Art. 1. Data Controller: the person or the company deciding how and why to process data

Art Cosmetics S.r.l. Single-member private limited liability company, subject to the direction and coordination of AC HOLDING S.r.l.

Phone: +39 0363 547001

E-mail address:

CEM address:

Art. 2. DPO Contact information

Art Cosmetics S.r.l. single-member private limited liability company has designated a DPO (Data Protection Officer). DPO contact information:

Phone: +39 0363 547001

E-mail address:

Art. 3. Purposes and legal basis for the processing: Why data is being processed and its justification

In order to:

a) fulfil pre-contractual/contractual obligations (e.g. issuing quotations, formulating contract proposals, administrative and accounting activities, communications on openings/closures/change of roles, etc.).

Legal basis: execution of the contract (consent to data processing is not required).

Refusal to provide the requested data will impede the proper execution of the contract.


fulfil legal obligations (those of regulations, of Community legislation, or an order of the Authorities).

Legal basis: legal obligation (consent to data processing is not required).

Refusal to provide the requested data will impede the Controller from fulfilling legal obligations.


exercising the rights of the Controller (e.g. any right of defence in court).

Legal basis: legitimate interest (consent to data processing is not required).

The Controller processes the data collected in order to exercise its rights.

Furthermore, it is emphasised that:

  •  No personal information shall be resold to third parties.
  •                 No data shall be used to detect personal preferences/habits through automated tools (profiling).

Art. 4. Processed data and methods of processing

The Controller processes common personal data (such as name, surname, company name, address, phone no., email, banking and payment details, tax code, VAT no.).

The processing is carried out at the offices of the Controller and of the Data Processors appointed pursuant to Article 28 of the GDPR, such as the accountant for the fulfilment of accounting and tax obligations, to the extent strictly necessary to achieve the purposes set out in Article 3 above, including with the aid of computers.

Data processing is carried out with appropriate measures to ensure the security and confidentiality of personal data, in particular in accordance with the principles of lawfulness, necessity and proportionality.

Art. 5. Data preservation

Data is processed and stored at the Data Controller’s head office and on the company tools used (e.g. servers and computers). Some digital files are stored in cloud systems (e.g. e-mail). Suppliers have been selected to ensure data protection and confidentiality.

These devices are physically located within the European Union.

The Controller will retain personal data for the time necessary to achieve the purposes pursuant to Art. 3, in particular for the full term of the contractual relationship with the supplier and for 5 (five) years after termination of said relationship. In addition, the data will be processed to fulfil the obligations imposed by current tax and anti-money laundering legislation.

Some data may also be present in backup systems. In such case, it will not be possible to remove it. We guarantee that in the event of a total erasure of the systems, such data will be anonymised/deleted again.

Personal data may be retained for a longer period in the event of any litigation and for as long as the litigation lasts to allow the exercise of the Data Controller’s right of defence.

Summary of retention periods

Purpose a): 5 years from the end of the contract.

Purpose b): Duration required by law.

Purpose c): Duration necessary to exercise the right of defence.

Art. 6. Data communication and transmission

The employees and/or collaborators appointed by the Data Controller have access to the data as persons authorised to process them in the performance of their work.

The data is not subject to communication or diffusion to third parties, except for any legal obligation. In fulfilment of these obligations, personal data, including bank data, may be transmitted to third parties who carry out the processing on behalf of the Controller in their capacity as Data Processors (for example, the accountant for invoicing data).

Personal data may be communicated to the following parties: credit institutions, law firms (for the management of any disputes and the exercise of the Data Controller’s right of defence), the competent Public Safety Authorities (for inspection and investigation activities).

Art. 7. Transfer of data to Third Countries

The data are not subject to communication and dissemination in countries outside the European Union.

Art. 8. Rights of the Data Subjects

Art. 7 no. 3 The Data Subject has the right to withdraw their consent at any time; Art. 15 Right of access, including the right to obtain an indication of the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period. Right to obtain indication of the origin of the data collected, as well as the purposes and methods of processing. Right to make any claim to the Control Authority at any time (Data Protection Authority); Art. 16 The Data Subject’s right to have personal data updated, rectified or supplemented; Art. 17 Right to erasure (‘right to be forgotten’); Art. 18 Right to restriction of processing, where applicable; Art. 20 Right to data portability if permitted by existing technology; Art. 21 Right to object at any time for any reason on grounds relating to their particular situation if the processing is carried out in the exercise of official authority or in the performance of a task carried out in the public interest or if it is carried out on the basis of the legitimate interest of the Controller; Art. 22 Right to obtain information regarding automated individual decision-making, including profiling.

Art.19 also requires the Data Controller to communicate the rectification or erasure of personal data or restriction of processing requested by the Data Subject.

Art. 9. Requests of the Data Subjects: how rights can be exercised

The requests referred to in Art. 8 above may be submitted by the Data Subjects to the Data Controller using the specific ‘Exercise of personal data protection rights’ form available on the Data Controller’s website at the following address:

The Data Controller and the DPO may also be contacted at the addresses specified in Art. 1 and Art. 2 above.

Art. 10. Updates to this information

This information may be subject to changes and additions, as well as a consequence of possible regulatory changes and/or additions. Any changes will be communicated to the Data Subjects.

The Data Subject can request a copy of this information at any time by sending a request to: