Art. 1. Data controller: the party that decides how and why to process the data

Art Cosmetics S.r.l. single member company, subject to the management and coordination of AC Holding S.r.l.

Phone: +39 0363 547001
Certified email address:

Art. 2. DPO Contact details

Art Cosmetics S.r.l., as a single member company, has appointed a DPO (Data Protection Officer). The contact details of the DPO are provided below.

Phone: +39 0363 547001

Art. 3. Purpose and legal basis for the processing: Why the data are processed and reasons for their processing

Purpose a) – CONTACT US section.

  • answering contact requests received from the website.

Legal basis: performing pre-contractual activities (consent to data processing is not required).
Failure to provide the requested data prevents the company from performing its pre-contractual activities.

Purpose b) – NEWSLETTER subscription

  • Sending of communications by e-mail (newsletter) of a commercial and promotional nature.

Legal basis: consent freely provided by the data subject.
The consent provided by the data subject may be revoked at any time by giving notice to the Data Controller through the appropriate “unsubscribe” link at the bottom of the e-mails.
Failure to give consent to the sending of commercial communications prevents the Data Controller from sending such communications.

In addition, please note that:

  • No personal information is resold to third parties.
  • No data are used to detect personal preferences/habits through automated tools (profiling).

Art. 4. Data Processed and Processing Methods

To achieve the purposes established in Art. 3, the Data Controller processes the following data:

Purpose a) – CONTACT US section.

  • Mandatory data: first name, last name, company name, and e-mail address
  • Optional data: message

Purpose b) – NEWSLETTER subscription

  • Mandatory data: first name, last name, and e-mail address

The data are processed to the extent strictly necessary to achieve the purposes referred to in Art. 3 shown above, even through the support of IT tools.
The data processing is carried out with appropriate measures to ensure the security and confidentiality of the personal data, in compliance with appropriate security measures and in accordance with the principles of lawfulness, necessity and proportionality.

A copy of the data collected for purpose b) is processed by the platform provider that manages the mailing lists.

The communications are sent via an external platform, which is the Data Protection Officer, with headquarters and servers in Italy. The platform used for communications is “MailUp”. Please find the link to the supplier’s privacy policy below:

Art. 5. Data Storage

The data are processed and stored at the Data Controller’s headquarters and on the corporate devices used (example: servers, computers).
Some digital files are stored in the cloud (e.g. e-mail). All suppliers have been selected so as to ensure the safeguarding and confidentiality of the data.
All data are physically stored within the European Union.
The Data Controller will store the personal data for the period of time necessary to fulfill the purposes referred to in Art. 3 shown above.

  • Purpose a) – CONTACT US section: 12 months after the reply.
  • Purpose b) – NEWSLETTER subscription: 24 months after subscription or until consent is revoked.

Some data may also be stored in backup systems. In this case, they may not be removed. We guarantee from the outset that, if a total restoration of the systems from the backup files is necessary, said personal data will be anonymized/deleted.
All personal data may be stored for a longer period in the case of litigation, for the entire duration of the litigation, to allow the Data Controller the right of defense.

Art. 6. Dissemination and transfer of data

Employees and/or contractors appointed by the Data Controller may have access to the data as persons authorized to process them over the course of their work.
The personal data are not subject to communication and dissemination to third parties, except for legal reasons to meet legal obligations.

Art. 7. Transfer of data to Third Countries

The data are not subject to communication and dissemination to countries outside the European Union.

Art. 8. Rights of the Data Subjects

  • Art. 7 No. 3: The data subjects have the right to revoke their consent at any time.
  • Art. 15: Right to access, including the right to obtain an indication of the planned period of storage of the personal data, or if this is not possible the criteria used to determine this period. Right to obtain information on the origin of the data collected, as well as the purposes and methods of their processing. Right to lodge a complaint with the Supervisory Authority (Data Protection Authority) at any time.
  • Art. 16: Right of the data subject to obtain the updating, rectification or integration of the personal data.
  • Art. 17: Right to deletion and right to be forgotten.
  • Art. 18: Right to the limitation of the processing, when applicable.
  • Art. 20: Right to data portability, if the technology allows it.
  • Art. 21: Right to oppose the data processing at any time, for reasons related to the data subject’s personal situation, if the processing is carried out when exercising public authority or performing a task of public interest or if it is carried out on the basis of the legitimate interest of the data controller.
  • Art. 22: Right to obtain information on the existence of automated decision-making, including profiling.

In addition, Art. 19 obligates the Data Controller to notify about the rectification, deletion and/or restriction of the data processing requested by the data subject.

Art. 9. Requests of the Data Subjects: How may the rights be exercised

The requests referred to in Art. 8 above may be submitted by the Data Subjects to the Data Controller through the appropriate form: “Exercising the Rights concerning the Protection of Personal Data” available through the Data Controller’s website at:

The Data Controller and DPO may also be contacted using the contact details specified in Art. 1 and Art. 2 shown above.

Art. 10. Updates to this Privacy Policy

This Privacy Policy may be subject to changes and additions, also as the consequence of any regulatory changes and/or additions. Any changes will be notified to the Data Subjects.

Please note that the Data Subjects may request, at any time, a copy of the Privacy Policy by sending such request to: