Furla Privacy Policy
APPROVED BY
Order of December 8, 2025
CEO
Furla Rus LLC
____________________________
M.V. Landyshev
Furla Rus LLC
PERSONAL DATA PROCESSING POLICY
1. GENERAL PROVISIONS
1.1. This Personal Data Processing Policy (hereinafter referred to as the Policy) was developed in compliance with the requirements of the Federal Law of July 27, 2006 No. 152-FZ On Personal Data. The purpose of this Policy is to set out the approaches to the processing and protection of personal data of the Limited Liability Company ‘Furla Rus’ (hereinafter referred to as the Company), operating under the legislation of the Russian Federation and located at Russian Federation, 121099, Moscow, Smolenskaya Square, bldg. 3, (floor/unit/office 8/I/19).
1.2. The Company is a subsidiary of Furla SpA, a legal entity established in compliance with the laws of Italy, registered with the Chamber of Commerce and Industry of Bologna under the number: BO-278122, located at 40068 San Lazzaro di Savena (Bologna) Italy.
1.3. The Company processes personal data of its buyers, that is, persons who purchased Furla goods in one of the Company’s retail stores or by placing an order in its online store at https://furla.ru (hereinafter referred to as the Website), as well as potential buyers who show interest in Furla products and have visited one of the Company’s retail stores or the Website. In addition, the Company processes personal data of certain categories of other entities interacting with the Company during its business activities (applicants, employees, contractors and a number of others).
1.4. The Company follows the principles of ensuring the security of personal data of any personal data subjects in order to protect their rights and freedoms, including protecting the rights to privacy, personal and family secrets, as well as compliance with the requirements of Russian and international legislation. The legal grounds for processing personal data by the Company are the Labor Code of the Russian Federation, the Tax Code of the Russian Federation, the Civil Code of the Russian Federation, the Law of February 7, 1992 No. 2300-1 ‘On the Protection of Consumer Rights’, the Federal Law of December 6, 2011 No. 402-FZ ‘On Accounting’, Order of the Federal Archive of December 20, 2019 No. 236 ‘On Approval of the List of Standard Management Archival Documents Generated in the Course of Activities of State Authorities, Local Governments and Organizations, Specifying Storage Periods’, other legal acts regulating the activities of the Company, and also its constituent documents.
1.5. This Policy covers all information containing personal data of personal data subjects that the Company may receive about any personal data subject when performing its business activities. This Policy is posted in all places where personal data are collected by the Company and is recommended for familiarization by all personal data subjects who give their data to the Company.
1.6. Terms not defined in this Policy have the meaning specified the legislation of the Russian Federation (primarily Federal Law of July 21, 2006 No. 152-FZ ‘On Personal Data’).
2. GOALS AND METHODS OF PROCESSING PERSONAL DATA
2.1. Here are the purposes, composition and terms of processing personal data of various categories of subjects in the Company:
Purpose of processing | Categories of subjects and composition of data | Processing deadlines |
Making a decision on concluding an employment contract with an applicant, including agreeing upon his/her candidacy with the global management of the Furla group of companies. | Applicants: last name, first name, patronymic, gender, date of birth, citizenship, work experience, skills, achievements, education, qualifications, knowledge of foreign languages, contact numbers, emails, health limitations, photos, other data specified in the CV, or provided by the applicant. | Before making a decision on the candidacy. |
Conclusion and fulfillment of employment contracts | Workers: last name, first name, patronymic; year, month, date of birth; place of birth; address of registration; phone numbers; emails; marital status, children; social status, availability of benefits; property status, information about income; work experience (total work experience); content of the employment contract; information contained in ID documents; information about visas, work permits, and other migration documents; information contained in the work book; information contained in the insurance certificate of state pension insurance; information contained in the certificate of registration of an individual with the tax authority in the Russian Federation; information contained in military registration documents; information about education, profession, qualifications or special knowledge or training; photos; other subject-related information establishing the fact that the above information regards the subject (including information contained in the unified form T-2 ‘Employee Personal Card’). Special categories: information about disability and health status. Close relatives of employees: last name, first name and patronymic, date of birth, degree of relationship. | Before the employment contract termination date. |
Organization of employee insurance services | Workers: full name; date of birth; gender. | Before the employment contract termination date. |
Organization of medical examinations of employees and provision of medical services to them | Workers: last name, first name and patronymic; date of birth (age); gender; place of birth; address; citizenship; compulsory medical insurance policy data; passport details; insurance number of an individual personal account; place of work; experience; job title; phone number. | Before the employment contract termination date. |
Organization of business trips and transportation for employees | Workers: last name, first name and patronymic; date of birth; gender; address; place of birth; passport details; citizenship; telephone number, email. | Before the employment contract termination date. |
Corporate training for employees | Workers: full name; job title; subdivision; photo; email; information about training; date of birth (age); gender; address; place of birth; passport details; citizenship; phone number. | Before the employment contract termination date. |
Employee access to corporate services | Workers: full name; job title; phone number; email. | Before the employment contract termination date. |
Ensuring operator’s compliance with occupational safety and health legislation | Workers: full name; year, month, date of birth (age); job title; department (place of work); information contained in the insurance certificate of state pension insurance; personnel number; employment date. Special categories: health information. | Before the employment contract termination date. |
Access control | Workers: last name, first name and patronymic; job title; place of work; gender; passport details; photo. | Before the employment contract termination date. |
Conclusion and fulfillment of civil contracts with counterparties | Performers and suppliers: full name; gender; passport series, number, date and issuing authority; date of birth; address of registration; taxpayer identification number; insurance number of an individual personal account; bank details; information about income; primary state registration number of an individual entrepreneur. Representatives of counterparties: full name; position, place of work, telephone number, email. | Before the day of termination of the contract with the counterparty. |
Consideration of requests and quality control of customer support service | Buyer1s and potential buyers: full name; phone number; email, contact details. | Before the expiration of 1 (one) year from the date of sending the application. |
Conclusion and fulfillment of civil contracts with customers, including operation of the website and online store, refund of funds. | Buyers and potential buyers: full name; delivery address, phone number; email; passport details, address of registration, bank details. | Within 3 (three) months from the date of fulfillment of the order or until the day the buyer’s request for a refund is fulfilled. |
Implementation of a loyalty program | Loyalty program participants: full name; gender; residential address, phone number; email; birthday; gender; identifier in the CRM system, identification number of the equipment. | Before the termination of the operator’s activities or the subject’s participation in the loyalty program. |
Promotion of goods and services on the market, performing marketing activities through advertising related to products under the Furla trademark and services provided by the Company, the Company’s partners, by making direct contacts with potential consumers using communication means (taking into account the selected contact options) | Loyalty program participants: full name; date of birth; phone number; email. | Before the termination of the Company's activities, unless consent to send advertising is revoked earlier. |
Normal functioning of automated personnel, accounting and tax accounting systems | Employees and former employees: full name; year, month, date of birth; place of birth; address of registration; phone numbers; emails; marital status, children; social status, benefits; property status, information about income; work experience (total work experience); content of the employment contract; information contained in identity documents; information about visas, work permits, and other migration documents; information contained in the work book; information contained in the insurance certificate of state pension insurance; information contained in the certificate of registration of an individual with the tax authority in the Russian Federation; information contained in military registration documents; information about education, profession, qualifications or special knowledge or training; photos; other subject-related information establishing the fact that the above information regards the subject (including information contained in the unified form T-2 ‘Employee Personal Card’). Special categories: information about disability and health status. Close relatives of employees and former employees: last name, first name and patronymic, date of birth, degree of relationship. Counterparties and former counterparties: full name; gender; passport series, number, date and issuing authority; date of birth; address of registration; taxpayer identification number; insurance number of an individual personal account; bank details; information about income; primary state registration number of an individual entrepreneur. Representatives of counterparties and former counterparties: full name; job title; emails; phone number Buyers and former customers: full name; passport details, address of registration, bank details. | Before the termination of the Company's activities or the Company's refusal to use the accounting system. |
Compliance with the requirements of current legislation | Employees, former employees and their relatives: full name; gender; passport series, number, date and issuing authority; year, month, date of birth; place of birth; address of registration; actual residence address; taxpayer identification number; insurance number of an individual personal account information about income; email address; phone number; information about marital status, position; work experience; information about the date of employment, date and number of the employment order; information about the date of dismissal from work, date and number of the dismissal order; information about the date of transfer to another job, date and the number of the transfer order; other data contained in the personnel records; information contained in the children's birth certificate; information contained in the birth certificate; information contained in the marriage registration certificate; information contained in the marriage annulment certificate; information about education, profession, qualifications, or availability of special knowledge or training; information contained in the driver's license (if any); information about military registration; information contained in the military registration document, about the reserve category, about the military rank, the full code designation of the military-accounting specialty, composition (profile), name of the military commissariat at the place of military registration, information on the state of health (category of fitness for military service).Counterparties and former counterparties: full name; gender; passport series, number, date and issuing authority; date of birth; address of registration; taxpayer identification number; insurance number of an individual personal account; bank details; information about income; primary state registration number of an individual entrepreneur. Representatives of counterparties and former counterparties: full name; gender; passport series, number, date and issuing authority; job title. Buyers: Full Name; delivery address, telephone number; email address; passport details, address of registration, bank details. | Before the expiration of the deadlines provided for by the legislation of the Russian Federation on the storage of documents and information. |
Analysis of site visits as part of evaluating the effectiveness of marketing campaigns | Site visitors: information collected through metric programs, including location information; type and version of the operating system; browser type and version; device type and screen resolution; source from where the user came to the site, from which site or according to which ad; language of the operating system and browser; data on user activity on the site; IP address. | Before the termination of the Company's activities, or before termination of the site exploitation. |
2.2. Any actions to personal data, be it processing of paper documents or processing data by automated systems, are only made by the Company for the above purposes. To achieve the above goals, personal data can be processed by the Company through the following operations: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (provision, access), blocking, deletion, destruction. The Company does not distribute any personal data.
3. COLLECTING PERSONAL DATA
3.1. The Company processes only personal data provided to the Company by the personal data subjects or by third parties with the consent of the personal data subjects.
3.2. If processing personal data is not expressly provided for by Russian legal acts, the Company processes personal data only in the following cases:
(a) the Company or another person has received the consent from the personal data subject for processing his/her personal data by the Company;
(b) the processing of personal data is required to fulfill a contract to which the personal data subject is a party (or a beneficiary);
(c) processing of personal data is required to conclude a contract at the initiative of the personal data subject or a contract under which the personal data subject is a beneficiary or guarantor;
(d) the processing of personal data is required to exercise the rights and legitimate interests of the Company or third parties.
3.3. Buyers, including potential ones, have the opportunity to express their consent to processing personal data by the Company:
(a) in the course of providing their data when sending an application through the feedback form on the Website (when providing personal data in the specified way, the subject expresses his/her consent to the processing of his/her personal data by the Company for consideration of application and quality control of the customer support service within the above deadlines);
(b) when providing their data through an electronic form when registering an account on the Website or through a special consent collection system available in the Company’s stores (when providing personal data in one of the specified ways, the subject expresses his/her consent to the processing of his/her personal data by the Company for the implementation of the global loyalty program, performing marketing activities through advertising products under the Furla trademark and services provided by the Company and its partners, establishing direct contacts with the subject within the above deadlines);
(c) in the course of providing his/her data when subscribing to the newsletter by email (when providing personal data in this way, the subject expresses his/her consent to the processing of his/her personal data by the Company for marketing activities through advertising products under the Furla trademark and services provided by the Company and its partners, establishing direct contacts with the subject within the above deadlines).
3.4. The Company also processes personal data of unregistered customers who made purchases in the Website online store. In this case, the buyer’s personal data are only processed to fulfill the purchase and sale contract (accepting payment for goods and related services, organizing delivery of goods to the place specified by the buyer) and create conditions for resolving eventual disputes.
3.5. The Company uses information about statistics on the use of the Website (including the number of visitors, their gender, age, types of devices, sources of visits, as well as the behavior of visitors on the Website pages). This information is collected using Yandex.Metrica service. Such services use cookies, that is small text files placed on users’ computers to analyze their user activity. The information collected using cookies is used for identification of the Website visitors, but may help to improve the Website operation and optimize its work based on the preferences of a particular user. Website visitors may reject the use of cookies by selecting the appropriate settings on their browser. Read more about data processing policy of the provider of Yandex.Metrica service at https://yandex.ru/legal/confidential/..
3.6. Any buyer, including a potential one, always has the right not to provide his/her personal data to the Company: personal data are only provided at the will and discretion of the personal data subject. However, without the data specified when placing an order on the Website, the Company is unable to ensure the proper fulfillment of its obligations to the buyer. If a person does not provide the personal data required to participate in the loyalty program, he/she cannot be registered on the Website and use additional services that the Company offers to its registered customers (for example, attending events organized by the Company or previewing collections).
4. PERSONAL DATA TRANSFER
4.1. The Company may transfer personal data to third parties who process them on behalf (in the interests) of the Company, as well as to independent personal data operators. When transferring personal data to other operators, the Company notifies such persons of the obligation to maintain the confidentiality of personal data and use them only for the purposes for which they were transferred, and also ensures that contracts with such persons include the terms provided for by current legislation and aimed at ensuring the protection of personal data by their recipients.
4.2. Personal data of candidates for employment in the Company may be transferred to the following persons:
Process requiring data transfer | Categories of recipients |
Coordination of the candidate with the global management of the Furla group of companies. | The parent company of the group (Italy). |
Technical support of information systems. | Contractors who provide technical support and information system support for the Company. |
4.3. Employee personal data may be transferred to the following persons:
Process requiring data transfer | Categories of recipients |
Technical support of information systems. | Contractors who provide technical support and information system support for the Company. |
Outsourcing of payroll calculation and other related services. | Contractors who provide bookkeeping, tax and management accounting services to the Company. |
Issuing a bank card to an employee to receive wages | Credit organizations. |
Providing access to communication services. | Communication service providers. |
Organizing access to online libraries as employee incentives. | Contractor who provides access to the online library. |
Voluntary medical, life and health insurance for employees. | Insurance companies and brokers. |
Organization of medical examinations of employees. | Medical organizations. |
Business and other trips for employees. | Travel agencies, hotel and transportation providers. |
Employee training and promotion. | Educational organizations. |
Creation of work accounts in corporate services for employees. | The parent company of the group (Italy). |
Ensuring labor safety at workplaces. | Companies providing labor protection services. |
Military registration of employees. | Organizations ensuring the Company’s compliance with the military registration law |
Organization of access control at Company’s sites. | Owners of the Company’s trade sites and offices, as well as security organizations engaged by them or the Company. |
Financial and other types of audits of the Company. | Audit companies. |
Special assessment of working conditions at workplaces. | Companies assessing working conditions. |
Long-term storage of documents generated in the course of the Company’s business. | Companies providing professional storage of documents. |
4.4. Personal data of counterparties, former counterparties and their representatives may be transferred to the following persons:
Process requiring data transfer | Categories of recipients |
Interaction with counterparties through electronic document management systems. | Operators of electronic document management services. |
Technical support of information systems. | Contractors who provide technical support and information system support for the Company. |
Financial and other types of audits of the Company. | Audit companies |
Long-term storage of documents generated in the course of the Company’s business. | Companies providing professional storage of documents. |
4.5. Personal data of customers, potential customers and loyalty program participants may be transferred to the following persons:
Process requiring data transfer | Categories of recipients |
Receiving and processing incoming requests from buyers, including potential ones; making outgoing notifications and calls. | Call center service providers. |
Ensuring the Website operation, the Website online store, as well as corporate information systems used by the Company to process information on customers and potential customers as well as loyalty program members. | The parent company of the group (Italy), as well as other persons participating in support of information system support (France, Sweden). |
Delivery of orders to customers and loyalty program members. | Carriers, warehousing operators, postal organizations, delivery companies and courier services. |
Implementation of a loyalty program. | The parent company of the group (Italy), as well as partners who joined to the loyalty program. |
Sending text messages and emails. | Mailing service providers. |
Financial and other types of audits of the Company. | Audit companies. |
Long-term storage of documents generated in the course of the Company’s business. | Companies providing professional storage of documents. |
4.6. Personal data of the site visitors can be provided to the following parties:
Process requiring data transfer | Categories of recipients |
Analysis of website visit statistics | Metric data collection service providers |
Assessment of the efficiency of marketing campaigns and their optimization. | Marketing service providers. |
4.7. A full list of persons processing the subject’s personal data on behalf of the Company or receiving the subject’s data from the Company may be provided to the subject in the manner prescribed in Section 6 of this Policy.
4.8. In some cases, recipients of personal data may be located outside the Russian Federation. However, the Company does not transfer personal data to countries that do not provide adequate protection of the rights of personal data subjects. The Company notifies authorized bodies on any facts of cross-border transfer of personal data in cases provided for by law.
4.9. State authorities of the Russian Federation, as well as other public entities, can gain access to processed personal data only in cases established by the Russian law.
5. STORAGE AND PROTECTION OF PERSONAL DATA
5.1. The Company is fully committed to the protection of personal data processed. The Company has appointed a person in charge for organizing the processing of personal data, who supervises any issues related to the processing of personal data and ensuring the rights of personal data subjects. The Company has also introduced a set of internal documents regulating the procedure for processing and protecting personal data of subjects.
5.2. When processing personal data, organizational, legal and technical protection measures are taken to exclude any possibility of unauthorized access to personal data by unauthorized persons. Among other things, such measures include:
(a) modeling threats to the security of personal data;
(b) ensuring the security regime of the premises where personal data information systems are located, preventing any possibility of uncontrolled presence in these premises of persons who do not have the right to access them;
(c) drawing up a list of persons whose access to personal data is required for their official duties;
(d) ensuring the safety of personal data media;
(d) managing access to personal data (including password protection);
(e) personal data security control;
(f) ensuring the availability of personal data (including through backup of personal data at specified intervals);
(g) anti-virus protection of personal data information systems.
5.3. The periods for storage and other processing of personal data depend on the purposes of processing personal data and/or individual consents of the personal data subjects. In any case, processing of personal data must be terminated upon achievement of the purposes of processing the relevant data, as well as in case of termination of the grounds for processing personal data (including withdrawal of previously given consent to the processing of personal data, if the legislation does not grant the Company the right to continue processing personal data).
5.4. Personal data processed by the Company must be destroyed with the mandatory registration of the fact of destruction by drawing up a personal data destruction act. In case of destruction of personal data processed using automation tools, in addition to the act, the fact of destruction of personal data must be registered in the Event Journal of the relevant personal data information system. The composition of information recorded in acts and journals when personal data are destroyed is determined by the Russian law.
6. RIGHTS OF PERSONAL DATA SUBJECTS
6.1. Subjects whose personal data are processed by the Company have the following rights:
(a) the right to gain access to information on processing their personal data;
(b) the right to require the Company to clarify personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, illegally obtained or are not required for the stated purpose of processing;
(c) the right appeal in court any unlawful actions or inactions of the Company in the processing and protection of personal data, and take any other legal measures to protect their rights.
6.2. Personal data subjects have the right (by personal contact or by sending a written request) to gain access to information on processing their personal data, containing:
(a) confirmation of the fact of processing personal data by the Company;
(b) legal grounds for and purposes of processing personal data;
(c) methods used by the Company for processing personal data;
(d) name and location of the Company, information about persons who have access to personal data or to whom personal data may be disclosed under a contract with the Company or incompliance with federal law;
(e) processed personal data related to the relevant personal data subject, as well as the source of their receipt, unless a different procedure for the presentation of such data is provided for by federal law;
(f) terms of processing of personal data, including periods of their storage;
(g) the procedure for the exercise of the personal data subject’s rights provided for by the legislation on personal data;
(h) information on cross-border data transfer;
(i) name, last name, first name, patronymic and address of the person processing personal data on behalf of the Company, if the processing has been or will be assigned to such a person;
(j) other information required by law.
The information specified in this clause is provided to the personal data subject or his/her representative upon receipt of an application or request from the personal data subject or his/her representative. The request must contain the number of the main document identifying the personal data subject or his/her representative, information about the date of issue of the specified document and the issuing authority, information confirming relationships of the personal data subject with the Company, or information otherwise confirming the fact of processing personal data by the Company. The request must be also signed by the personal data subject or his/her representative.
6.3. If a person who sends an application or request to the Company is not authorized to receive personal data information, this information is not given to him/her. The person who made the relevant request is given a notice of refusal. Responses to applications and requests for information on processing personal data are sent within 10 (ten) business days from the date of their receipt by the Company, unless a shorter period for application consideration is established by law.
6.4. If inaccuracy of the processed personal data is confirmed based on the information provided by the personal data subject, his/her representative or an authorized body protecting the rights of personal data subjects, the personal data must be clarified within 7 (seven) business days from the date of submission of such information. If data cannot be clarified within the specified period, they are clarified as soon as possible. Data are unblocked based on the results of their clarification.
6.5. If an inspection reveals unlawful processing of personal data by the Company, the violation must be eliminated within 3 (three) business days from the date of confirmation of unlawful processing. If it is impossible to ensure the legality of processing personal data, the data must be destroyed within 10 (ten) business days from the date of detection of unlawful processing of personal data.
6.6. The personal data subject or his/her representative is immediately notified of the elimination of violations or the destruction of personal data, and if the application or request were sent by an authorized body protecting the rights of personal data subjects, this authorized body is notified thereof in the same manner.
6.7. The personal data subject also has the right to withdraw his/her consent at any time, without paying any fee and without any adverse consequences, by contacting the Company directly or by sending a written request to the Company's postal address. If the personal data subject withdraws consent to the processing of his/her data, the Company’s employees must stop processing his/her personal data and destroy them within 10 (ten) days. This rule does not apply to cases where the Company has legal grounds to continue processing personal data after withdrawal of consent, without violating the legal rights of personal data subjects.
6.8. Personal data subjects, whose personal data are processed by the Company, can use the following contact details on any matters about the procedure for exercising their rights:
Phone: +7 (495) 641 40 76
Email: CC_Russia@furla.com
Postal address: 121099, Moscow, Smolenskaya square, 3, 8th floor, FURLA office