Privacy Policy
Version as of 26/02/2025
Pursuant to Law No. 78-17 of 6 January 1978 as amended relating to data processing, files, and freedoms, and the European Regulation No. 2016/679 concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data, the Company informs every person accessing the services offered on the Website (the “User”) of its commitment to respect the confidentiality, integrity, and security of the data that the User may provide, in particular through the website www.goutalparis.com (the “Website”) or in-store.
Any personal data that directly identifies the User (including, but not limited to, their last name, first name, postal, electronic, or telephone contact details) or indirectly are considered confidential data and will be treated as such, subject to any evolution in the legal framework regarding the qualification of personal data (“Personal Data”).
Terms used below that begin with a capital letter, whether singular or plural, have the meanings given in the GTU and/or GTS, with other terms possibly defined in this privacy policy.
1. Identification of the Data Controller
The data controller that collects and manages the User’s data on the Website and in-store is AmorePacific Europe, a simplified joint-stock company with a share capital of €63,050.00, whose registered office is located at 49, Avenue des Champs Élysées, 75008 Paris, and having the unique identification number 379 384 225 RCS Paris.
2. Personal Data That May Be Collected
During navigation on the Website, visits to the stores, and/or use of the various services provided by the Company, the User, where applicable, consents to the Company collecting the following categories of data:
– Identification and contact personal data: last name, first name, date of birth, postal address, email address, telephone number, nationality, language;
– Connection and browsing data: IP address, password;
– Personal data related to an order: gender;
– Personal data such as the geographical area of connection, the day and time of the Website visit, and the services consulted and/or used.
The User undertakes to provide updated and valid identification Personal Data as requested on the Website, and guarantees not to make any false statements or provide any erroneous information.
3. Methods of Collecting Personal Data
The User consents to the Company collecting their Personal Data during the following activities and interactions:
– Navigation on the Website;
– User Account Creation Form;
– Subscription to alerts or newsletters;
– Order Form;
– Delivery Form;
– In-store form;
– In-store product reservation;
– Registration on a waiting list for a Product;
– Creation of a shopping cart for Products;
– Account creation form with service providers and partners such as Facebook or Instagram;
– Any other voluntary interaction via the functionalities provided on the Website.
4. Legal Basis for the Collection and Processing of Personal Data
The User’s Personal Data is collected on the basis of the following legal grounds:
– The specific, free, and informed consent of the User (for example, for the creation of the User Account, subscription to the newsletter and special partner offers, etc.);
– The fulfillment of a legal obligation incumbent upon the Company;
– The performance of a contract concluded between the Company and the User (for example, for the execution of the Website’s general terms of use and sale);
– The legitimate interests of the Company (for instance, to ensure the security of transactions).
5. Purpose of Processing Personal Data
Mandatory Personal Data are the data strictly necessary for processing or responding to the User’s requests. In the absence of providing such Personal Data, the User is informed that certain services provided by the Company may not be available. The mandatory nature of the requested information is indicated to the User at the time of collection.
Optional Personal Data are collected by the Company in order to better understand the User and improve their browsing experience on the Website and/or in-store.
Personal Data is collected and processed for the following purposes:
– Creation of a User Account;
– Subscription to the Company’s newsletter;
– Contact and assistance;
– Management of the commercial relationship and sending newsletters;
– Commercial prospecting;
– Service improvement;
– Management of operations related to service performance (confirmation, order tracking, delivery, etc.);
– Access to the Website’s User Account (accessible by login and password);
– Contacting the Company via the online form.
Users are informed that, subject to their prior, specific, and affirmative consent, the Personal Data provided may be transferred to the Company’s commercial partners and/or to companies belonging to the same group as the Company, so that they may inform the User about their offers and services.
6. Duration of Retention of Personal Data
The Personal Data is retained by the Company for as long as necessary to fulfill the aforementioned purposes and in particular:
– Data relating to file management (order tracking, invoicing) is erased or archived after a period of five (5) years following the end of the relationship with the Company;
– Data relating to customer and prospect management (loyalty operations and prospecting, relationship monitoring, newsletter sending, etc.) is erased or archived after a period of three (3) years following the end of the relationship with the Company.
These Personal Data may also be kept for a further period of ten (10) years in an archive database, under restricted access, in order to: (i) comply with the legal and regulatory obligations of the Company; and/or (ii) enable the Company to assert a right in court before being permanently deleted.
7. Recipients of the Personal Data
The User’s Personal Data is intended for those duly authorized to process it within the Company, namely, depending on the nature of the processing and the type of data, persons from the sales department, customer service, marketing, administrative, and/or logistics and IT departments.
In the course of its activities and provision of services, the Company may use subcontractors who process the User’s Personal Data on its behalf and under its instructions. In such cases, the Company may transfer Personal Data outside the European Union, notably to Canada and/or South Korea.
The Company ensures that:
– Subcontractors, employees, or collaborators guarantee the same level of protection as the Company;
– They process the Personal Data solely for the purposes authorized by the intended use, with the required discretion and security; and
– They provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures to ensure the security and confidentiality of the User’s data.
In cases where the Company uses subcontractors located in countries that do not offer a level of protection equivalent to that in the European Union, the Company undertakes to ensure that such transfer is governed by data protection agreements established between the European Union and the destination countries, or by an adequacy decision of the European Commission regarding certain countries ensuring an adequate level of protection, or by the signing of standard contractual clauses established by the European Commission (SCCs) or adopted by a supervisory authority and approved by the European Commission, or by the implementation of binding corporate rules (BCRs), or by an approved code of conduct, an approved certification mechanism, or an administrative arrangement or a legally binding and enforceable instrument taken to enable cooperation between public authorities.
Finally, the Company may transfer or allow access to the User’s Personal Data to administrative or judicial authorities in order to comply with any law, regulation, judicial procedure, or enforceable governmental request.
8. Measures Implemented by the Company to Ensure the Security and Confidentiality of Personal Data
The Company undertakes to process Personal Data in a manner that is:
– Lawful;
– Fair;
– Transparent;
– Proportional;
– Relevant;
– Strictly limited to the announced purposes;
– Retained only for as long as necessary for the established processing; and
– Secure.
The Company implements and updates appropriate technical and organizational measures to ensure the security and confidentiality of Personal Data by preventing its distortion, damage, or disclosure to unauthorized third parties.
9. Users’ Rights Regarding Personal Data
The User may, upon simple written request, access the Personal Data concerning them, request its modification or rectification, or require that it no longer appear in the Company’s database.
Under the right of access, the User is entitled, in accordance with Article 15 of the GDPR, to ask the Company to provide: (i) the communication of their Personal Data in an accessible form; (ii) confirmation as to whether their Personal Data is or is no longer being processed; (iii) information on the purposes of the processing, the categories of Personal Data processed, and the recipients to whom their Personal Data is disclosed; and (iv) the duration of retention of their Personal Data or the criteria used to determine that duration.
In accordance with Article 16 of the GDPR, the right to rectification entitles the User to require the Company to correct, complete, or update their Personal Data when it is inaccurate, incomplete, ambiguous, or outdated.
Under the conditions provided in Article 17 of the GDPR, the User has the right to have their Personal Data erased, allowing them to request that the Company delete their Personal Data as soon as possible, particularly when it is no longer necessary for the purposes for which it was collected.
Furthermore, the User has the right to restrict the processing of their Personal Data under the cases listed in Article 18 of the GDPR. This means they may request that their Personal Data be retained solely for the purpose of:
– Verifying the accuracy of the contested Personal Data;
– Serving as evidence in the assertion, exercise, or defense of their rights in court, even if the Company no longer needs it;
– Verifying whether the legitimate interests pursued by the Company prevail over theirs if they object to processing based on the Company’s legitimate interest; or
– Satisfying their request for limitation of the use of their data rather than deletion, in cases where the processing of their data is unlawful.
The User has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out based on consent prior to its withdrawal.
Under Article 20 of the GDPR, the User has the right to data portability, allowing them to retrieve the Personal Data they provided to the Company in a structured, commonly used, and machine-readable format, so as to transmit it to another data controller.
In accordance with Article 21 of the GDPR, the User has the right to object at any time to the processing of their Personal Data for direct marketing purposes.
Pursuant to Article 85 of Law 78-17 of 6 January 1978 relating to data processing, files, and freedoms, the User may set specific instructions regarding the retention, deletion, and disclosure of their Personal Data after death. These specific instructions will only concern the processing carried out by the Company and will be limited to that scope.
To exercise their rights of access, rectification, deletion, restriction, withdrawal of consent, portability, and objection as mentioned above, the User simply needs to send their request:
– By email to: customerservice@goutalparis.com; and/or
– By mail to the following address:
CEVA LOGISTICS, Parc Logistique du Pont de Normandie P.L.P.N. 2, Port 5051 – BP 112, 76051 Le Havre, France.
The Company will provide the person exercising these rights with information on the measures taken as soon as possible, and in any event within one (1) month from receipt of the request. This period may be extended by two (2) months due to the complexity and number of requests. The Company may verify the identity of the requester before proceeding.
If the Company does not comply with the request, it will inform the person, as soon as possible and no later than one (1) month from receipt of the request, of the reasons for non-compliance and the possibility to lodge a complaint with a supervisory authority and/or seek judicial recourse.
The exercise of these rights is free of charge. However, in the event of a manifestly unfounded or excessive request, the Company reserves the right: (i) to charge administrative fees in accordance with the costs incurred; or (ii) to refuse to comply with the request.
10. Remedies in the Event of a Personal Data Breach
In the event of a breach of Personal Data that could pose a risk to the User’s rights and freedoms, the Company will notify the breach to the CNIL as soon as possible, and if possible, within a maximum of seventy-two (72) hours after becoming aware of it. The Company will also inform the User as soon as possible in accordance with Article 34 of the GDPR.
Without prejudice to any other administrative or judicial recourse, any User who considers that the processing of their Personal Data constitutes a breach of applicable legislation may file a complaint with a competent supervisory authority such as the Commission Nationale de l’Informatique et des Libertés (CNIL).
11. Requests for Information
For any questions regarding the processing of their Personal Data and the exercise of their rights, Users can contact the dedicated service, specifying “GDPR Information Request” in the subject line, via:
– Email: customerservice@goutalparis.com; and/or
– Mail: CEVA LOGISTICS, Parc Logistique du Pont de Normandie P.L.P.N. 2, Port 5051 – BP 112, 76051 Le Havre, France.
12. Modification of the Personal Data Processing Policy
The Company reserves the right to modify this Personal Data Processing Policy in order to comply with the obligations set forth by privacy protection legislation or to adapt it to its practices. Consequently, the User is advised to review it regularly to be aware of any modifications or adjustments.