Skip to main content

DATA CONTROLLER

KIKO S.p.A., with registered address at 24122 Bergamo, via Giorgio e Guido Paglia n. 1/D, VAT Number 02817030162, Fiscal Code 12132110151, te. 035280011 (the “Company”).
 

DATA PROTECTION OFFICER (DPO)

Email address: dpo.kiko@kikocosmetics.com

 

SOURCES OF PERSONAL DATA

Website www.kikocosmetics.com, app or other mobile devices, surveys and market researches carried out through automated means, KIKO physical stores.

 

PURPOSE OF THE PROCESSING

LEGAL BASE FOR THE PROCESSING

DATA RETENTION

A) Contract:

•    Performance of a sale contract between the Company and the data subject (non-registered user - website);

•    Performance of a contract, i.e. Membership in the the Kiko Kisses’ loyalty program (in store/online).

As a consequence of the abovementioned contract: enjoy the services provided by the company, both in store and/or via the website www.kikocosmetics.com (“Website”) or the App KIKO KISSES (“App”). For instance: after sale services; competitions; registration to the Website or to the APP; request of information through the contact section on the website or through instant messaging; make reviews on the products tested through your online account or through the dedicated sections; any other service provided by the Company.

 

Performance of a contract to which the data subject is party (or in order to take steps at the request of the data subject prior to entering into a contract, e.g. when requesting information through the contact section of the website www.kikocosmetics.com)

Art. 6, par. 1, letter b) GDPR.
 

 

For the duration of the contract and, after validity, for an ordinary period of 10 years.

Fulfilment of administrative/accounting obligations established by the applicable national law.

Fulfilment of a legal obligation

Art. 6, par. 1, letter c) GDPR.

For the duration of the contract and, after validity, for an ordinary period of 10 years.

B) Direct Marketing: dispatch, via automated contact means (email – instant messaging) of advertising material, newsletter, promotional and commercial communications concerning products and/or events of the Company, as well as market researches and statistical analysis.

Consent (optional and revocable at any time), given by subjects who are at least 16 years old.

Art. 6, par. 1, letter a) GDPR.

 

24 months starting from the registration/creation of your account Kiko Kisses, or until consent withdrawal if this is antecedent.

C) Profiling: analysis of your preferences, purchasing habits, related behaviours and/or interests in order to send you customized commercial communications.

Consent (optional and revocable at any time), given by subjects who are at least 16 years old.


Art. 6, par. 1, letter a GDPR.

 

In order to analyze your purchasing habits, if authorised, the Company will take into account the purchases you made in the last 12 months.

D) Communication/transfer of personal data to third parties (in particular: companies within the Group to which the Company belongs).
Your ID data and your contact details will be communicated to the abovementioned third parties in order to carry out direct marketing activities (e.g. dispatch of communications via automated contact means like sms, emails, social networks and instant messaging) concerning their products.

Consent (optional and revocable at any time), given by subjects who are at least 16 years old.


Art. 6, par. 1, letter a GDPR.

 

For the time that is strictly necessary to transfer your personal data to third parties or until consent withdrawal if this is antecedent.

Upon expiration of the abovementioned data retention periods, personal data will be destroyed, cancelled or anonymised according to the technical cancellation and backup procedures of the Company.


2.1 – PERSONAL DATA PROCESSED FOR CONTRACTUAL AND LEGAL PURPOSES 

ID Data, contact details, contractual details (e.g. customer code, product code, order number), fiscal data, data related to the purchases made by the data subject, data acquired during the registration on the Website, on the App or on other mobile devices, browsing data, information required by the data subject.

 

2.2 – PERSONAL DATA PROCESSED FOR DIRECT MARKETING PURPOSES

ID Data, contact details, contractual details (e.g. product code, total amount of the purchase), data related to the purchases made by the data subject, data acquired during the registration on the Website, on the App or on other mobile devices, browsing data, data provided by the data subject when asking samples to the Company and when testing the products. Personal data refers only to subjects who are at least 16 years old.

 

2.3 – PERSONAL DATA PROCESSED FOR PROFILING PURPOSES

ID, contact details, contractual details (eg. product code, total amount of the purchase), data related to the purchases, data related to the products seen and/or added to the cart but not purchased, data acquired during the registration on the Website, on the App or on other mobile devices, browsing data, data provided by the data subject when asking samples to the Company and when testing the products. Personal data refers only to subjects who are at least 16 years old.

 

2.4 – PERSONAL DATA COMMUNICATED/TRANSFERRED TO THIRD PARTIES

ID Data and contact details.

 

3. – PROVISION OF PERSONAL DATA

Provision of personal data indicated in paragraph 2.1 for purpose A of the Information Notice (Contract execution) is necessary in order to manage you purchase and perform the related services you requested. Any failure to provide such data shall entail the impossibility for you to place the order and enjoy the abovementioned services.

Provision of personal data indicated in paragraph 2.2 and 2.3 for purposes B and C of the Information Notice (respectively, direct marketing and profiling) is optional and bound by your consent. You have the right to wihdraw your consent at any time by entering into your account on the Website (Section “Privacy Settings”), by entering on the App (by clicking “Preferences – Personal Data”), or by writing an email at dpo.kiko@kikocosmetics.com. The consent withdrawal will not affect the lawfulness of the processing based on your consent (for marketing and/or profiling) previously given.

Provision of personal data indicated in paragraph 2.4 for purpose C of the Information Notice (communication/transfer of personal data to third parties) is optional. Hence, in case of refusal, your personal data will not be transferred.You have the right to withdraw your consent at any time by entering into your account on the Website (Section “Privacy Settings”), by entering on the App (by clicking “Preferences – Personal Data”), or by writing an email at dpo.kiko@kikocosmetics.com. The consent withdrawal will not affect the lawfulness of the processing based on your consent previously given. 
 


4. – CATEGORIES OF RECIPIENTS/RECIPIENTS OF PERSONAL DATA

Personal data could be processed by external subjects acting as Data Controller pursuant to articles 4 and 24 GDPR such as, for instance: public authorities or monitoring bodies, public or private bodies entitled to request personal data, consulting companies, professionals such as lawyers, tax consultants and insurance companies.

Personal data could also be processed by external subjects appointed by the Company as Data processor pursuant to article 28 GDPR. The latter have received from the Company the necessary instructions required for ensuring the proper processing of personal data. 
The abovementioned Data Processor are included in the following categories: companies offering e-mail sending services, companies offering the maintenance and implementation of the website, companies offering market researches services; companies offering after sale services and assistance to the consumer, shipping and/or trucking companies, companies offering marketing services, companies within Kiko Group in order to provide intra-group services and manage the purchases made in the store of each Kiko entity.
 

5. – SUBJECTS AUTHORISED BY THE DATA CONTROLLER 

Your personal data will be also processed by the employees of the Company who belong to the areas in charge for achieving the abovementioned purposes of processing. 

Such employees have been authorised by the Data Controller and have received adequate instruction in order to process personal data pursuant to article 29 GDPR.
 

6. – TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

Considering that the activities of the Company are performed at a global level, personal data could be transferred to countries inside or outside the European Union to subjects acting as Data Controller or Data Processor. It is understood that the transfers outside the European Union will be carried out according to the measures established by the relevant provisions. An adequate level of protection with reference to data subjects will be ensured.

 

7. – YOUR RIGHT AS DATA SUBJECT - COMPLAINT WITH A SUPERVISORY AUTHORITY

By contacting the company and the DPO at the address dpo.kiko@kikocosmetics.com, you have the right to obtain the access to your personal data (article 15), request their rectification (article 16), their erasure in the case provided by the law (article 17) or restriction of their processing (article 18). 

Furthermore, pursuant to article 20 GDPR, with reference to the purposes of processing based on the contract or consent which are performed via automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller without hindrance from the Company if technically feasibile.

You have the right to withdraw the consent given at any time for marketing and/or profiling activities, as well as the right to object any time to the processing of your personal data for marketing and/or profiling activities by entering into your account on the Website (Section “Privacy Settings”), by entering on the App  (by clicking “Preferences – Personal Data”), or by writing an email at dpo.kiko@kikocosmetics.com.

Finally, you have the right to lodge a complaint with the Supervisory Authority, that is to say the Italian Authority for the protection of personal data  (https://www.garanteprivacy.it/).

 

8. – UPDATE OF THE INFORMATION NOTICE

The Data Controller reserves the right to amend/update the present information notice at any time. For this purpose, you will find here below the date of the last update. 

   Last update: 21.09.2020
 

Notice in relation to the processing of the personal data of online customers COOKIE policy pursuant to regulation (eu) 2016/679 (“GDPR”) here >>

 

Information notice regarding the processing of users’ personal data in accordance with eu regulation 2016/679 (“GDPR”) - NEWSLETTERS here >>

 

Information notice regarding the processing of users’ personal data in accordance with eu regulation 2016/679 (“GDPR”) - CONTACT US - here >>