
POLICY STATEMENT ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLE 13 OF REGULATION (EU) 2016/679 (“GDPR”)

DATA CONTROLLER - KIKO S.p.A., with registered office at Via Giorgio e Guido Paglia No. 1/D, Bergamo (24122), VAT No. 02817030162, Tax Identification No. 12132110151 (the “Data Controller”).

DATA PROTECTION OFFICER (DPO) - Email address: dpo.kiko@kikocosmetics.com 

PERSONAL DATA PROCESSED

“Data” means your data (first and last name, email address) provided during a request for assistance or a complaint. If you refuse to provide such data, your request for assistance or complaint cannot be submitted and the Data Controller cannot proceed with the management and evaluation of your request.
Special categories of data (e.g. data related to your health) will not be collected or otherwise processed by the Data Controller. If you voluntarily provide such data (e.g. by attaching reports, diagnostic tests or other information relating to your health), you are hereby informed that the Data Controller will not process such data in any way and will consequently destroy or make such data permanently anonymous.
 

PURPOSE OF PROCESSING, LEGAL BASIS FOR PROCESSING AND DATA RETENTION PERIOD

A) The data provided when filling out the request for assistance form or for submitting and managing a complaint shall be processed by the Data Controller in order to respond to your requests for assistance and/or information on the Data Controller's products/services, or to your complaint regarding the quality of a product, the side effects caused by product use, the damage resulting from the improper use of the products by store staff or by others (e.g. online orders, prices charged).
Legal basis for processing: Fulfilment of contractual obligations or pre-contractual measures. Art. 6(1)(b) GDPR.
Data retention period: For the entire phase of the submission, management, assessment and processing of the complaint and up to 4 years after the closure of the complaint for “critical” cases. The data related to your requests for assistance and/or information or your complaints related to non-critical cases will be kept for 365 days after the closure of the complaint.

B) To fulfil administrative and accounting obligations established by applicable national legislation.
Legal basis for processing: The need to comply with a legal obligation. Art. 6(1)(c) GDPR.

C) If necessary, to ascertain, exercise and/or defend the rights of the Data Controller in legal proceedings.
Legal basis for processing: Legitimate interest of the Data Controller. Art. 6(1)(f) GDPR.
Data retention period: In the event of a legal dispute, for the entire duration of the dispute, until the time limits for appeal have been exhausted.

D) To allow you to take part in a customer satisfaction survey. This allows the Data Controller to gather assessments and feedback on your experience of the service.
Legal basis for processing: Legitimate interest of the data subject. Art. 6(1)(f) GDPR.
Data retention period: Your data and the information you enter in the survey will be kept for 365 days after completion of the survey. This is always without prejudice to your right to object, which may be exercised in accordance with the procedures for exercising your rights set out at the end of this policy statement. You may also object to the processing without responding to the survey. In this case the link to fill in the survey will cease to be valid 15 days after sending your objection. You will not be prompted to fill in the survey unless you decide to submit a new complaint more than 90 days after sending the previous complaint. The procedures for exercising your right to object will be the same if you submit a new complaint.


Once the above retention terms have expired, the data will be destroyed, deleted or made anonymous in accordance with the technical cancellation and backup procedures.

PROVISION OF DATA

The provision of data is mandatory for purposes A), B) and C), i.e. for sending a request for assistance or a complaint, to comply with the regulatory obligations related to the management of your request and for exercising/defending a right in any legal proceedings. If you refuse to provide the data, we will not be able to satisfy your requests and/or fulfil the resulting obligations. 
The provision of the data for purpose D) is required by the Data Controller’s legitimate interest but you can always object to the processing by means of the procedures set out in this policy statement.
 

DATA RECIPIENTS

The data may be communicated to external entities operating as data controllers (such as, by way of example, supervisory and control bodies and authorities and, in general, public or private entities who have a right to request the data) or may be processed on behalf of the Data Controller by entities appointed as data processors pursuant to Article 28 of the GDPR, acting under the specific instructions of the Data Controller.
These entities include, but are not limited to, the following categories:
a)    companies of the Data Controller’s Group headquartered at the customer’s place of residence;
b)    companies that provide customer support services;
c)    companies or entities that provide IT services, IT systems maintenance or management services, or other services to the Data Controller that are necessary for the processing of your data for the aforementioned purposes.
 

PERSONS AUTHORISED TO PROCESS PERSONAL DATA 

The data may be processed by employees of the company departments responsible for the pursuit of the aforementioned purposes, who are expressly authorised for the processing and have received appropriate operating instructions pursuant to Art. 29 GDPR.

 

TRANSFER OF PERSONAL DATA

In view of the global nature of the Data Controller’s activities, the data may be transferred to countries located outside the European Union, to entities that, as the case may be, will operate as autonomous data controllers or data processors. It is in any case understood that the transfer of personal data to countries located outside the European Union will be carried out in accordance with the measures established by the applicable legislation, ensuring that the transfer takes place on the basis of an adequacy decision or, failing this, on the basis of adequate guarantees pursuant to Articles 44 et seq. of the GDPR. 

RIGHTS OF DATA SUBJECTS – COMPLAINTS TO THE SUPERVISORY AUTHORITY

By contacting the Data Controller, by post to KIKO S.p.A., Via Giorgio e Guido Paglia No. 1/D 24122 Bergamo, for the attention of the Privacy Officer, and the DPO by email to dpo.kiko@kikocosmetics.com, data subjects may at any time ask the Data Controller for access to the data concerning them, their erasure, the rectification of incorrect data, the completion of incomplete data, the restriction of processing in the cases provided for by Article 18 of the GDPR, and to object to the processing in the legitimate interests of the Data Controller.
In addition, in the event that the processing is based on consent or contract and is carried out by automated means, you have the right to receive the data in a structured, commonly used and machine-readable format, and, if technically feasible, to transmit it to another data controller without hindrance.
Finally, you have the right to lodge a complaint with the competent Supervisory Authority in the Member State where you have your residence, where you work or otherwise reside, or where the object of the complaint took place.