Privacy policy


This privacy notice (hereinafter, the "Privacy Notice") concerns the processing of your personal data while browsing the website www.skinfirstcosmetics.it (hereinafter, the "Website") carried out by Skin First Cosmetics S.r.l., with registered office at Via Lorenzo Mascheroni 14, 20145 – Milan (MI), Italy, VAT No. 11241570966, email privacy@skinfirstcosmetics.it (hereinafter, the "Controller"), in accordance with the applicable personal data protection laws, including EU Regulation 2016/679 ("GDPR").


1. Identity and contact details of the Representative

As the Controller is established within the EU territory, no representative has been appointed.


2. Contact details of the data protection officer

The Controller has appointed a Data Protection Officer ("DPO") pursuant to Article 37 of the GDPR. The DPO may be contacted at the following email address: dpo@skinfirstcosmetics.it


3. Means of processing

To complete the connection to the Website, certain personal data of yours are collected. This set of data includes, for example:

  • the IP address of the device you use;
  • the date and time of access;
  • the type of browser used;
  • the operating system used.

4. Purposes of processing, legal basis for processing and optional nature of consent

Your personal data will be processed for the following purposes:

  1. Personal data processed during browsing of the site: in this case, your personal data will be processed in order to allow you to browse the Website correctly. For this purpose, the communication of your personal data is a contractual obligation, without which the Website’s services, properly functioning, could not be made available. In the absence of communication of personal data, the Controller will not be able to provide you with the Website’s services.
  2. Personal data voluntarily provided via email or form: in this case, your data will be processed by the Controller in order to respond to your requests submitted voluntarily via form and/or email. The communication of your personal data for this purpose is purely optional. The legal basis for this processing is the Controller’s legitimate interest in responding to your requests. In the absence of communication of personal data, the Controller will not be able to respond to the requests.
  3. Personal data processed for the sending of commercial communications: in this case, your personal data will be processed in order to send you direct marketing communications, newsletters, advertising material, by means of traditional contact systems and automated IT systems, including commercial or promotional communications by email or SMS, or for market research and analysis. The communication of your personal data for this purpose is purely optional. The legal basis for this processing is your explicit consent to the processing of your personal data for this purpose. In the absence of your consent, the Controller will not proceed with the sending of commercial communications.
  4. Personal data processed for profiling: in this case, your personal data will be processed to determine your habits and preferences through profiling activities, in order to provide you with a personalised service. The communication of your personal data for this purpose is purely optional. The legal basis for this processing is your explicit consent to the processing of your personal data for this purpose. In the absence of your consent, the Controller will not be able to provide you with personalised services.
  5. Personal data processed to comply with legal obligations: in this case, your personal data will be processed for purposes related to the corresponding legal obligations. The legal basis for the processing is the Controller’s legal obligation to process personal data in accordance with applicable law.

5. Automated decision-making and profiling

If you consent to the processing of personal data in order to receive personalised services through profiling, your personal data may be subject to automated decision-making, with a specific algorithm deciding which communications are most suitable for your profile or which may be of greatest interest to you. Such processing may result, by way of example, in the sending of highly profiled commercial communications, the sending of discounts, the sending of invitations to events deemed of interest, etc. In accordance with Article 22 of the GDPR, you have the right to:

  • obtain human intervention in the decision-making process by the Controller;
  • express your opinion;
  • obtain an explanation of the decision reached by the Controller;
  • contest the decision itself.

6. Source from which the personal data originate

Only personal data provided in accordance with the Privacy Notice will be processed. The Controller will not process personal data originating from publicly accessible sources.


7. Recipients and categories of recipients of personal data

The following may be recipients of the personal data:

  • communications companies that carry out commercial communication and profiling activities on behalf of the Controller, where the relevant consent has been given, which qualify as processors;
  • companies that provide information society services, including in particular those that provide hosting services;
  • companies that carry out statistical and market research, where the relevant consent has been given.

8. Categories of personal data processed

In accordance with this Privacy Notice, the following categories of personal data will be processed:

  • browsing data necessary to complete your connection to the Website in accordance with the corresponding purpose set out in point 4;
  • personal and contact data provided by you via email and/or form in accordance with the corresponding purpose set out in point 4;
  • contact data and any other data you provide to receive commercial communications in accordance with the corresponding purpose set out in point 4;
  • personal data relating to your habits and preferences collected through profiling mechanisms in order to provide you with personalised services in accordance with the corresponding purpose set out in point 4;
  • personal data necessary to comply with specific regulatory obligations in accordance with the corresponding purpose set out in point 4.

9. Data transfers

The Controller intends to transfer personal data to entities established in a third country outside the European Union or to an international organisation. Such entities may include, by way of example:

  • communications companies that carry out communication activities on behalf of the Controller;
  • communications society service providers.

The transfer of personal data to such entities, where established in a third country or an international organisation, is carried out in the presence of an adequacy decision by the European Commission, which has verified that the third country, territory or one or more specific sectors within the third country, or the international organisation concerned ensures an adequate level of protection of rights. In any event, the Controller, should it deem it appropriate, reserves the right to enter into specific separate agreements obliging such entities to adopt adequate security measures, including organisational measures, aimed at providing appropriate safeguards for your rights. Personal data may thus be transferred to the following countries: U.S.A.. To obtain a copy of such data or the place where they have been made available, it is sufficient to send the relevant request to the Controller at the addresses indicated above.


10. Retention period of personal data

  • the browsing data necessary to complete your connection to the Website will be retained for 6 months from the closure of the browsing session;
  • the personal and contact data provided by you via email and/or form will be retained for the period strictly necessary to respond only and exclusively to any requests you may submit;
  • the contact data and any other data you provide to receive commercial communications will be processed and retained until you withdraw the consent previously given for this type of processing. Once the request has been handled, the Controller will, without undue delay, delete all your personal data relating to this processing;
  • personal data relating to your habits and preferences collected through profiling mechanisms will be processed and retained until you withdraw the consent previously given for this type of processing. Once the request has been handled, the Controller will, without undue delay, delete all your personal data relating to this processing;
  • personal data necessary to comply with specific legal obligations will be retained in accordance with the relevant legal provisions.

11. Right to object

As a Data Subject, you have the right to object under the following terms:

  • the right to object at any time, on grounds relating to your particular situation, to the processing of Personal Data concerning you pursuant to Article 6(1)(e) or (f) of the GDPR. The Controller shall refrain from further processing your personal data unless the Controller demonstrates the existence of compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of a legal claim;
  • where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling to the extent that it is related to such direct marketing;
  • in the event of objection to processing for direct marketing purposes, the personal data are no longer processed for such purposes. You may object to the processing of your personal data for direct marketing purposes only in part, for example by objecting only to the sending of promotional communications through automated and/or digital tools, or to the sending of paper communications and/or the receipt of telephone communications;
  • where your personal data are processed for scientific or historical research or statistical purposes pursuant to Article 89(1) of the GDPR, on grounds relating to your particular situation you have the right to object to the processing of personal data, unless the processing is necessary for the performance of a task carried out in the public interest.

12. Other rights

The Controller also wishes to inform you of the existence of the following rights:

  • Right of access: you have the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed and to access your personal data and specific information, in accordance with Article 15 of the GDPR;
  • Right to rectification: you have the right to obtain from the Controller the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to obtain the completion of incomplete personal data, including by providing a supplementary statement, in accordance with Article 16 of the GDPR;
  • Right to erasure of data, including the right to withdraw consent: you have the right to obtain from the Controller the erasure of your personal data without undue delay or to withdraw consent to processing, where the grounds set out in Article 17 of the GDPR apply. You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent given by you before withdrawal;
  • Right to restriction of processing: you have the right to obtain from the Controller restriction of processing, where the circumstances set out in Article 18 of the GDPR apply;
  • Right to data portability: you have the right to receive, in a structured, commonly used and machine-readable format, your personal data provided to the Controller and you have the right to transmit them to another Controller without hindrance from the Controller indicated in this Privacy Notice, as provided for in Article 20 of the GDPR;
  • Right of the customer to object to commercial communications: as a customer, you have the right to object at any time, free of charge, to the receipt of commercial communications from the Controller;
  • Right to lodge a complaint with the Supervisory Authority: you have the right to lodge a complaint with the Supervisory Authority for the Protection of Personal Data, to report a breach of personal data protection legislation, in accordance with Article 77 of the GDPR.

13. How to exercise your rights

You may exercise the rights indicated in the Privacy Notice by sending requests directly to the Controller at the email address privacy@skinfirstcosmetics.it, or by sending the relevant communication by registered letter with return receipt to the Controller’s registered office as indicated above. You may lodge a complaint with the Supervisory Authority for the Protection of Personal Data in the manner provided on the official website, addressing it to the contact details available at https://www.garanteprivacy.it/home/footer/contatti.


14. Accessibility of the Privacy Notice

The Privacy Notice is available on the Website or at the Controller’s premises.


15. Changes

The Controller may amend the Privacy Notice, including to comply with changes in national and/or European Union law, or technological innovations. Any new versions of the Privacy Notice will be published on the Website. You are invited to check the Privacy Notice periodically. Any change will in any event be communicated to you through a pop-up on the Website or by different methods and/or IT tools.

If the Controller substantially amends the Privacy Notice, providing for new purposes of processing and/or categories of personal data processed, it shall inform you and request the necessary consents through a pop-up on the website or by different methods and/or IT tools.