PRIVACY POLICY FOR SITE USERS
Please read this Privacy Policy carefully (hereinafter, "Privacy Policy"), which is intended for users of the website www.bathandbodyworks.it (hereinafter, the "Site"), prepared pursuant to art. 13 of the General Data Protection Regulation n. 2016/679 (hereinafter, also "GDPR"), in which we indicate all the details relating to the processing of your personal data (hereinafter also, "Data") and their use.
Please note that the Privacy Policy is intended to be applicable only to the processing of Data carried out on the Site and not also to processing carried out on different and additional websites, although accessible through links found within the Site itself.

  1. Data controller and related contact details
    The data controller is Hexagon S.p.A., via Giorgio e Guido Paglia n. 1/D 24122 Bergamo, Tax Code and VAT number 04058560162 (hereinafter "Controller" or "Company").
    For the purposes referred to in points 4.2, 5.2, 5.3 and 5.4, Percassi Retail S.r.l., based in Bergamo, Via Giorgio e Guido Paglia 1D, 24122, is an independent data controller in addition to Hexagon S.p.A.
    E-mail address: percassiretail@legalmail.it
  2. Data Protection Officer (DPO) contacts
    You can contact the Data Protection Officer (DPO) at:
    dpo.hexagon@percassi.com
    dpo.percassiretail@percassi.com
  3. Categories of processed data
    • 3.1 Browsing data
      We collect the following data through the services used by the user.
      Technical data
      This category of data includes IP addresses or domain names of the computers used by users who connect to the site, URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and computer environment. This data is used for the sole purpose of obtaining statistical information (and is therefore anonymous) and of verifying proper site operation, and is deleted immediately after processing. This data could be used to determine responsibility in the event of possible computer crimes against the website. Except for this eventuality, the website contact data are not held for more than seven days.
      Cookies
      The Site collects data using cookies or similar technologies. For further information, please visit the Site's Cookie Policy.
    • 3.2 Data provided voluntarily by the user
      The Site offers users the opportunity to voluntarily provide personal information through, for example, filling out the "Contact", "Create Account" and "Checkout" forms on the Site, as well as signing up to "Receive offers and latest BBW news via email".
  4. Services offered by the Site
    An illustration of the services offered by the Site is provided below. The following are indicated for each of the services offered: the purposes of the data processing, the legal bases underlying the processing itself and the storage times of the data processed.
    • 4.1 E-commerce
      BBW products can be purchased on-line on the Site. To purchase these products the user can:
      1. create an account and also access additional services offered by the Site (wish-list, etc.);
      2. select the various items and checkout as a "Guest".
      Purpose of the processing: to provide e-commerce services for the on-line sale of BBW products and to ship the purchased products.
      Legal basis of the processing: art. 6, paragraph 1, lett. b) of the GDPR, "execution of a contract of which the data subject is a party or execution of pre-contractual measures adopted at the request of the same".
      Retention times: personal data will be kept for the entire duration of the contract and, after termination, for the ordinary mandatory period.
    • 4.2 Site registration and Account creation
      The Site offers the possibility of creating a personal account to enter the world of BBW and be able to take advantage of additional services such as the "My love-it list", order and purchase history.
      Purpose of Data Processing: Site registration and account creation.
      Legal basis of the processing: art. 6, paragraph 1, lett. b) of the GDPR, "execution of a contract of which the data subject is a party or execution of pre-contractual measures adopted at the request of the same".
      Retention times: personal data will be kept for the entire duration of the contract and, after termination, for the ordinary mandatory period.
    • 4.3 Contact section
      The “Contacts” section is found on the Site. It allows the user to submit requests for information, reports and complaints to the Company. For the purpose of providing this service, the user is necessarily required to provide the following personal data: e-mail address.
      Should the data subject wish to request information by telephone, the personal data requested by the operator will be processed exclusively for the purposes indicated below.
      Purpose of the processing: to provide feedback to the requests for information made by the user as well as to open specific tickets for customer care activities for lodged complaints.
      Legal basis of the processing: art. 6, paragraph 1, lett. b) of the GDPR, "execution of a contract of which the data subject is a party or execution of pre-contractual measures adopted at the request of the same".
      Retention times: personal data will be kept for a period not exceeding 24 months from the time of their conferment.
    • 4.4 "Keep in touch with us" service
      The Site offers the user the opportunity to subscribe to the Company's "Stay in touch with us" service, so as to remain constantly informed about all the news in the BBW world, regarding new products, commercial offers, initiatives, events and services offered. In order to register for the "Stay in touch with us" service, the visitor is required to enter his/her e-mail address.
      Purpose of the processing: to allow the user to subscribe to the "Stay in touch with us" service offered by BBW.
      Legal basis of the processing: art. 6, paragraph 1, lett. b) of the GDPR, "execution of a contract of which the data subject is a party or execution of pre-contractual measures adopted at the request of the same".
      Retention times: personal data will be kept until the time of a possible cancellation of the user from the service by clicking on the appropriate link at the bottom of each of the communications sent by the Company.
  5. Additional purposes of the processing
      As part of the processing of personal data carried out through the Site, the Data Controller pursues the following additional specific purposes:
    • 5.1 Fulfilment of legal obligations
      The Data Controller, where necessary, processes the personal data of the data subjects, collected through the Site, in order to guarantee compliance with the legal obligations, regulations and community standards to which it is subject.
      Legal basis of the processing: art. 6, paragraph 1, lett. c) of the GDPR, "processing is necessary to fulfil a legal obligation to which the data controller is subject".
      Retention times: personal data will be kept for the period strictly necessary to allow the Data Controller to fulfil the legal obligations to which he is subject.
    • 5.2 Assessment, exercise and defence of rights in court
      The Data Controller, where necessary, processes the personal data of the data subjects, collected through the Site, in order to ascertain, exercise or defend a right in court or whenever the judicial authorities exercise their judicial functions.
      Legal basis of the processing: art. 6, paragraph 1, lett. f) of the GDPR, "processing is necessary for the pursuit of the legitimate interest of the data controller".
      Retention times: personal data will be kept for the period strictly limited to the duration of the dispute, until the deadlines for appeals are reached.
    • 5.3 Direct marketing activities
      Your personal data, subject to your free and specific consent, will be processed by the Data Controllers to update you on promotional, commercial and advertising initiatives and on events, in accordance with the provisions of the Guarantor Authority for the protection of personal data "Guidelines on promotional activities and the fight against spam - 4 July 2013 [2542348]". We would like to inform you that these activities can be carried out by post and telephone contacts via operator (so-called "traditional methods"), and by e-mail, SMS, push notifications and use of social networks (so-called "automated methods"). Furthermore, we will process your data to carry out analysis and reporting activities related to promotional communication systems. In the absence of your specific consent for this purpose, we will not be able to process your personal data for direct marketing purposes and therefore we will not be able to inform you of new products and/or promotions in progress.
      Legal basis of the data processing: Consent of the data subject pursuant to art. 6, paragraph 1, lett. a) of the GDPR, "the data subject has given consent to the processing of their personal data for one or more specific purposes".
      Retention times: personal data will be kept until the time of withdrawal of consent by the user. Purchase data for marketing purposes will be kept for 24 months. In any case, Controllers may keep the user's personal data to demonstrate compliance with the accountability principle pursuant to art. 5 GDPR.
    • 5.4 Profiling
      Subject to your free, optional and specific consent, we will process your personal data for profiling purposes. In particular, by monitoring the products and services you have purchased through the Site as well as your behaviour and interactions, we will evaluate your behaviour in more detail and analyse your preferences, your interests and your consumption habits. In the absence of your specific consent for this purpose, we will not be able to process your personal data for profiling purposes.
      Legal basis of the data processing: Consent of the data subject pursuant to art. 6, paragraph 1, lett. a) of the GDPR, "the data subject has given consent to the processing of their personal data for one or more specific purposes".
      Retention times: personal data will be kept until the time of withdrawal of consent by the user. Purchase data for profiling purposes will be kept for 12 months. In any case, Controllers may keep the user's personal data to demonstrate compliance with the accountability principle pursuant to art. 5 GDPR.
    • 5.5 Data disclosure/transfer
      Subject to your free, optional and specific consent, we may disclose your data to companies of the Odissea Group and/or to other companies in the retail sector (both physical and digital) to allow these companies to send you promotional/commercial material. In the absence of your specific consent for this purpose, we will not be able to disclose/transfer your personal data to third parties.
      Legal basis of the data processing: Consent of the data subject pursuant to art. 6, paragraph 1, lett. a) of the GDPR, "the data subject has given consent to the processing of their personal data for one or more specific purposes".
      Retention times: personal data will be kept until the time of withdrawal of consent by the user. In any case, the possibility is reserved for the Controllers to keep the user's personal data to demonstrate compliance with the accountability principle pursuant to art. 5 GDPR.
      Data Controllers, to pursue their own purposes, will also create a personal profile referring to you in their centralised management system (CRM). If you so wish, you can proceed to independently cancel your account directly from the personal area reserved for you. However, this elimination does not involve the cancellation of your personal profile from the CRM, except for the exercise of your right of cancellation in the manner provided for in this information in the paragraph "Rights of the data subject".
  6. Recipients and transfer of personal data
    The Data may be processed by subjects operating as independent data controllers, such as, by way of example: supervisory and control authorities and bodies and in general subjects, public or private, entitled to request the Data. Data may also be processed, on behalf of the Company, by external parties designated as Processors (pursuant to art of the GDPR) who are given appropriate operating instructions. These parties are essentially included in the following categories:
    1. companies offering e-mail services;
    2. companies which offer services for the fulfilment of the purposes indicated in this policy (media agencies, IT suppliers, couriers, etc.);
    3. site management and/or maintenance companies;
    4. companies which provide support in carrying out market studies;
    5. companies offering shipping services.
    Personal data is not subject to transfer to third party countries outside the European Union. In any case, it is understood that, if necessary, the Data Controller may also transfer personal data to non-EU countries, hereto guaranteeing that the transfer will take place in compliance with the applicable legal provisions and therefore stipulating, if and to what extent necessary, specific agreements that guarantee an adequate level of protection of personal data, or in any case by adopting the standard contractual clauses provided by the European Commission for the transfer of personal data outside the EU.
  7. Authorised processors
    The data may be processed by the Data Controller and/or Processor's employees and/or associates assigned to fulfil the purposes indicated above, who are expressly authorised for the processing and have received appropriate operating instructions.
  8. Withdrawal of consent and exercise of the rights of the data subjects
    Data subjects can contact the respective Privacy Offices of the Data Controller, for the attention of the Privacy Officer:
    • by ordinary mail to the following address:
      Via Giorgio e Guido Paglia 1D, 24122, Bergamo
    • by e-mail to the following e-mail addresses:
      privacy.hexagon@percassi.com (for all processes)
    Data subjects can ask the data controller for access to the data concerning them, their cancellation, the correction of inaccurate data, the integration of incomplete data and the limitation of processing in the cases provided for by art. 18 GDPR, and can object to the processing, for reasons connected to their particular situation, where the processing is based on the legitimate interest of the controller.
    In case of exercise of your right of cancellation, the Data Controllers will delete the data referred to you not only from the BBW site, but also from all the databases of Hexagon S.p.A. and/or Percassi Retail: this could therefore include the possible cancellation also from other platforms of the Data Controllers on which you have registered. Therefore, in consideration of the impact that such cancellation could have on you, the Data Controllers will be able to adopt procedures better aimed at ascertaining your identity.
    Where the processing is based on consent or contract and is carried out with automated tools, data subjects also have the right to receive the data in an organised, commonly used, machine-readable and interoperable format and, if technically possible, to transmit it to another controller without hindrance.
    Data subjects have the right to revoke the consent given at any time for marketing and/or profiling and/or data transfer/communication purposes. The possibility remains for the data subject who prefers to be contacted exclusively through traditional methods, to oppose the processing for marketing purposes only in relation to the receipt of communications through automated methods.
    Data subjects have the right to lodge a complaint with a supervisory authority in the Member State of their habitual residence, place of work or place of the alleged infringement.