INCOS S.R.L. with registered office in Milan (MI), Via Santa Maria Valle n.1, C.F. and VAT number 04279670980, which can also be contacted via email at info@incos.company and by PEC at incos.cosmetica@legalmail.it, in the person of the pro tempore, hereinafter also referred to as the "Company" or "Owner", in its capacity as Data Controller, you hereby provide the relevant information to the Data Subject for data processing. Unless otherwise specified, the normative references to articles of law refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 concerning the protection of individuals with regard to the processing of personal data, as well as the free movement of such data and which repeals directive 95/46/EC (general regulation on data protection) and subsequent amendments; hereinafter also GDPR
a) The Data Controller of personal data is INCOS S.R.L. with registered office in Milan (MI), Via Santa Maria Valle n.1, C.F. and VAT number 04279670980 PEC incos.cosmetica@legalmail.it, email info @incos.company, website https://www.incos.company/ a> and Glowal Milano brand sales sites https://www.glowalmilano.it and/or https://www.glowalmilano.com
b) The personal data of the data subject processed, subject to consent, by the Data Controller are as follows:
In general, data that are a necessary prerequisite to enable the owner to provide the services requested by the data subject are marked with an asterisk or otherwise identified as mandatory (e.g., by flags necessarily to be clicked to proceed with the selected activity). In particular, the provision of personal data is mandatory for the provision of the services requested by the data subject through the website or app, including communication with the data subject about the services received and verification that any account created matches a real identity. Any refusal to provide the mandatory data will result in the inability of the owner to provide the services to the data subject.
c) Personal data are provided and disclosed to the minimum essential extent required, in compliance with any contractual commitments under the Terms of Use of the Site & General Conditions Of Sale, in order to fulfill the following purposes:
d) The lawfulness of processing therefore is based both on the consent given by the data subject and, under Article 6, on the necessity of processing for legal or contractual purposes.
e) The data subject has the right to request from the data controller access to and rectification or erasure of personal data or restriction of the processing of personal data concerning him or her and to object to their processing for legitimate reasons.
f) The data subject also has the right to obtain a copy of the personal data in analog or electronic format that allows for portability.
g) A data subject who has given consent under Article 6(1)(A) has the right to withdraw that consent at any time. However, this shall not affect the lawfulness of the processing based on the consent before revocation. The data subject is advised that withdrawal of consent may prevent, in whole or in part, the performance of contracts and relationships.
h) In the event of a dispute or difficulty with the data controller, the interested party has the right to contact the Italian guarantor for data processing available at the URL https://www.garanteprivacy.it/.
i) Some of the data being processed by the data controller may have been collected or provided by other sources such as, but not limited to, social networks or other third-party databases.
j) The data controller confirms to the data subject that there is no intention to transfer the data subject’s personal data to third parties outside the European Union. Should it become necessary to transfer some or all of the data subject’s personal data outside the borders of the European Union and/or to countries/subjects that have not explicitly adopted the measures required by the GDPR, the data controller will proceed to obtain new and explicit consent for this purpose from the data subject.
k) Il titolare del trattamento dei dati conferma all’interessato, nei limiti del possibile, che richiederà analogo livello di protezione dei dati qualora debba trasferire i dati personali dell’interessato a soggetti terzi per l’esecuzione di una delle finalità di cui sopra.
a) The Data Controller of personal data is INCOS S.R.L. with registered office in Milan (MI), Via Santa Maria Valle n.1, C.F. and VAT number 04279670980 PEC incos.cosmetica@legalmail.it, email info @incos.company, website https://www.incos.company/ a> and Glowal Milano brand sales sites https://www.glowalmilano.it and/or https://www.glowalmilano.com.
b) The personal data of the data subject processed, subject to consent, by the Data Controller are as follows:
In general, data that are a necessary prerequisite to enable the owner to provide the services requested by the data subject are marked with an asterisk or otherwise identified as mandatory (e.g., by flags necessarily to be clicked to proceed with the selected activity). In particular, the provision of personal data is mandatory for the provision of the services requested by the data subject through the website or app, including communication with the data subject about the services received and verification that any account created matches a real identity. Any refusal to provide the mandatory data will result in the inability of the owner to provide the services to the data subject.
c) Personal data are provided and disclosed to the minimum essential extent required, in compliance with any contractual commitments under the Terms of Use of the Site & General Conditions Of Sale, in order to fulfill the following purposes:
d) The lawfulness of processing therefore is based both on the consent given by the data subject and, under Article 6, on the necessity of processing for legal or contractual purposes.
e) The data subject has the right to request from the data controller access to and rectification or erasure of personal data or restriction of the processing of personal data concerning him or her and to object to their processing for legitimate reasons.
f) The data subject also has the right to obtain a copy of the personal data in analog or electronic format that allows for portability.
g) A data subject who has given consent under Article 6(1)(A) has the right to withdraw that consent at any time. However, this shall not affect the lawfulness of the processing based on the consent before revocation. The data subject is advised that withdrawal of consent may prevent, in whole or in part, the performance of contracts and relationships.
h) In the event of a dispute or difficulty with the data controller, the interested party has the right to contact the Italian guarantor for data processing available at the URL https://www.garanteprivacy.it/.
i) Some of the data being processed by the data controller may have been collected or provided by other sources such as, but not limited to, social networks or other third-party databases.
j) The data controller confirms to the data subject that there is no intention to transfer the data subject’s personal data to third parties outside the European Union. Should it become necessary to transfer some or all of the data subject’s personal data outside the borders of the European Union and/or to countries/subjects that have not explicitly adopted the measures required by the GDPR, the data controller will proceed to obtain new and explicit consent for this purpose from the data subject.
k) The data controller confirms to the data subject, to the extent possible, that it will require similar level of data protection if it has to transfer the data subject’s personal data to third parties for the performance of any of the above purposes.
a) the data of the interested party will be processed and stored for the time necessary in relation to the aforementioned purposes (in particular the supply of services and products offered to the interested party) and/or until the prescription or forfeiture of the rights deriving from the relationship. In particular, the data is kept for the entire period during which the data subject has an active account. After 12 (twelve) months from the deactivation of the registration account on the website https://www.incos .company/ and/or on sales sites https://www.glowalmilano.it a> and/or https://www.glowalmilano.com, the data is in each deleted in case, with the exception of those to be kept for precise legal obligations (for example, billing tax data). The data is not deleted immediately after deactivation of the account by the data subject in order to allow the data subject a right of withdrawal without losing the data stored on the account.
b) Regarding the sending of newsletters, a data subject’s e-mail address is deleted from the mailing list only upon the data subject’s express request. If the data subject does not make any request to remove his or her e-mail from the newsletter, he or she will continue to receive the newsletter e-mails, despite having deleted his or her account. In each newsletter e-mail the data subject will receive, there will be a link for unsubscribing the data subject’s e-mail from the mailing list.
c) The data subject has the right to request from the data controller access to and rectification or erasure of personal data or restriction of the processing of data concerning him or her or to object to its processing for legitimate reasons.
d) The data controller confirms that no automated decision-making process based on profiling or use of the data subject’s data other than the stated purpose is used.
e) The data subject’s data may be communicated and/or shared with:
f) The data subject’s data may be communicated and/or shared to the extent strictly necessary for purposes of technical and/or IT maintenance of the service.
g) This site is protected by reCAPTCHA. Privacy and terms applied by Google.
the data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed and, if so, to obtain access to the personal data and the following information:
a) the purposes of processing;
b) the categories of personal data in question;
c) The recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly if recipients in third countries or international organizations;
d) when possible, the intended retention period of personal data or, if not possible, the criteria used to determine this period;
e) the existence of the data subject’s right to request from the data controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning him or her or to object to their processing;
f) The right to file a complaint with a supervisory authority;
g) where the data are not collected from the data subject, all available information about their origin;
h) the existence of automated decision-making, including profiling, and, at least in such cases, meaningful information about the logic used, as well as the significance and expected consequences of such processing for the data subject.
i) Where personal data are transferred to a third country or international organization, the data subject has the right to be informed of the existence of adequate safeguards relating to the transfer.
The data subject has the right to obtain from the data controller the rectification of inaccurate personal data concerning him/her without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, including by providing a supplementary declaration.
The data subject shall have the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay, and the data controller shall be obliged to erase the personal data without undue delay if one of the following grounds exists:
1) personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2) the data subject withdraws the consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a) and if there is no other legal basis for the processing;
3) the data subject objects to processing under Article 21(1) and there is no overriding legitimate reason for processing, or objects to processing under Article 21(2);
4) personal data have been unlawfully processed;
5) personal data must be deleted in order to comply with a legal obligation under Union or Member State law to which the data controller is subject;
6) personal data were collected in connection with the provision of information society services referred to in Article 8(1).
The data controller, if it has shared and/or made personal data public and is subsequently obliged to delete it, taking into account available technology and the costs of implementation, will take reasonable measures, including technical measures, to inform those who are processing such personal data of the data subject’s request to delete any link, copy or reproduction of his or her data.
This right to erasure does not apply to processing carried out for the establishment, exercise or defense of a right in a court of law, pursuant to Article 17(2)(E).
The data subject has the right to obtain from the data controller the restriction of processing when one of the following cases occurs:
a) the data subject disputes the accuracy of personal data, for the period necessary for the data controller to verify the accuracy of such personal data;
b) processing is unlawful and the data subject objects to the deletion of personal data and instead requests that their use be restricted;
c) although the data controller no longer needs it for the purposes of processing, the personal data is necessary for the data subject to establish, exercise or defend a right in court;
d) the data subject has objected to the processing under Article 21(1), pending verification as to whether the data controller’s legitimate grounds prevail over those of the data subject.
Where processing is restricted, such personal data shall be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defense of a legal claim or to protect the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State.
A data subject who has obtained the restriction of processing shall be informed by the data controller before the restriction is lifted.
The data subject should know that the data controller will notify each of the recipients to whom personal data have been transmitted of any rectification or erasure or restriction of processing unless this proves impossible or involves a disproportionate effort. The data controller will notify the data subject of such recipients if the data subject so requests.
The data subject has the right to receive, in a structured, commonly used and machine-readable format, personal data concerning him or her that he or she has provided to a data controller and has the right to transmit such data to another data controller without hindrance from the data controller to whom he or she has provided them if:
a) the processing is based on consent under Article 6(1)(a) or Article 9(2)(a) or a contract under Article 6(1)(b); and
b) the processing is carried out by automated means.
When exercising his or her rights with regard to data portability, the data subject has the right to obtain direct transmission of personal data from one data controller to another, if technically feasible.
The exercise of the right does not apply to processing necessary for the performance of a task carried out in the public interest or in connection with the exercise of official authority vested in the data controller and must not infringe on the rights and freedoms of others.
The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to Article 6(1)(e) or (f), including profiling on the basis of those provisions. The controller shall refrain from further processing the personal data unless the controller demonstrates compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her carried out for such purposes, including profiling insofar as it relates to such direct marketing.
If the data subject objects to processing for direct marketing purposes, personal data are no longer processed for such purposes.
The data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or affects him or her in a similar significant way, subject to the exceptions set out in Article 22(2).
The Data Controller informs the data subject that data are processed by both analog (paper) and electronic means.
Persons in charge of processing have received specific training and authorizations for data processing and are bound by obligations of secrecy.
Data stored in electronic form are protected by:
a) Use of up-to-date processors, operating systems and programs;
b) protection software;
c) backup and disaster recovery strategies;
In the event of a personal data breach, the data controller shall notify the competent supervisory authority pursuant to Article 55 of the breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the personal data breach is unlikely to present a risk to the rights and freedoms of natural persons. Where notification to the supervisory authority is not made within 72 hours, it shall be accompanied by the reasons for the delay.
The data controller shall document any data breach, including the circumstances surrounding it, its consequences, and the steps taken to remedy it. A Data Breach Register has been prepared for this purpose.
When a personal data breach is likely to present a high risk to the rights and freedoms of natural persons, the data controller shall notify the data subject of the breach without undue delay.
This register shall contain at least all of the following information:
a) The name and contact details of the data controller and, where applicable, the joint data controller, the data controller’s representative, and the data protection officer;
b) the purposes of processing;
c) A description of the categories of data subjects and categories of personal data;
d) The categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or international organizations;
e) where applicable, transfers of personal data to a third country or international organization, including identification of the third country or international organization and, for transfers under the second paragraph of Article 49, documentation of appropriate safeguards;
f) where possible, the expected time limits for deletion of the different categories of data;
g) where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
Pursuant to Art. 37 of EU Reg. No. 679/2016 (GDPR), it should be noted that the Company is not a public authority or public body and also that it is not considered reasonable to consider the Company’s activities as "large-scale" for the following considerations:
For these reasons, it was not considered mandatory for the Company to appoint a data protection officer pursuant to art. 37, EU Reg. no. 679/2016 (GDPR).
In order to make visiting and using the website more convenient and efficient https://www.incos.company/" target="_blank" rel="noopener">https://www.incos.company/" target="_blank" rel="noopener"> incos.company/ managed by the Owner, cookies and similar technologies are used, such as scripts.
Cookies are small text files sent by the website and recorded locally in the temporary memory of the relevant user’s browser (and thus in the user’s computer) - for varying periods of time depending on the need and generally ranging from a few hours to a few years - and then re-transmitted by the browser to the website on the user’s next visit. By means of cookies, it is possible to semi-permanently record preference information and other technical data that enable smoother navigation and greater ease of use and effectiveness of the website. For example, cookies can be used to determine whether a connection has already been made between a user’s computer and the website, to highlight new features, or to maintain login information.
Scripts are tools for analyzing the usability of web pages and consist of small software programs temporarily activated on some of the pages of websites, which intercept, in a completely anonymous way, a set of interaction events with the content of the website itself (e.g., click, mouse path, and time spent by the mouse in a given location). After the collection activities are completed, this information is aggregated and analyzed to understand how to improve the structure of the web page or service.
Activation of cookies, scripts and all cookie-like technologies is subject to acceptance of the Cookies Policy on the website. By continuing to browse the website, closing the information wrapper or clicking on any part of the page or scrolling down to view further content, you are performing a manifest and explicit act of acceptance of the Cookies Policy and cookies for which you have not declared your refusal will be set and collected.
It is always possible for the user to take action to prevent the storage and reading of cookies by changing the privacy settings within the browser. You can also exercise your right to object to the full use of cookies by leaving the website and thereby also rejecting the use of the essential technical cookies necessary for its operation.
Any request for clarification or exercise of the rights of the interested party can be addressed to INCOS S.R.L., Milan (MI), Via Santa Maria Valle n.1, C.F. and VAT number 04279670980, PEC incos.cosmetica@legalmail.it. Furthermore, the same always has the right to lodge a complaint with the Privacy Guarantor through the site https://www.garanteprivacy .it.
The website https://www.incos.company/ and in particular the websites < a href="https://www.glowalmilano.it" target="_blank" rel="noopener">https://www.glowalmilano.it and/or https://www.glowalmilano.com of the owner’s brand Glowal Milano can make use of four different types of cookies:
These cookies are necessary for the website to function properly. They enable page navigation, content sharing, storage of your login credentials to make it faster for you to enter the site and to keep your preferences and credentials active while you are browsing. Without these cookies, the company cannot provide the services for which users access the website.
These cookies allow the company to know how visitors use the website, so that it can evaluate and improve its operation and prioritize the production of content that best meets users’ information needs. For example, they let it know which pages are the most and least visited. They take into account, among other things, the number of visitors, the time spent on the site by the average user, and how users arrive. In this way, the company can know what is working well and what to improve, as well as make sure that pages load quickly and are displayed correctly.
These cookies make it possible to offer users ads related to their interests. They are also used to limit the number of views of the same ad and to evaluate the effectiveness of advertising campaigns.
This category includes both cookies delivered by partners of the company and cookies delivered by third parties not directly controlled or controllable by the company. Cookies from partners enable advanced functionality, as well as more information and personal features, such as the ability to share content through social networks. These services are mainly provided by external operators hired by the company or knowingly integrated. If you have an account or use the services of such parties on other websites, they may be able to know that you have visited the company’s site. The use of data collected by these external operators via cookies is subject to the respective privacy policies listed and described above. These include cookies recorded by major social networks that enable sharing of content on the company’s website and public expression of liking for the company’s work. Non-partner cookies are conveyed, without the company’s control, by third parties who have ways of intercepting the user during his or her navigation even outside the company’s website. These cookies, which are typically profiling cookies, are not directly controllable by the company, which cannot, therefore, guarantee what use the third party owners make of the information collected. Opposition to the use of such cookies is therefore left to external tools or more simply to direct action by the user on his browser preferences.