Nouba Group S.r.l.
Legal Address: Via Privata Bastia 5, 20139 Milano (MI)
Italy
VAT: 11590150964
Privacy notice pursuant to art. 13 of EU Regulation 2016/679 (GDPR)
E-commerce site – Retail sale of cosmetic products
Nouba Group S.r.l.
Via Privata Bastia, 5 – 20139 Milan (MI)
Tax code/VAT number: 11590150964
To exercise the rights under art. 15 ff. GDPR, or for any request concerning the processing of his or her personal data, the data subject may contact the Data Controller at the following addresses:
This notice is addressed to the following categories of natural persons whose personal data are processed by the Data Controller through the e-commerce site:
Website visitors (browsing, cookies).
Registered users: natural persons who create a personal account on the site.
Guest buyers (guest checkout): natural persons who make purchases without registering.
Recipients of commercial communications: natural persons who have consented to direct marketing.
The Data Controller processes the data subject's personal data for the purposes described below, each supported by a specific legal basis under art. 6 GDPR.
Data processed: identification and contact data (name, surname, shipping/billing address, e-mail address, telephone number), payment data (handled directly by PCI-DSS certified providers), order history.
Legal basis: art. 6, par. 1, letter b) GDPR – performance of a contract to which the data subject is party, or of pre-contractual measures taken at the data subject's request.
Applies to: registered users and guest buyers.
Data processed: tax and accounting data (electronic invoicing pursuant to Presidential Decree 633/1972 and Legislative Decree 127/2015), documentation on the safety of cosmetic products (EC Reg. 1223/2009), anti-money-laundering obligations where applicable.
Legal basis: art. 6, par. 1, letter c) GDPR – compliance with a legal obligation.
Data processed: registration data (e-mail, password, preferences), wish lists, saved addresses.
Legal basis: art. 6, par. 1, letter b) GDPR – performance of the contract for the provision of the account service.
Applies to: registered users only.
Data processed: identification data, content of communications, data on the order to which the complaint or request relates.
Legal basis: art. 6, par. 1, letter b) GDPR (post-contractual management) and art. 6, par. 1, letter f) GDPR (legitimate interest of the Data Controller in handling complaints and in establishing, exercising or defending legal claims).
Data processed: IP addresses, access logs, technical browsing data, technical and session cookies.
Legal basis: art. 6, par. 1, letter f) GDPR – legitimate interest of the Data Controller in the security of its information systems, the prevention of fraud and the defence of legal claims.
Subject to the express consent of the data subject, the Data Controller processes contact data to send commercial communications, newsletters, promotional offers and updates on the cosmetic products in the Nouba catalogue.
Data processed: name, surname, e-mail address.
Legal basis: consent of the data subject (art. 6, par. 1, letter a) GDPR); alternatively, art. 6, par. 1, letter f) GDPR – legitimate interest ("soft spam") pursuant to art. 130, co. 4, Legislative Decree 196/2003: the Data Controller may send marketing communications about products similar to those the data subject has already purchased, provided that the data subject has not objected and that each communication indicates a simple way to object.
The data subject may unsubscribe from the newsletter at any time, without prejudice to the lawfulness of processing carried out before withdrawal, via: (i) the unsubscribe link at the bottom of each communication; (ii) a direct request to the Data Controller at the contact details given in art. 1.
Subject to the express consent of the data subject (separate from consent to generic marketing), the Data Controller carries out profiling consisting of the analysis of purchasing habits, preferences and browsing behaviour in order to:
personalise site content and product recommendations (e.g. "related products", "you may also be interested in");
segment commercial communications according to the characteristics and preferences of the data subject;
optimise commercial offers on the basis of the purchase history.
Profiling may involve automated processes. The Data Controller does not take decisions based solely on automated processing that produce legal effects concerning the data subject or similarly significantly affect him or her (art. 22 GDPR). Should this change, the Data Controller will update this notice and obtain explicit consent.
Legal basis: art. 6, par. 1, letter a) GDPR – freely given, specific, informed and unambiguous consent (art. 4, n. 11, GDPR), obtained separately from marketing consent.
Withdrawal: by the same means indicated in par. 3.6.
In compliance with EC Regulation 1223/2009, the Data Controller collects and stores reports of serious undesirable effects (SUE) communicated by buyers, for the purposes of cosmetovigilance and notification to the competent authorities.
Data processed: identification data of the reporter, description of the undesirable effect, product involved.
Legal basis: art. 6, par. 1, letter c) GDPR – legal obligation (art. 23 EC Reg. 1223/2009).
Processing is carried out using electronic and, where necessary, paper tools, adopting technical and organisational measures appropriate to the risk pursuant to art. 32 GDPR, including:
data transmission over HTTPS/TLS;
encryption of payment data, with payment processing outsourced to PCI-DSS certified providers;
access to data restricted to authorised personnel on a need-to-know basis;
periodic backup and disaster recovery procedures.
Personal data may be disclosed to the following categories of recipients, each acting as a data processor (art. 28 GDPR) or as an independent data controller, according to their respective roles:
Payment service providers: the PCI-DSS certified providers indicated in the General Terms and Conditions of Sale, which act as independent data controllers for the processing of payment data.
Couriers and freight forwarders: entities in charge of logistics and order delivery (identification data and delivery address).
E-mail marketing and CRM service providers: platforms for sending newsletters and managing commercial communications, where adopted, appointed as data processors.
Cloud and hosting service providers: providers of the site's technical infrastructure, appointed as data processors with adequate safeguards (art. 46 GDPR where established outside the EEA).
Web analytics and advertising platforms: only with the consent of the data subject to profiling/marketing cookies (see the separate Cookie Policy).
Legal advisers and auditors: professionals bound by professional secrecy, for advisory and audit purposes.
Public authorities: the Italian Revenue Agency (Agenzia delle Entrate), judicial or administrative authorities, in the cases provided for by law.
The Data Controller does not sell or transfer for consideration the personal data of data subjects to third parties for those third parties' own marketing purposes.
If the use of service providers involves the transfer of personal data to countries outside the European Economic Area (EEA), the Data Controller ensures that the transfer takes place in compliance with the conditions set out in art. 44 ff. GDPR, and in particular on the basis of:
an adequacy decision of the European Commission (e.g. the EU-US Data Privacy Framework, where applicable);
standard contractual clauses approved by the European Commission;
other appropriate safeguards pursuant to art. 46 GDPR.
Pursuant to arts. 15-22 GDPR, the data subject has the right to:
Access (art. 15): obtain confirmation as to whether processing is taking place and a copy of the personal data processed.
Rectification (art. 16): obtain the correction of inaccurate data or the completion of incomplete data.
Erasure ("right to be forgotten", art. 17): obtain the erasure of data in the cases provided for by law, within the limits of statutory retention obligations.
Restriction of processing (art. 18): obtain the restriction of processing in the cases provided for by law.
Portability (art. 20): receive the personal data he or she has provided in a structured, commonly used and machine-readable format, where processing is based on consent or contract and carried out by automated means.
Objection (art. 21): object, at any time, to processing based on legitimate interest (art. 6, par. 1, letter f) GDPR), including profiling carried out on that basis.
Withdrawal of consent: withdraw the consent given for marketing and/or profiling at any time, without prejudice to the lawfulness of processing carried out before withdrawal.
Complaint to the Supervisory Authority (art. 77): lodge a complaint with the Garante per la protezione dei dati personali, the Italian Data Protection Authority (www.garanteprivacy.it).
Requests to exercise these rights must be addressed to the Data Controller at the contact details given in art. 1. The Data Controller responds within one month of receiving the request; where necessary, taking into account the complexity and number of requests, that period may be extended by two further months, in which case the data subject is informed of the extension within the initial month (art. 12, par. 3, GDPR).
The site uses cookies and similar technologies. Processing carried out via cookies is governed by the specific Cookie Policy, available in the dedicated section of the site, which forms an integral part of this notice.
The Data Controller does not systematically collect data concerning the health of data subjects. However, in the context of the cosmetovigilance service (art. 23 EC Reg. 1223/2009) and the handling of complaints about adverse reactions, health-related data (a special category under art. 9 GDPR) may be processed.
In such cases, processing is carried out on the basis of art. 9, par. 2, letter c) GDPR (vital interests) or art. 9, par. 2, letter g) GDPR (substantial public interest on the basis of Union or Member State law), in compliance with the safeguards provided for by Legislative Decree 196/2003.
The Data Controller's e-commerce services are intended exclusively for persons aged 18 or over. The Data Controller does not knowingly collect personal data from minors. If data relating to minors are inadvertently processed, the Data Controller will delete them promptly upon notification.
The Data Controller reserves the right to amend or update this notice at any time as a result of regulatory changes, technological developments or changes in processing methods. Amendments will be published on the site with the date of the last update. In the event of substantial changes affecting the rights of data subjects, the Data Controller will notify registered users by e-mail.