This Privacy Policy is valid from 11.07.2019

Changing the Privacy Policy

Under certain circumstances, LC WAIKIKI may, as a personal data controller, modify this policy on the processing of personal data to reflect changes in legislation, internal practices and procedures for processing personal data, or technological advances made over a certain period of time. In the event that we make changes in the way your personal data is processed or used, they will be published in the updated policy and the date of entry into force of the policy so amended will be published at the beginning of the processing note updated personal data. Therefore, this Privacy Policy must be consulted periodically in order to keep up with the latest policies and practices in this field.

In accordance with the provisions of Regulation (EU) No. No 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC, known as the "General Data Protection Regulation" or, in short, "GDPR", we bring you the following aspects regarding the processing of your personal data:

Who we are

LC Waikiki is a global ready-made clothing retailer based in Turkey, operating in more than 30 countries (list of LC Waikiki’s subsidiaries) with its more than 40,000 employees thus all related data processing activities are jointly operated and carried out by the following entities from the LC Waikiki Group of companies as joint controllers:

  1. Mainly by LC WAIKIKI RETAIL RO S.R.L., daughter company registered and functioning under Romanian laws, with headquarters in Romania, Bucharest, 6th District, 26Z Timisoara Blvd., 11th Floor, duly registered with the Trade Registry Office attached to the Bucharest Tribunal under no. J40/9674/2009, having fiscal registration and VAT no. RO 26054330, for all operations related to the conclusion and execution of the distance sale agreement (orders, shipment etc.);
  2. In subsidiary by LC WAIKIKI MAĞAZACILIK HIZMETLERI TIC. A.Ş., mother company and sole shareholder of LC WAIKIKI RETAIL RO S.R.L, registered and functioning under Turkish laws, with headquarters in Turkey, 15 Temmuz Mahallesi Gülbahar Cad. No:41 Bağcılar, 34212 İstanbul, Turkey.

What personal data we process

If you visit our Stores

For issuing product invoices, return invoices and payment orders we will need your name, surname, address and signature. For resolving complaints received from you through the Register of Complaints, you will process your full name, surname, e-mail address and telephone number. To ensure store security, monitor access routes and activity in LC WAIKIKI stores through CCTV systems we will process video footage in which you might appear. We also use the images to best organise the store activity for optimal customer satisfaction (making sure all the products are displayed and easy to access, completing empty shelves with new merchandise, clearing the hangers near the exchange cabins, etc.).

If you visit our website

If you want to be part of the LC WAIKIKI Team

If you contact our Call Center

Where do we obtain personal data from

As a rule, the personal data we process is obtained directly from you. However, there are situations in which we will also be in possession of your personal data through other legitimate means, such as executing a contract to which you are not a party:

Purposes of the processing

Your personal data are processed by LC WAIKIKI for legitimate purposes, according to the legal regulations in force, as follows:


If LC WAIKIKI wishes to process your personal data for purposes other than those originally declared, you will be provided with a separate information note detailing the subsequent purpose of the processing, the legal basis of the processing, and the retention period of your personal data, along with any other useful information in relation to further processing to enable you to express your consent freely, knowingly and expressly for each processing operation (if such processing is conditional upon your express consent being obtained).

Legal Basis of processing

For how long we keep personal data

When personal data processing conditions set forth in the legislation no longer apply, LC WAIKIKI has to delete, destroy, or anonymize personal data ex-officio, or upon request of the data subject. Personal data, which is processed in compliance with the legislation, is deleted, destroyed or anonymized by the data controller ex-officio, or upon request of the data subject, when such personal data is no longer necessary for the purposes of processing.

In some circumstances, such as to meet our legal or regulatory obligations, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions, we may hold on to your personal data after we’ve finished providing services to you, or for longer than our general retention policy.

Who do we share personal data with

Under certain expressly regulated conditions, your personal data may be processed by LC WAIKIKI, through processors or jointly with other companies, in the latter case, as a relationship of the type of Joint Controllers who will establish in common goals and means of processing, according to the provisions of art. 26 of RGPD.

In some situations, service providers such as, but not limited to, service providers and IT systems, various contractual partners such as: Microsoft Corporation, Iron Mountain, etc. You will also be able to send your data to lawyers, accountants, auditors, or other professionals who are required to keep professional secrecy.

For reporting to state authorities, in accordance with the legal obligations in force, it will be necessary to transmit your data to various public institutions.

The full list of our partners can be found here .

Personal data transfers to third countries

If your data will be transferred to other companies in other countries to initiate, conclude, and develop contracts and/or projects with such an entity as, but not limited to: travel management and order processing and delivery, you will be informed and will be done only by ensuring the safeguards provided by art. 44-49 of GDPR.

Personal data security

LC Waikiki takes all necessary measures to ensure that its employees, and all companies and organizations it works with, exercise due care and have awareness related to data security. LC Waikiki, provides training on data security to its employees when they first start working at the company, and at later stages as well to update their knowledge on this matter. All employees that access personal or sensitive personal data are required to provide a letter of undertaking in relation to security and privacy of such data.

In case of any non-conformity with policies and procedures, disciplinary action is taken. The security of personal data is provided with password-protected protocols, firewalls, and access control mechanisms. Data is classified and labeled. Physical security measures are taken against external and peripheral threats. Changes made in the information systems are recorded. To avoid data losses, back up of personal data is taken according to data backup policy. Information systems are regularly scanned for security vulnerabilities and any detected vulnerability is eliminated. In case of any breach of information security, non-conformities are determined immediately and all necessary measures are taken to eliminate and prevent recurrence of such non-conformities.

We also hold an ISO/IEC 27001- Information Security Management System certificate meaning that we employ the highest standards in protecting all the data we process and we are periodically audited by an independent security auditor.

Technical measures are listed below:

Your rights in relation to the personal data processing

You have the following rights in relation to the personal data we hold about you:

Your right to be informed about how your personal data is being used

You have the right to be provided with sufficient information, in a concise, transparent and easily understandable form, in order for you to gain insight and understanding of our processing activities and thus to ensure transparency of personal data use. For such informational purposes we have designed and made available to you this Privacy Policy.

This Privacy Policy will keep you informed about how we will use your personal data. All necessary details have been provided hereto, so please read it carefully.

Your right of access

In brief

If you submit an access request to us, we shall confirm whether we are processing your personal data and, if so, provide you with a copy of that personal data (along with certain other details).

In detail

Your right to correct personal data

Your right to delete personal data

In brief

In detail

  1. For the exercise of the right to free expression and information;
  2. In order to comply with a legal obligation that applies to us as a personal data controller;
  3. For purposes of archiving in the public interest, scientific or historical research or for statistical purposes, insofar as the deletion of the data is likely to render impossible or seriously impair the achievement of the objectives of the processing;
  4. To establish, exercise or defend a right in court.

Your right to restrict us from using your data

In brief

In detail

after obtaining your consent;

for finding, exercising or defending a right in court;

to protect the rights of another natural or legal person;

for reasons of public interest of the Union or of a Member State.

Your right to data portability

We will provide your personal data in a structured, commonly used and machine-readable format.

Your right to object

Your rights in relation to automated decision-making and profiling

In brief

In detail

the right to obtain human intervention on our part;

the right to express your point of view;

the right to challenge the automatic decision.

Your right to withdraw consent

Your right to lodge a complaint with the supervisory authority

Your right to seek judicial remedy

To the extent that you have suffered a moral or material damage as a result of GDPR infringement, you have the right to obtain compensation.

How You Can Exercise Your Rights as Data Subject and Our Data Subject Requests Procedure?

How can you contact LC WAIKIKI’S Data Protection Officer?

The contact details of LC WAIKIKI’s Data Protection Officer are:
Mailing Address: Bucharest, Blvd. Timisoara, no. 26Z, 11th Floor, 11C-02 Bureau, Sector 6.
Email Address: [data.protection@lcwaikiki.com]
Telephone: +40758.020.946

Terms and definitions used in this Privacy Policy

Legal term/notion



EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. The entire text of the Regulation is available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02016R0679-20160504&qid=1531857927851&from=EN

Personal data

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Data subject

an identified or identifiable natural person whose personal data is processed.


means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Joint controllers

two or more controllers that jointly determine the purposes and means of processing.


a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.


a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.


Freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Online identifiers

internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags provided by data subject devices, applications, tools and protocols. These may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of natural persons and identify them.


any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

To view LC WIAKIKI’s previous Privacy Policy valid until 11.07.2019, download the PDF version HERE.