Stampa
GFL SA
via Sorengo 1
6900 Lugano
P.IVA CHE-301633770
Cod. Doc. 21190.51.456666.3176217

Information notice

Privacy Policy concerning the Processing of Personal Data
Article 19 Swiss Federal Data Protection Act (FADP)
Articles 13-14 EU Regulation 2016/679 (GDPR)

Data subject: Portal browsers eu.gflcosmetics.com.

GFL SA in its capacity as Data Controller of your personal data, pursuant to and in accordance with Article 19 of the Swiss Federal Act on Data Protection (hereinafter referred to as the "FADP") and, where applicable, Articles 13 and 14 of EU Regulation 2016/679 (hereinafter referred to as the "GDPR"), we hereby inform you that the aforementioned regulations provide for the protection of individuals with regard to the processing of personal data. Such processing will be carried out in accordance with the principles of fairness, lawfulness, transparency, and the protection of your privacy and rights.

Your personal data will be processed in accordance with the terms of the above legal provisions and the confidentiality obligations contained therein.

Purposes and legal base of the processing: your data will be processed for the following purposes necessary to comply with contractual or pre-contractual obligations:

  • management of cookies required for the portal. technical cookies are indispensable for the proper functioning of the site and are used for the sole purpose of managing various services linked to the site, such as a login.;
  • management of technical statistical cookies for the portal. Statistical cookies help website owners understand how visitors interact with sites by collecting and reporting information in an anonymous and aggregate form.

Further to your consent, your personal data may be used for the following purposes:

  • management of non-technical marketing cookies for the portal;
  • management of non-technical statistical cookies for the portal.

Your contribution of data is optional with regard to the abovementioned purpose, and any refusal of consent will not affect the continuation of the relationship or the congruency of the processing.

Processing procedures. Your personal data may be processed, in accordance with Article 5 letter d) of the FADP and Article 4(1)(2) of the GDPR, by the following ways:

  • using electronic calculators running softwares managed by third parties;
  • Using electronic calculators running self-managed softwares or directly engineered.

All data are processed in compliance with the procedures specified in articles 6 and 32 of the GDPR and Articles 7, 8, and 31 of the FADP, through the adoption of appropriate security measures required.

Your data will only be processed by persons specifically authorised by the Data Controller, and specifically by the following categories of authorized persons:

  • internal operators to manage the web portal;
  • Marketing office.

Disclosure. Your data may be disclosed to external entities for the correct management of the relationship and specifically for the following categories of Recipients, including all the duly designated Data Processors:

  • web service provider for the management and maintenance of the platform.

Communications to Third Parties: Your data may be communicated to external parties for the proper management of the relationship and in particular to the following categories of recipients identified as Third Parties:

  • Google - https://business.safety.google/privacy;
  • Quantcast - https://www.quantcast.com/privacy/;
  • quantserve.com;
  • Shopify - https://www.shopify.com/it/legal/cookies.

Distribution: Your personal data will not be distributed in any way.

Your personal data may also be transferred, only for the aforesaid purposes, to the following countries:

  • Canada;
  • EU countries;
  • United States.

Data Storage Period. In accordance with the principles of lawfulness, limitation of purpose and minimisation of data, pursuant to art. 5 of the GDPR, the data storage period for your personal data is:

  • 0.02 days: cloudflare, shopify;
  • 0.03 days: shopify;
  • 0.04 days: shopify;
  • 14 days: shopify,;
  • 14.01 days: shopify;
  • 182.01 days: privacylab;
  • 365 days: shopify;
  • 365.01 days: shopify;
  • 365.26 days: shopify;
  • 390 days: doubleclick/google marketing;
  • 396 days: quantcast advertise;
  • 730.01 days: klaviyo, google,;
  • 90 days: google, quantcast advertise;
  • 90.01 days: shopify, facebook;
  • permanent: klaviyo, shopify, google ads, bundler, judge.me, jadge.me, meta platforms, inc., https://eu.gflcosmetics.com;
  • session: hotellerie-us.gflcosmetics.com, shopify.

Cookie management: in case you have doubts or concerns about the use of cookies you can always intervene to prevent the setting and reading, for example by changing the privacy settings in your browser in order to block certain types.


Since each browser - and often different versions of the same browser - also differ significantly from each other if you prefer to act independently through the preferences of your browser, you can find detailed information about the procedure required in the guide of your browser. For an overview of the most common browsing modes, please visit www.cookiepedia.co.uk.

Advertising companies also allow you to opt out of receiving targeted ads, if desired. This does not prevent the setting of cookies, but interrupts the use and collection of some data by these companies.


For more information and cancellation options, visit www.youronlinechoices.eu/.

Data Controller: the Data Controller, as defined by the Law, is GFL SA (via Sorengo 1 , 6900 Lugano, VAT no. CHE-301633770) in the person of its current legal representative.

You have the right to obtain from the Data Controller the erasure (right to be forgotten), restriction, updating, rectification, portability, and objection to the processing of your personal data. More generally, you may exercise all the rights provided for under Articles 15, 16, 17, 18, 19, 20, 21, and 22 of the GDPR, as well as Articles 21, 25, 28, and 32 of the FADP.
In the event of any violations, the data subject may contact the FDPIC – the Federal Data Protection and Information Commissioner (under the FADP and the Freedom of Information Act), or, for individuals falling within the scope of the GDPR, the national supervisory authority of the Member State where the violation occurred.

You may also examine whenever you like the updated version of the present report by connecting to the following web site https://www.privacylab.it/informativa.php?21190456666&lang=en.

Data subjects located within the territory of the European Union may contact the Data Controller or its Data Protection Representative established in the EU, appointed pursuant to Article 27 of the GDPR, directly at the following address: GFL SA Italian Branch (Via Santa Sofia n.29 , 20122 Milano (MI), contactable as follows: e-mail privacy@gflcosmetics.com).

Data Subject Rights
The data subject may, at any time, submit a request to the Data Controller to exercise the rights granted under the following regulations:
FADP: Articles 21, 25, 28, and 32
EU Regulation 2016/679 (GDPR): Articles 15, 16, 17, 18, 19, 20, 21, and 22

1. The data subject has the right to obtain confirmation as to whether or not personal data concerning him or her exist, regardless of their being already recorded, and disclosure of such data in intelligible form, and the right to lodge a complaint with the supervisory authority.

2. The data subject has the right to be informed of:

  1. the source of the personal data;
  2. the purposes and methods of processing;
  3. the logic applied if the data are processed by electronic devices;
  4. the identification data concerning the Data Controller, the Data Processors and the representative designated
  5. the entities or categories of entity to whom or which the personal data may be disclosed and who or which may get to know said data as designated representative in the State's territory, as data processors or as persons in charge of the processing.

3. The data subject is entitled to obtain:

  1. the updating, rectification or, where interested therein, integration of the data;
  2. the erasure, anonymisation or blocking of data that have been unlawfully processed, including data whose retention is not necessary for the purposes for which they were collected or subsequently processed;
  3. certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were disclosed or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared to the right that is to be protected;
  4. the portability of the data.

4. The data subject has the right to object, in whole or in part:

  1. on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;
  2. to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys.