The company Angelini Beauty, S.A. (hereinafter referred to as “Angelini” or “Data Controller”), pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter referred to as “GDPR” or “General Data Protection Regulation”) and Organic Law 3/2018 of 5 December 2018 on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter referred to as “LOPDGDD”), provides the following information on the processing of the User’s personal data, as a user/visitor of the Website angelschlesserparfums.com website (hereinafter referred to as the “Website”).
- Data Controller and Data Protection Officer (DPO)
The Data Controller is Angelini Beauty, S.A., with registered offices at no. 1-3 Calle Josep Irla i Bosch, 08034 Barcelona, Spain, email: email@example.com.
The data controller has appointed a Data Protection Officer (DPO), who can be contacted directly at the following address: Data Protection Officer – DPO, no. 1-3, Calle Josep Irla i Bosch, 08034 Barcelona, Spain.
- Purposes of the processing and basis of legitimacy
All personal data that you provide are processed in accordance with the provisions of the law in a correct, lawful and transparent manner for the purposes set out below and on the basis of the following criteria of legitimacy (legal basis for processing).
|Purpose of data processing
|Legal basis for processing
|a) Fulfilment of legal obligations. In certain circumstances, we are required by law to use your personal data (e.g. to inform you of a potential security breach affecting your data and the measures we have taken to address the situation) [fulfilment of legal obligations].
|The processing of personal data for this purpose is a legal obligation for the data controller (Art. 6.1.c of the GDPR).
|b) Installation of technical cookies and other types of cookie in the browser.
|The processing of the User’s personal data with regards to technical cookies is based on our legitimate interest. The basis of this legitimate interest is that this type of cookie is necessary for the proper functioning of the Website.
- Categories of data processed
The Data Controller processes the following categories of personal data:
- In the event that the User needs to send communications or requests to Angelini (for the purposes of paragraph 2 letter a), the personal data necessary for the correct handling of said communication or request (in particular, name and surname, postal address, email address and telephone number) and any other personal data contained in the message.
- All data necessary to fulfil legal obligations (for the purposes specified in paragraph 2, letter c) (such as the User’s contact data for communications required by law or by authorities).
- Data sources
The Data Controller will obtain the User’s personal data:
- directly from the latter and their interaction with us.
- Data recipients
We will disclose the User’s personal data to third parties for the purposes of cosmetovigilance (purposes specified in paragraph 2, letter b) and to fulfil legal obligations (purposes specified in paragraph 2, letter c); said disclosure is obligatory insofar as required by law.
- Categories of recipients of personal data
For the aforementioned purposes (paragraph 2) and in relation to the recipients of the User’s personal data (paragraph 5), the User’s personal data may be disclosed:
- to persons authorised by the Data Controller to carry out personal data processing (employees or collaborators of the Data Controller).
- to Data Processors appointed by the Data Controller (suppliers of IT, technological and telematic services, Internet operators). The Data Controller ensures that access by data processors will be carried out in compliance with applicable regulations and in accordance with the instructions provided by the Data Controller.
- to autonomous Data Controllers of personal data (to handle your requests: couriers and shipping companies; for cosmetovigilance: national and European pharmaceutical and medicine agencies, other companies, also those belonging to the Angelini Group, linked to the Data Controller by licensing and distribution agreements, or in the event of transfer of cosmetic marketing licences; to fulfil legal obligations: public authorities).
The User’s data may also be transmitted, in compliance with the law, to tax, police, judicial and administrative authorities for the ascertaining and prosecution of criminal offences, the prevention of and protection against threats to public safety, to enable the Data Controller to ascertain, exercise or defend its rights in court, as well as for other reasons related to the protection of the rights and freedoms of third parties.
- Duration of storage of data
We store personal data for a limited period of time in accordance with the purpose of processing. After this period, the data will be permanently deleted or, in any case, irreversibly anonymised.
Personal data will be stored according to the terms and criteria specified below:
- For the handling of User requests (purposes as per paragraph 2, letter a) for a maximum period of 6 (six) months from the proper and full handling of the request.
- To comply with legal obligations (purposes as per paragraph 2, letter c) for a maximum period of 10 (ten) years from the end of the calendar year in which the Data Controller complied with the relative legal obligation, in order to document and be able to demonstrate correct compliance with the law (e.g. having suitably reported any security breaches that may have affected the User’s data, and the measures taken to deal with said situations).
For technical reasons, the termination of processing and the consequent erasure of the User’s personal data, or the anonymisation of the same, will take place within 30 (thirty) days of the aforementioned deadlines.
The above without prejudice to cases in which it is necessary to retain the data in question for a longer period for possible disputes, requests from competent authorities or in accordance with applicable law.
- Safety measures
Angelini Beauty SA has adopted security levels for the protection of personal data as legally required by current legislation and has installed all means and taken all possible technical and organisational measures to guarantee the security of personal data provided by the User and to prevent the destruction, loss, improper use, alteration, unauthorised access and theft of said data. Criteria such as the scope, context and purpose of processing, the state of the art and the associated risks were taken into account in determining said measures.
- Transfer of personal data outside the EU/EEA
The User’s personal data may be transferred to countries outside the European Union (EU) or the European Economic Area (EEA) in the event of an adequacy decision by the European Commission recognising said country or territory as safe (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).
The transfer of the User’s personal data to countries outside the EU/EEA that do not guarantee adequate levels of protection will only take place once the Data Controller and the recipients of the data have signed specific agreements containing adequate safeguards and clauses to guarantee the protection of the User’s personal data, referred to as “standard contractual clauses”, approved by the European Commission, or if transfer is necessary for the processing of the User’s requests and in the event that one of the exceptions provided for in Article 49 of the GDPR applies.
- Rights of Data Subjects
As a Data Subject, the User has the right:
- to obtain confirmation as to whether or not personal data relating to them are being processed and, if so, to obtain access to said data and related information (in particular, the purposes of the processing; the categories of personal data processed; the recipients or categories of recipients to whom the data have been or will be disclosed; the period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; the origin of the data; the existence of automated decision-making process, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; appropriate safeguards in case of transfer of personal data outside the EU/EEA), as well as a copy of said personal data, provided that the rights and freedoms of third parties are not affected (right to access).
- to obtain the rectification of inaccurate personal data concerning them, i.e. the correction, modification or updating of inaccurate or no longer correct data, as well as the right to have incomplete personal data completed, including by means of providing a supplementary statement. (right to rectification).
- to obtain the erasure of personal data concerning them if, in particular, (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; or (ii) the personal data have been unlawfully processed; or (iii) the personal data have to be erased for compliance with a legal obligation; or, lastly, (iv) the data subject withdraws consent on which the processing is based (see “right to object” below) and where there is no other legal ground for the Data Controller to continue with processing (right to erasure). Erasure may not be carried out if, in particular, processing is necessary for the fulfilment of a legal obligation or for the establishment, exercise or defence of legal claims.
- to obtain from the controller restriction of processing, i.e. that the controller retains said data without the power to use them. This right may only be exercised if, in particular, (i) the accuracy of the personal data is contested, for a period enabling the Controller to verify the accuracy of such data, or (ii) the processing of the data is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead, or (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claim, or (iv) the data subject has objected to processing (see “right to object” below) pending the verification whether the legitimate grounds of the controller override those of the data subject (right to restriction of processing).
- to receive the personal data concerning them, which have been processed in accordance with a contract, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller (right to portability).
- to withdraw the consent granted to the Controller for the processing of their data (right to withdraw consent).
Furthermore, as a data subject, the User may also assert the right to object, which means that:
- they may object at any time, for reasons related to their particular situation, to the processing of personal data concerning them for certain specific purposes. In this case, the data controller will refrain from any further processing of their personal data.
In order to exercise these rights, the User may contact the Data Controller at any time by writing to Angelini Beauty, S.A., at Calle Josep Irla i Bosch, 1-3, 08034 Barcelona, Spain, or at the email address firstname.lastname@example.org.
If the User believes that their request has not been handled correctly or that we have processed their data in violation of the regulations in force, they have the right to lodge a complaint with the competent data protection authority, i.e. the Spanish Data Protection Agency (AEPD) at the following link: https://www.aepd.es/es (right to lodge a complaint).
The complaint may also be submitted to a data protection authority other than the Spanish authorities if said authority is that of the EU Member State where the User normally resides or that of the place where the alleged breach occurred.
- Cookies and similar technology
- Links to other websites
The Website may contain links to third-party websites.
Angelini can provide no guarantee, and assumes no responsibility, for the contents and information provided by said third parties, for their completeness or accuracy, nor for the content of third party websites or for the products and services potentially provided through third party websites, nor for the processing of personal data of users/visitors by said third parties.