Privacy Policy for the Processing of Personal Data
(in accordance with Article 13 of EU Regulation No. 2016/679 "GDPR")
As the data controller for the processing of personal data, in accordance with EU Regulation No. 2016/679, the General Data Protection Regulation (GDPR), KARLA, represented by Kofler Katharina, hereby provides the following information regarding the protection of individuals and other legal entities concerning the processing of personal data. The collection, processing, and use of personal data adhere to the principles of accuracy, lawfulness, and transparency, as well as the preservation of confidentiality and the rights of the data subjects. Personal data may only be collected, processed, and used in accordance with the provisions of the GDPR and the confidentiality obligations contained therein.
1. DATA CONTROLLER
The data controller for the collection, processing, and use of personal data is the sole proprietorship KARLA, located at Niederrasnerstraße 26, 39030 Rasen-Antholz (BZ), tel. +39 3407157636, email: info@karlabags.com.
2. DATA PROTECTION OFFICER
The data controller has appointed a Data Protection Officer (DPO), who can be reached via the following channels: Email: info@karlabags.com.
3. DATA SUBJECTS
Data subjects include (a) visitors to the website and (b) individuals who provide their data in the following ways:
- Upon registration on the controller's websites;
- When registering for various services;
- During purchases via e-commerce;
- When contacting customer service (by phone, email, etc.);
- When registering to receive the controller's newsletters;
- When registering for outdoor events regularly organized by the controller's brands;
- When participating in online and offline contests;
- When participating in partnership events with third-party companies;
- During purchases at regularly organized sample sales.
4. PURPOSE, LEGAL BASIS FOR PROCESSING, AND RETENTION PERIOD OF PERSONAL DATA
The provided personal data may be processed for the following purposes:
- For website visitors: for the proper operation of the website itself. Information systems and programs used for the functioning of the website may capture some personal data, the transmission of which is implicit in the use of internet communication protocols (e.g., IP addresses or domain names of computers used by visitors to connect to the website, URI addresses - Uniform Resource Identifier - of the requested resources, time of the request, method used to submit the request to the server, size of the file obtained in response, numerical code indicating the status of the server's response - successful, error, etc. - and other parameters related to the user's operating system and computer environment). While these pieces of information are not collected to be associated with identified individuals, their nature could, through processing and linking with data held by third parties, allow the identification of users. These data serve solely the purpose of obtaining statistical information about the use of the website, not associated with user identification data, and to verify the correct functioning of the website, being deleted immediately after processing. The data may be used to ascertain responsibility in case of computer crimes against the website. The legal basis for processing is therefore the controller's legitimate interest in the proper operation and security of the website, as well as the protection of its rights and compliance with legal provisions.
- For those providing data in the manner described under letter (b) above:
 a) Use of offered services and fulfillment of online store purchase contracts: Personal data of data subjects are processed to enable them to use the services and carry out the concluded purchase contracts in the online store. In particular, the data is processed for the following purposes:
5. TYPE OF PROCESSING
Personal data may be processed in the following ways:
- Processing of data through datasheets, vouchers, and questionnaires;
- Electronic and automated processing;
- Manual processing using paper archives;
- Processing of data collected by third parties;
- Transfer of data to third parties for processing.
For marketing purposes, it is explicitly stated that personal data may also be processed using the following methods:
6. DISCLOSURE
The provided personal data is stored at the headquarters of the data controller and is exclusively disclosed to individuals capable of providing the necessary services for the proper handling of business relationships with the affected individuals and the fulfillment of contracts, always guaranteeing the protection of the rights of the affected individuals. The provided personal data is only collected, processed, and utilized by employees expressly authorized by the responsible entity. This includes, in particular, the following categories:
• Group Administration;
• Group IT;
• Group Brand & Marketing;
• Group Business Development;
• Group Logistics;
• Group Retail BU;
• Group Distribution BU.
In the course of its activities and for the aforementioned purposes, the data controller may engage the services of third parties, who act either as independent controllers or as data processors on behalf and under the instructions of the data controller. Personal data may only be transmitted to these individuals for this reason, especially to:
• Freight forwarders, transport companies, postal service providers, logistics companies;
• Consultants and professionals, individually or collectively;
• Banks and financial institutions;
• Companies providing information technology services.
The provided personal data will only be disclosed to public authorities, such as the tax office, police, and judicial authorities, in the cases legally provided for. The provided personal data will not be disseminated. Personal data will not be transferred to third countries outside the European Union.
7. RIGHTS OF THE DATA SUBJECT
The data subject has the right to request information, communication, correction, completion, update, deletion, and transfer of the personal data concerning them from the data controller and can generally exercise all rights set out in Section III of the GDPR and listed below:
a. Right of access to personal data: the right to obtain information free of charge about the personal data stored by the data controller and the corresponding processing, as well as to receive a copy thereof in an accessible format;
b. Right to rectification: the data controller will correct or complete data that is incorrect or incomplete, including because it has not been updated, after being notified by the data subject;
c. Withdrawal of consent: the data subject may withdraw their consent at any time, but the legality of processing based on the consent given before the withdrawal is not affected thereby;
d. Right to erasure ("right to be forgotten"): the data subject may, for example, request deletion if the data is no longer necessary for the purposes for which it was collected or processed, if the data has been processed unlawfully, if the data must be deleted to fulfill a legal obligation, if the data subject has withdrawn their consent, and there is no other legal basis for processing, or if the data subject objects to processing;
e. Right to restriction of processing: the data subject may request the restriction of processing in certain cases, such as disputing the accuracy of the data for the necessary duration of the verification, disputing the lawfulness of processing and objecting to deletion, the need for the data for the data subject's defense rights while the data controller no longer needs the data for processing purposes, or if the data subject objects to processing and the necessary checks are being carried out. The data is kept in a way that allows its possible restoration, but during this time, the data controller cannot access this data unless it is necessary to verify the validity of the data subject's request or their disputes;
f. Right to object to processing, in whole or in part, for reasons related to the data subject's particular situation and based on legitimate interests (and under certain circumstances, the data subject can oppose the processing of their personal data in any case: In particular, if personal data is processed for direct marketing purposes, the data subject has the right to object to processing at any time, including profiling related to direct marketing. However, it should be noted that in the specific case, the newsletter is sent based on the consent given by the data subject, and therefore, the simple withdrawal of consent by the data subject is sufficient to stop the processing);
g. Right to data portability: if processing is based on the data subject's consent or on a contract and the processing is carried out by automated means, the data subject, upon request, can receive their personal data in a structured, commonly used, and machine-readable format and can transmit this data to another controller without hindrance from the data controller who provided the personal data, and if technically feasible, can obtain the said transmission directly from one controller to another.
The data subject also has the right to file a complaint with the supervisory authority for the protection of personal data if they believe that the processing of their data violates the provisions of legislation on the protection of personal data. In any case, we would like the opportunity to address any concerns of the data subject in advance, who can contact the email address info@karlabags.com or the other contact details of the data controller or the DPO to clarify the processing of their personal data and the exercise of their rights, including the withdrawal of consent.
8. CHANGES
The data controller reserves the right to make changes to this privacy statement at any time for organizational reasons or in compliance with new legal provisions. It is therefore advisable to regularly visit this page and check the date of the last modification indicated at the bottom of the page. This information document was last updated on 29/02/2024.

