DATA PRIVACY NOTICE
(GENERAL DATA PROTECTION REGULATION – Reg. EU 679/2016)
Skin Analysis via Skincare Pro App
Beiersdorf Hellas AE, with legal office in Theotokopoulou 4, Marousi, P.C. 151 25, Athens, Greece (“Beiersdorf”), as Data Controller, hereby provides you, in accordance with art. 13 of the General Data Protection Regulation (hereinafter “GDPR”), with the relevant information about the processing of your personal data connected to the skin analysis via the Skincare Pro App, provided by Perfect Corp. Your personal data will be collected and processed in compliance with the main principles set out in Chapter 2 of the GDPR.
1. Data Controller
The Data Controller is: Beiersdorf Hellas AE, with legal office in Theotokopoulou 4, Marousi, P.C. 151 25, Athens, Greece. You can contact the Data Controller by sending an e-mail to: DataProtectionHellas@beiersdorf.com. You can get information about the processing of your personal data, exercise your right of access, ask for rectification or deletion of data, and in general exercise the rights the GDPR grants you as a data subject.
2. Purposes and Legal Basis
Your personal data – including special categories of data (images, biometric data) – is collected for the following purposes (“Purposes”):
(i) to provide the skin analysis experience via the Skincare Pro App, developed and provided by Perfect Corp; the legal basis for this processing is the consent of the data subject (art. 6 (1), art. 9 (2) GDPR);
(ii) to manage individuals' requests according to art. 15 GDPR; the legal basis is art. 6 (1) lit. b) GDPR, performance of a contract or similar activities;
(iii) to comply with specific obligations under applicable laws or regulations (e.g. tax, fiscal, accounting); the processing is required to comply with legal obligations as per art. 6 (1) lit. c) GDPR;
(iv) to manage any disputes (this is a legitimate interest of the Controller), art. 6 (1) lit. f) GDPR.
The provision of data is optional, but without this it won’t be possible for us to provide you with the skin test experience and to enable you to perform your skin analysis.
You can revoke your consent at any time. Such a withdrawal influences the permissibility of processing your personal data after you have given it to us.
3. Categories of personal data, processing of data, data retention
The data processing will involve your image, collected through the use of the Skincare Pro App. This also involves the collection and subsequent processing of biometric data. The use of the App may also allow the collection of information related to your health, specifically skin diseases.
The processing of your data for the above-mentioned purposes will take place by automated and manual means, according to logical criteria functional to the Purposes for which the data were collected.
The data collected for the Purposes stated above will be kept for the time strictly necessary to carry out the processing for which they are collected. Specifically, for the Purposes stated above in (i), i.e., for the skin analysis activity via the Skincare Pro App, the data will be temporarily stored on Perfect Corp's cloud platform and removed within 24 hours of collection, which also allows the consumer to get the skin analysis report via QR code. Some personal data may be retained for a longer period if necessary for supervening reasons connected to the App operation, in case of any requests from relevant public Authorities, or for other legal purposes.
4. Use of Artificial Intelligence
The Skincare Pro App makes it possible to run a scientific analysis of the skin, carried out in part with the support of so-called artificial intelligence tools, and uses skin simulation technologies implemented in software that also includes features falling under the definition of artificial intelligence. In addition, upon completion of the test, the Skincare Pro App provides detailed skin reports and personalized recommendations on skin care products and routines. This recommendation is not intended as medical advice, which is clearly reserved for licensed professionals.
In this regard, please note that your personal data will not be collected or stored to train artificial intelligence.
5. Transfer of personal data
The personal data may be transferred to third parties falling within the following categories:
a. Service providers required to support Beiersdorf in managing its activities; in particular: i) ΑΤ EPAPHY COM IKE, Advertising Services, Fleming Street, Agioi Anargyroi, 13561, Tax Office KE.FO.DE Attikis, VAT 800871907, Greece (Media and Adv Agency), appointed as Data Processor according to art. 28 GDPR; ii) Adverteam S.r.l., with legal head office in Via Antonio da Recanate n. 1, Milano, C.F. and P.IVA 05509480967, Subprocessor; iii) Perfect Corp. (Developer and Provider of the Skincare Pro App, provider of AR and AI services), with legal head office in 14F, 98, Minquan Rd, Xindian District, New Taipei City 231, Taiwan, sub-processor of Adverteam; iv) Amazon Web Services (cloud service provider): the data collected via the Skincare Pro App is temporarily stored in the AWS cloud based in Europe (Ireland) or Japan (adequate Country as defined by the European Commission). The transfer of data to Third countries is carried out under standard contractual clauses and/or an adequacy decision. For more information, you can contact the Data Controller (details above).
b. Other Third Parties to whom the right to access Personal Data is recognized by provisions of law or regulation (e.g., competent Authorities or law enforcement agencies in accordance with Art. 6 (1) c GDPR (legal obligation)).
c. Additional Data Processors or Sub-Processors may be identified and appointed due to any supervening needs consistent with the stated purposes and processing; in this case, the updated list of appointed subjects will always be available upon request of the data subjects.
6. Rights of the Data Subjects
At any time you may exercise, by contacting the Controller directly (contact details indicated in this document), the rights set forth in Articles 15 et seq. of the GDPR, i.e. the right to request access, rectification, cancellation or restriction of processing or to object to the processing, as well as the right to data portability, where applicable, and to withdraw the consent given.
In any case, as a data subject, you are granted the right to lodge a complaint with the competent supervisory Authority: The Hellenic Data Protection Authority (Αρχή προστασίας δεδομένων προσωπικού χαρακτήρα) is the national Data Protection Authority for Greece.
In order to follow up on your requests to exercise your rights above, we may require proof of your identity.