As the Controller for the processing of personal data within the meaning of "General Data Protection Regulation", KiffLab hereby informs on the following provisions regarding the protection of persons and other subjects as to the processing of their personal data. The processing of personal data is subject to the principles of correctness, lawfulness, transparency as well as the protection of confidentiality and of the rights of the data subject. Personal data may only be collected, processed and used in accordance with the provisions of the aforementioned regulation and the confidentiality obligations contained therein.
The Controller for the processing of personal data is KiffLab. Data protection officer can be contacted via: e-mail: firstname.lastname@example.org.
Data subjects are (a) the visitors of the website and (b) those persons who provide their data in the following manner:
by registering on the websites of the Controller
by registering for and using different services;
by purchasing goods through e-commerce;
by contacting (via telephone, fax, e-mail, etc.)
by subscribing to the brand newsletters of the Controller;
by registering for the periodically organized outdoor events by the Controller for its brands;
by participating in online and offline competitions;
by participating in partnership operations with third-party firms and
by making purchases during the periodically organized sample sales.
Purpose, legal basis of the processing and storage times of personal data
The personal data provided might be processed for the following purposes:
For website visitors: for the functioning of the website itself. The computer systems and programs used for the functioning of the website collect some personal data whose transmission is implicit in the use of internet communication protocols (e.g. IP addresses or domain name of computers used by users who connect to the website, URI addresses – Uniform Resource Identifier – of the requested resources, time of the request, method used to submit the request to the server, size of the file obtained in response, numerical code about the status of the response made by the server – good end, error, etc. – and other parameters relating to the operating system and computer environment of the user). Although this information is not collected to be associated with identified data subjects, by its nature it could, through processing and association with data held by third parties, allow users to be identified.
This data is used for the sole purpose of obtaining statistical information on the use of the website not associated with any user identification data, to check the correct functioning of the website and is deleted immediately after processing.
The data may be used to ascertain responsibility in the event of any computer crimes against the website.
The legal basis for the processing is therefore the legitimate interest of the Data Controller in the functioning and security of the website and the protection of its rights and the fulfilment of regulatory provisions.
For those users providing data according to point (b) of the previous point:
Use of the services offered and fulfilment of the purchase contracts concluded in the online store:
The personal data of the data subjects are processed in order to enable those persons to use the services and to fulfil and carry out the sales contracts concluded in the online stores. In particular, the data will be processed for the following purposes:
execution and fulfilment of the sales contract;
settlement of disputes;
customer billing history;
measurement of customer satisfaction;
tax or other legal requirements.
The processing of personal data in connection with the purposes mentioned in letter a) is not mandatory. If the data subject does not provide its personal data, the Controller may not be able to carry out the above-mentioned purposes and can therefore not guarantee the performance of the service and/or the fulfilment of the contract. The personal data that must be disclosed in order to use the services or to establish the business relationship are marked with an asterisk.
The legal basis of the processing for these purposes is the circumstance that it is necessary: for the performance of the contract to which the data subject is a party or of the pre-contractual measures adopted at the request of the latter; for the fulfilment of a legal obligation to which the Controller is subject. The protection of rights, by contrast, is based on the legitimate interest of the Controller. The legitimate interest of the Controller - in this case the performance of its business activity - also includes those data processing activities (inclusion in the management software or in the address book, analysis of turnover, checks on the quality of service, etc.) which, although not considered an obligation, are closely related to the performance of the contractual relationship.
The data will be stored for the entire duration of the contractual relationship, and, after the termination of the relationship – limited to the data necessary at that point – for the extinction of the contractual obligations assumed, for the fulfillment of any legal obligations, and for protection purposes which might be related or resulting from it; therefore, in general, personal data will not be stored more than 10 years after the conclusion of the contractual relationship.
Market studies and statistical purposes:
For these purposes, the data are processed exclusively in anonymous form, meaning that an identification of the person concerned is no longer possible.
The personal data may also be used for the following marketing activities:
sending newsletters of the brands owned by the Controller and newsletters informing about sample sales events;
sending periodic commercial communications regarding products and services offered by the Controller;
promotional activities also related to the transmission of advertising and promotional material.
The provision of data for the purposes mentioned under letter c) is not mandatory and the refusal by the data subject to consent to the processing for this purpose will have no negative impact on the business relationship with the Controller. The legal basis for such processing is the consent of the data subject, which may be withdrawn at any time.
For the purposes of direct marketing, the personal data of the data subject are stored until the previously given consent is revoked and, in any case, not longer than 48 months from the granting of consent.
Method of processing:
The personal data may be processed in the following ways:
processing of data through completion of factsheets, coupons and questionnaires;
processing by computer and automated means;
manual processing through paper-based archives;
processing of data collected by third parties;
transfer to third parties for processing operations.
With reference to marketing purposes, it is specifically pointed out that personal data may also be processed by means of:
electronic communications via e-mail, fax, MMS (Multimedia Messaging Service) or SMS (Short Message Service) or other types of messages;
the use of the telephone with operator and postal mail.
It is also specified that the withdrawal of consent or the refusal of the processing (see point 7 below) carried out through automatic means of contact (electronic communications made by e-mail, fax, Mms or Sms messages or other) will be understood as extending to the traditional ones (paper mail, call with operator), but it is still possible to exercise this right only in part, refusing, for example, only the sending of promotional communications through automated systems.
The data will always be processed in accordance with the principles set out in art. 32 GDPR.
The personal data provided will be kept at the headquarter of the Controller and will only be passed on to persons who are in a position to provide the necessary services for the correct handling of the business relationship with the data subject and the fulfilment of the contract, always under guarantee of the protection of the rights of the data subject. The personal data provided will be processed only by personnel expressly authorized by the Controller and specifically by the following categories of processors:
Group Brand & Marketing;
Group Business Development;
Group Retail BU;
Group Distribution BU.
Within the scope of its activity and for the purposes previously mentioned, the Controller may use the services of third parties who act either as autonomous data controllers or as data processors on behalf and under the direction of the Controller. Personal data may be transferred only for this reason to such third persons, and specifically to:
forwarding agents, carriers, delivery services, mailing providers, logistics firms;
consultants and professionals, in one-off disclosures or as part of a course of dealing;
banks and credit institutions;
providers of IT services.
The personal data may be transferred and disclosed to public bodies such as financial administration, police or judicial authorities, only to the extent required by law. Personal data will not be transferred outside the territory collected.
Rights of the data subject:
The data subject has the right to obtain from the Controller access, communication, rectification, integration, updating, cancellation and portability of personal data concerning him/her, as well as the right to exercise in general all the rights provided for as indicated below:
access to personal data: the right to obtain information free of charge about the personal data held by the Controller and the processing of said personal data, as well as to obtain a copy in an accessible format;
rectification of data: the Controller will correct or supplement incorrect or inaccurate data, including data which has become incorrect or inaccurate due to a non-carried out update, on the basis of a notice received by the data subject in this regard;
withdrawal of consent: if the processing is carried out on the basis of a consent previously given by the data subject, the latter may withdraw consent at any time, without affecting the lawfulness of the processing carried out before the withdrawal;
erasure of data (“right to be forgotten”): the data subject may request, for example, erasure when the data are no longer necessary for the purposes for which they were collected or processed or when they have been processed unlawfully, when they have to be deleted in order to fulfil a legal obligation, when the data subject has withdrawn consent and there is no other legal basis for the processing, or when the data subject objects to the processing;
restriction of processing: the data subject may request this in certain cases: where the accuracy of the data is contested, within the time necessary for verification; where the lawfulness of processing is contested and the data subject opposes to erasure; need to use the data for the data subject's rights of defense, while they are no longer useful for the purposes of processing; if there is opposition to processing, during the time the necessary verifications are carried out; the data will be stored in such a way as to be restored, but, in the meantime, they are not available for consultation by the Controller except for the sole purpose to verify the validity of the data subject's request or its objections;
objecting in whole or in part, for reasons related to the particular situation of the data subject, to the processing based on legitimate interests (and in certain circumstances the data subject may nevertheless object to the processing of his/her personal data: if personal data are processed for purposes of direct marketing, the data subject has the right to object at any time to the processing, including profiling to the extent that it is related to such direct marketing. It is however noted that in the specific case the newsletter is sent on the basis of the consent given by the data subject and therefore the simple withdrawal of consent by the data subject is sufficient to stop the processing);
data portability: if the processing is based on consent or on a contract and is carried out by automated means, upon request of the data subject, the latter will receive in a structured format, commonly used and machine-readable, the personal data concerning him/her and may transmit them to another controller, without hindrance by the Controller to whom he provided them and, if technically feasible, may obtain that such transmission is made directly by the latter.
The data subject has also the right to lodge a complaint with the Guarantor for the Protection of Personal Data in case he/she believes that the processing that concerns him/her violates the regulations on the protection of personal data. In any case, we would like to have the opportunity to address in advance any concerns of the data subject, who may contact the e-mail address email@example.com or the other contact details of the Controller or the DPO for any clarification regarding the processing of personal data concerning him/her and for the exercise of his/her rights, including the withdrawal of consent.
The Controller reserves the right to update this policy regarding the processing of personal data at any time for organizational reasons or in order to comply with new legal regulations. It is therefore recommended to visit this page regularly and to check the date of the last change indicated at the end of the page.