Privacy Policy for Users of the www.mobilirebecca.it Website

(art. 13-14 EU Reg. 679/16GDPR”)

Ohme Group Srl (hereinafter also “the Owner”, “Ohme Group”, “Mobili Rebecca”) is constantly committed to adopting technical and organizational solutions aimed at guaranteeing high standards of protection in the processing of personal data.

This policy describes the extent, when, why, and how we collect and use your personal data when you use our website www.mobilirebecca.it, how we protect it, and how you can exercise your rights in relation to it.

1. Data Controller and Data Protection Officer

The Data Controller is Ohme Group srl, Tax Code and VAT No.: 02484770694, with registered office at Via GB Pirelli 14 - 62012, Civitanova Marche (MC), Tel.: 0733672081, email: privacy@mobilirebecca.it. The Data Protection Officer (DPO) can be contacted at dpo@mobilirebecca.it.

The Data Processors appointed by the Data Controller are entities that provide services instrumental to the performance of the activity and mainly belong to the following categories: IT and management service providers, Shopify e-commerce platform, hosting services such as (currently Cloudflare ), Google , Meta Inc. , SmartsUpp ), marketing platforms, CDN platforms, administrative and management service providers, external professionals and consultants (accountants, labor consultants, webmasters), payment gateways (e.g. Paypal), where they do not act as independent Data Controllers.

The list of data controllers is available from the Data Controller.

3. Authorized to process

The Data Controller, within its organization, has authorized and instructed certain individuals to process data under its authority, assigning them specific tasks, in compliance with the principles of "purpose limitation and data minimization" pursuant to Article 5, paragraph 1, letters b) and c) of the GDPR.

4. Data recipients

In addition to data processors and internal authorized persons, the Data Controller, pursuant to the legal bases indicated in this policy, may disclose personal data to third parties who, outside the cases described above, will act as independent data controllers, such as, for example, public administrations, banks, payment services, couriers and freight forwarders, marketing platforms, CDN platforms, law firms, and consulting firms.

In any case, personal data will not be disclosed.

5. Interested parties and categories of data processed

This notice is addressed to registered and unregistered users of the e-commerce site www.mobilirebecca.it, for whom the Data Controller will process the following categories of data for the purposes set out in this notice:

1. identification data: name, surname, date and place of birth, address, and, where applicable, tax code.

2. contact details: email address, landline number, mobile phone number, fax number, email address;

3. Shopping cart and purchase data : information relating to purchases, orders, returns, complaints, payments, invoicing, shipping, and warranties. Warranty fulfillment.

4. Payment data : amount, payment method, reference, and transaction status. The payment process takes place on the Shopify Inc. platform, which is PCI-DSS Level 1 certified. Complete payment method data (card number, expiration date, CVV) is managed exclusively by Shopify and payment gateways (e.g., PayPal, Fondy) and is never transmitted or stored in Ohme Group Srl's systems.

5. Browsing data (IP address, country, browser, device information, web beacons, consent to the use of cookies and similar technologies). Please refer to the cookie policy .

6. Purpose - Legal basis - retention period and nature of the provision

7. Data source

The data is normally provided directly by the Customer.

However, the Data Controller may collect data present in public databases (Chamber of Commerce, INI-PEC, Revenue Agency, Bank of Italy) primarily for the purposes of fulfilling legal obligations such as invoicing or for legal defense.

8. How and where we process data

The Data Controller will process the data in both paper and electronic form. They are stored and processed in electronic and paper archives located at the Data Controller's registered and operational headquarters (in Italy) and at the offices and servers of the data processors, limited to the purposes assigned to them. Given the importance of the Site to the Data Controller's business (e-commerce), please note that the www.mobilirebecca.it site is hosted on the Shopify Inc. platform and the domain is managed by Cloudflare Inc. The servers are located in Canada, as can be verified here.

9. Transfer of data outside the European Economic Area

The processing of the data subject's personal data carried out during use of the website www.mobilirebecca.it involves the transfer of data outside the European Economic Area. Therefore, the Data Controller will ensure that this occurs in the presence of an adequacy decision or, in the absence of one, in the presence of adequate safeguards pursuant to Articles 46 et seq. of the GDPR. Please note that the website operates on servers located outside the European Economic Area, as indicated above, specifically in Canada. With respect to this country, the transfer occurs pursuant to an adequacy decision of the European Commission dated 20 December 2001 , as amended by European Commission Implementing Decision (EU) 2016/2295 dated 16 December 2016 . The Data Controller may also transfer the data subject's data outside the European Economic Area, for example, in relation to the use of the services of Google Inc. or Meta Platforms Inc. (Facebook/Instagram/WhatsApp), and only to the extent that these entities store said data on servers located outside the EEA.

With regard to Google Inc. and Meta Platforms Inc., the transfer of data is made lawful by the adequacy decision with which the European Commission implemented the Data Privacy Framework.

Please consult the following links for more information:

The companies mentioned above have also agreed, in providing their services, to comply with the standard contractual clauses, for which we invite you to consult this link for Google Inc. and this link for Meta Platforms Inc..

10. Security measures

The Data Controller processes personal data in accordance with the data security obligations pursuant to Art. 32 of the GDPR. To ensure an adequate level of data protection to mitigate the risk of improper or unlawful use of data, the Data Controller constantly strives to implement physical, organizational, and IT security measures that meet current data security standards. These measures include, among others, the use of https/tls protocols, payment encryption, appropriate supplier selection, appointment of a Data Protection Officer (DPO), ongoing monitoring of privacy compliance, use of internal policies, backup procedures, disaster recovery, locked cabinets, authorization profiles, strong passwords with periodic changes and secure storage, written authorization and ongoing training for designated personnel, and monitoring of compliance with these measures. The complete list of security measures is available at the Data Controller's headquarters.

11. Children's privacy

Minors are defined as all persons under the age of 18. Pursuant to art. 2-quinquies of Legislative Decree 196/03 and subsequent amendments, in relation to the provision of information society services, minors are defined as all persons under the age of fourteen.

The Data Controller does not intentionally request or collect personal data from or relating to minors under the age of 18 without the consent of a parent or guardian.

If the Data Controller becomes aware that personal data relating to a minor has been submitted without the consent of a parent or guardian, it will make every reasonable effort to delete such personal data from its records as soon as possible and ensure that such personal data is not further used for any purpose, nor is it further disclosed to third parties.

12. Rights of the interested party

Right of access (Art. 15 GDPR)

You may request: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

You have the right to request a copy of the personal data undergoing processing.

  • Right to rectification

You have the right to request the rectification of inaccurate personal data concerning you and to obtain the integration of incomplete personal data.

  • Right to erasure

You have the right to obtain from the Data Controller the erasure of your personal data if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, if you withdraw your consent, if there are no overriding legitimate grounds for profiling, if the data has been unlawfully processed, or if there is a legal obligation to erase it.

  • Right to restriction of processing

You have the right to obtain from the Data Controller restriction of processing when you have contested the accuracy of the personal data (for a period enabling the Data Controller to verify the accuracy of the personal data) or if the processing is unlawful, but you oppose the erasure of the personal data and request the restriction of their use instead, or if the personal data are necessary for the establishment, exercise, or defense of legal claims, but the Data Controller no longer requires them.

  • Right to portability

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and you have the right to transmit that data to another controller if the processing: (i) is based on consent, (ii) on a contract and (iii) if the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority and such transmission does not infringe the rights of a third party.

Data portability includes the right of the data subject to receive a subset of their personal data processed by the Data Controller and to retain it for further use for personal purposes. This storage can take place on a personal medium or in a private cloud, without necessarily involving the transmission of the data to another controller.

Data portability complements and strengthens the right of access to personal data, also provided for in Article 15 of the Regulation.

If the data subject requests data portability along with the direct transmission of their data to another data controller, please note that this right is subject to technical feasibility: Article 20, paragraph 2 of the Regulation provides that data may be transmitted directly from one data controller to another at the data subject's request, and where technically feasible. The technical feasibility of data transmission from one data controller to another must be assessed on a case-by-case basis.

Recital 68 of the Regulation clarifies the limits of what is technically feasible, specifying that it should not require data controllers to adopt or maintain technically compatible processing systems. Therefore, direct data transmission from a data controller to another data controller may occur if secure communication between the systems of the two controllers (transferring and receiving) is possible, and if the receiving system is technically capable of receiving the incoming data. If technical impediments prevent direct transmission, the data controller will provide training and a detailed explanation to the data subject. With regard to the interoperability of formats to ensure portability, the Data Controller will comply with the provisions of paragraph 1021, letter (b) of Law 205/2017 (“presence of adequate infrastructures for the interoperability of the formats with which the data are made available to data subjects”) within the limits of what is clarified by the WP242 Guidelines (“The expectation is that the controller transmits personal data in an interoperable format, but this does not impose any obligation on other controllers to support this format”).

Please note that, pursuant to the WP242 Guidelines, data controllers who comply with a data portability request are not specifically required to verify the quality of the data before transmitting it.

Furthermore, data portability does not impose any obligation on the Data Controller to retain data for a period longer than necessary or beyond that specified. Above all, it does not impose any additional obligation to retain personal data for the sole purpose of fulfilling a potential data portability request.

The exercise of the right to data portability (or any other right under the Regulation) does not affect any of your other rights.

The data subject may continue to use and benefit from the service offered by the Data Controller even after data portability has been completed. Portability does not entail the automatic deletion of data stored in the Data Controller's systems and does not affect the original retention period for the data transferred. The data subject may exercise these rights as long as the data processing by the Data Controller continues.

  • Right to object

You have the right to object at any time, in whole or in part, to the processing of your personal data if the processing is carried out for the purposes of the Data Controller's legitimate interest. In this case, the personal data will no longer be processed for these purposes.

  • Right not to be subject to a decision based solely on automated processing, including profiling
  • Right to lodge a complaint with the Guarantor Authority

Without prejudice to any other administrative or judicial remedy, if the data subject believes that the processing of his or her personal data violates the provisions of EU Regulation 2016/679, pursuant to art. 15, letter f) of the aforementioned EU Regulation 2016/679, and if the data subject believes that the Data Controller has violated his or her rights, he or she has the right to lodge a complaint with the Italian Data Protection Authority (Supervisory Authority www.garanteprivacy.it).

  • Right to withdraw consent

How to exercise your rights:

  • registered mail to Ohme Group Srl, Via GB Pirelli 14 - 62012, Civitanova Marche [MC], VAT number 02484770694, tel.: 0733 672081,
  • email: privacy@mobilirebecca.it;
  • pec: mobilirebeccasrl@pec.it
  • form available on the website www.mobilirebecca.it or available at the office.

The Data Controller will normally process requests within 30 days.

However, this period may be extended for reasons relating to the specific right of the data subject or the complexity of your request.

In certain situations, due to legal obligations, we may not be able to provide you with information about all of your data.

If we are forced to decline your request for information in this case, we will at the same time explain the reasons for our denial.

Version of 17.2.26.

Previous versions