1. GENERAL PROVISIONS
This privacy policy (“Privacy Policy”) applies to all Personal Data processed by Lovisa Retail Germany GmbH, Richmodstrasse 6, Cologne 50667, Germany (“Lovisa”, “we”, “us”, or “Data Controller”) relating to transmitting a digital receipt to your email address. Lovisa complies with the General Data Protection Regulation (“GDPR”).
This privacy policy explains how we collect, hold, use, disclose and otherwise manage personal data when transmitting a digital receipt to your email address (personal data is defined as any information relating to an identified or identifiable natural person under Art 4 no 1 of the GDPR – “Personal Data”).
2. YOUR PRIVACY: OVERVIEW
At Lovisa, we take our responsibilities under current data protection regulations and laws seriously. We recognise the importance of the Personal Data you have entrusted to us and are committed to properly managing, protecting, and processing Personal Data.
3. REVISIONS TO THIS PRIVACY POLICY
Lovisa reserves the right to change this Privacy Policy from time to time. If we make changes, we will notify you by revising the date of this Privacy Policy. If we make material changes to this Privacy Policy, we will provide you with additional notice (such as adding a statement to our websites’ homepage).
4. TRANSMISSION OF DIGITAL RECEIPTS
We offer our customers a choice of either physical or digital receipt when they are shopping in store. When a customer selects to receive a digital receipt, we may request to collect the following information:
- Email address
The customer’s email address is saved in our CRM System (Klaviyo) for the purpose of being able to send a digital receipt to the customer. The legal basis for this processing is your consent in accordance with Art. 6 para. 1 lit. a) GDPR. You can revoke this at any time with effect for the future. The legality of the data processing operations already carried out remains unaffected by this withdrawal of consent.
5. RECIPIENTS / CATEGORIES OF RECIPIENTS / DISCLOSURE
Disclosure of your Personal Data will generally be for the primary purpose of providing the service to you in accordance with this Privacy Policy. In addition, Lovisa may disclose your Personal Data for purposes related to the above purpose, other purposes which we notify you of when we collect the information and for purposes otherwise permitted or required by law. This may include Lovisa disclosing Personal Data to related companies of Lovisa or other entities with which Lovisa has a commercial relationship, including to third parties in the following cases:
We rely on contractually affiliated third-party companies and external service providers ("processors") to provide the services. In such cases, we pass on Personal Data to these processors in order to enable them to carry out parts of the processing on our behalf. These processors are carefully selected and regularly reviewed by us to ensure that your rights and freedoms are protected. The processors may only use the data in accordance with our instructions and we also contractually oblige these processors to process your Personal Data in accordance with the GDPR.
The transfer of data to processors takes place on the basis of Art 28 para 1 GDPR. In addition to the processors already mentioned in this Privacy Policy, we also use the following categories of processors:
- IT service providers
- Cloud service providers
- Hosting service providers
- Software service providers
6. PROTECTING YOUR PERSONAL DATA
Any Personal Data collected by Lovisa will be processed fairly, lawfully, and in a transparent manner. “Processing” includes, but is not limited to, collection, storage, transfer, dissemination, or erasure of Personal Data. Lovisa takes appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to Personal Data.
7. AUTOMATED INDIVIDUAL DECISION-MAKING; INCLUDING PROFILING
We do not use automated processing for decision-making or profiling.
8. THIRD COUNTRY TRANSFERS
In instances where Personal Data is collected inside the EU or European Economic Area (“EEA”) and transferred to countries without adequacy decisions (see Art 45 GDPR and https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en for further information), we ensure suitable guarantees within the meaning of Art. 46 GDPR. This may include the use of the standard contractual clauses approved by the EU Commission in accordance with Art 46 para 2 lit c) GDPR. With our service providers who process your data on our behalf ("processors"), we conclude the standard contractual clauses for transfers to processors in third countries. For transfers to third parties who act as controllers in third countries, we use the standard contractual clauses for transfers to third parties as data controllers. You can request a copy of these standard contractual clauses using the contact details.
9. HOW WE SECURE YOUR PERSONAL DATA
We have an obligation to ensure that your Personal Data is protected from unauthorised processing, accidental disclosure, access, loss, destruction, or alteration. Accordingly, we have a range of technical security measures and procedures in place to ensure that your personal information is protected appropriately. These include but are not limited to:
- Restricting access to information systems through access control measures and authentication techniques;
- Encrypting sensitive data while at rest and in transmission;
- Providing information security training to internal employees; and
- Binding employees and contractors to information security policies.
Your Personal Data will be kept on databases held on servers kept in a physically and technologically secured environment, accessed only by authorised personnel or contractors. Where personal information is held in hard copy, it will be held in controlled, access restricted premises which only authorised personnel or contractors will be permitted to access.
10. REQUIREMENT TO PROVIDE DATA
You are neither legally nor contractually obliged to provide your Personal Data.
11. PROCESSING FOR OTHER PURPOSES
Your data will only be processed for purposes other than those described in this Privacy Policy if this is permitted by law or if you have consented to the changed purpose of the data processing. In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes prior to further processing and provide you with all other relevant information.
12. RETENTION OF PERSONAL DATA
We will delete or anonymise your Personal Data as soon as it is no longer required for Lovisa to achieve the purpose for which we collected or used your Personal Data; as soon as, in the event of an objection pursuant to Art. 21 GDPR, there are no compelling legitimate grounds on the part of our company to prevent deletion; or as soon as, in the event of withdrawal of consent, there is no other legal basis for processing.
We collect and store your email address only for the transmission of the digital receipt. After sending the email with the receipt, your email address is deleted from our CRM system.
13. WHAT ARE YOUR RIGHTS?
13.1 RIGHT TO ACCESS (ART. 15 GDPR)
You have the right to request information on whether or not Lovisa holds Personal Data about you and, if that’s the case, what Personal Data Lovisa holds about you. This can be done via https://www.lovisajewellery.eu/pages/data-privacy. You are entitled to know what Personal Data we are processing, why we have processed it, and whether we have shared your Personal Data. You may exercise your right to request access and to obtain copies of any Personal Data we have collected from you, and request that your Personal Data be provided to you in a format that can be easily read.
For this, you can contact our Data Protection Officer using the contact details in the contact section of this Privacy Policy.
13.2 RIGHT TO RECTIFICATION (ART. 16 GDPR)
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. For this, you can contact us via https://www.lovisajewellery.eu/pages/data-privacy.
13.3 RIGHT TO ERASURE (ART. 17 GDPR)
European Privacy law entitles you to request deletion of your personal data stored by Lovisa. Please note that if you request the erasure of your personal data, we may retain or use your personal data to:
- Exercise our legitimate business interests, such as fraud detection and prevention and enhancing safety against deceptive, malicious, fraudulent, or illegal activity, and/or to prosecute those responsible for such activity;
- Establish, exercise, or defend legal claims, or remain in compliance with applicable law;
- Perform our contractual obligations to which you are a party;
- Perform a task carried out in public interest;
- Identify, debug and/or repair errors that negatively affect the intended functionality;
- Complete a transaction and/or provide a good or service requested by you or anticipated by you within the context of the business relationship, or to perform our obligations under contract; and
- Any other permitted purposes under applicable law.
13.4 RIGHT TO OBJECT (ART. 21 GDPR)
You have the right to object to the processing of your Personal Data that is done based upon Art 6 para 1 lit e) or f) GDPR (Art 6 para 1 lit f) GDPR being Lovisa’s legitimate interests). Lovisa will not continue to process the Personal Data unless we can demonstrate a legitimate ground which overrides your interest and rights, or due to legal claims.
You also have the right to object to direct marketing. You can opt out from Lovisa’s direct marketing by following the instructions contained in each marketing e-mail. After your objection, we will stop the processing.
13.5 RIGHT TO DATA PORTABILITY (ART. 20 GDPR)
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right of transferring information from one organisation to another only applies if we are processing information based on your consent or under, or in talks about entering into, a contract and the processing is automated.
13.6 RIGHT TO LODGE A COMPLAINT (ART. 77 GDPR)
You have the right to lodge a complaint with the competent data protection supervisory authority.
13.7 RIGHT TO RESTRICTION (ART. 18 GDPR)
You have the right to demand that we restrict the processing of your personal data under the conditions set out in Art. 18 (1) GDPR.
14. BREACH
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, Lovisa will assess the risk to your rights and freedoms and if appropriate report this breach to the relevant authorities.
15. CONTACT US / DATA PROTECTION OFFICER
If you have any questions or comments about this Privacy Policy you can contact our data protection officer via email: privacy@lovisa.com