Privacy policy pursuant to Regulation (EU) 2016/679 (GDPR) and applicable national legislation


1. General Information
G & P Cosmetics s.r.l. (hereinafter also referred to as the “Company” or “G & P) hereby informs you that for the purposes indicated below, it will process your personal data (or those of the Company you represent if acting on its behalf), which you provided. Only data necessary to pursue the purposes indicated in this privacy policy will be requested and processed. You must only provide your data and/or the data of the company represented by you. If you are acting on behalf of a company, the activities envisaged by this privacy policy will be carried out in relation to the company using the data provided by you, thus consenting to the processing (where consent is required) on behalf of the company you represent.

2. Purposes and legal basis
The Company will be processing your data:

A. so that the company can analyse the request and reply. The data processing is based on the following legal basis: consent;
B. in order to comply with an obligation imposed by laws, regulations or EU legislation (the legal basis is compliance with a legal obligation);
C. for legitimate interests such as to exercise or defend a legal claim of G&P (the legal basis of the data processing is the pursuit of legitimate interests). In considering these legitimate interests, it has been analysed that they do not compromise or interfere with the interests or fundamental rights and freedoms of the data subject (the legitimate interest was assessed on the basis of a Triple Test available by contacting the Company);
D. so that the Company may send you business communications (such as, e.g., advertising messages and/or information, including pertaining to discounts and promotions) on the Company’s products/services/initiatives to the e-mail address you indicated in the form (please note that e-mails may also be sent through automated tools). The data processing is based on the following legal basis: consent;

3. Compulsory provision of data
PURPOSE OF POINT 2, letter A
You will be free to disclose or not to disclose your personal data for the purposes under point 2 (A) of the information notice. Similarly, you will be free to give or not to give your consent; however, if you do not give your consent, the Company will not be able to respond to your request.

PURPOSE OF POINT 2, letter B, C
The provision of data for the purposes indicated in point 2 (B) and 2 (C) of this privacy policy is necessary and any failure to provide such data will make it impossible for G&P to carry out the activities set forth in the preceding points.

PURPOSE OF POINT 2, letter D
You may or may not disclose your personal data/those of the company you represent to us for the purposes set forth in point 2 (D) of the policy just as you may or may not provide your consent. Failure to provide your consent will therefore have no consequence other than not being subject to the activities set forth in the point by G&P (there are therefore no consequences on the other purposes). Furthermore, should you consent to the processing of your personal data for the purposes set forth in point 2 (D) of this privacy policy, you may always withdraw your consent freely and without motivation (and thus object to the activities in question) by contacting the Company using the contact details provided in point 6.

4. Categories of data recipients
For the purposes set out in point 2 (A), the data will not be disclosed to third parties unless disclosure is necessary based on the request (e.g., to post office/courier services in the case of a request for the dispatch of paper material

For the purposes indicated in point 2 (B) of this policy, the data may be disclosed by G&P to public bodies, judicial bodies and police forces.

For the purposes indicated in point 2 (C) of this policy, the data may be communicated by G&P to lawyers-legal consultants, public bodies, judicial bodies and police forces and to the post office (which may see the address for sending any written communications).

For the purposes indicated in point 2 (D) above, the data will not be disclosed to third parties

G&P will only disclose data that are necessary to pursue the individual purposes indicated in this policy.
On behalf of G&P, all persons delegated by the Company may come to know of the data, each in relation to their role. These include public relations officers, even external to the Company, information systems officers, even external to the Company, who may at times perform the duties of system administrators and are in those cases appointed as such, consultants of the Company - such as, for example, computer technicians who may at times perform the duties of system administrators and are, in those cases, appointed as such, legal advisors - interns, website management staff, even external to the Company, staff operating in the matters under your request, legal staff, marketing staff, even external to the Company, collaborators of data processors) and the data processors appointed by G&P (e.g. marketing consultants, IT outsourcers, companies in charge of sending newsletters or communications, companies which provide assistance in corporate management such as the parent company). The list of data processors may be accessed at any time by contacting the Company using the contact details indicated in point 6. The Data Processors shall only process the data necessary to perform the tasks assigned to them.

5. Data Storage
The data will be stored for as long as is necessary to pursue the purposes contained in this policy. The data storage period is as follows:
- for the purpose of complying with legal obligations, regulations and EU legislation, for so long as envisaged by those laws;
- for the purposes set out in point 2(A), for 6 months from the final response to the request without prejudice to storage for the purposes set out in points 2(B) and 2(C);
- for the purposes indicated in point 2(D), until the withdrawal of content and/or the request for erasure, without prejudice to storage for the purposes indicated in points 2(B) and 2(C); every 24 months from the issuance of consent, you will be reminded, by a specific communication, of the possibility of indicating that you no longer have an interest in being subject to the activities identified in this point and, in that case, the data will no longer be stored for the purposes under point 2(D), without prejudice to storage for the purposes indicated in points 2(B) and 2(C);
- in any case, all data may be retained for a period necessary to enforce or defend a right of the Company under Italian and European law.

6. Data Controller and Data Protection Officer
The Data Controller is: G&P COSMETICS SRL, with registered office in Via L. Mascheroni no. 27 - 20145 Milan (Italy), Tax Code, VAT number and Padua Companies Register no. 04778640963, Economic & Administrative Index no. MI 1771789, fully paid-up share capital of €62,500.00, company subject to management and coordination by AGF88 Holding S.r.l., Tel. 0575 720 682, Fax 0575 749 923, PrivacyGep@gepcosmetics.com.

Currently, the Company is not legally required to have an internal Data Protection Officer. If such a function becomes necessary, the identity of the relevant person will be made known via the Company’s website www.g&pcosmetics.it, which you are encouraged to visit periodically, also for any updates to this privacy policy.

7.  Rights
We hereby inform you that the GDPR allows the data subject to request to the Data Controller (using the contact details provided above) full access to its personal data and the rectification of such data, the data erasure, a restriction to the data processing, and the right to data portability; the data subject may also object to the processing of its data, again by contacting the Company, and exercise the other rights set forth in Chapter 3, Section 1 of the GDPR, including that of revoking consent, where envisaged: revocation of consent shall not however affect the lawfulness of the processing based on the consent given before revocation.

8. Complaints
If you believe that your data are being processed in breach of the GDPR, you have the right to lodge a complaint with the Italian Supervisory Authority (whose details can be found at the website www.garanteprivacy.it), as envisaged by Art. 77 of the GDPR, or to take appropriate legal action (Art. 79 of the GDPR).  Furthermore, you may also contact the Supervisory Authority of the state in which you habitually reside or work. The list of Supervisory Authorities can be found at the link www.garanteprivacy.it).

9.  Processing methods
The data will be processed on the basis of computerised and paper/manual instruments, and suitable protection systems will be adopted to safeguard confidentiality. All data will be stored and processed in a manner that fully protects confidentiality in compliance with all regulations in force (and thus also in accordance with the principles of fairness, lawfulness and transparency and protection of confidentiality and rights) and strictly to pursue the purposes set out in this privacy policy. Only operations necessary to pursue the purposes set out in this privacy policy will be carried out on the data. The data will be stored, as far as the Company is concerned, at its headquarters or server farm and as far as the data processors are concerned, at their headquarters or server farms. Any data disclosed to third parties will be stored and processed by them independently. The data will also be arranged in databases, including computerised databases.


Privacy policy updated as of 5/6/2024.
Previous versions of the privacy policy can be obtained by contacting the Company using the contact details provided in point 6.