Customer Service
If you reside in the United Arab Emirates, United States of America, Canada, Great Britain, Switzerland, Saudi Arabia, please refer to this information
NOTICE REGARDING THE PROCESSING OF PERSONAL DATA
In carrying out our business, it may be necessary to acquire information or data, and the processing thereof is carried out in compliance with current legislation (GDPR) and, for this reason, the necessary information concerning processing is provided.
Updates and Changes
The Data Controller reserves the right to modify, integrate or periodically update this Policy in compliance with applicable legislation or measures adopted by the Italian Data Protection Authority. The aforementioned changes or additions will be brought to the attention of those concerned. We invite all parties concerned to read the Privacy Policy and Notice on a regular basis, to check for any updates and to decide whether or not to proceed with the relationship and related data processing.
Data Controller
The Data Controller is Cris Conf S.p.A., with registered office in Strada Comunale per Fornio, 132, 43036 Fidenza (PR), e-mail PinkoPrivacy@pinko.com (also named the "Controller" or simply "PINKO").
The Data Protection Officer ("DPO") appointed by the Data Controller pursuant to articles 37 et seq. GDPR can be contacted by sending an email to the address: dpo@pinko.com
Recipients (data subjects)
This notice concerns data relating to customers, consumers and others interested in knowing about specific projects and/or products and/or services promoted/supplied by PINKO, including the recipients of digital lead-generation campaigns.
Means of Collecting Data, Source of Data and/or acquisition of Data
Data subjects provide data via paper-based and/or electronic forms, available online or at direct, partner and franchisee stores, giving their informed consent, where necessary and/or requested.
In addition, in some instances, after providing your express consent, certain data and information, including those relating to connected third parties, may be sourced from public and/or publicly available lists and databases.
Purpose of Data Processing
The purposes of processing are detailed below for each specific case.
Sale of goods and services, after-sales service, fulfilment of your requests and fulfilment of legal obligations
Your data may be necessary to make a purchase (via the website and/or from our stores), for related obligations, to make shipments, provide after-sales services (should you contact Customer Service, we will be able to follow up on your requests), and comply with applicable laws and/or regulations, which may also concern Tax Refunds. The provision of data relating to your order history for managing billing and shipping addresses, checking the status of your orders, managing payments with digital tools (by way of example and not limited to: credit cards, PayPal, bank transfers, etc.) and making return requests, as well as managing your subsequent requests, completing the obligations connected to it and providing you with the related services, falls within the prerogatives of the contractual relationship, as well as in the fulfilment of legal obligations, therefore express consent is not required for such data for the purposes described.
This provision is functional to the sale and marketing of products / services and/or to provide you with our after-sales assistance, as well as to respond to specific requests from customers and consumers (including potential ones), and to satisfy your requests. Your data will be processed and stored for the entire period necessary to achieve the purposes indicated above, and in any event, for a maximum of 10 years from your last purchase (in line with the limitation period set by the applicable legislation).
The legal basis for the processing of your data is the execution of the contract or pre-contractual measures adopted on request, and/or the fulfilment of legal obligations on the part of the Data Controller (art.6 comma 1 letts. b and c).
E-Commerce
In the specific case of e-commerce, Pinko relies on FiloBlu Spa, C.F./P.IVA 04274870288, with registered office in Santa Maria di Sala (Ve) via Caltana 116/c, and RetailTune P.IVA IT02889890345, with registered office in Vicolo Campanini Zefirino 1, 43121 Parma, as joint data controllers who jointly manage your data based on specific agreements. FiloBlu has appointed a Data Protection Officer (DPO) pursuant to Articles 37 et seq. GDPR, who can be contacted at: dpo@filoblu.com.
In this context, the following personal data are processed:
Contact details
Your first name and surname, delivery and billing address, telephone number, email address;
Identification data
Your IP address, your login data, browser type and version, time zone setting, plug-in types,
geopositioning information regarding your probable position, operating system and related versions, etc.
Each time you make a purchase—even if you do so as an unregistered guest—and use the email address for a previously registered profile, our offices
may detect a link to an existing account containing the information.
Data relating to the use of www.pinko.com
Your browsing path through the website www.pinko.com (Clickstream analysis), your displaying of products
and services, load times and page responsiveness, download errors, browsing time, behaviour and other
actions, etc..
We process your data only for:
- Use of the site and management of services:
Your data is processed to allow registration on the Website, access to and supply of the services reserved to users registered on the Website and sending via the Website of a purchase order for the products available on the Website, with the consequent conclusion of the related contract of sale with FiloBlu, including any administrative and accounting formalities. In this case, the legal basis is the contract and the legitimate interest.
- Fraud prevention
In some cases, in order to finalize your purchase, it may be necessary to carry out some additional checks with a view to preventing fraud and, therefore, you may receive communications, also by email from our dedicated account, in which we will ask you to send us the authorization code and a copy of the credit card used for the purchase, on which we ask you to obscure the eight central digits. The data collected in this way will be retained for 1 (one) year from the time of their collection for evidentiary purposes, to cooperate with the judicial authorities and to deal with any disputes that may arise in this regard. In this case the legal basis is the contract and the legitimate interest of the Controller. We guarantee that the data collected in this way will be processed in full compliance with the regulations in force for the safeguard and protection of personal data and may have to be shared with third parties who process credit or debit card payments and perform anti-fraud checks, banks, judicial authorities.
- Customer support
Communicating changes to our services, customer support via live chat, phone or email, including the correction of any bugs. In this case, the legal basis is the contract.
- Marketing
Your data is processed in order to send advertising material and newsletters, to provide commercial information by telephone, SMS, email, and also using traditional methods (e.g. sending catalogues by post), about promotional and sales initiatives of Pinko, to conduct market research and surveys on customer satisfaction. In this case, the legal basis is your consent.
- Profiling
With the sole aim of offering things, as far as possible, in line with your interests, we will perform certain analyses on aggregate data but without conducting any profiling on your specific habits. In this case, the legal basis is legitimate interest. In any case there is absolutely no automatic decision-making process concerning you.
Data retention for e-commerce is:
- 30 days for browsing management and analysis data;
- 12 months from the last use of the service or from the closure of your account, for types of processing related to the use of the e-commerce portal and for data used for internal statistics and analysis;
- 24 months for warranty management on marketed products;
- 10 years from the end of transcription on accounting and tax records for the issuance of tax documents and related accounting records linked to your purchase via the website;
- unless legal obligations require us to keep your data for a longer period;
- for the promotional and marketing activities described above, for a maximum period of 5 years from your last purchase or interaction with another initiative.
At the end of this period, the data will be automatically deleted or permanently anonymized; in any case, you may decide to delete your registration at any time, using the methods indicated in this notice.
Klarna
In order to offer you Klarna’s payment methods, we might in the checkout pass your personal data in the form of contact and order details to Klarna, in order for Klarna to assess whether you qualify for their payment methods and to tailor those payment methods for you. Your personal data transferred is processed in line with Klarna’s own privacy notice.
Browsing the company's website and cookies
During navigation on pinko.com, cookies are used. In this regard, please refer to the specific notice.
Dispute management
Your data may also be processed in order to protect a right of the Data Controller in out-of-court, administrative or judicial proceedings. In this case, the legal basis for this processing is to ascertain, defend and/or exercise a right in an out-of-court, administrative or judicial setting.
For this purpose, the Data Retention is set at a maximum of 20 years, in accordance with the applicable statute of limitations.
Registration with PINKO
The customer can be recognised as such when accessing the e-commerce site or in the "PINKO brand" stores both in Italy and abroad, also to benefit from the advantages connected to it: in this case the customer is required to proceed voluntarily and independently upon registering with PINKO.
In this sense, Cris Conf informs you that your personal data may be visible and processed in PINKO-brand stores all over the world by all authorised personnel: it will be up to you, on each occasion, to decide whether or not to be recognised as customer by providing your name at the time of purchase of the product or service.
The PINKO Site(s) has a reserved section - where you can register voluntarily beforehand and create a personal profile - in order to allow you to save your favourite products in the appropriate wishlist, store and consult your order history, manage billing and shipping addresses, and check the status of your orders, as well as manage your credit cards and make return requests, and manage all your subsequent requests, satisfy related obligations and provide you with related services.
For the purpose of registering on the site and managing the services, the legal bases of the processing are those of the execution of the contract/pre-contractual requests made by the data subject and the legitimate interest of the Data Controller. The provision of such data is necessary, any refusal will make it impossible to proceed with registration/creation of a personal profile.
Your personal data will be processed by Cris Conf until you decide to cancel your registration, in the manner indicated in this Policy, except for data that must be kept for a specific legal obligation.
Reply to an information request
Your personal data will be processed by Cris Conf only for the time necessary to respond to your request.
In particular cases, by express choice of the data subject, data may also be provided by sending a message (email addresses, telephone messaging, chats such a WhatsApp and similar, or social networks), containing their personal data and/or contact details.
In this case, the data subject is aware that this implies the use of the (above) third-party social systems, and it is evident that Cris Conf cannot intervene either on the technical aspects, or with reference to the policies of these third parties, and therefore it is not responsible, and cannot be held liable, for the functioning and effects deriving from their use. Therefore, the data subject will need to read the information about these third parties, and it is their responsibility to specifically evaluate the effects on their personal sphere, before using them.
It is further clarified that - for example - by sending a message, the data subject is expressing their free will and choice to use this channel, also authorising Cris Conf to reply on the same channel/address used by the data subject.
The personal and contact data are processed by Cris Conf for the fulfilment of a direct request from the data subject (pre-contractual requests and/or execution of the contract by the data subject), which does not require an express consent.
Marketing activities
If you would like to be kept up-to-date about the latest products and services provided by Cris Conf, you may sign up for our marketing initiatives. This enables Cris Conf to send you, through classic channels (e.g. mail, telephone calls, etc.) or computer and/or automated means (e.g. messaging systems, telephone calls without an operator, etc.), informative, advertising and/or promotional material, and to invite you to commercial events, by filling out the appropriate form.
The legal basis for the processing of personal data for marketing purposes, i.e. for sending communications of a promotional and commercial nature, also processing information about the purchase choices made, for the sole purpose of improving communication based on your preferences (profiling for marketing purposes) is at the data subject’s consent, expressed in one of the methods provided (digital or paper ).
Please note: as Cris Conf does not intend to carry out promotional activities directed at minors, age declaration will be required when providing data for this processing purpose.
Your personal data for processing will be handled by Cris Conf for the marketing purposes set out above for a maximum period of 5 years from your last purchase or interaction with another initiative. When this period expires, your data will be automatically cancelled, or permanently made anonymous; in any event, you may decide at any time to cancel your registration, in the manner set out in this policy.
Type of Data Collected and Processed
For the specific purposes outlined in this Notice, in accordance with your choices and willingness to provide consent where required, the Controller will process the following personal data: personal information (e.g. first name, surname and date of birth); contact and contact details; payment information (card details or payment details); data relating to purchases (date, place, quantity and type, consumer preferences); technical data relating to Website browsing; and, in the case of Tax Refund requests, Passport information. This information is personal in nature and, in some cases, can be classed as 'special' and/or 'sensitive'. If the data subject concerned provides information about third parties, it is his/her responsibility to inform them of the processing in progress.
Means of Processing Data
Data are processed in the following ways:
- lawfully and fairly, in accordance with regulations in force, to ensure that data remain confidential;
- by both electronic and non-electronic means (e.g. on paper);
- by persons (natural and legal) duly authorised to carry out such tasks, who are constantly identified and properly trained;
- with safety measures to guarantee the security of the subject to which the data refer and to avoid undue access to non-authorised third parties.
In addition, data will be entered, processed and stored in a CRM database accessible from all countries (a complete and updated list of which is available both at the Website and at the head office) in which Cris Conf is present, through its subsidiaries, franchisees, partners and the like, meaning that data may also be processed outside the countries of the European Union.
Mandatory and/or Optional Data Provision/processing and Consequences of Refusal
Processing is mandatory where required (and expressly indicated) for carrying out the activities described above.
The individual purposes specify the consequences of any refusal to process data, which could make it impossible or difficult to carry out what is contractually required.
Where the basis for the processing is identified in the consent of the data subject, it should be noted that they have the right to withdraw this consent at any time, without this affecting the lawfulness of the processing prior to the withdrawal.
Duration of processing and data retention
The data will be processed for the time necessary to fulfil the purposes detailed above or for the entire duration of the contractual relationship established, and also after the relationship comes to an end in order to fulfil any arising obligations, and/or for defence in court, in accordance with the regulations imposed by current legislation. Data retention is specifically indicated for each purpose detailed above.
Where the basis for the processing is identified in the consent of the data subject, it should be noted that they have the right to withdraw this consent at any time, without this affecting the lawfulness of the processing prior to the withdrawal.
Disclosure of Data to Third Parties
In order to carry out the activities and fulfil the purposes detailed above and in relation to the management and corporate model adopted, the data may be communicated to the categories of subjects listed below, which are duly authorised to process data, in their capacity as independent data controllers or data processors.
Categories of external parties to whom data are transferred
- External parties that Pinko uses for the marketing of products/services (e.g. retailers, franchisees, partners, etc.);
- Supervisory and control authorities and bodies; professionals, companies and partners to whom we have outsourced certain tasks and/or whose services/advice we use (e.g. administrative, tax-related, control, audit, certification, IT-management, promotional and advertising tasks, and professionals, collaborators and consultants, partner companies);
- subsidiaries and associates of Cris Conf spa;
- partners for the organisation of special projects;
- banks, credit and financial institutions, payment systems, insurance companies.
A comprehensive and up-to-date list is available upon request from the registered office of the Data Controller.
Dissemination of Data
Data and information shall not be disseminated.
Transfer Abroad
Your personal data will be included in a CRM database accessible from all countries in which Cris Conf is present through its subsidiaries (which are Joint Data Controllers). This involves the transfer of your personal data to countries outside the European Union: these transfers are, in all cases, guaranteed by adequacy decisions issued by the European Commission or by standard data protection clauses adopted within the framework of relations between the companies of the Controller's corporate group.
The list of Joint Data Controllers is always available from the PINKO head office. You may request a copy of your data that has been transferred outside the EU, as well as information regarding the specific safeguards in place for each non-EU country, by sending a specific request to PinkoPrivacy@pinko.com.
Exercisable rights of the Data Subject
Exercisable rights
The data subject shall have the right to receive confirmation as to whether or not personal data concerning him/her are being processed. In addition, the data subject has the right to access the data and the following information:
- the purposes of processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly if these are recipients in non-EU countries or international organisations;
- where possible, the proposed retention period for personal data or, if this is not possible, the criteria used to determine said period;
- the existence of the right of the data subject to request that personal data are rectified or erased, that the processing of personal data concerning him/her is restricted, or to object to said processing;
- the right to lodge a complaint with a supervisory authority;
- if the data are not collected from the data subject, all available information regarding their origin;
- the existence of automated decision-making processes, including the profiling referred to in article 22, paragraphs 1 and 4, and, in certain cases at least, meaningful information about the logic used, as well as the importance and envisaged consequences of such processing for the data subject.
The data subject shall have the right to obtain, without undue delay, the rectification of inaccurate personal data concerning him/her. Taking into account the processing purposes, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him/her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent and if there is no other legal basis for processing (e.g. legal obligation);
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing (e.g. legal obligation);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
- the personal data have been collected in relation to the offer of information society services;
- the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to article 21, paragraph 1, pending the verification whether the legitimate grounds of the Controller override those of the data subject.
- the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and b) the processing is done using automated means.
- In exercising his/her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
- The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
Deadlines and timing
The Controller shall provide the data subject with information regarding actions taken in relation to a request without undue delay and, at the latest, within one month of receipt of the request. In accordance with the GDPR, this time limit may be extended by two months, if necessary, taking into account the complexity and number of requests: in this case, the Controller shall inform the data subject of such extension and of the reasons for the delay, within one month of receipt of the request. If the data subject submits the request by electronic means, the information shall, where possible, be provided by electronic means, unless otherwise specified by the data subject. Any data subject may contact us by email (via the above-mentioned addresses) to exercise their rights and for any clarifications related to this Policy.