Privacy Policy

POLICY STATEMENT ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLE 13 OF REGULATION (EU) 2016/679 (hereinafter the “GDPR”)

1. CONTROLLER - KIKO S.p.A., with registered office at Via Giorgio e Guido Paglia No. 1/D, BERGAMO, ZIP Code 24122, VAT No. 02817030162, Tax Code 12132110151, tel. 035280011 (“Company”).

2. DATA PROTECTION OFFICER (DPO) - email address

PURPOSE OF THE PROCESSING

LEGAL BASIS FOR THE PROCESSING

DATA RETENTION PERIOD and NATURE OF DATA HANDLING

A) Contractual purposes: 
•    Performance of the sales contract to which you are a party (user not registered on the website);

•    Execution of the contract linked to membership of the Kiko Kisses loyalty programme (in store and/or online).
You can use the services through the physical points (stores), the website www.kikocosmetics.com (“Website”) or the Kiko Kisses App (“App”). For example, after-sales support services; participation in premium events; registration with the website or mobile app; requests for information; reviews, and/or any other service provided to you by the Company.
Furthermore, as a result of your membership of the Kiko Kisses Programme and on the basis of the provisions of the relevant regulations, Kiko may conduct internal audits and verifications of members in order to combat any fraudulent, abusive or otherwise unlawful conduct in violation of the regulations.
 

Performance of a contract to which you are a party (or pre-contractual measures taken at the request of the data subject. E.g., request for information via the dedicated sections of the website www.kikocosmetics.com)

Art. 6, para. 1, letter b) GDPR.
 

 

For the entire contractual term and, after termination of the contract, for a maximum period of 10 years from collection

The provision of personal data (performance of the contract) is necessary to manage your purchase and to provide the sales-related services described above, where requested by you. Failure to provide such personal data will therefore make it impossible to complete the purchase and use the services indicated.
 

Fulfilment of administrative and accounting obligations established by applicable national legislation.

The need to comply with a legal obligation
Art. 6, para. 1, letter c) GDPR.

 

B) Purpose of Soft Spam: sending communications for the promotion and/or direct sale of products or services similar to those already purchased/received by the User pursuant to Article 130, paragraph 4 of Legislative Decree 196/2003 (the “Privacy Code”), using the email details indicated on such occasions, without prejudice to the right to object at any time by the methods set out at the end of the communication or at the addresses indicated below for the exercise of the rights established in Articles 15 et seq. of the GDPR.

Legitimate interest
Art. 6, para. 1, letter f) GDPR.

 

36 months from the last purchase made or until the date of objection to the processing, if earlier.

The provision of personal data is necessary pursuant to applicable legislation, without prejudice to your right to object at any time to the sending of communications.

C) Direct marketing purposes: sending advertising materials, newsletters, promotional and commercial communications relating to the Company's products and/or events, by automated means of contact (e-mail and instant messaging), as well as carrying out market studies and statistical analyses.

Consent (optional and able to be withdrawn at any time) given by individuals over the age of 16.

Art. 6, para. 1, letter a) GDPR.
 

 

36 months from the last “enabling interaction” of the data subject with the Data Controller, or until the consent of the data subject is withdrawn, if earlier.
Enabling interaction refers exclusively to the purchase of a KIKO product by the interested party. 

The provision of personal data is optional and is subject to your consent. You can withdraw your consent by accessing the reserved area of the website (Section “Privacy Settings”), accessing the App (by clicking on “Preferences – Personal Data”), or by writing to the email address. Such revocation shall not in any way affect the lawfulness of processing based on consents granted prior to revocation.
 

D) Profiling purposes: analysis of your preferences, purchasing habits, related behaviours and/or interests in order to send you personalised commercial communications.

Consent (optional and able to be withdrawn at any time) given by individuals over the age of 16.
Art. 6, para. 1, letter a) GDPR.

 

For the analysis of your consumption habits, where authorised by you, your purchases that have a historical depth not exceeding 36 months will be examined.

Nature of data handling: see purpose C).  
 

E) Communication/transfer of data to third parties (specifically, companies belonging to the same Group as the Company).
Your personal and contact data will be communicated to the third parties indicated above in order to carry out marketing activities (for example, sending by automated means of contact such as text messages, e-mails, social networks, instant messaging apps) concerning their products.

Consent (optional and able to be withdrawn at any time) given by individuals over the age of 16.

Art. 6, para. 1, letter a) GDPR.
 

 

For the technical time necessary to transmit such data to the aforesaid persons or until the consent is withdrawn if earlier.

Provision of data is optional. Therefore, your personal data will not be transferred if you do not give your consent. You may revoke these consents by accessing the reserved area of the website (Section “Privacy Settings”), accessing the App (by clicking on “Preferences – Personal Data”), or by writing to the email address.
Such revocation will not affect in any way the lawfulness of processing based on the consent granted prior to its revocation.
 

 

When the above retention time limits have elapsed, the Data will be destroyed, erased or rendered anonymous in accordance with the technical cancellation and backup procedures.


4. DATA RECIPIENTS 

Data may be processed by external parties acting as independent data controllers pursuant to Articles 4 and 24 of the GDPR, such as, by way of example, supervisory and control bodies and, in general, public or private entities entitled to request data, consultancy companies and/or professional firms and/or professionals, for example, legal, tax and insurance companies.
Data may also be processed, on behalf of the Company, by external parties designated as Data Processors appointed pursuant to Article 28 of the GDPR, to whom adequate operational instructions are given regarding the correct processing of your personal data. These parties essentially include, by way of example, the following categories: companies that provide e-mail delivery services; companies that provide maintenance and development services for the Website; companies that provide support in carrying out market studies; companies that provide after-sales services and consumer services; shipping and transport companies; companies that provide after-sales services and other marketing activities; KIKO Group companies for the provision of intra-group services and the management of purchases made at the stores of each Group company.
Your data may be processed by employees of the company departments responsible for carrying out the objectives indicated above, who have been expressly authorised for processing and have received appropriate operational instructions pursuant to and for the purposes of Article 29 of the GDPR.

 

5. TRANSFER OF PERSONAL DATA TO COUNTRIES OUTSIDE THE EUROPEAN UNION

In view of the global nature of the Company's activities, data may be transferred abroad to countries located within and outside the European Union, to entities (including KIKO S.p.A.'s affiliates) who, as the case may be, will operate as autonomous data controllers or data processors for the carrying out of the processing activities described in this Policy in connection with your use of our products and/or services. It is in any case understood that the transfer of personal data to countries located outside the European Union (including USA) shall be carried out in compliance with Articles 44 et seq. of the GDPR, implementing safeguards to ensure a proper level of data protection during the transfer of your personal data, such as:
- data transfer agreements incorporating the European Commission's Standard Contractual Clauses, to which our service providers operating in the United States adhere; or
- Adequacy Decisions adopted by the European Commission regarding third countries that provide an adequate level of protection;
- Additional measures required by applicable regulations and/or decisions of competent authorities.

 

6. YOUR RIGHTS AS A DATA SUBJECT - MAKING A COMPLAINT TO THE SUPERVISORY AUTHORITY

By contacting the Company and the DPO at , you may request access to the data concerning you (Art. 15 GDPR), the rectification of inaccurate personal data and/or the integration of incomplete personal data (Art. 16 GDPR), the erasure of your personal data in the cases provided for (Art. 17 GDPR), the restriction of processing in the cases provided for in Art. 18 of the GDPR.
In addition, pursuant to Article 20 GDPR, in relation to the processing purposes in this policy statement that are based on consent or on a contract and carried out using automated tools, you have the right to receive your personal data in a structured, commonly used and machine-readable format, and, if technically feasible, to transmit it to another data controller without impediment.
You have the right to object pursuant to Art. 21 GDPR, at any time, to data processing based on legitimate interest.
You have the right to withdraw your consent at any time for marketing and/or profiling purposes and/or communication/assignment of data to third parties, as well as to object to the processing of data for marketing purposes, including profiling related to direct marketing by accessing the reserved area of the website (Section “Privacy Settings”), by accessing the app (clicking on “Preferences – Personal Data”) or by writing to the email address.
Finally, you are entitled to lodge a complaint with the Supervisory Authority, i.e. the Italian Data Protection Authority.