Pursuant to the EU Regulation on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation “GDPR” as subsequently amended and supplemented), any personal data provided or otherwise collected in the course of our activities will be processed in compliance with the principles laid out by the above-mentioned regulation and in accordance with our confidentiality policy and with the principles of lawfulness, fairness, transparency and protection of the rights of the Data Subject i.e. the person to whom the information refers.
Your Data will be processed for the purposes and under the conditions outlined below.

1. Data Controller
LOCH DAVIS ROSEMARY with registered office at SESTIERE CANNAREGIO 6091, 30121 – VENEZIA [Venice, Italy], Italian tax code LCHRMR65C44Z347K, Italian VAT no. 04202480275, mail: romi@romilochdavis.com, acts as the Data Controller.
You may contact the Data Controller at any time to exercise your rights as provided for in Articles 15 to 22 of EU Regulation no. 679 of 27/4/2016.

2. Purposes of data processing
Personal data may be processed by the Data Controller to:

• allow and ensure the best browsing experience on the site www.romilochdavis.com (legal basis: legitimate interest of the Data Controller)
• execute your requests for information about the products on sale (legal basis: your request):

1. execute the contract for the purchase of products on sale (legal basis: your request)
2. comply with the legal requirements to which the Data Controller is subject (legal basis: legal obligations)
3. promote the Data Controller’s business activities (legal basis: your consent)

3. Type of Data collected
The Data Controller collects data classified as:
a) general personal data i.e. personal and contact details;
b) details relating to the payment of products sold.

4. Nature of data provision
The provision of data for the purposes indicated above is mandatory in order to allow navigation, to execute pre-contractual requests or to execute sales contracts.
The provision of data for the purposes of promoting Data Controller’s activities is optional and is subject to your express consent.

5. Sharing and communication of personal data
Notwithstanding the disclosure of personal data carried out in order to fulfil legal obligations, personal data collected and subsequently processed may be shared by the Data Controller for the purposes outlined above with:

• professional corporations acting as Data Processor on behalf of the Data Controller (e.g. lawyers, accountants, IT system management and maintenance service providers) for purposes strictly related to the services provided by them. Your data will neither be disclosed or otherwise used without your express written consent nor used for the purposes of obtaining anonymous statistical, commercial information, etc.
• jointly liable and trusted third parties;
  
  
• legal authorities;
  Data Controller’s employees or collaborators.
• 
  The recipients of your data, duly instructed about the data processing, are bound by confidentiality and professional secrecy obligation.

6. Data retention period
In compliance with Italian and EU data protection regulation and pursuant to Article 2220 of the Italian Civil Code, personal data collected for the purposes of service provision shall be stored by the Data Controller for a period of 10 years from the date of last contact with the Data Subject. In any case the data will be retained for as long as is necessary to carry out the purposes set out in this privacy policy.
The data collected for promotional purposes will be kept for a maximum of 24 months from the date of collection.

7. Rights of the Data Subject
The Data Subject may exercise, with regard to the processing of personal data, the rights provided for by Articles 15-22 of the EU Regulation no. 679 of 27/04/2016 (GDPR)
and in particular: right to erasure (right to be forgotten), right to restriction of processing, right to updating, right to rectification, right to portability, right to object to processing of personal data and any other right provided for in articles 15-22 of the GDPR.
Extract from the Rights of the Data Subject – EU regulation 2016/679
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
The Data Subject shall have the right

• to lodge a complaint with a supervisory authority, Data Protection Commissioner, in accordance with the procedures and instructions published on the official website of the authority: www.garanteprivacy.it;
  
  
• where the personal data are not collected from the Data Subject, to obtain any available information as to their source;
• to be informed about the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

The Data Controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
The Data Subject may exercise the aforementioned rights by any means and free of charge. This privacy policy may be amended, either orally or in writing, with further elements and indications, in order to better answer any question related the protection of personal data and to comply with the relevant regulation in force from time to time.