Furla Privacy Policy
Annex 2
to the Order of the General Director No. SZPDn-03 of December 5, 2023
APPROVED BY
Order of December 5, 2023
CEO
Furla Rus LLC
A.V. Smirnov
Furla Rus LLC
PRIVATE DATA PROCESSING POLICY
1. GENERAL PROVISIONS
1.1. This Private Data Processing Policy (hereinafter referred to as the Policy) was developed in compliance with the requirements of the Federal Law of July 27, 2006 No. 152-FZ On Private Data. The purpose of this Policy is to set out the approaches to the processing and protection of private data of the Limited Liability Company ‘Furla Rus’ (hereinafter referred to as the Company), operating under the legislation of the Russian Federation and located at Russian Federation, 121099, Moscow, Smolenskaya Square, bldg. 3, (floor/premises/office 8/I/19).
1.2. The Company is a subsidiary of Furla SpA, a legal entity established in compliance with the laws of Italy, registered with the Chamber of Commerce and Industry of Bologna under the number: BO-278122, located at 40068 San Lazzaro di Savena (Bologna) Italy.
1.3. The Company processes private data of its customers, that is, persons who purchased Furla products in one of the Company’s retail stores or by placing an order in its online store at https://furla.com/ru (hereinafter referred to as the Website), as well as potential customers who show interest in Furla products and have visited one of the Company’s retail stores or the Website. In addition, the Company processes private data of certain categories of other entities interacting with the Company during its business activities (applicants, employees, contractors and a number of others).
1.4. The Company follows the principles of ensuring the security of private data of any private data subjects in order to protect their rights and freedoms, including protecting the rights to privacy, private and family secrets, as well as compliance with the requirements of Russian and international legislation. The legal grounds for processing private data by the Company are the Labor Code of the Russian Federation, the Tax Code of the Russian Federation, the Civil Code of the Russian Federation, the Law of February 7, 1992 No. 2300-1 ‘On the Protection of Consumer Rights’, the Federal Law of December 6, 2011 No. 402-FZ ‘On Accounting’, Order of the Federal Archive of December 20, 2019 No. 236 ‘On Approval of the List of Standard Management Archival Documents Generated in the Course of Activities of State Authorities, Local Governments and Organizations, Specifying Storage Periods’, other legal acts regulating the activities of the Company, and also its constituent documents.
1.5. This Policy covers all information containing private data of private data subjects that the Company may receive about any private data subject when performing its business activities. This Policy is posted in all places where private data are collected by the Company and is recommended for familiarization by all private data subjects who give their data to the Company.
1.6. Terms not defined in this Policy have the meaning specified the legislation of the Russian Federation (primarily Federal Law of July 21, 2006 No. 152-FZ ‘On Private Data’).
2. GOALS AND METHODS OF PROCESSING PRIVATE DATA
2.1. Here are the purposes, composition and terms of processing private data of various categories of subjects in the Company:
Purpose of processing | Categories of subjects and composition of data | Processing deadlines |
Making a decision on concluding an employment contract with an applicant, including agreeing upon his/her candidacy with the global management of the Furla group of companies. | Applicants: last name, first name, patronymic, gender, date of birth, citizenship, work experience, skills, achievements, education, qualifications, knowledge of foreign languages, contact numbers, emails, health limitations, photos, other data specified in the CV. | Before making a decision on the candidacy. |
Conclusion and fulfillment of employment contracts | Workers: last name, first name, patronymic; year, month, date of birth; place of birth; address of registration; phone numbers; emails; marital status, children; social status, availability of benefits; property status, information about income; work experience (total work experience); content of the employment contract; information contained in ID documents; information about visas, work permits, and other migration documents; information contained in the work book; information contained in the insurance certificate of state pension insurance; information contained in the certificate of registration of an individual with the tax authority in the Russian Federation; information contained in military registration documents; information about education, profession, qualifications or special knowledge or training; photos; other subject-related information establishing the fact that the above information regards the subject (including information contained in the unified form T-2 ‘Employee File Card’). Special categories: information about disability and health status. Close relatives of employees: last name, first name and patronymic, date of birth, degree of relationship. | Before the employment contract termination date.
|
Organization of employee insurance services | Workers: full name; date of birth; gender. | Before the employment contract termination date. |
Organization of medical examinations of employees and provision of medical services to them | Workers: last name, first name and patronymic; date of birth (age); gender; place of birth; address; citizenship; compulsory medical insurance policy data; passport details; insurance number of an individual personal account; place of work; experience; job title; phone number. | Before the employment contract termination date. |
Organization of business trips and transportation for employees | Workers: last name, first name and patronymic; date of birth; gender; address; place of birth; passport details; citizenship; telephone number, email. | Before the employment contract termination date. |
Corporate training for employees | Workers: full name; job title; subdivision; photo; email; information about training; date of birth (age); gender; address; place of birth; passport details; citizenship; phone number. | Before the employment contract termination date. |
Employee access to corporate services | Workers: full name; job title; phone number; email. | Before the employment contract termination date. |
Ensuring operator’s compliance with occupational safety and health legislation | Workers: full name; year, month, date of birth (age); job title; department (place of work); information contained in the insurance certificate of state pension insurance; personnel number; employment date. Special categories: health information. | Before the employment contract termination date. |
Access control | Workers: last name, first name and patronymic; job title; place of work; gender; passport details; photo. | Before the employment contract termination date. |
Conclusion and fulfillment of civil contracts with counterparties | Performers and suppliers: full name; gender; passport series, number, date and issuing authority; date of birth; address of registration; taxpayer identification number; insurance number of an individual personal account; bank details; information about income; primary state registration number of an individual entrepreneur. Representatives of counterparties: full name; position, place of work, telephone number, email. | Before the day of termination of the contract with the counterparty. |
Consideration of requests and quality control of customer support service | Customers and potential customers: full name; phone number; email, contact details. | Before the expiration of 1 (one) year from the date of sending the application. |
Conclusion and fulfillment of civil contracts with customers, including operation of the website and online store, refund of funds. | Customers and potential customers: full name; delivery address, phone number; email; passport details, address of registration, bank details. | Within 3 (three) months from the date of fulfillment of the order or until the day the customer’s request for a refund is fulfilled. |
Implementation of a global loyalty program | Customers and potential customers: full name; delivery address, phone number; email. Loyalty program participants: full name; gender; residential address, phone number; email; birthday; gender; identifier in the CRM system. | Before the termination of the operator’s activities or the subject’s participation in the loyalty program. |
Promotion of products and services on the market, performing marketing activities through advertising related to products under the Furla trademark and services provided by the Company, the Company’s partners, by making direct contacts with potential consumers using communication means (taking into account the selected contact options) | Customers and potential customers: full name; date of birth; phone number; email. Loyalty program participants: full name; date of birth; phone number; email.
| Before the termination of the Company's activities, unless consent to send advertising is revoked earlier. |
Normal functioning of automated personnel, accounting and tax accounting systems | Employees and former employees: full name; year, month, date of birth; place of birth; address of registration; phone numbers; emails; marital status, children; social status, benefits; property status, information about income; work experience (total work experience); content of the employment contract; information contained in identity documents; information about visas, work permits, and other migration documents; information contained in the work book; information contained in the insurance certificate of state pension insurance; information contained in the certificate of registration of an individual with the tax authority in the Russian Federation; information contained in military registration documents; information about education, profession, qualifications or special knowledge or training; photos; other subject-related information establishing the fact that the above information regards the subject (including information contained in the unified form T-2 ‘Employee Personal Card’). Special categories: information about disability and health status. Close relatives of employees and former employees: last name, first name and patronymic, date of birth, degree of relationship. Counterparties and former counterparties: full name; gender; passport series, number, date and issuing authority; date of birth; address of registration; taxpayer identification number; insurance number of an individual personal account; bank details; information about income; primary state registration number of an individual entrepreneur. Representatives of counterparties and former counterparties: full name; job title; emails; phone number Customers and former customers: full name; passport details, address of registration, bank details. | Before the termination of the Company's activities or the Company's refusal to use the accounting system. |
Compliance with the requirements of current legislation | Employees, former employees and their relatives: full name; gender; passport series, number, date and issuing authority; date of birth; place of birth; address of registration; actual residence address; taxpayer identification number; insurance number of an individual personal account; position, duration of service, information about income, military registration information, emails, phone number and other data contained in personnel records. Counterparties and former counterparties: full name; gender; passport series, number, date and issuing authority; date of birth; address of registration; taxpayer identification number; insurance number of an individual personal account; bank details; information about income; primary state registration number of an individual entrepreneur. Representatives of counterparties and former counterparties: full name; gender; passport series, number, date and issuing authority; job title. Customers: Full Name; delivery address, telephone number; email address; passport details, address of registration, bank details. | Before the expiration of the deadlines provided for by the legislation of the Russian Federation on the storage of documents and information. |
2.2. Any actions to private data, be it processing of paper documents or processing data by automated systems, are only made by the Company for the above purposes. To achieve the above goals, private data can be processed by the Company through the following operations: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (provision, access), blocking, deletion, destruction. The Company does not distribute any private data.
3. COLLECTING PRIVATE DATA
3.1. The Company processes only private data provided to the Company by the private data subjects or by third parties with the consent of the private data subjects.
3.2. If processing private data is not expressly provided for by Russian legal acts, the Company processes private data only in the following cases:
(a) the Company or another person has received the consent from the private data subject for processing his/her private data by the Company;
(b) the processing of private data is required to fulfill a contract to which the private data subject is a party (or a beneficiary);
(c) processing of private data is required to conclude a contract at the initiative of the private data subject or a contract under which the private data subject is a beneficiary or guarantor;
(d) the processing of private data is required to exercise the rights and legitimate interests of the Company or third parties.
3.3. Customers, including potential ones, have the opportunity to express their consent to processing private data by the Company:
(a) in the course of providing their data when sending an application through the feedback form on the Website (when providing private data in the specified way, the subject expresses his/her consent to the processing of his/her private data by the Company for consideration of application and quality control of the customer support service within the above deadlines);
(b) when providing their data through an electronic form when registering an account on the Website or through a special consent collection system available in the Company’s stores (when providing private data in one of the specified ways, the subject expresses his/her consent to the processing of his/her private data by the Company for the implementation of the global loyalty program, performing marketing activities through advertising products under the Furla trademark and services provided by the Company and its partners, establishing direct contacts with the subject within the above deadlines);
(c) in the course of providing his/her data when subscribing to the newsletter by email (when providing private data in this way, the subject expresses his/her consent to the processing of his/her private data by the Company for marketing activities through advertising products under the Furla trademark and services provided by the Company and its partners, establishing direct contacts with the subject within the above deadlines).
3.4. The Company also processes private data of unregistered customers who made purchases in the Website online store. In this case, the customer’s private data are only processed to fulfill the purchase and sale contract (accepting payment for products and related services, organizing delivery of products to the place specified by the customer) and create conditions for resolving eventual disputes.
3.5. In addition to private data, the Company uses anonymous information about statistics on the use of the Website (including the number of visitors, their gender, age, types of devices, sources of visits, as well as the behavior of visitors on the Website pages). This information is collected using third-party services (Google Analytics and other similar programs). The relevant services use cookies, that is small text files placed on users’ computers to analyze their user activity. The information collected using cookies does not identify the Website visitors, but may help to improve the Website operation and optimize its work based on the preferences of a particular user. Website visitors may reject the use of cookies by selecting the appropriate settings on their browser. Read more about the use of cookies on the Company’s Website at https://www.furla.com/ru/ru/eshop/customer-service/cookie-policy/.
3.6. Any customer, including a potential one, always has the right not to provide his/her private data to the Company: private data are only provided at the will and discretion of the private data subject. However, without the data specified when placing an order on the Website, the Company is unable to ensure the proper fulfillment of its obligations to the customer. If a person does not provide the private data required to participate in the loyalty program, he/she cannot be registered on the Website and use additional services that the Company offers to its registered customers (for example, attending events organized by the Company or previewing collections).
4. PRIVATE DATA TRANSFER
4.1. The Company may transfer private data to third parties who process them on behalf (in the interests) of the Company, as well as to independent private data operators. When transferring private data to other operators, the Company notifies such persons of the obligation to maintain the confidentiality of private data and use them only for the purposes for which they were transferred, and also ensures that contracts with such persons include the terms provided for by current legislation and aimed at ensuring the protection of private data by their recipients.
4.2. Private data of candidates for employment in the Company may be transferred to the following persons:
Process requiring data transfer | Categories of recipients |
Coordination of the candidate with the global management of the Furla group of companies. | The parent company of the group (Italy). |
Technical support of information systems. | Contractors who provide technical support and information system support for the Company. |
4.3. Employee private data may be transferred to the following persons:
Process requiring data transfer | Categories of recipients |
Technical support of information systems. | Contractors who provide technical support and information system support for the Company. |
Outsourcing of payroll calculation and other related services. | Contractors who provide bookkeeping, tax and management accounting services to the Company. |
Issuing a bank card to an employee to receive wages | Credit organizations. |
Providing access to mobile communication services. | Mobile operations. |
Organizing access to online libraries as employee incentives. | Contractor who provides access to the online library. |
Voluntary medical, life and health insurance for employees. | Insurance companies and brokers. |
Organization of medical examinations of employees. | Medical organizations. |
Business and other trips for employees. | Travel agencies, hotel and transportation providers. |
Employee training and promotion. | Educational organizations. |
Creation of work accounts in corporate services for employees. | The parent company of the group (Italy). |
Ensuring labor safety at workplaces. | Companies providing labor protection services. |
Military registration of employees. | Organizations ensuring the Company’s compliance with the military registration law |
Organization of access control at Company’s sites. | Owners of the Company’s trade sites and offices, as well as security organizations engaged by them or the Company. |
Financial and other types of audits of the Company. | Audit companies. |
Special assessment of working conditions at workplaces. | Companies assessing working conditions. |
Long-term storage of documents generated in the course of the Company’s business. | Companies providing professional storage of documents. |
4.4. Private data of counterparties, former counterparties and their representatives may be transferred to the following persons:
Process requiring data transfer | Categories of recipients |
Interaction with counterparties through electronic document management systems. | Operators of electronic document management services. |
Technical support of information systems. | Contractors who provide technical support and information system support for the Company. |
Financial and other types of audits of the Company. | Audit companies |
Long-term storage of documents generated in the course of the Company’s business. | Companies providing professional storage of documents. |
4.5. Private data of customers, potential customers and loyalty program participants may be transferred to the following persons:
Process requiring data transfer | Categories of recipients |
Receiving and processing incoming requests from customers, including potential ones; making outgoing notifications and calls. | Call center service providers. |
Ensuring the Website operation, the Website online store, as well as corporate information systems used by the Company to process information on customers and potential customers. | The parent company of the group (Italy), as well as other persons providing technical support and information system support (France, Sweden). |
Delivery of orders to customers. | Carriers, postal organizations, delivery companies and courier services. |
Implementation of a global loyalty program. | The parent company of the group (Italy). |
Sending text messages and emails. | Mailing service providers. |
Financial and other types of audits of the Company. | Audit companies. |
Long-term storage of documents generated in the course of the Company’s business. | Companies providing professional storage of documents. |
4.6. A full list of persons processing the subject’s private data on behalf of the Company or receiving the subject’s data from the Company may be provided to the subject in the manner prescribed in Section 6 of this Policy.
4.7. In some cases, recipients of private data may be located outside the Russian Federation. However, the Company does not transfer private data to countries that do not provide adequate protection of the rights of private data subjects. The Company notifies authorized bodies on any facts of cross-border transfer of private data in cases provided for by law.
4.8. State authorities of the Russian Federation, as well as other public entities, can gain access to processed private data only in cases established by the Russian law.
5. STORAGE AND PROTECTION OF PRIVATE DATA
5.1. The Company is fully committed to the protection of private data processed. The Company has appointed a person in charge for organizing the processing of private data, who supervises any issues related to the processing of private data and ensuring the rights of private data subjects. The Company has also introduced a set of internal documents regulating the procedure for processing and protecting private data of subjects.
5.2. When processing private data, organizational, legal and technical protection measures are taken to exclude any possibility of unauthorized access to private data by unauthorized persons. Among other things, such measures include:
(a) modeling threats to the security of private data;
(b) ensuring the security regime of the premises where private data information systems are located, preventing any possibility of uncontrolled presence in these premises of persons who do not have the right to access them;
(c) drawing up a list of persons whose access to private data is required for their official duties;
(d) ensuring the safety of private data media;
(d) managing access to private data (including password protection);
(e) private data security control;
(f) ensuring the availability of private data (including through backup of private data at specified intervals);
(g) anti-virus protection of private data information systems.
5.3. The periods for storage and other processing of private data depend on the purposes of processing private data and/or individual consents of the private data subjects. In any case, processing of private data must be terminated upon achievement of the purposes of processing the relevant data, as well as in case of termination of the grounds for processing private data (including withdrawal of previously given consent to the processing of private data, if the legislation does not grant the Company the right to continue processing private data).
5.4. Private data processed by the Company must be destroyed with the mandatory registration of the fact of destruction by drawing up a private data destruction act. In case of destruction of private data processed using automation tools, in addition to the act, the fact of destruction of private data must be registered in the Event Journal of the relevant private data information system. The composition of information recorded in acts and journals when private data are destroyed is determined by the Russian law.
6. RIGHTS OF PRIVATE DATA SUBJECTS
6.1. Subjects whose private data are processed by the Company have the following rights:
(a) the right to gain access to information on processing their private data;
(b) the right to require the Company to clarify private data, block or destroy them if the private data are incomplete, outdated, inaccurate, illegally obtained or are not required for the stated purpose of processing;
(c) the right appeal in court any unlawful actions or inactions of the Company in the processing and protection of private data, and take any other legal measures to protect their rights.
6.2. Private data subjects have the right (by private contact or by sending a written request) to gain access to information on processing their private data, containing:
(a) confirmation of the fact of processing private data by the Company;
(b) legal grounds for and purposes of processing private data;
(c) methods used by the Company for processing private data;
(d) name and location of the Company, information about persons who have access to private data or to whom private data may be disclosed under a contract with the Company or incompliance with federal law;
(e) processed private data related to the relevant private data subject, as well as the source of their receipt, unless a different procedure for the presentation of such data is provided for by federal law;
(f) terms of processing of private data, including periods of their storage;
(g) the procedure for the exercise of the private data subject’s rights provided for by the legislation on private data;
(h) information on cross-border data transfer;
(i) name, last name, first name, patronymic and address of the person processing private data on behalf of the Company, if the processing has been or will be assigned to such a person;
(j) other information required by law.
The information specified in this clause is provided to the private data subject or his/her representative upon receipt of an application or request from the private data subject or his/her representative. The request must contain the number of the main document identifying the private data subject or his/her representative, information about the date of issue of the specified document and the issuing authority, information confirming relationships of the private data subject with the Company, or information otherwise confirming the fact of processing private data by the Company. The request must be also signed by the private data subject or his/her representative.
6.3. If a person who sends an application or request to the Company is not authorized to receive private data information, this information is not given to him/her. The person who made the relevant request is given a notice of refusal. Responses to applications and requests for information on processing private data are sent within 10 (ten) business days from the date of their receipt by the Company, unless a shorter period for application consideration is established by law.
6.4. If inaccuracy of the processed private data is confirmed based on the information provided by the private data subject, his/her representative or an authorized body protecting the rights of private data subjects, the private data must be clarified within 7 (seven) business days from the date of submission of such information. If data cannot be clarified within the specified period, they are clarified as soon as possible. Data are unblocked based on the results of their clarification.
6.5. If an inspection reveals unlawful processing of private data by the Company, the violation must be eliminated within 3 (three) business days from the date of confirmation of unlawful processing. If it is impossible to ensure the legality of processing private data, the data must be destroyed within 10 (ten) business days from the date of detection of unlawful processing of private data.
6.6. The private data subject or his/her representative is immediately notified of the elimination of violations or the destruction of private data, and if the application or request were sent by an authorized body protecting the rights of private data subjects, this authorized body is notified thereof in the same manner.
6.7. The private data subject also has the right to withdraw his/her consent at any time, without paying any fee and without any adverse consequences, by contacting the Company directly or by sending a written request to the Company's postal address. If the private data subject withdraws consent to the processing of his/her data, the Company’s employees must stop processing his/her private data and destroy them within 10 (ten) days. This rule does not apply to cases where the Company has legal grounds to continue processing private data after withdrawal of consent, without violating the legal rights of private data subjects.
6.8. Private data subjects, whose private data are processed by the Company, can use the following contact details on any matters about the procedure for exercising their rights:
Phone: +7 (495) 641 40 76
Email: CC_Russia@furla.com
Postal address: 121099, Moscow, Smolenskaya square, 3, 8th floor, FURLA office