PRIVACY POLICY

This Privacy Policy is valid from 11.07.2019

Changing the Privacy Policy

Under certain circumstances, LC WAIKIKI may, as a personal data controller, modify this policy on the processing of personal data to reflect changes in legislation, internal practices and procedures for processing personal data, or technological advances made over a certain period of time. In the event that we make changes in the way your personal data is processed or used, they will be published in the updated policy, and the date of entry into force of the amended policy will be published at the beginning of the updated personal data processing note. Therefore, this Privacy Policy must be consulted periodically in order to keep up with the latest policies and practices in this field.

In accordance with the provisions of Regulation (EU) No 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, known as the "General Data Protection Regulation" or, in short, "GDPR", we bring to your attention the following aspects regarding the processing of your personal data:

Who we are

LC Waikiki is a global ready-made clothing retailer based in Turkey, operating in more than 30 countries (list of LC Waikiki’s subsidiaries) with more than 40,000 employees. All related data processing activities are therefore jointly operated and carried out by the following entities from the LC Waikiki Group of companies as joint controllers:

  1. Mainly by LC WAIKIKI RETAIL RO S.R.L., daughter company registered and functioning under Romanian laws, with headquarters in Romania, Bucharest, 6th District, 26Z Timisoara Blvd., 11th Floor, duly registered with the Trade Registry Office attached to the Bucharest Tribunal under no. J40/9674/2009, having fiscal registration and VAT no. RO 26054330, for all operations related to the conclusion and execution of the distance sale agreement (orders, shipment etc.);
  2. In subsidiary by LC WAIKIKI MAĞAZACILIK HIZMETLERI TIC. A.Ş., mother company and sole shareholder of LC WAIKIKI RETAIL RO S.R.L, registered and functioning under Turkish laws, with headquarters in Turkey, 15 Temmuz Mahallesi Gülbahar Cad. No:41 Bağcılar, 34212 İstanbul, Turkey.

What personal data we process

If you visit our Stores

For issuing product invoices, return invoices and payment orders we will need your name, surname, address and signature. For resolving complaints received from you through the Register of Complaints, we will process your full name, surname, e-mail address and telephone number. To ensure store security and to monitor access routes and activity in LC WAIKIKI stores through CCTV systems, we will process video footage in which you might appear. We also use the images to best organise the store activity for optimal customer satisfaction (making sure all the products are displayed and easy to access, completing empty shelves with new merchandise, clearing the hangers near the exchange cabins, etc.).

  • If you book a product in the store or a product available in another LC WAIKIKI store, we will need your name, surname and phone number to inform you when you can pick up your product

If you visit our website

  • Data regarding the profiling of the LC WAIKIKI’s website users according to the Cookies Policy you can access here: age, sex, IP, traffic data, geo-location data, device information (Device ID, software version, connection used, operating system, browser used), keywords searched by the user according to its interests;
  • Data regarding your shopping account: name, surname, billing and delivery address, account ID and password, e-mail address, telephone number, shopping and payment history and preferences, shopping cart content, your interactions with our on-line Customer Support Services.

If you want to be part of the LC WAIKIKI Team

  • Data of the recruitment process: name, surname, age, gender, nationality, address, CV data, workbook (if applicable), level and specialization of studies required by job description; recommendation letter, references from your past jobs (if applicable), specific test and evaluation results support documents including sensitive data, such as criminal records, psychological examination certificate (if applicable).

If you contact our Call Center

  • Voice data: Your voice and the information provided during the entire phone call.

Where do we obtain personal data from

As a rule, the personal data we process is obtained directly from you. However, there are situations in which we will also be in possession of your personal data through other legitimate means, such as executing a contract to which you are not a party:

  • If you are designated as an authorized person or business contact for our partners;
  • If you purchase an LC Waikiki product from our partners' on-line shop/marketplace;
  • If you use in our stores discounts or any other benefits won in our partner’s campaigns (shopping malls);
  • If you work as a leased employee in our stores;
  • If you allow recruitment platforms to share your resume with us.

Purposes of the processing

Your personal data are processed by LC WAIKIKI for legitimate purposes, according to the legal regulations in force, as follows:

  • Concluding and executing contracts with our partners;
  • To process, confirm and fulfil your order, including confirming payment, updating you on the status of your order and shipping the order to you;
  • For Customer support and general assistance;
  • Managing communications systems and IT systems, conducting audit reports, managing database security and all IT systems;
  • Drafting tax documents and collecting payment amounts from individuals, including recovering debits and invoices issued by suppliers;
  • To issue product invoices, return invoices and payment orders;
  • To resolve complaints received from you through the Register of Complaints;
  • To provide security for goods and people inside LC WAIKIKI’S stores by using the video surveillance system;
  • Conducting recruitment / selection activities for filling vacancies and managing recruitment / contest files during the various stages of the procedure;
  • Developing campaigns for customers or potential customers through an electronic newsletter or SMS for direct marketing purposes;
  • Streamlining the services made available to the clients and constantly improving the quality of the services offered, in particular the Call Center service through the recording of calls or web services and products by inviting you to complete our surveys;
  • To register your user account on our website;
  • Representation of the company in courts and before public authorities.

NOTE

If LC WAIKIKI wishes to process your personal data for purposes other than those originally declared, you will be provided with a separate information note detailing the subsequent purpose of the processing, the legal basis of the processing, and the retention period of your personal data, along with any other useful information in relation to further processing to enable you to express your consent freely, knowingly and expressly for each processing operation (if such processing is conditional upon your express consent being obtained).

Legal Basis of processing

  • Making steps at your request before concluding a contract (Article 6 (1) (b), of the GDPR);
  • The fulfillment of legal obligations by LC WAIKIKI (Article 6 (1) (c) of GDPR);
  • The legitimate interest of LC WAIKIKI (Article 6 (1) (f) of the GDPR), such as: the organization of the entire LC WAIKIKI activity for the purpose of carrying out the activity; Scheduling of IT applications; solving complaints and requests received from clients or other interested persons; monitoring store access; initiating and conducting litigation by courts of law and (possibly) other public authorities;
  • Your consent to processing, when expressly granted, freely and unconditionally, in specific situations such as, for example, marketing processing (Article 6 (1) (a) of the GDPR).

For how long we keep personal data

  • Personal data processed for accounting purposes, especially those related to billing and payments, will be stored for a period of 10 years starting on 1 January of the year following the end of the financial year in which they were drawn up according to legal provisions;
  • Personal data from the recruitment process will be kept for a period of 6 months from the end of the recruitment / selection process for the vacancy;
  • Video footage from store surveillance cameras is kept for a maximum of 30 days;
  • Personal data submitted through the Register of Complaints, according to the legislation, shall be kept for at least 1 year after its completion;
  • Product reservation forms will be kept in special compartments at the store where you requested the product until the product arrives;
  • Personal data processed for concluding and performing the distance sales contract (online purchases) will be kept for the entire contractual period plus a maximum period of 10 years during which related rights should reach prescription/statute of limitation;
  • Personal data processed for user account purposes will be kept for as long as your account is valid. Your account shall be disabled and closed after a period of inactivity of 2 years calculated since the last log-in in that account;
  • Data processed under your consent will be processed during the validity period of your consent or until you choose to withdraw your consent or the data is no longer necessary;
  • Data processed under our legitimate interest will be processed for a maximum period of 5 years, after which it will be anonymized and processed for statistical purposes

When personal data processing conditions set forth in the legislation no longer apply, LC WAIKIKI has to delete, destroy, or anonymize personal data ex-officio, or upon request of the data subject. Personal data, which is processed in compliance with the legislation, is deleted, destroyed or anonymized by the data controller ex-officio, or upon request of the data subject, when such personal data is no longer necessary for the purposes of processing.

In some circumstances, such as to meet our legal or regulatory obligations, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions, we may hold on to your personal data after we’ve finished providing services to you, or for longer than our general retention policy.

Who do we share personal data with

Under certain expressly regulated conditions, your personal data may be processed by LC WAIKIKI through processors or jointly with other companies. In the latter case, the relationship is one of Joint Controllers, who jointly establish the purposes and means of processing, according to the provisions of art. 26 of the GDPR.

In some situations, your data may be disclosed to service providers such as, but not limited to, providers of IT services and systems, and to various contractual partners such as Microsoft Corporation, Iron Mountain, etc. We may also send your data to lawyers, accountants, auditors, or other professionals who are required to keep professional secrecy.

For reporting to state authorities, in accordance with the legal obligations in force, it will be necessary to transmit your data to various public institutions.

The full list of our partners can be found here.

Personal data transfers to third countries

If your data is to be transferred to other companies in other countries to initiate, conclude, and develop contracts and/or projects with such an entity, such as, but not limited to, travel management and order processing and delivery, you will be informed, and the transfer will be done only by ensuring the safeguards provided by art. 44-49 of the GDPR.

Personal data security

LC Waikiki takes all necessary measures to ensure that its employees, and all companies and organizations it works with, exercise due care and have awareness related to data security. LC Waikiki provides training on data security to its employees when they first start working at the company, and at later stages as well to update their knowledge on this matter. All employees that access personal or sensitive personal data are required to provide a letter of undertaking in relation to security and privacy of such data.

In case of any non-conformity with policies and procedures, disciplinary action is taken. The security of personal data is provided with password-protected protocols, firewalls, and access control mechanisms. Data is classified and labeled. Physical security measures are taken against external and peripheral threats. Changes made in the information systems are recorded. To avoid data losses, back up of personal data is taken according to data backup policy. Information systems are regularly scanned for security vulnerabilities and any detected vulnerability is eliminated. In case of any breach of information security, non-conformities are determined immediately and all necessary measures are taken to eliminate and prevent recurrence of such non-conformities.

We also hold an ISO/IEC 27001 Information Security Management System certificate, meaning that we employ the highest standards in protecting all the data we process and we are periodically audited by an independent security auditor.

Technical measures are listed below:

  • Internal IT controls are made for the systems operated by the company.
  • Our servers are kept in secured locations with strict physical access (CCTV, ID Card Management, human security, secured access ways, etc.); we have mirroring solutions, periodical back-ups and a Disaster Recovery Plan;
  • IT risk assessment of the systems operated by the company is conducted as part of the Corporate Risk Management process.
  • e-training on privacy and data security is provided to raise awareness of the personnel related to personal data and laws on protection of data.
  • Personnel are required to provide a letter of undertaking related to their responsibilities for data security. In case of any non-conformity with policies and procedures, disciplinary action is taken.
  • Data processed by the company is classified based on its level of confidentiality, and information is shared in the company and out of the company using methods chosen according to classification of data.
  • Firewalls, proxy servers, networks and sub networks are used for network and data security of the company.
  • Firewall access rules are periodically reviewed to ensure password-protected protocol is used for security of data at application and service level.
  • Multi-factor authentication is used to access critical systems of the company.
  • There are systems to prevent or detect unauthorized transfer of data from the company, and technical rules are identified for operation of these systems, and compliance with these rules is monitored.
  • Periodical general infiltration tests, application-based and general vulnerability scans, code scans are carried out and if needed, corrective actions are taken.
  • Access of IT employees to personal data is controlled and subject to approval; also any administrator account action is logged.
  • There is an audit trail of any modification to be made on the systems operated by the company, in order to follow up any issue related to data security.
  • Personal data is destroyed without leaving an audit trail and making it impossible to recover such data
  • Hardening measures are taken for IT services and systems
  • Central applications are used to prevent malware, and malware database is updated in all end-users.
  • Places where data is stored and backed up are physically secured. Environmental factors are monitored centrally.
  • Under the applicable legislation, all kinds of digital media where personal data is stored are protected with passwords or cryptographic methods to meet data security requirements.
  • Backups of personal data are taken to avoid data loss, in accordance with the data backup policy.

Your rights in relation to the personal data processing

You have the following rights in relation to the personal data we hold about you:

Your right to be informed about how your personal data is being used

You have the right to be provided with sufficient information, in a concise, transparent and easily understandable form, in order for you to gain insight and understanding of our processing activities and thus to ensure transparency of personal data use. For such informational purposes we have designed and made available to you this Privacy Policy.

This Privacy Policy will keep you informed about how we will use your personal data. All necessary details have been provided hereto, so please read it carefully.

Your right of access

In brief

If you submit an access request to us, we shall confirm whether we are processing your personal data and, if so, provide you with a copy of that personal data (along with certain other details).

In detail

  • Upon your request, we will confirm that we process your personal data and, if so, we will provide you with a copy of your personal data that is subject to our processing and the following information:
    1. the purposes of the processing;
    2. the categories of personal data concerned;
    3. the recipients or categories of recipients to whom personal data has been or is to be disclosed, in particular recipients from third countries or international organizations;
    4. where possible, the period for which personal data are to be stored or, if that is not possible, the criteria used to determine that period;
    5. the existence of the right to require the operator to rectify or erase personal data or to restrict the processing of personal data relating to the data subject or the right to object to processing;
    6. the right to lodge a complaint with a supervisory authority;
    7. where personal data are not collected from the data subject, any available information on their source;
    8. the existence of an automated decision-making process including the creation of profiles and, in those cases, relevant information on the logic used and the significance and expected consequences of such a processing for the data subject.
  • If we transfer your data outside of the European Economic Area or to an international organization you have the right to be informed of the appropriate safeguards applied.
  • The first copy of your personal data is provided free of charge. For additional copies of the same personal data, we may charge a reasonable additional charge, taking into account the related administrative costs.

Your right to correct personal data

  • If the personal data that we hold about you is inaccurate or incomplete, you are entitled to have it corrected. You can personally do so by updating your user account information. If you do not want to update it personally or you do not have a user account, you can submit a request and we shall perform the necessary changes.
  • If we’ve shared your personal data with others, we’ll let them know about the changes where possible. If you ask us, where possible and lawful to do so, we’ll also tell you who we’ve shared your personal data with so that you can contact them directly.
  • In order to keep personal data accurate, we may request you to reconfirm/renew your personal data from time to time.

Your right to delete personal data

In brief

  • Also known as the "right to be forgotten", this right enables you to request deletion of your personal data in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). We shall comply with your request unless we have a reason for keeping your personal data.
  • If we’ve shared your personal data with others, we shall let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we shall also inform you who we’ve shared your personal data with so that you can contact them directly.

In detail

  • You may ask us to delete your personal data and we will respond to your request without undue delay, if one of the following circumstances applies:
    1. Data is no longer required for the purposes for which it was collected or processed;
    2. You withdraw consent to the processing of your data when your data processing is based on your consent and there is no other legal basis on which to process your personal data;
    3. You oppose the processing of your data on our legitimate interest, including the creation of profiles based on this ground, or you oppose data processing for direct marketing purposes, including the creation of profiles for direct marketing purposes;
    4. Your data has been processed unlawfully;
    5. Personal data should be deleted to comply with a legal obligation under Union law or national law;
    6. Personal data have been collected in connection with the provision of information services to children and the basis of processing is consent.
  • Unless this proves impossible or involves disproportionate efforts, we shall notify each recipient to whom your personal data has been disclosed of the erasure. Upon your request, we shall inform you of those recipients.
  • We reserve the right to refuse deletion of your data when processing is required:
    1. For the exercise of the right to free expression and information;
    2. In order to comply with a legal obligation that applies to us as a personal data controller;
    3. For purposes of archiving in the public interest, scientific or historical research or for statistical purposes, insofar as the deletion of the data is likely to render impossible or seriously impair the achievement of the objectives of the processing;
    4. To establish, exercise or defend a right in court.

Your right to restrict us from using your data

In brief

  • In certain circumstances (including where we use legitimate interests as set out below) you can ask us to stop processing your personal data or ask for us to limit the ways in which we process this data. However, we can refuse a request in some cases - we shall provide you with information explaining why we have refused your request if we do this.

In detail

  • You may ask us to block and restrict the processing of your personal data in one of the following circumstances:
    1. You contest the accuracy of the data - in this case, at your request, we will restrict the processing for the period in which we perform the necessary checks on the accuracy of your data;
    2. Data processing is illegal and you do not want to delete your data;
    3. We no longer need your data for processing, but processed data about you is necessary to establish, exercise or defend a right in court;
    4. You opposed the processing of your data under our legitimate interest, including the creation of profiles based on this basis - in this case, at your request, we will restrict the processing for the period in which we verify that our legitimate rights do not prevail over your rights.
  • If your data processing has been restricted, we shall only be able to store your data. Any processing other than storage will be done only:
    1. after obtaining your consent;
    2. for establishing, exercising or defending a right in court;
    3. to protect the rights of another natural or legal person;
    4. for reasons of public interest of the Union or of a Member State.

  • We will inform you before lifting any processing restriction as set out above.
  • Unless this proves impossible or involves disproportionate efforts, we will notify each recipient to whom your data has been disclosed of the restriction of the processing of such data. At your request, we will inform you of those recipients.

Your right to data portability

  • You have the right to receive the data that concerns you and that you have provided us with in order to transmit such data to another controller, in the following circumstances:
    1. Your data processing is based on your consent or on a contract between us and you;
    2. Your data is processed by automatic means.

We will provide your personal data in a structured, commonly used and machine-readable format.

  • If technically feasible, you can request that your personal data be transmitted directly to the controller indicated by you.

Your right to object

  • You may request us not to further process your personal data for reasons relating to your particular circumstances and if the processing of your data is based on our legitimate interest. We will cease processing of your data unless we demonstrate that we have legitimate and compelling reasons that justify processing and those reasons prevail over your interests, rights and freedoms, or that the purpose of the processing is to establish, exercise or defend a right in court.
  • In addition to the above, you may request that we no longer process your personal data for direct marketing purposes, including the creation of profiles related to that direct marketing.

Your rights in relation to automated decision-making and profiling

In brief

  • You have the right not to be subject to a decision when it is based on automatic processing, including profiling and if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us.

In detail

  • You have the right not to be subject to a decision when it is based on automatic processing, including not being profiled, if the automatic decision or profiling has legal effects or significantly affects you, except in the following cases:
    1. the automatic decision is required to conclude or execute a contract between you and us;
    2. the automatic decision is authorized by European Union or national law applicable to LC Waikiki and also provides for appropriate measures to protect the legitimate rights, freedoms and interests of the data subject;
    3. the automatic decision is based on your express consent.
  • If the cases indicated in points 1 and 3 above apply, you may exercise the following correlative rights:
    1. the right to obtain human intervention on our part;
    2. the right to express your point of view;
    3. the right to challenge the automatic decision.

Your right to withdraw consent

  • If we rely on your consent as our legal ground for processing your personal data, you are entitled to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of your personal data on the basis of your consent prior to its withdrawal.

Your right to stop direct marketing

  • You are entitled to stop us from using your personal data for direct marketing purposes. You can do this by accessing the unsubscribe link at the bottom of our emails or by sending us a request.

Your right to lodge a complaint with the supervisory authority

  • You have the right to contact the National Supervisory Authority for Personal Data Processing of Romania (“ANSPDCP”) or the supervisory authority from your homeland or workplace if you believe the processing of your data is not in compliance with the applicable law.
  • More information about ANSPDCP can be obtained by visiting http://www.dataprotection.ro/.

Your right to seek judicial remedy

  • Without prejudice to any other administrative or non-judicial remedy, you have the right to pursue an effective judicial remedy against:
    1. a controller/processor that infringed the rights granted to you by the GDPR;
    2. a legally binding decision of ANSPDCP or any other supervisory authority.

To the extent that you have suffered a moral or material damage as a result of GDPR infringement, you have the right to obtain compensation.

How You Can Exercise Your Rights as Data Subject and Our Data Subject Requests Procedure?

  • Submitting a request. For the exercise of any rights above, please submit your request in writing or by phone, using the contact details indicated below.
  • Identification of the applicant. In order to be able to properly address and manage your request, we urge you to identify yourself as completely as possible. In case we have reasonable doubts as to the identity of the applicant, we will ask for further information to confirm the alleged identity.
  • Response time. We will respond to your requests without undue delay, and in any case within one month from the receipt of the request. Insofar as your application is complex or we have to process a large number of requests, we may reasonably postpone the delivery of our response for up to two months, with prior notice to you.
  • Providing our answer. We will provide you with our response and any requested information in electronic format, unless you request them to be provided in another format.
  • In case of refusal. In so far as we refuse to meet your request, we will inform you of the reasons which led to this decision and of the possibility to submit a complaint to ANSPDCP or another competent supervisory authority and to apply for a judicial remedy.
  • Fees. Exercising your rights as a data subject is free. However, to the extent that your claims are manifestly unfounded or excessive, especially by taking into account their repetitive character, we reserve the right to refuse the fulfillment of such requests.

How can you contact LC WAIKIKI’S Data Protection Officer?

The contact details of LC WAIKIKI’s Data Protection Officer are:
Mailing Address: Bucharest, Blvd. Timisoara, no. 26Z, 11th Floor, 11C-02 Bureau, Sector 6.
Email Address: data.protection@lcwaikiki.com
Telephone: +40758.020.946

Terms and definitions used in this Privacy Policy

Legal term/notion: Definition/Explanation

  • GDPR: EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. The entire text of the Regulation is available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02016R0679-20160504&qid=1531857927851&from=EN
  • Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
  • Data subject: an identified or identifiable natural person whose personal data is processed.
  • Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Joint controllers: two or more controllers that jointly determine the purposes and means of processing.
  • Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
  • Consent: Freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • Online identifiers: internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags provided by data subject devices, applications, tools and protocols. These may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of natural persons and identify them.
  • Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.


To view LC WAIKIKI’s previous Privacy Policy valid until 11.07.2019, download the PDF version HERE.