Privacy Policy

Privacy Policy Statement – Article 13 of legislative decree no. 196 of 30 June 2003.

This information is given in accordance with the provisions of Legislative Decree No. 196 of 30 June 2003 (Data Protection Code) and in accordance with the applicable EC directives. It applies to anyone using the Website www.pinko.com (the “Buyers” and the “Website”), owned by Cris Conf SpA. ("Cris Conf"), and anyone browsing on the Website or using its services, regardless of whether or not they buy any products.

Please note that this Privacy Policy only covers the browsing of this Website, and does not cover any other websites that may be visited by the Buyer through the links on the Website, even if those websites are owned by Cris Conf or its subsidiaries, affiliates or parent companies (Article 2359 civil code); in such cases, the Privacy Policy on each of the Websites will apply.

Browsing of the Website by the Buyer implies automatic acceptance of this Privacy Policy.

1. Data controller, data coordinator and authorised persons

   The data controller is Cris Conf S.p.A., Strada Comunale per Fornio, 136, 43036 Fidenza (PR), tax code and VAT number 01516210349, email info@pinko.com; Cris Conf has autonomy to decide the purpose and method of data processing, and the security procedures to be used in order to guarantee the confidentiality, integrity and availability of the data.

   Cris Conf may designate one or more persons as data coordinators, as defined in Article 29 of the Privacy Code.

   The updated list of all data coordinators can be obtained from the head office of Cris Conf. For more information please send an email to info@pinko.com.

   The data coordinators carry out their activities in accordance with the instructions given by Cris Conf, and under its control. Cris Conf will periodically check that the data coordinators have fulfilled their duties and that they continue to provide appropriate guarantees of full compliance with the laws on data protection.

   Buyers’ data will be processed by persons authorised for that purpose, instructed by, and operating under the direct authority of Cris Conf or of the data coordinators.

2. Type of data processed; option to provide personal data

   2.1. Browsing data

   Browsing of the Website will result in Cris Conf obtaining “browsing data”, the transmission of which is implicit in the use of Internet communication protocols.

   This category of data includes IP addresses, browser type, operating system, domain names and website addresses from which the site was accessed or left, information about the pages visited by the Buyer within the Website, the time of access, the length of time spent on each page, an analysis of the internal pathways and other parameters relating to the operating system and digital environment of the Buyer, and data from cookies (for cookie regulations please see the Cookie Policy https://www.pinko.com/en-rs/customercare/cookies-policy.html ), and/or similar technologies such as pixel tags and web beacons (for the relevant regulations, please see the Cookie Policy).

   This technical/digital data is only collected and used in aggregate, anonymous form and may be used to verify responsibility for any computer crime against the Website. Therefore “browsing data” does not in itself identify the Buyer.

   2.2. Data supplied voluntarily by the Buyer

   The Website offers certain services for which the Buyer is required to provide additional details, known as personal data. For example, registration on the Website, access to reserved areas and the purchase of Cris Conf products and services are all activities that require the Buyer to provide personal data that will enable Cris Conf to unequivocally identify an individual, such as: name, surname, date of birth, residential address and/or domicile, telephone number, email address and credit card details.

   The provision of this data is optional, but is obligatory to enable the Buyer to access certain services on the Website. Refusal to provide details will have no consequences for the Buyer, but without them, Cris Conf will be unable to provide the Buyout with certain services.

   In order to promote and improve its products, services and content, Cris Conf may aggregate any personal and non-personal data. In such a case the non-personal data will be processed as personal details, for as long as it is aggregated with the latter.

3. Method and purpose of processing

   Personal data is mainly processed using electronic and remote means, by Cris Conf or by any other person appropriately selected for their reliability and competence, who provides the operations necessary for the use of the Website, its services and the purchase of products on the Website.

   The specific methods and purposes of the processing of the Buyer’s personal data will be indicated from time to time in the Privacy Policy statement (Article 13 Privacy Code), to be provided by Cris Conf to the Buyer when the Buyer provides his or her personal details.

   In general, the processing of the Buyer’s data by Cris will enable:

   A) registration on the Website or acceptance of the services offered by Cris Conf through the Website;

   B) the execution of activities that are connected, instrumental or necessary for the supply of Cris Conf services, including the communication of data to third-party companies who may provide essential or related services, or for the management of payments on the Website:

   C) customer satisfaction surveys and user preferences;

   D) the management of payments, including antifraud checks for payments made by credit card;

   E) the management of Buyers’ technical and commercial requests, regarding the progress of orders, and other queries;

   F) the sending, with consent, of advertising, informative and commercial materials (for example newsletters) and the provision of processed data to third parties for sales, attempted sales, or for any commercial and/or statistical purpose that is permitted by law. Consent to the sending of commercial and promotional materials (Articles 130 (1) and (2) – “direct marketing”) implies consent to the receipt of those communications not only through automated means but also through traditional methods (ordinary post and non-automated phone calls). In these circumstances the Buyer may provide his or her consent to receiving these communications only by traditional contact methods;

   G) the profiling of customers registering on the Website or carrying out purchases on the Website in order to allow Cris Conf, with consent, to process the decisions, habits and consumer preferences of the Buyer and therefore, to: (i) send the customers personalised texts relating to products and services offered by Cris Conf; (ii) cross-check data collected for different purposes, from among the services provided to the Buyer; (iii) use other forms of identification other than cookies (e.g. login credentials, fingerprints etc.) in order to monitor specific actions or behaviours in the use of the functions provided to the Buyer.

   Cris Conf will observe the need-to-know principle, in the processing of any data that may directly or indirectly identify the Buyer. Therefore, the Buyer’s details will not be processed if the purpose pursued in each case can be achieved through the use of anonymous data (such as market research aimed at improving the service) or by other means that enable the identification of the Buyer only in the case of need, or at the request of the authorities or police (for example, data relating to traffic and the length of time spent on the Website or the IP address).

   The Buyer’s data will be disclosed to third parties only with the express consent of the Buyer, except in cases in which it is required to be disclosed by law, or is necessary for purposes provided for by law, for which the Buyer’s consent is not required; in such cases the data may be provided to third parties who will process it autonomously and only for the above purposes (for example, if a request is made by the police, the courts or other authorities, or in order to fulfil obligations deriving from the contract with the Buyer, as in the case of payment communications).

   Any use other than the specific use for which the Buyer provided the data will be mentioned in the information and will only be followed up by Cris Conf with the express consent of the Buyer.

   For certain uses of data, consent is not required by law. For example, personal data may be used without consent of the Buyer if necessary in order to fulfil a legal obligation or to fulfil the contractual obligations towards the Buyer.

   Under Article 130 (4) of the Privacy Code, Cris Conf may use the Buyer’s details without having to obtain express consent, for the direct selling of products similar to those already bought by the Buyer, and for opinion surveys provided that the Buyer has not refused this use of details for the email address communicated to Cris Conf.

   The Buyer’s personal data will not be transferred to non-EC countries that do not provide adequate levels of protection. If the transfer of data is necessary for the provision of services or for the formation of a contract for sale, Cris Conf guarantees that the data transferred to the non-EC countries without adequate levels of protection will only be carried out after the appropriate safeguards provided for by the applicable laws have been put in place.

   Cris Conf may have to process data belonging to third parties communicated directly by the Buyer (for example if the Buyer wants to purchase a product from Cris Conf and have it sent to an address or domicile of another person). In these cases, Cris Conf will send the third party the information required by Article 13 of the Data Protection Code, when recording the data but the Buyer is responsible for obtaining consent from the person whose details are being transferred, before providing them to Cris Conf, and for informing the person about the contents of this Privacy Policy. The Buyer is the only person responsible for transmitting the data of the third party if they have not provided consent, or if the data is not used correctly or is used illegally.

   The data controller informs the Buyer that personal data will be kept for a period of 24 months. After that period the details will be deleted.

4. Redirecting to external sites

   The Website may use social plug-ins. Social plug-ins are tools that incorporate the functions of social networks directly into the Website (for example the Like function on Facebook).

   All social plug-ins on the Website are marked with the logo of the social network site.

   When visiting the page on the Website and interacting with the plug-in (for example clicking on the Like button) or when leaving a comment, the corresponding information will be sent by the browser directly to the social network (Facebook in this case) and will be stored by that site.

   For information about the purpose, methods of processing, use and conservation of personal data by social networks, and for information about how to exercise the rights of the data subject, please see the social network’s own Privacy Policy.

5. Links to third-party sites

   The Website contains links to other websites.

   Cris Conf does not monitor those websites, or their content.

   This Privacy Policy does not apply to third-party websites. The Website only provides links to those sites to facilitate the Buyer’s browsing experience and to enable hypertext links to other sites.

   Use of the links does not imply any recommendation by Cris Conf for the access or browsing of those websites, nor does it provide any guarantee about their content, the services or goods they supply and sell to customers.

   Cris Conf thus declines all liability regarding the content of those websites and their rules, including data protection regulations and the rules on processing of data when browsing those websites.

6. Rights of the data subject

   Under Article 7 of the Data Protection Code, the data subject, meaning anyone to whom the personal data relates, may obtain confirmation of the existence of personal data regarding him or her even if not yet registered, and may obtain its communication in an intelligible form.

   The data subject may obtain information about: A) the origin of the personal data; B) the purpose and use of the processing; C) the logic applied if data is processed with electronic tools; D) the identification details of the data controller, data coordinators and authorised person as defined in Article 5 (2) of the Data Protection Code; e) the persons or categories of person to whom the personal details may be communicated or who may receive the details as a national representative of the data coordinators or authorised persons. The data subject may also obtain: a) an update, rectification or, if interested, integration of the data; b) the deletion, conversion into an anonymous form or blocking of data processed in breach of the law, including any data that is not required to be kept in relation to the purpose for which it was gathered or subsequently processed; c) confirmation that the operations referred to in paragraphs a) and b) above have been brought to the attention, also in terms of their content, to those to whom the data was disclosed or transmitted, except in cases in which that obligation is impossible or requires a utilisation of resources that is manifestly disproportionate to the right being protected. The data subject may object entirely or partially: a) for legitimate reasons, to the processing of personal data even if relevant to the purpose for which it was collected; b) to the processing of personal data relating to him or her for the purposes of direct selling, publicity or for the carrying out of market research or business communications.

   In this regard the Buyer, by accessing his or her account on the Website, may change, update or delete his or her personal information including name, surname, address, country of residence, and credit card details.

   The deletion of personal data at the Buyer’s request may mean that it is impossible for Cris Conf to continue to provide its services to the Buyer.

   In order to exercise the above rights, report problems or request clarification about the use of personal data, the data subject should send a request, specifying the nature, to the data coordinator Cris Conf SpA, Strada Comunale per fornio 136, 43036 Fidenza (PR), tax code and VAT number 01516210349, email info@pinko.com.

   The data subject may at any time make a complaint to the relevant supervisory authority.

7. Security measures

   Cris Conf adopts adequate security measures in order to minimise the risk of loss or accidental destruction, unauthorised access or processing, or use of the data that does not conform to the purposes indicated in this Privacy Policy.

   Therefore, Cris Conf cannot guarantee that the measures used for the security of the Website and for the transmission of data on the Website limit or exclude any risk of unauthorised access or loss of data from devices belonging to the Buyer; the Buyer is therefore advised to check that his or her computer has adequate data protection software to protect incoming and outgoing data (such as up-to-date antivirus systems) and to check that the Internet service provider has taken suitable measures to ensure network data transmission security (firewalls and antispam filters).

8. Amendments to the Privacy Policy.

   This Privacy Policy governs the processing of personal data provided by the Buyer while browsing the Website. It may be completely revised or updated as a result of changes in the law or regulations governing the protection of personal data. Buyers will be informed of any changes and updates to this Privacy Policy as soon as the changes are made. They will be binding as soon as they are published on the Website. Cris Conf thus invites the Buyers to regularly check this page in order to verify the publication of the latest up-to-date Privacy Policy. The document contains the date of update.

9. Contacts

   For any queries or doubts concerning this Privacy Policy, the Buyer is asked to contact Cris Conf at info@pinko.com.

10. Terms and Conditions of use

    Before using the Website please carefully read the Terms and Conditions.

11. Treedom Initiative

    Introduction

    Cris Conf S.p.A., a company with sole shareholder, managed and coordinated by HPF S.r.l., with registered offices at Strada Comunale per Fornio 132, 43036 Fidenza (PR) Italy, with tax ID code and VAT no. 01516210349 (hereafter, the “Data Controller”), has begun an initiative jointly with Treedom S.r.l. (hereafter, “Treedom”), a company with registered offices at Via della Piazzuola no. 45, 50133, Florence, Italy (hereafter, the “Initiative”). With this document (hereafter, the “Privacy Policy”), Cris Conf S.p.A. is providing you with the information required by the Privacy Code and the GDPR regarding the processing of personal data that you may wish to provide in order to participate in the Initiative.

    11.1. Description of the Initiative

    According to the Initiative, a customer that purchases at the Data Controller’s stores or on its web platform www.pinko.com, on and after 24 February 2018, the specific T-shirt depicted on the informative material available at the stores or on the following dedicated web page: https://www.pinko.com/start-with-a-tree (hereafter, the “Product”) will be assigned a unique identification code (hereafter, the “Code”) by the Data Controller. The Code will enable the customer to register on the web platform owned by Treedom (www.treedom.net), specifically on the page devoted to the Initiative (hereafter, the “Platform”), so that the customer can participate in the “Thika” project managed exclusively by Treedom. For specific reasons associated with monitoring the progress of the Initiative, the Code may be sent to the customer only at his/her email address.

    In the “Thika” project, a customer that is in possession of a Code and that has duly registered on the Platform will be entitled to have a tree planted in Kenya by Treedom, said tree to be selected from an assortment of different types, and be regularly updated on its growth and on the progress of the Initiative. Please note that after you have registered on the Platform, Treedom will process your personal data in its role as independent Data Controller.

    In any event, for further details on the Initiative, please see the relative information on the Platform.

    11.2. Subject of data processing

    To participate in the Initiative, the Data Controller will process your personal data of a common, non-sensitive nature (in particular: name, surname, address and email address – hereafter, the “Data” or individually a “piece of information”) which you provide when you register on the Data Controller’s website, and/or when you purchase the Product without having registered on the Data Controller’s website, by filling out the specific form provided on the Data Controller's website for purchasing the Product on-line. It is understood that your consent to participating in the Initiative, and therefore to the processing of your Data, must be given by checking the box labelled with the phrase, “I agree to the processing of my personal data in order to participate in the Treedom Initiative”, which can be found on the form provided on the Data Controller's website for purchasing the Product on-line. Unless you give your consent, you cannot participate in the Initiative, and your Data will not be processed for enabling you to participate in the Initiative.

    11.3. Purposes of processing; nature of and legal basis for providing Data

    Purposes strictly associated with and essential to participation in the Initiative

    Your Data will be processed exclusively to enable you to participate in the Initiative, and thus to perform operations that include, but are not limited to, the following:

    1. sending to your email address the Code, as well as updates on the growth of the tree and, in general, on the progress of the Initiative;
    2. fulfilling all legal and bureaucratic/administrative obligations pertaining to and resulting from management of the Initiative.

    Providing your personal Data is optional, but you will not be able to participate in the Initiative if you refuse to provide it.

    The legal basis for such data processing is the consent of the interested party, which must be given at the times and in the ways described in paragraph 2, above.

    11.4. Methods of processing; parties to whom Data may be communicated or disseminated

    Your Data will be processed in accordance with principles of correctness, lawfulness, transparency and secrecy, and in compliance with the provisions of the Privacy Code and the GDPR using paper, digital and electronic transmission means, within a framework strictly correlated with the purposes described herein and, in any case, using methods that ensure its privacy and security, in compliance with the provisions contained in article 32 of the GDPR.

    For the purposes specified in this Privacy Policy, your Data will be made known to employees and similar personnel, and to associates of the Data Controller whom it authorises to perform and/or who are responsible for processing.

    To process your Data and thus enable your participation in the Initiative, the Data Controller may also need to communicate your Data to third parties that may or may not belong to the Data Controller’s corporate Group (the “Group” with offices located in and outside the EU, in compliance with regulations that allow such location) and which will act as outside data coordinators. Said third parties belong to categories that include, but are not limited to, the following:

    1. other companies in the Group;
    2. franchisees of the Data Controller;
    3. entities that provide services for managing the Data Controller’s computer systems;
    4. providers that manage and maintain the Data Controller’s website;
    5. professional studios;

    An updated list of all data coordinators can be obtained from the head office of Cris Conf. For more information, please send an email to info@pinko.com

    Your personal Data will not be disseminated.

    Your personal Data will be transferred outside the European Union only to the entities specified at point 6) above and exclusively when the European Commission has reached a decision on adequacy or when other suitable guarantees have been executed, as specified in the GDPR (including regulations obligating companies, and protection clauses).

    11.5. Duration of Data storage

    The Data Controller will process your Data for the time needed for acquiring the information required for your participation in the Initiative and for the subsequent management of said participation, until your consent is revoked or until the Initiative ends.

    11.6. Data Controllers and Coordinators

    The Data Controller in charge of processing your Data for the purposes mentioned in paragraph 3 above is Cris Conf S.p.A., with registered offices at Strada Comunale per Fornio 132, 43036 Fidenza (PR) Italy, with tax ID code and VAT no. 01516210349, as represented by its pro-tempore legal representative.

    On behalf of the Data Controller, the Data Processor/s is/are Pietro Negra, who may be contacted easily by any interested party by sending an email to the following address(es):

    Your personal Data will not be disseminated.

    11.7. Rights of the Interested Party

    With regard to the processing described in this Privacy Policy, you as the interested party are entitled to exercise specific rights, pursuant to article 7 of the Privacy Code, which include:

    1. obtaining from the Data Controller confirmation of the existence or non-existence of your Data, and being provided with said Data in an intelligible format;
    2. being informed of the origin of the Data and of the approach, purposes and methods of processing, together with the identifying details of the Data Controller;
    3. obtaining the details of the coordinators and of the representative designated pursuant to article 5, paragraph 2 of the Privacy Code, as well as an indication of the entities or categories of entities to which the Data may be disclosed, or the entities which may have access to the Data in their capacity as designated representative in Italy, as coordinators or as appointed staff;
    4. obtaining cancellation, transformation into an anonymous format or blocking of Data processed in violation of law, as well as updating, correction or – where you so wish – addition to the Data;
    5. obtaining confirmation that information on the origin of the Data and on the purposes and methods of its processing has been forwarded – also as far as the content is concerned – to those to whom the Data was communicated or transmitted, except in those cases in which such notification is impossible or requires the use of means which are manifestly disproportionate to the protected right;
    6. opposing – wholly or partially – the processing of your personal Data for legitimate reasons, even where such reasons are pertinent to the purposes for which the Data was collected; as well as opposing the processing of your Data for the purposes of sending advertising or direct sales materials, or for the execution of market research or sales communications.

    Beginning on 25 May 2018, you may as the interested party exercise the following specific rights, pursuant to articles 15-21 of the GDPR:

    7. right to access – article 15 of the GDPR: the right to obtain confirmation as to whether or not your personal Data is being processed and, in such case, to obtain access to your Data – including a copy thereof – and to obtaining communication of the following information, among other information:
       
       
       1. the purposes of processing;
       2. the categories of processed personal Data;
       3. the entities to whom the Data was or will be communicated, and particularly whether they are located in countries outside the EU or are international organisations;
       4. the duration of storage of the Data, or the criteria applied to such storage;
       5. the rights of the interested party (correction or cancellation of personal Data, limitation on processing, opposition to processing);
       6. the right to file a complaint;
       7. the right to receive information on the origin of the personal Data, if it has not been obtained from the interested party;
       8. the existence of an automated decision-making process, including profiling;
       9. whether the Data has been forwarded to a country outside the EU or to an international organisation, and information on the existence of suitable guarantees pursuant to art. 46 of the GDPR;
    8. right of correction – article 16 of the GDPR: the right to obtain, without unjustified delay, the correction of erroneous personal Data and/or additions to incomplete personal Data;
    9. right of cancellation (right to be forgotten) – article 17 of the GDPR: the right to obtain, without unjustified delay, the cancellation of your personal Data, when:
       
       
       1. the Data is no longer necessary for the purposes for which it was collected or otherwise processed;
       2. you have revoked your consent, and there is no other legal basis for its processing;
       3. you have revoked your consent, and there is no other legal basis for its processing;
       4. the Data has been processed illegitimately;
       5. the Data must be cancelled to fulfil a legal obligation;
       6. the Data has been collected in relation to an offer of services by an information firm as described in article 8, paragraph 1 of the GDPR.
       
       It is understood that the right of cancellation does not apply to the extent that its processing is required by the Data Controller or for exercising rights of freedom of expression and information, for fulfilling a legal obligation or for carrying out an undertaking performed in the public interest, for archiving in the public interest, for scientific or historical research or for statistical purposes, or for the ascertainment, exercise or defence of a right in a court of law.
    10. right of limitation on processing – article 18 of the GDPR: the right to obtain a limitation on processing, when:
        
        
        1. the interested party disputes the accuracy of personal Data, said limitation to extend for the period required by the Data Controller for checking such accuracy;
        2. processing is illegal, and the interested party opposes the cancellation of the personal Data; instead, he/she asks that its use be limited;
        3. the personal Data is required by the interested party for ascertaining, exercising or defending a right in a court of law;
        4. the interested party opposed processing pursuant to art. 21 of the GDPR while waiting for verification that the legitimate reasons of the Data Controller prevail over those of the interested party.
    11. right of data portability – article 20 of the GDPR: the right to receive – in a structured format that is commonly used and can be read by an automatic device – personal Data which was furnished to the Data Controller, and the right to transfer the Data to another data controller without impediment, if processing is effected with your consent and carried out using automated means. Also, the right to have your personal Data transferred directly by the Data Controller to another data controller when such transfer is technically feasible;
    12. right of opposition – article 21 of the GDPR: the right to oppose – at any time, for reasons associated with your specific situation – the processing of your personal Data, based on the legality of the legitimate interest thereof, or on execution of an undertaking of public interest, or on the exercise of public authority, including profiling, except if the Data Controller has legitimate reasons for continuing such processing that prevail over the interests, rights and liberties of the interested party, or except for ascertaining, exercising or defending a right in a court of law.
        Also, this includes the right to oppose processing at any time, when the personal Data is being processed for the purposes of direct marketing, including profiling, to the extent that processing is associated with such direct marketing.
        In particular, you have the right not to be subjected to a decision based exclusively on automated processing, including profiling, which produces legal ramifications which affect you or which similarly affect your person, except in the case that such decision is required for concluding or executing a contract between you and the Data Controller, or is authorised by law in the European Union or in Italy, or is based on your explicit consent;
    13. right of revoking consent – the right to revoke consent to processing your Data at any time, although there is no question of the legality of treatment as per your consent given before revocation;
    14. the right to file a complaint with the Italian Authority for Personal Data Protection, Piazza di Montecitorio no. 121, 00186, Rome (RM), Italy.

    The above rights may be exercised with the Data Controller by contacting the entities of reference specified at point 1 above.

    Exercising your rights as the interested party is free-of-charge, pursuant to article 12 of the GDPR. However, if requests are clearly unfounded or excessive, which may also be due to their repetitiveness, the Data Controller may charge you for a reasonable contribution to paying the expenses involved, given the administrative costs sustained for handling your request, or may refuse to honour your request.