and communications by going to the "My profile" section of your Myoox.

For processing activities that require the sending of communications in various ways (via SMS, email, paper mail, etc.), you can request that the sending of communications be ceased only with respect to some of the aforementioned methods, by contacting YOOX on 800593888 or via the Customer Care team, selecting "privacy", or by writing to the address indicated in paragraph 1.1.

Please be aware that you may receive further communications from us even after you have requested termination thereof, due to the fact that for technical reasons, your request may take up to 15 (fifteen) days to come into effect.

With regard to all the activities indicated above, we will process your personal data primarily through IT and electronic tools.

1.4 Your Myoox profile.

Registering on the Website enables you to create a Myoox profile, through which you can use the services indicated below.

• My Orders: track your orders, exchange and return items that weren't right for you and view your order history.

• Dream Box: save your favourite items and receive updates via email when they become available or if they drop in price. You can disable Dream Box notifications at any time from your Myoox account. You may choose to receive Dream Box notifications via WhatsApp in the countries in which this service is available (you can always change your mind by responding to any of our WhatsApp messages with “Stop Dream Box”, and you will then continue to receive Dream Box notifications via email only).

• Moneyoox: choose the easiest and fastest refund method for any items you want to return. Use your virtual credit for future orders.

• Première: save your searches while you shop and receive email updates when items you show interest in become available. You can disable Première notifications at any time from your Myoox account.

• My details: manage your log-in details and your consent regarding communications (personalised or standard) on our news and promotions.

• My addresses: save or modify your addresses to make placing your next order easier and faster.

• My cards: save or modify your card details to make placing your next order faster and just as secure. You can modify or delete the cards saved using this function at any time.

• My Sizes: create your profile and only browse the items in your size.

• YOOXMIRROR, only available on the app: create your own personalised avatar.

1.5 Web push notifications.

We use your personal data to send you "web push notifications", through your browser and subject to your express consent, and in particular, personalised notifications regarding YOOX products and commercial news.

To be able to send you these notifications we use technologies similar to cookies (more specifically, "HTML5 Local Storage"), which store information on your device (in "local storage"). Some of your personal data and, more specifically, the information indicated below this paragraph, is also stored on our servers, which are located in the European Union. YOOX cannot delete the information stored in the local storage area of your device; in order to delete this information, please follow the instructions indicated in the "Cookie Policy ” by YOOX.

Communications are personalised according to: the way you navigate and use the Website (in particular the products you view, purchase or place in your shopping cart), as well as the data you enter in the registration form when purchasing products on the Website (in particular, the name used to personalise communications sent to you and your date of birth so that we can send you promotions and discounts on your birthday).

The categories of personal data used for this purpose are: products purchased, displayed or placed in the shopping cart, name, date of birth, gender (male or female), preferred language and version of the Website used (country), information about the device and browser that you are using, date and time you gave your consent to receive the web push notifications, My Account/MYOOX creation date,
date of your last visit to the Website.

This activity allows us to help you identify products and services that are of greater interest to you, and to improve your shopping experience on the Website.

As a result of this processing activity, you will receive communications of the type described above.

You may revoke your consent to receiving such personalised commercial communications at any time by following the instructions below, in accordance with the browser you are using.

Most popular browsers:

- Chrome: Settings > Show Advanced Settings > Privacy – Content Settings > Notifications - Manage exceptions> Enter www.OFS.com and select “Block”

- Firefox: Options > Content > Notifications – Select > www.OFS.com – “Block”

- Safari: Preferences > Notifications > From here select "Deny"

You may also revoke your consent to receiving notifications directly from the messages you receive, by following the instructions below.

- Desktop: Right-click on the notification > disable notifications from www.yoox.com

- Mobile: Access the notification centre > Site parameters > Notifications > Block notifications from www.yoox.com

In any case, the service shall be terminated and the corresponding personal data in our possession erased after 365 (three hundred and sixty-five) days from the date of your last visit to our Website.

In order to ensure that the information in our possession is correct and allows us to send the personalised push notifications correctly, please go to the “my profile” section of your Myoox account and, if necessary, update it.

1.6 Legal basis of data processing

We only process your personal data in the presence of one of the conditions established by the legislation currently in force (the so-called "legal bases" or "conditions of lawfulness"), and more specifically:

a) due to the need to execute a contract of which you are a part, or to carry out pre-contractual measures adopted at your request.

When we process your data for the purpose of concluding and performing an agreement to which you are a party, we take care to ensure that only the minimum information necessary is used. This legal basis legitimises the processing of personal data that takes place as part of the following activities:

- Conclusion and execution of a purchase agreement for the products offered on the Website by YOOX;

- Registration on the Website and use of the services reserved for registered users;

- provision of the services offered on the Website and in the app;

- the processing of your requests by our Customer Care team.

The provision of your personal data for these activities is optional, although, depending on the case, it may be a necessary requirement for the conclusion or fulfilment of a contract. You are free to decide whether or not you wish to provide us with your data; however, if we do not have the data requested, we will not be able to conclude or carry out the agreement or fulfil your requests. This means that you will not be able to purchase the products and benefit from any YOOX services, register on the Website or benefit from the services of the Website, and that YOOX will not be able to process your requests;

b) due to the need to fulfil a legal obligation imposed on us by law.

This legal basis authorises us to process your data in order to fulfil the legal obligations to which we are subject. In particular, in the event that an agreement for the purchase of goods on the Website is concluded, we must process your data in order to fulfil any legal obligations with which YOOX must comply, in accordance with the tax obligations and other regulations to which YOOX is subject.

You are free to decide whether or not to provide us with your data and to conclude a contract with YOOX, but if you do so, your data will be processed in order to fulfil the relevant legal obligations to which YOOX is subject;

c) Based on your consent.

We will only carry out the following processing activities if you have provided us with your express consent:

- sending of our newsletters by email;

- sending of promotional text messages (“SMS service”);

- conducting opinion polls and market research;

- personalisation of the contents of the Website and sending of personalised marketing communications.

Providing us with your personal data for such activities is entirely optional. You are free to decide whether or not to provide us with your data for these purposes, but a failure to do so will mean that you cannot receive our newsletters, SMS messages regarding our news and commercial promotions or personalised marketing communications, nor will it be possible for YOOX to carry out opinion polls and market research.

d) for a legitimate interest of YOOX or of a third party.

We process your data on this legal basis in the following cases:

- analyses and statistical surveys to improve the commercial offering and the services of the Website. In this instance, the processing is carried out on the basis of our legitimate interest in acquiring useful information to improve the quality and effectiveness of the commercial offering and services provided through the Website. The provision of data for this processing activity is entirely optional. However, failure to provide it, with opposition to the activity in question, will only make it impossible for YOOX to use the data to improve the commercial offering and services on the Website;

- to prevent and suppress fraud, counterfeiting and abusive conduct; In this case, the processing activity is carried out on the basis of our legitimate interest in the prevention and suppression of fraudulent activities that may compromise the profitability of the Website and the security of its users. The provision of data for this processing activity is optional, although it is a necessary requirement for the sending of an order or fulfillment of a purchase agreement, and failure to provide the data will render this impossible;

- personalisation of the contents of the Website for marketing purposes. In this case, the data processing is carried out on the basis of our legitimate interest in increasing the profitability of the Website by personalising the users' browsing experience. The provision of data for this processing activity is entirely optional. Failure to provide the data, with opposition to the activity in question, will only make it impossible to view the customised Website content;

- to ensure the correct technical functioning and security of the Website; In this case, the data processing is carried out on the basis of our legitimate interest in preventing and resolving situations that could compromise the functioning of the Website and its services, as well as user security. The provision of data for this processing activity is optional, although it is a necessary requirement for the browsing and use of the Website, and failure to provide the data will render this impossible;

- Protection of rights. In this instance, the data processing is carried out on the basis of the legitimate interest of YOOX or of a third party in protecting their rights. The provision of data for this processing activity is optional, although it is a necessary requirement for the browsing and use of the Website, and failure to provide the data will render this impossible.

1.7 Who will process your data?

Your data will be processed by YOOX and the subjects appointed by the latter only when this is indispensable with respect to the data processing purposes described above (see previous paragraph 1.3).

Your personal data will be processed by YOOX internal staff, who are specifically trained and authorised to do so.

YOOX also relies on third parties (suppliers or business partners) to carry out some of its services and the related processing activities, to whom it shall transmit the necessary personal data. In particular, depending on the service in question, the data will be communicated to the following categories of providers:

- Email service providers;

- Internet service providers;

- Companies specialised in IT and telematic services;

- Companies providing customer assistance;

- Companies offering marketing services;

- Companies specialised in market research and data processing.

Having been appropriately selected and on the provision of suitable guarantees of compliance with the rules on the protection of personal data, these parties shall process the personal data on behalf of YOOX, acting as their “Data Processors” on the basis of a specific written designation.

As part of the services offered by YOOX, your data is also communicated by YOOX to other third parties, who will process this data in their capacity as independent data controllers. These include:

- YOOX Partners, who offer their products for sale on the Website, with reference to the processing of data connected to the sales contract;

- Couriers and freight forwarders;

- Banking operators.

Finally, in accordance with the law and where deemed necessary, your data is shared with the tax authorities, police forces and judicial and administrative authorities for the detection and prosecution of crimes, the prevention and safeguarding against threats to public security, to allow YOOX or third parties to ascertain, exercise or defend a right in judicial, extrajudicial (mediation bodies and bodies with similar functions) and administrative settings, to fulfil legal obligations, as well as for other reasons related to the protection of the rights and freedoms of others.

1.8 Transfer of data outside the European Union.

To fulfil the purposes described above, where strictly necessary, your data will also be transferred to countries outside the European Union or the European Economic Area (EEA).

The data will be transferred in compliance with the related conditions provided for by the legislation currently in force. Specifically:

1) in accordance with the “adequacy decisions” adopted by the European Commission (more information, including the list of countries to which an adequacy decision applies, is available here );

2) in the absence of an adequacy decision, in compliance with “standard data protection clauses” (or “standard contractual clauses”) and in any case, where necessary, including “additional measures” ensuring an equivalent level of data protection to that established by European legislation;

3) in the absence of “standard data protection clauses”, in compliance with one of the other “appropriate safeguards” provided by law (Article 46, Regulation (EU) 2016/679).

1.9 How long do we keep the data?

We will store your personal data for a limited period of time, which varies according to the purpose for which your personal data is processed. At the end of this period, your data will be permanently erased or anonymised in an irreversible manner, except in cases where the data must be retained for a longer period due to disputes, requests from the competent authorities, or pursuant to applicable legislation.

Your personal data is stored by us in compliance with the terms and criteria specified below for each data processing purpose.

a) To conclude and execute the contract for the purchase of the products offered on the Website by YOOX: up to the conclusion of the administrative and accounting formalities and in any case up to 10 (ten) years from the date of conclusion of the purchase agreement;

b) To enable registration on the Website and use of the services offered to registered users: until the user unsubscribes from the service or following a request by the user to cease the activity;

c) To enable provision of the services offered on the Website: until the user unsubscribes from the service or following a request by the user to cease the activity;

d) To manage requests send to our Customer Care team: for the time necessary to fulfil the request and without prejudice to any further period of data storage that is necessary for the purpose of protecting the rights of the Data Controller or third parties;

e) To fulfil legal obligations: your data will be kept for as long as necessary for YOOX to fulfil the obligations established by law and, in any case, in compliance with any mandatory retention periods established by law. Civil law requires that accounting records be kept for 10 (ten) years from the date of the last registration (Article 2220 of the Italian Civil Code);

f) To send newsletters: until the consent given for this activity is revoked or until a request for termination of the same is received, and, in any case, no later than 4 (four) years from the date of the last relevant interaction by the user;

g) To send promotional SMS messages: until the consent given for this activity is revoked or until the request for termination of the same is received, and, in any case, no later than 4 (four) years from the date of the last relevant interaction by the user;

h) To carry out opinion polls and market research: until the consent given for this activity is revoked or until the request for cessation of the same is received, and, in any case, no later than 4 (four) years from the date of the last relevant interaction by the user;

i) To enable the personalisation of the contents of the Website and the sending of personalised marketing communications to registered users: until the revocation of the consent given for this activity or until the request for termination of the same is received, and in any case, no later than 2 (two) years from the last relevant interaction with the user;

j) To carry out analyses and statistical surveys to improve the commercial offering and the services provided by the Website: up to 12 (twelve) months from the last relevant interaction by the user, where any subsequent further processing will take place after aggregation and anonymisation of personal data;

k) To enable prevention and repression of fraud, counterfeiting and abusive behaviour: data relating to payment, up to the certification of the payment and the conclusion of the related administrative-accounting formalities following the expiry of the right of withdrawal and the terms applied for disputing the payment, without prejudice to further storage of the data where there is a need to process this in order to protect the rights of the Data Controller or of a third party, as well as requests from the competent authorities for the prevention and repression of crimes; in the event of items reported by customers as not delivered by the courier or as lost during a return procedure, the requested copy of the identity document will be kept for 6 (six) months, except where this needs to be sent to the authorities, which may involve further conservation for the time necessary for this procedure to be included;

l) To ensure the correct technical functioning and security of the Website: for as long as necessary to achieve this purpose;

m) To protect the rights of the Data Controller or of third parties: until the situation of conflict or legal dispute that requires the processing of data can be considered definitively resolved.

In any case, for technical reasons, the definitive deletion or irreversible anonymisation of personal data shall be concluded within 60 (sixty) days of the terms indicated above.

1.10 Your rights

You can exercise the rights described in the Personal Data Protection Act at any time, with reference to the specific processing of your data as carried out by YOOX. Below is a description of these rights and how to exercise them.

a) Right to object: you have the right to object to the processing of your data for “direct marketing” purposes (i.e. for the purpose of sending advertising materials or for direct selling, or for undertaking market research or commercial communications) at any time, without having to indicate the reason why you object. You can also object to profiling activities carried out for direct marketing purposes. In these cases, we will cease processing your data for the direct marketing purposes to which you have objected. We would like to remind you that the data processing activities for direct marketing purposes are those described in the paragraph 1.3, letters f), g), h), i) and j).

You also have the right to object to the processing we carry out on the basis of “legitimate interest” (more information on these processing activities is provided in the previous paragraph 1.6), including profiling, by telling us the reasons that justify your request (the law requires these reasons to be related to your particular situation). In this case, after evaluating your request, we will cease the processing activities to which you have objected, unless there are reasons that result in us having to refuse your request, as required by current legislation.

b) Right to withdraw consent: you can withdraw the consent you have given for a particular processing activity involving your personal data at any time. Upon receipt of your request, we will promptly cease the processing of your data based on the consent you have chosen to revoke; however, we will continue to process the data in the ways other than that for which you have revoked your consent. The processing that was carried out before the withdrawal of consent will remain lawful (the withdrawal of consent does not affect the lawfulness of such processing);

c) Right to access: you can ask us for confirmation that we are processing your personal data, and in relation to the processing activities carried out, you can obtain access to your data and additional information regarding the processing thereof (purposes of processing, categories of data, recipients to whom the data has been disclosed, data retention period, exercisable rights, information on the origin of the data, any automated decision-making processes and data transfer to non-EU/EEA countries). In particular, you have the right to obtain a copy of the personal data of yours that we are processing.

d) Right to rectification: you have the right to have any inaccurate personal data corrected without undue delay. You can also request the supplementation of your personal data, in the event that the data is incomplete with respect to the purpose for which it is processed. We will not accept requests for supplementation of personal data that we do not need to process with respect to the purposes described in paragraph 1.3, in compliance with current legislation.

e) Right to erasure: you can have your personal data erased without undue delay in the following cases: (i) the data is no longer necessary in relation to the purposes described in paragraph 1.3 or (ii) you have revoked your consent and there is no other legal basis for processing the data, or (iii) the data has been unlawfully processed or (iv) the data must be erased to comply with a legal obligation or, finally, (v) when you have exercised your right to object and there is no overriding legitimate reason that allows us to continue the processing. Once we have received your request, if it is legitimate we will promptly cease processing activities and erase your personal data; if the data has been made public, depending on the available technology and cost of implementation, we will take reasonable steps to notify any other subjects that are processing your data of your request for erasure. The erasure of data cannot be fulfilled in some cases provided for by law, including those concerning data processing activities required in order to fulfil legal obligations and to protect a right in court.

e) Right to restrict processing: you can limit the processing of your data. In such cases, while we continue to retain your data, we will not use this, unless you ask us to do so or in the event of any exceptions required by law. Restricted data processing may be obtained solely in the following cases: (i) when you contest the accuracy of your personal data or (ii) when the processing is unlawful but you object to the erasure of your personal data or (iii) when we no longer need your personal data, but you need it in order to exercise a right in court or (iv) when you object to the processing of your data during the period in which we are assessing the grounds of your request.

f) Right to data portability: you can request to receive your data in standard electronic format, so that you can transfer it to another data controller. Upon request, where technically possible, we will transfer your data directly to the third party indicated by you. This right can be exercised only if the legal basis of the processing is your consent or the need to execute a contract or pre-contractual measures adopted at your request (for information on the legal bases, see paragraph 1.6). Unlike the right to access, in this case, you will only obtain the data you have provided to us, which does not include the data that we ourselves have created (in particular, the data from your "profile" created during processing activities that involve personalisation activities). When we receive and fulfil a portability request, we only transmit the data that is compatible and necessary for the pursuit of the purposes described in this policy and, in any case, we adhere to the choices expressed by the data subject.

To exercise these rights, you can contact YOOX by calling 800593888, by contacting our Customer Care team through the appropriate form on our Website (selecting "privacy") or by sending a letter to our address (provided in paragraph 1.1 above).

Users registered on the Website can view the data relating to the Myoox services (see paragraph 1.4 above), access and modify the data provided during registration and manage their consent, as well as accessing their Myoox profile. For processing activities for purposes f), g), h), i) and j) as indicated in the previous paragraph 1.3 and which provide for the sending of promotional communications, the right to object or to revoke the consent regarding the aforementioned can also be exercised using the appropriate link or the procedure indicated in each communication sent, as already indicated in paragraph 1.3.

YOOX will respond to requests to exercise the rights without undue delay and, in any case, within one month of receipt of the request at the latest. This period may be extended by two months, if necessary, depending on the complexity and number of requests.

Please be aware that due to technical reasons, the activities resulting from the exercise of one of the aforementioned rights, such as erasure or objection, may take up to 15 (fifteen) days to be carried out: you may therefore receive, for example, further communications from us even after requesting the termination thereof, due to the fact that for technical reasons related to system updates, your request may take up to 15 (fifteen) days to come into effect.

To ensure that our users’ data is not breached or used unlawfully, we may need to ask you for some additional information before granting your request to exercise any of the rights described, in order to verify your identity.

For any requirements regarding your rights and personal data, you can also contact our Data Protection Officer using the contact details indicated in paragraph 1.1 above.

2. Processing of personal data carried out by YOOX and its Partners as joint data controllers.

2.1 General information.

Who are the Joint Data Controllers?

The yoox.com website (hereinafter the “Website” or “Site”) and related services are operated by YOOX. Through the Website, you can purchase products sold by YOOX and its partner sellers (hereinafter referred to as “Partners”). For this reason, with respect to specific processing activities involving the personal data of Website users, YOOX and its Partners are Joint Data Controllers, in that they jointly decide the purposes and means of such processing (hereinafter, YOOX and Partners shall be referred to as “Joint Data Controllers”).

In this section 2 of the Extended Privacy Policy for the Website, you can find information on the processing of your personal data as carried out by YOOX and its Partners as Joint Data Controllers.

We would like to remind you that:

- YOOX also processes your personal data as an independent data controller in relation to the purposes indicated in section 1 of this policy, “Processing of personal data carried out by YOOX as an independent data controller”;

- The Partners also process personal data as independent Data Controllers, in relation to the sale of the products they offer on the Website. For more information on these processing activities, please see the Partners’ privacy policies, accessible from their product pages, which can be found on the Website.

YOOX NET-A-PORTER GROUP S.p.A. (hereinafter “YOOX”), sole shareholder company subject to the management and coordination of Compagnie Financière Richemont S.A., Via Morimondo 17 – 20143 Milan (Italy), Tax Code and VAT no. 02050461207.

You can contact YOOX at any time by writing to the above address or to our Customer Care team (selecting “privacy”).

You can find information on the identity and contact details of the Partners (including the contact details of any Data Protection Officers designated by the individual Partners) in each Partner’s privacy policy, accessible from their product pages, which can be found on the Website.

For any request regarding the processing of data in joint ownership, you can contact YOOX at the addresses indicated above: indeed, to assist you in exercising your rights, YOOX has been identified as a “ point of contact” with regard to all questions on the processing of data in joint ownership between YOOX and its Partners. If you prefer, you can still contact our Partners regarding these issues at the addresses indicated in each Partner’s privacy policy, accessible from their product pages, which can be found on the Website.

YOOX has stipulated an agreement for this purpose with its Partners, in order to specifically regulate its own commitments and those of its Partners with respect to the obligations provided for in the Personal Data Protection Act (the so-called “ Joint Controllership Agreement”). You can view the key contents of the Joint Controllership Agreement by clicking here.

Who are the Personal Data Protection Officers (DPOs)?

YOOX has designated a Data Protection Officer or “ DPO” (Data Protection Officer).

If you have any questions regarding the protection of your personal data or the exercise of your rights, please contact our Data Protection Officer (DPO), either by way of a written letter addressed to the “Data Protection Officer” at the YOOX address indicated above, or via email to the DPO email address.

The contact details of the Data Protection Officer appointed by a Partner may be found in that Partner’s Privacy Policy, accessible from their product pages, which can be found on the Website.

2.2 Characteristics of processing activities carried out as Joint Data Controllers: purposes, legal basis of the processing, personal data involved in the processing, data retention period, nature of the provision and consequences of non-provision, other information.

The table below indicates the data processing activities carried out jointly by YOOX and its Partners and, for each of them, the purpose, the legal basis, the data processed, the data retention period, the nature of the provision and any consequences of non-provision, as well as other useful information.

1. Activities: Prevention and suppression of fraud, counterfeiting and abusive behaviour in relation to the sale of Partner products on the Website, including in conjunction with YOOX products, and including the management of chargebacks and disputes related to payments.

YOOX

Partner

Purposes of processing

Prevention and suppression of fraudulent behaviours with respect to the sale of Partner products on the Website, including in conjunction with YOOX products, and including the management of chargebacks and disputes related to payments.

When you purchase YOOX products or services only, your data is processed for anti-fraud purposes solely by YOOX, in its capacity as independent Data Controller. More information on this can be found in section 1.3 above.

Prevention and repression of fraudulent activities with respect to the sale of proprietary products on the Website, including the management of chargebacks and disputes with respect to payments.

Legal basis of processing

Legitimate interest (Article 6, paragraph 1, letter f) of the Regulation). In particular: legitimate interest in the prevention and suppression of fraudulent activities that may compromise the profitability of the Website and the security of Website users, with respect to the sale of the Partner’s products on the Website, including in conjunction with YOOX Products.

Legitimate interest (Article 6, paragraph 1, letter f) of the Regulation). In particular: legitimate interest in the prevention and suppression of fraudulent activities that may compromise the profitability of the sale of proprietary products on the Website and the security of Website users.

Personal data processed

Website visitor/customer’s IP address, purchases made, data relating to shipments and returns, data relating to purchase order payment data, characteristics prior to withdrawals and returns.

Data relating to purchase orders and to shipments with reference to orders involved in chargebacks and disputes related to payments made.

Data retention period

Data related to payments: until the payment has been certified and the relative administrative and accounting formalities have been fulfilled following the deadline applied for payment disputes. This is in any case without prejudice to further storage due to the need to process the data for the purposes of protecting the rights of the Data Controller or of a third party (until the conflict situation or the legal dispute requiring data processing can be considered definitively resolved), as well as to requests from the competent authorities for the prevention and suppression of crimes (for as long as necessary).

Data related to orders and to shipments: retention until the relative administrative and accounting formalities have been fulfilled, following the expiry of the right of withdrawal and the deadline applied for payment disputes. This is in any case without prejudice to further storage due to the need to process the data for the purposes of protecting the rights of the Data Controller or of a third party (until the conflict situation or the legal dispute requiring data processing can be considered definitively resolved), as well as to requests from the competent authorities for the prevention and suppression of crimes (for as long as necessary).

Nature of data provision and consequences of non-provision

The provision of data for this processing activity is optional, although it is a necessary requirement for the sending of an order or fulfilment of a purchase agreement.

The provision of data for this processing activity is optional, although it is a necessary requirement for the sending of an order or fulfilment of a purchase agreement.


2. Activities: the “management of online sales” of products offered by the Partner on the Website, including data processing activities from the time the order is submitted through the Website to the fulfilment of the relevant sales contract.

YOOX

Partner

Purposes of processing

To ensure the proper functioning of the Website, managing of purchase orders relating to Partner products, also in conjunction with YOOX products, including related customer service activities.

With respect to the management of Website sales of products offered exclusively by YOOX, your data is processed solely by YOOX, in its capacity as independent Data Controller. More information on this can be found in paragraph 1.3.

Sale of proprietary products through the Website, with management of related purchase orders.

Legal basis of processing

Data processing is necessary to fulfil a contract to which the Data Subject is party or to carry out pre-contractual measures adopted on request by the Data Subject (Article 6, paragraph 1, letter b) of the Regulation), with reference to the “General Conditions of Use” governing the information society service (online sales) provided by YOOX through the Website and, where products sold by YOOX are also ordered, with reference to the sales contract between Website users and YOOX and the pre-contractual stage between the same subjects.

Data processing is necessary to fulfil a contract to which the Data Subject is party or to carry out pre-contractual measures adopted on request by the Data Subject (Article 6, paragraph 1, letter b) of the Regulation), with reference to the sales contract between Website users and Partners and the pre-contractual stage between these subjects.

Personal data processed

Name and surname, email address, shipping address, billing address, telephone number, payment details and other information included in the purchase orders.

Name and surname, shipping address, billing address, telephone number and other information included in the purchase orders.

Data retention period

30 days from the expiry of the deadline for contesting payment and on conclusion of the related administrative and accounting formalities, without prejudice to the further storage of data as required by law.

30 days from the expiry of the deadline for contesting payment and on conclusion of the related administrative and accounting formalities, without prejudice to the further storage of data as required by law.

Nature of data provision and consequences of non-provision

The provision of data for these data processing activities is optional, although, depending on the case, it may be a necessary requirement for the conclusion or fulfilment of a contract. You are free to decide whether or not to share your data, but without this, it will not be possible to conclude or fulfil the contract.

The provision of data for these data processing activities is optional, although, depending on the case, it may be a necessary requirement for the conclusion or fulfilment of a purchase contract. You are free to decide whether or not to share your data, but without this, it will not be possible to conclude or fulfil the contract.


With regard to the retention period, your personal data is stored only for the periods of time indicated above. At the end of these periods, your data will be permanently deleted or otherwise anonymised in an irreversible manner. This is without prejudice to cases where retention for a further period is necessary to deal with any disputes, requests from competent authorities or pursuant to applicable legislation.

In any case, for technical reasons, the definitive deletion or irreversible anonymisation of personal data shall be concluded within 60 (sixty) days of the terms indicated above.

In relation to all the data processing activities indicated above, your personal data is mainly processed through IT and electronic tools.

2.3 Who will process your data?

Your data will be processed by the Joint Data Controllers and the subjects appointed by them only when this is indispensable with respect to the data processing purposes described above (see previous paragraph 2.2).

Your personal data will be processed by staff of the Joint Data Controllers, who are specifically trained and authorised to carry out such processing activities.

The Joint Data Controllers also use third parties (services providers and business partners) to carry out some of their activities and related data processing activities, with whom they share the necessary personal data. In particular, depending on the activity in question, the data will be communicated to the following categories of providers:

- Email service providers;

- Internet service providers;

- Companies specialised in IT and telematic services;

- Companies providing customer assistance;

- Companies offering marketing services;

- Companies specialised in market research and data processing.

Having been appropriately selected and on the provision of suitable guarantees of compliance with the rules on the protection of personal data, these parties shall process the personal data on behalf of the Joint Data Controllers, acting as their “Data Processors” on the basis of a specific written designation.

Your data is also shared by the Joint Data Controllers with other third parties, who will process this information as independent Data Controllers. These parties may include:

- Couriers and freight forwarders;

- Banking operators.

Finally, in accordance with the law and where deemed necessary, your data is shared with the tax authorities, police forces and judicial and administrative authorities for the detection and prosecution of crimes, the prevention and safeguarding against threats to public security, to allow the Joint Data Controllers or third parties to ascertain, exercise or defend a right in judicial, extrajudicial (mediation bodies and bodies with similar functions) and administrative settings, to fulfil legal obligations, as well as for other reasons related to the protection of the rights and freedoms of others.

2.4 Transfer of data outside the European Union

To fulfil the purposes described above, where strictly necessary, your data is also transferred to countries outside the European Union or the European Economic Area (EEA).

The data will be transferred in compliance with the related conditions provided for by the legislation currently in force. Specifically:

4) in accordance with the “adequacy decisions” adopted by the European Commission (more information, including the list of countries to which an adequacy decision applies, is available here );

5) in the absence of an adequacy decision, in compliance with “standard data protection clauses” (or “standard contractual clauses”) and in any case, where necessary, including “additional measures” ensuring an equivalent level of data protection to that established by European legislation;

6) in the absence of “standard data protection clauses”, in compliance with one of the other “appropriate safeguards” provided by law (Article 46, Regulation (EU) 2016/679).

2.5 Your rights.

You can exercise the rights described in the Personal Data Protection Act at any time, with reference to the specific processing of your data as carried out by the Joint Data Controllers. Below is a description of these rights and how to exercise them.

a) Right to object: you have the right to object to the processing of your data for “direct marketing” purposes (i.e. for the purpose of sending advertising materials or direct selling, or for undertaking market research or commercial communications) at any time, without having to indicate the reason why you object. You can also object to profiling activities carried out for direct marketing purposes. In these cases, we will cease processing your data for the direct marketing purposes to which you have objected.

You can easily object to the sending of promotional content emails by clicking on the appropriate link found at the bottom of each email received. Please be aware that you may receive further communications from us even after you have requested termination thereof, due to the fact that for technical reasons, your request may take up to 15 (fifteen) days to come into effect.

You also have the right to object to the processing we carry out on the basis of “legitimate interest” (more information on these processing activities is provided in the previous paragraph 2.2), including profiling, by telling us the reasons justifying your request (the law requires these reasons to be related to your particular situation). In this case, after evaluating your request, we will cease the processing activities to which you have objected, unless there are reasons that result in us having to refuse your request, as required by current legislation.

b) Right to access: you can ask us for confirmation that we are processing your personal data, and in relation to the processing activities carried out, you can obtain access to your data and additional information regarding the processing thereof (purposes of processing, categories of data, recipients to whom the data has been disclosed, data retention period, exercisable rights, information on the origin of the data, automated decision-making processes and data transfer to non-EU/EEA countries). In particular, you have the right to obtain a copy of the personal data of yours that we are processing.

c) Right to rectification: you have the right to have your inaccurate personal data rectified without undue delay. You can also request the supplementation of your personal data, in the event that the data is incomplete with respect to the purpose for which it is processed. We will not accept requests for supplementation with personal data that we do not need to process with respect to the purposes described in paragraph 2.2, in compliance with the current legislation.

d) Right to erasure: you can have your personal data erased without undue delay in the following cases: (i) the data is no longer necessary in relation to the purposes described in paragraph 2.2 or (ii) the data has been unlawfully processed or (iii) the data must be erased to comply with a legal obligation or, finally, (iv) when you have exercised your right to object and there is no overriding legitimate reason that allows us to continue the data processing. Once we have received your request, if it is legitimate, we will promptly cease processing activities and erase your personal data; if the data has been made public, depending on the available technology and cost of implementation, we will take reasonable steps to notify any other subjects that are processing your data of your request for erasure. The erasure of data cannot be fulfilled in some cases provided for by law, including those concerning data processing activities required in order to fulfil legal obligations and to protect a right in court.

e) Right to restrict processing: you can limit the processing of your personal data. In such cases, while we continue to retain your data, we will not use this, unless you ask us to do so or in the event of any exceptions required by law. Restricted data processing may be obtained solely in the following cases: (i) when you contest the accuracy of your personal data or (ii) when the processing is unlawful but you object to the erasure of your personal data or (iii) when we no longer need your personal data, but you need it in order to exercise a right in court or (iv) when you object to the processing of your data during the period in which we are assessing the grounds of your request.

f) Right to data portability: you can request to receive your data in a standard electronic format, so that you can transfer it to another data controller. Upon request, where technically possible, we will transfer your data directly to the third party indicated by you. This right can only be exercised if the legal basis for data processing (paragraph 2.2) is your consent or the need to fulfil a contract or pre-contractual measures adopted at your request. When we receive and fulfil a portability request, we only transmit the data that is compatible and necessary for the pursuit of the purposes described in this policy and, in any case, we adhere to the choices expressed by the data subject.

To make it easier for you to exercise your rights, YOOX has been identified as a “point of contact” concerning all matters relating to processing activities carried out as joint data controllers by YOOX and Partners.

To exercise your rights with regard to the data processing activities carried out jointly by YOOX and the Partners, and for any request related to the processing activities carried out by the Joint Data Controllers, you can therefore contact YOOX at any time, by writing to the YOOX address indicated in paragraph 2.1 above or to our Customer Care team (selecting “privacy”).

YOOX will respond to requests to exercise the rights without undue delay and, in any case, within one month of receipt of the request at the latest. This period may be extended by two months, if necessary, depending on the complexity and number of requests.

For any questions regarding your rights and your personal data, you can also contact the YOOX Data Protection Officer using the contact details set out in paragraph 2.1 above.

If you prefer, you can nonetheless exercise your rights directly with our Partners. You can find information on the identity and contact details of Partners (and of their Data Protection Officers, where applicable) in each Partner’s privacy policy, accessible from their product pages, which can be found on the Website.

Please be aware that due to technical reasons, the activities resulting from the exercise of one of the aforementioned rights, such as erasure or objection, may takeup to 15 (fifteen) days to be carried out: you may therefore receive, for example, further communications from us even after requesting the termination thereof, as due to technical reasons related to system updates, your request may take up to 15 (fifteen) days to come into effect.

To ensure that our users’ data is not breached or used unlawfully, we may need to ask you for some additional information before granting your request to exercise any of the rights described, in order to verify your identity.

3. Complaints and other important information.

3.1 Complaints

If you believe that the processing of your personal data has been carried out illegally, you can file a complaint with one of the supervisory authorities responsible for compliance with the rules on personal data protection.

In Italy, complaints may be submitted to the Italian Authority for the Protection of Personal Data (Garante per la Protezione dei Dati Personali). You can also submit the complaint to a supervisory authority of another EU country, if the latter authority is that of the state in which you usually reside, work or where the alleged violation occurred.

More information on how to submit a complaint can be found on the Italian Authority for the Protection of Personal Data website at http://www.garanteprivacy.it/.

You can also contact the Data Protection Officer (DPO) of YOOX and the Partners, using the contact details indicated in the previous paragraphs 1.1 and 2.1, to submit any requirement relating to the processing of your personal data.

3.2 Security measures.

We protect your personal data using specific technical and organisational security measures, in order to prevent it from being used in an illegal or fraudulent manner. In particular, we use security measures that guarantee: the pseudonymisation and encryption of your data; the confidentiality, integrity and availability of your data, as well as the resilience of the systems and services that process it; and the ability to recover the data in the event of incidents. YOOX shall also undertake to regularly test, verify and measure the effectiveness of the measures it has adopted with a view to ensuring the continuous improvement of data processing security levels.

With respect to the processing activities carried out by YOOX in joint ownership with the Partners, you can find more information on the security measures adopted in the " Summary of the Joint Controllership Agreement between YOOX and its Partners ”.

3.3 Modifications to the present policy.

This policy may be subject to changes and additions over time, due to the need to review its contents in relation to the possible evolution of the Website, its services, the technologies used, as well as with reference to any new regulatory provisions.

You can view the key contents of the Joint Controllership Agreement We shall inform you in an adequate and timely manner in case of substantial changes to this Privacy Policy. In any case, the updated version of the Privacy Policy will be published on this page, with an indication of the date of its last update.

3.4 Legislative references and useful links.

The processing of your personal data is carried out by YOOX and its Partners in full compliance with current legislation on the protection of personal data, consisting in particular of Regulation (EU) 2016/679 (General Data Protection Regulation) and, for YOOX and Partners established in Italy, by the Personal Data Protection Code (Legislative Decree 196/2003, as last amended and supplemented by Italian Legislative Decree 101/2018), as well as by the provisions of the Italian Authority for the Protection of Personal Data.

For further information regarding the legislation on the protection of personal data and your rights, please visit the website of the Italian Authority for the Protection of Personal Data: www.garanteprivacy.it.

Summary of the Joint Controllership Agreement

Essential content of the Joint Controllership Agreement

The website www.yoox.com (“Website” or “ Site”) is a “marketplace”: this means that the products on the Website are offered and sold by both YOOX NET-A-PORTER GROUP S.p.A. (“YOOX”) and its partner sellers (“Partners” or “Sellers”).

For this reason, in some cases YOOX and its Partners jointly decide on the purposes and means of processing the personal data of Website users (“ Data Subjects”) and, therefore, are deemed “Joint Controllers” of such processing activities.

In compliance with the provisions set out in the Personal Data Protection Act, YOOX and its Partners (“Joint Data Controllers”) have entered into a “joint controllership agreement”, with a view to determining the responsibilities of each regarding compliance with the obligations under this policy (Article 26 of Regulation (EU) 2016/679, hereinafter referred to as the “Regulation”) in a transparent manner.

The essential content of this agreement is contained in this document, which Data Subjects can consult in order to understand the responsibilities of YOOX and the Partners with regard to the data processing activities carried out as Joint Data Controllers.

Further information on the processing activities carried out jointly by YOOX and its Partners can be found in the appropriate section of the Personal data Privacy Notice.

YOOX and its Partners also process the personal data of Website users as “independent Data Controllers”: for further information, please refer to the same section of the abovementioned Privacy Notice.

YOOX NET-A-PORTER GROUP S.p.A. is a sole shareholder company subject to the management and coordination of Compagnie Financière Richemont S.A., with registered office on Via Morimondo 17 - 20143 Milan (Italy), Tax Code and VAT no. 02050461207.

The information on the processing of personal data by an individual YOOX Partner and indications regarding how to contact them can be found in the appropriate policy provided by the Partner, published on the Website and accessible via the dedicated link included in each of the Partner's product pages, which can be found on the Website.

1. Description of the data processing activities carried out in joint data ownership.

The following activities involve the joint processing of personal data by YOOX and its Partners. For each activity, information is provided on the activities for which each Joint Data Controller is responsible (“operational scope”), as well as the characteristics of the data processing activities carried out.

1. Activities: Prevention and suppression of fraud, counterfeiting and abusive behaviours, including the management of chargebacks and disputes related to payments, in connection with the sale of Partner products on the Website, including in conjunction with YOOX products.

YOOX

Seller

Operational scope

Collection of the data of Data Subjects: analysis of the data collected; transmission of the Data Subject’s data to the Seller so that the latter can identify any possible fraudulent activities; processing activities necessary to prevent the fraud by the Data Subjects.

Data processing activities necessary to prevent fraud by Data Subjects “to be checked”, subsequent to the order acceptance.

Purposes of processing

Prevention and suppression of fraudulent behaviours with respect to the sale of Partner products on the Website, including in conjunction with YOOX products, and including the management of chargebacks and disputes related to payments.

Prevention and suppression of fraudulent behaviours with respect to the sale of Partner products on the Website, including in conjunction with YOOX products, and including the management of chargebacks and disputes related to payments.

Lawful basis for processing

Legitimate interest (Article 6, paragraph 1, letter f) of the Regulation). In particular: legitimate interest in the prevention and suppression of fraudulent activities that may compromise the profitability of the Website and the security of Website users, with respect to the sale of the Seller’s products on the Website, including in conjunction with YOOX Products.

Legitimate interest (Article 6, paragraph 1, letter f) of the Regulation). In particular: legitimate interest in the prevention and suppression of fraudulent activities that may compromise the profitability of the sale of proprietary products on the Website and the security of Website users.

Categories of personal data

Website visitor/customer IP address, purchases made, data relating to shipments and returns, data relating to purchase order payment data, characteristics prior to withdrawals and returns.

Data relating to purchase orders and to shipments with reference to orders involved in chargebacks and disputes related to payments.

Categories of Data Subjects

Website visitors (registered or non-registered), Website customers and potential customers (registered or non-registered).

Customers and potential customers (registered and non-registered) of the Website.

Data retention period

Data related to payments: until the payment has been certified and the relative administrative and accounting formalities have been fulfilled following the deadline applied for payment disputes. This is in any case without prejudice to further storage due to the need to process the data for the purposes of protecting the rights of the Data Controller or of a third party (until the conflict situation or the legal dispute requiring data processing can be considered definitively resolved), as well as to requests from the competent authorities for the prevention and suppression of crimes (for as long as necessary).

Data related to orders and to shipments: retention until the relative administrative and accounting formalities have been fulfilled, following the expiry of the right of withdrawal and the deadline applied for payment disputes. This is in any case without prejudice to further storage due to the need to process the data for the purposes of protecting the rights of the Data Controller or of a third party (until the conflict situation or the legal dispute requiring data processing can be considered definitively resolved), as well as to requests from the competent authorities for the prevention and suppression of crimes (for as long as necessary).

Provision of data

The provision of data for this processing activity is optional, although it is a necessary requirement for the sending of an order or fulfilment of a purchase agreement.

The provision of data for this processing activity is optional, although it is a necessary requirement for the sending of an order or fulfilment of a purchase agreement.


2. Activities: “Online sales management” of the products offered by the Seller on the Website.

YOOX

Seller

Operational scope

Collection of data relating to Data Subjects’ purchase order proposals; transmission of data relating to Data Subjects’ purchase order proposals to the Seller; sending of communications to Data Subjects relating to the order proposals transmitted (e.g. confirmation of receipt of the proposal, acceptance or non-acceptance of the proposal); customer service activities related to this operational scope.

Management of the data relating to Data Subjects’ purchase order proposals and the management activities connected to such proposals, in any case no later than the acceptance or non-acceptance of the aforementioned order proposals; provision of indications regarding the sending of communications to Data Subjects regarding the transmitted order proposals (e.g. confirmation of receipt of the proposal, acceptance or non-acceptance of the proposal); customer service activities related to this operational scope.

Purposes of processing

To ensure the proper functioning of the Website, managing purchase orders relating to Seller products.

Sale of proprietary products through the Website, managing of related purchase orders.

Lawful basis for processing

The data processing is necessary to fulfil a contract to which the Data Subject is party or to carry out pre-contractual measures adopted upon request of the same (Article 6, paragraph 1, letter b) of the Regulation), with reference to the “General Terms and Conditions of Use” governing the information society service (online sales) provided by YOOX through the Website.

The data processing is necessary to fulfil a contract to which the Data Subject is party or to carry out pre-contractual measures adopted upon request of the same (Article 6, paragraph 1, letter b) of the Regulation), with reference to the sales contract between Website users and the Seller and the pre-contractual stage between these same subjects.

Categories of personal data

Name and surname, email address, shipping address, billing address, telephone number, payment details.

Name and surname, shipping address, billing address, telephone number.

Categories of Data Subjects

Website visitors (registered or non-registered), Website customers and potential customers (registered or non-registered).

Customers and potential customers (registered and non-registered) of the Website.

Data retention period

30 days from the expiry of the deadline for contesting payment and on conclusion of the related administrative and accounting formalities, without prejudice to the further storage of data as required by law.

30 days from the expiry of the deadline for contesting payment and on conclusion of the related administrative and accounting formalities, without prejudice to the further storage of data as required by law.

In the event that the sales contract with the Data Subject is concluded, subsequent storage of data is carried out by the Seller as independent Data Controller.

Provision of data

The provision of data for these processing activities is optional, although it constitutes a necessary requirement for the fulfilment of a contract. The Data Subject is free to share their data or not, but failing this, it will not be possible to execute the contract and corresponding requests.

The provision of data for these data processing activities is optional, although, depending on the case, it may be a necessary requirement for the conclusion or fulfilment of a purchase contract. The Data Subject is free to share their data or not, but failing this, it will not be possible to conclude or execute the contract.

As described in the Website’s Personal Data Privacy Notice, which should be referred to for further details, with respect to the processing activities described above, the personal data of the Data Subjects will be processed by authorised personnel of the Joint Data Controllers and by subjects external to the Joint Data Controllers only when this is indispensable for the fulfilment of the processing purposes described above. In particular, the data will be shared with the following categories of recipients: email service providers; Internet service providers that host the Website; companies specialised in IT and telematic services; companies providing customer assistance services; companies that carry out marketing activities; companies specialised in market research and data processing; couriers and shipping agents; bank operators; payment and credit card companies; tax authorities, police forces, judicial and administrative authorities.

2. Rights of Data Subjects and point of contact.

Data subjects benefit from the following rights: right to object; right to access; right to rectification; right to erasure; right to restrict processing; right to data portability. The Data Subject may also lodge a complaint with a supervisory authority. For further information, please refer to the Website’s Personal Data Privacy Notice.

To assist the Data Subjects in exercising their rights as per the Personal Data Protection Act (Article 15 and following of the Regulation), the Joint Data Controllers have decided to designate YOOX as the point of contact for Data Subjects and YOOX will respond to Data Subjects’ requests.

Data Subjects can contact YOOX at any time by writing to the address indicated above or to the YOOX Customer Care team (selecting “privacy”), or by calling the number 800593888.

So as to enable YOOX to respond to Data Subject’s requests, the YOOX Partners undertake to forward such requests to YOOX and to provide YOOX with the necessary cooperation in this regard. For requests of particular complexity or that otherwise require the involvement of the Partner, YOOX will involve the Partner in the handling of the request and the latter will provide YOOX with the necessary cooperation.

In compliance with the provisions set out in the Regulation, Data Subjects may also exercise their rights directly with regard to Partners, by contacting them at the addresses included in the appropriate policy provided by each individual Partner, published on the Website and accessible via the dedicated link included in each of the Partner's product pages found on the Website.

3. Information obligations towards Data Subjects.

The Joint Data Controllers have identified YOOX as being responsible for providing the Data Subjects with information on joint data processing activities (Articles 13 and 14 of the Regulation).

This information is contained in a special section of the Website’s Personal Data Privacy Notice, which YOOX makes available to Data Subjects on a dedicated page of the Website accessible through a link included both in the footer of each page of the Website, and as part of the Data Subjects’ registration process to the Website; this can also be requested from the Customer Care team.

To ensure the availability of all information pertinent to the data processing activities in joint ownership, the Partners have undertaken to publish on the Website the relevant required information of their competence via a specific policy provided by each individual Partner, accessible via the dedicated link included in each of the Partner's product pages found on the Website.

YOOX has also undertaken to make this essential content of the Joint Controllership Agreement available to Data Subjects and to inform Data Subjects of the “contact point” described in the previous paragraph.

The Joint Data Controllers have undertaken to ensure that the information on joint data processing provided to the Data Subjects is kept up to date. Updated information will be provided to Data Subjects by YOOX, and the Partners are required to collaborate with YOOX to ensure such updates take place.

4. Further obligations of the Joint Data Controllers.

Governed matter

Responsibilities of each Joint Data Controller

Principles, lawfulness of processing and obligations to cooperate

Both Joint Data Controllers have undertaken:

1. to carry out the data processing activities in joint ownership in compliance with the principles applicable to the processing of personal data (Article 5 of the Regulation), as well as to implement the measures and other guarantees necessary to ensure compliance with data protection, by design and by default (Article 25 of the Regulation);

2. to each carry out the assessments necessary to take advantage of the condition of lawfulness relating to “legitimate interest” (Article 6, paragraph 1, letter f) of the Regulation), as well as to provide Data Subjects with information relating to the evaluations carried out at their request;

3. cooperate with each other fairly and in good faith, in a timely and appropriate manner so as to ensure compliance with the Personal Data Protection Act;

4. to provide the supervisory authorities established by the Regulations with maximum cooperation, also in the interest of the other Party.

Data processors and persons authorised to process data (Articles 28 and 29 of the Regulation)

Each Joint Data Controller has undertaken to have the processing of data in joint ownership carried out through any external suppliers in strict compliance with all the provisions of the legislation on the protection of personal data, and is obliged to use only suppliers that present adequate guarantees on compliance with legislation on the processing of personal data and the rights of the Data Subjects, to conclude a specific contract with the suppliers "responsible for data processing", to monitor the activities carried out by the suppliers, etc.

Both Joint Data Controllers have undertaken to provide persons authorised to process personal data under their direct authority with the necessary instructions to ensure compliance with the legislation on the protection of personal data and to ensure that such persons are bound by an obligation of confidentiality.

Security of data processing (Art. 32 of the Regulation)

Each Joint Data Controller has undertaken to ensure a level of security for the data processing activities in joint ownership that is appropriate to the risk of varying probability and severity for the rights and freedoms of the Data Subjects, adopting the appropriate technical and organisational security measures in this regard that are deemed necessary and, in any case, the measures specifically agreed in the Joint Controllership Agreement.

Personal data breaches (Articles 33 and 34 of the Regulation)

The Joint Data Controllers have established that YOOX is responsible for fulfilling the obligations to notify the supervisory authority and to communicate to the Data Subjects any breach of personal data, without prejudice to breaches inherent to the processing “tools” that are under the sole control of the Partners. The Joint Data Controllers have assumed specific obligations regarding information and mutual collaboration, in order to enable compliance with current regulations, as well as appropriate and timely management of any breach of personal data.

Data protection impact assessment (Articles 35 and 36 of the Regulation)

The Joint Data Controllers have decided to jointly carry out any necessary impact assessments within the areas for which they are responsible, establishing a specific internal procedure for carrying out such assessments both before the start of the processing activities and subsequently (if the need to carry out an impact assessment should only emerge after the start of the processing activities) and for updating the same. The Joint Data Controllers have established that YOOX is responsible for any prior consultation with the competent Supervisory Authority, where necessary.

Data Protection Officer (Articles 37 and following, of the Regulation)

YOOX has appointed a Data Protection Officer (DPO), who can be contacted at the email address dpo@ynap.com or by writing to the “Data Protection Officer” at the YOOX address indicated above.

The Partners have undertaken to designate a DPO, if not already appointed, in the event that the execution of the data processing activities under joint ownership requires this pursuant to the Regulation. Information on the contact details of the DPO designated by the Partners may be found in the specific policy provided by each individual Partner, published on the Website and accessible via the dedicated link included in each of the Partner’s product pages found on the Website.

Transfer of personal data to third countries (Articles 44 and following, of the Regulation)

Each Joint Data Controller has undertaken to carry out any transfers of personal data to non-EU/EEA countries or international organisations only in compliance with the provisions of the legislation on the protection of personal data, ensuring that the level of protection of natural persons guaranteed by the Regulation is not affected by such transfers, by giving prior notice to the other Joint Data Controller and taking care to update the information to be provided to the Data Subjects.

Last update 25 March 2023