PRIVACY POLICY - CUSTOMER LOYALTY PROGRAM
This policy is drafted pursuant to and for the purposes of art. 13 of EU General Data Protection Regulation 2016/679 (GDPR) and Art. 130 of the Italian Privacy Code
WHY ARE WE PROVIDING YOU WITH THIS INFORMATION?
1. WHO IS THE DATA CONTROLLER? HOW TO CONTACT THE DATA CONTROLLER?
The Data Controller is Skinlabo Srl, with registered office in Turin (Italy) Postal Code 10122 - Via Pietro Micca No. 20, represented by its Pro Tempore Legal Representative, who can be contacted for any information at the following e-mail address privacy@skinlabo.com
HAS A DATA PROTECTION OFFICER BEEN APPOINTED? WHAT ARE THE DPO’S CONTACT DETAILS?
Skinlabo Srl has appointed its Data Protection Officer (DPO) pursuant to Articles 37, 38 and 39 of the GDPR. The DPO can be contacted at the Data Controller's premises indicated above and by e-mail at the following e-mail address dpo.skinlabo@dpoprofessionalservice.it
2. TYPE OF DATA THAT CAN BE PROCESSED
Personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3. PURPOSE OF PROCESSING, LAWFULNESS OF PROCESSING, DATA RETENTION PERIOD, NATURE OF DATA PROVISION
PURPOSE OF DATA PROCESSING A
A) Performance of the contract linked to the loyalty program membership
LAWFULNESS OF PROCESSING: data processing is necessary for the management of a contract to which the data subject is party (Recital 44) Art. 6 (1) (b) GDPR.
DATA RETENTION PERIOD: for the whole duration of the contract and, after termination, for a maximum period of 10 years after data collection.
NATURE OF DATA PROVISION: the provision of personal data is optional. Failure to provide the necessary personal data will result in the impossibility of participating in the customer loyalty program as defined in the customer loyalty program terms and conditions.
PURPOSE OF DATA PROCESSING B
B) HANDLING OF YOUR REQUESTS and of requests from other data subjects, pursuant to Art. 15 et seq. of the GDPR (data subject’s rights).
LAWFULNESS OF PROCESSING: data processing is necessary for compliance with a legal obligation to which the Data Controller is subject (Recital 45) Art. 6 (1) (c) GDPR.
DATA RETENTION PERIOD: 5 years after closing of the request, except in the event of litigation
NATURE OF DATA PROVISION: the provision of personal data is mandatory as it is required for the fulfilment of all legal obligations.
PURPOSE OF DATA PROCESSING C
C) Dispute prevention and management and other legal aspects and for representation in legal proceedings.
LAWFULNESS OF PROCESSING: data processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Recitals 47-50) Art. 6 (1) (f) GDPR.
DATA RETENTION PERIOD: 10 years, except in the event of objection to the processing and for the necessary time for representation in legal proceedings
NATURE OF DATA PROVISION: the provision of personal data is necessary.
Failure to disclose personal information shall be balanced with the legitimate interest of the Data Controller specified in the purposes of this section.
4. TO WHICH RECIPIENTS OR CATEGORIES OF RECIPIENTS WILL PERSONAL DATA BE DISCLOSED? DATA RECIPIENTS
The Personal Data provided may be disclosed, depending also on the purposes envisaged in specific areas, to recipients, who shall process them in their capacity as Autonomous Data Controllers or Data Processors (Art. 28 GDPR) and/or as individuals (natural persons) operating under the authority of the Data Controller and Data Processors (Art. 29 GDPR) on the basis of specific instructions given on the purposes and methods of processing, for the relevant purposes based on the specific areas. More specifically, data may be transferred to recipients in the following categories: entities/parties that provide services for the management of the website and of the communication networks, including e-mail, host and website management; entities/parties/companies with headquarters in Italy with which the Data Controller has signed business contracts (e.g. consultants, shipping and trucking companies etc.); social media channels; competent authorities who enforce the law and/or regulations issued by public bodies, upon request.
5. IS THERE A TRANSFER OF PERSONAL DATA TO A COUNTRY OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)?
Personal data are managed and stored in data centers in Europe. Transfers of personal data to countries outside the European Economic Area (EEA) may only take place when the conditions laid down in the applicable legislation are complied with and when an adequate level of data protection is offered by those countries. For information on guarantees regarding the transfer of personal data outside the EEA please write to privacy@skinlabo.com.
6. IS THERE ANY AUTOMATED DATA PROCESSING?
Personal data will be subject to traditional manual, electronic and automated processing. Please note that no fully automated decision-making processes are carried out.
7. RIGHTS OF THE DATA SUBJECTS
You shall be able to exercise your rights under Articles 15 et seq. GDPR by contacting the DPO by e-mail at the e-mail address dpo.skinlabo@dpoprofessionalservice.it or by contacting the Data Controller at the e-mail address privacy@skinlabo.com. You shall have the right to obtain at any time from the Data Controller access to your personal data (Art. 15), their rectification (Art. 16) or erasure (Art. 17), as well as the restriction of their processing (Art. 18). The Data Controller shall inform (Art. 19) each of the recipients to whom the personal data have been transferred of any rectification or erasure or restriction of processing carried out. The Data Controller shall inform the data subject of these recipients if the data subject so requests. Where envisaged, you shall have the right to the portability of your personal data (Art. 20), and if you so wish, the Data Controller shall provide you with the personal data concerning you in a structured, commonly used and machine-readable format. Moreover, you shall have the right to object at any time (Art. 21) to the processing of your personal data based on the legitimate interest and, when processing is based on consent, you shall have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
In the event that you consider that the processing of your personal data carried out by the Data Controller is in breach of the provisions of Regulation (EU) 2016/679, you shall have the right to lodge a complaint with the Data Protection Authority (*) of the Member State in which you are habitually resident or work or of the place where the alleged violation took place (* the Italian Data Protection Authority is called Garante Privacy and it can be contacted at https://www.garanteprivacy.it/). Moreover, you shall have the right to take appropriate legal action.
8. AMENDMENTS TO THE PRIVACY POLICY
The Data Controller reserves the right to amend, update, add or remove parts of this privacy policy at its sole discretion and at any time. In order to facilitate this review, the policy will contain an indication of the date on which the policy was updated.
Updated on: January 24, 2024