Effective date: September 22nd 2022

 

This addendum (“Addendum”) applies to customers located or residing in the Republic of Korea.


1. Items of personal data to be processed

We process the following items of personal information

  • Information that you provide by filling in enquiry forms, creating an account with Graff, or by placing an order. Such information provided at the time of registering to use our website or requesting further services including, for example, name, home and/or business address, email address, telephone number, demographic information such as age and/or other information that may identify you as an individual. We may also ask you for information when you make an enquiry or when you report a problem with our website.
  • Customer name (first name and surname)
  • Customer title
  • Customer email address
  • Customer telephone number
  • Customer delivery address
  • Customer billing address
  • Customer payment details
  • Data collated for verification or AML checks, provided that no resident registration numbers or similar data will be collected or used
  • Data collated for essential website functionality
  • Correspondence records
  • If you contact us, we may keep a record of that correspondence.
  • Details of your visits to our website including, but not limited to, traffic information, location information, weblogs and other communication information, whether this is required for our own billing purposes or otherwise and the resources that you access.
  • If you purchase products from us in our boutiques, we may ask for photo identification if you pay in cash.

We also gather anonymous demographic information, such as age, gender, preferences, interests, and favorites.

We collect information relating to your interactions with us and our Site, including your IP address, browser type, domain names, access times and referring website addresses and other information we collect through the use of cookies and similar technology. 

2. Provision of personal data

We provide your personal data to third parties as described below:

Recipients Purpose of Use of Personal Information by Recipients Items of Personal Information Provided to Recipients Period(s) of Retention/Use by Recipient(s)
Graff Diamonds Limited: matteo.cassarino@graff.com completion of sales transaction and provision of its aftersales service The items of personal information collected by us as described in Section 1 above, including in particular but not limited to name, address, phone number, email address and purchase details including the details of the products purchased.1 year from the customer’s last purchase of products from us.
Graff Diamonds (Hong Kong) Limited:

matteo.cassarino@graff.com

completion of sales transaction and provision of its aftersales service The items of personal information collected by us as described in Section 1 above, including in particular but not limited to name, address, phone number, email address and purchase details including the details of the products purchased. c1 year from the customer’s last purchase of products from us.


3. Processing of personal data

We outsource the processing of your personal data to third-party service providers and contractors (“Outsourcees”)

The following are the details on domestic Outsourcees to whom we outsource the processing of your personal information:

 

Outsourcee / Outsourced Tasks

Adyen N.V.

Online payment

Ferrari Logistics (Korea) Co., Ltd

Delivery service

 

The following are the details on foreign Outsourcees to whom we outsource the processing of your personal information:

th> Date/Time/Method of Transfer >

 

4. Retention period for personal data

Notwithstanding Section 6 (HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?) of the Privacy Notice, the following provisions will apply to customers located or residing in the Republic of Korea.

We will retain your personal data for as long as we need to use it for the reasons set out in the Privacy Notice except where we need to keep any personal information to comply with our legal obligations, resolve disputes, or enforce agreements.

 

If required to retain your personal data pursuant to applicable laws, we retain personal data for such duration as prescribed thereby. In the foregoing case, we will use your personal data solely for the purposes of such retention, and applicable durations are set out below.

1) Records on contracts or withdrawal of offers and the like

- Reasons for retention: Article 6 of the Act on Consumer Protection, etc. in E-commerce (“E-commerce Act”); and Article 6 of the Enforcement Decree thereof

- Duration of Retention: 5 years

2) Records on payment settlement and supply of goods, etc.

- Reasons for retention: Article 6 of the E-commerce Act; and Article 6 of the Enforcement Decree thereof

- Duration of Retention: 5 years

3) Records on processing of customer disputes and complaints

- Reasons for retention: Article 6 of the E-commerce Act; and Article 6 of the Enforcement Decree thereof

- Duration of Retention: 3 years

4) Records on access

- Reasons for retention: Article 15-2 of the Communications Secrecy Protection Act; and Article 41 of the Enforcement Decree thereof

- Duration of Retention: 3 months


The process and method for destroying personal data are set out below:

- Destruction Process

We select the relevant personal data to be destroyed and destroy it with the approval of our Privacy Officer.

- Destruction Method

We destroy personal data recorded and stored in the form of electronic files by using a technical method (e.g., low level format) to ensure that the records cannot be reproduced, while personal data recorded and stored in the form of paper documents shall be shredded or incinerated.

 

5. Your rights

Notwithstanding Section 7 (YOUR RIGHTS) of the Privacy Notice, the following provisions will apply to customers located or residing in the Republic of Korea.

You and your legal representative (the same in this Section) have the right to withdraw your consent for the processing of your personal data, which consent is the legal ground to process your personal data. You also have rights regarding your personal data including, without limitation, the right to access, delete/suspend, or correct your personal data. We will process your request without undue delay unless we have the right to refuse such request under applicable laws. To exercise your rights, please contact us by using the contact details set forth in Section 9 (Contact Us) of the Privacy Notice or Section 7 (Contact details) of this Addendum.

 

6. Safeguards to ensure data protection

The following safeguards are implemented by us to protect your personal data:

(1) Managerial measures: Establishment/implementation of an internal control plan, regular training of Graff’s employees.

(2) Technical measures: managing/controlling access to Graff’s personal data processing system and the like, establishment of an access control system, encryption of certain personal data such as unique identification information, installment of security programs.

(3) Physical measures: Access control with respect to computer/data archive rooms.

 

7. Contact details

Contact details of our departments responsible for performing tasks related to the protection of personal data and handling related complaints are as follows.

 

 

Department/Contact

Details

CFO - Asia


E-Commerce Department - Korea

 

 

PRIVACY AT A GLANCE

We collect information about you to process your order, manage your account, respond to your queries, ensure the continuity of our business and, if you agree, send you information about our products and offers tailored to your interests and preferences. 

We will share your information with our service providers and our affiliates for the purposes above, as well as with regulatory authorities where required by law. We will not share your personal information for marketing purposes with any other organisation.

To learn more about your rights and how we use your personal data, please read our detailed Privacy Notice below. 


1.              INTRODUCTION

Welcome to Graff’s Privacy Notice. Graff respects your privacy and is committed to protecting your personal data and making sure you understand our privacy practices. This Privacy Notice describes the personal data we collect through our website www.graff.com (“Site”), how it is used, and your choices regarding this data. 


2.              WHO IS GRAFF?

Graff Diamonds Branches Limited (referred to as “Graff”, "we", "us" or "our" in this Privacy Notice) is the controller and responsible for your personal data.

If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact us using the details set out below:


Graff Diamonds Branches Limited 

1F, Galleria Luxury Hall East, 407 Apgujeong-ro, Gangnam-gu, Seoul 

clientservices.kr@graff.com



3.              WHAT PERSONAL DATA DO WE COLLECT FROM YOU?

We collect and use the following information about you:

  • Information that you provide by filling in enquiry forms, creating an account with Graff, or by placing an order. Such information provided at the time of registering to use our website or requesting further services including, for example, name, home and/or business address, email address, telephone number, demographic information such as age and/or other information that may identify you as an individual. We may also ask you for information when you make an enquiry or when you report a problem with our website.
  • If you contact us, we may keep a record of that correspondence.
  • Details of your visits to our website including, but not limited to, traffic information, location information, weblogs and other communication information, whether this is required for our own billing purposes or otherwise and the resources that you access.

We also gather anonymous demographic information, such as age, gender, preferences, interests, and favorites.

We collect information relating to your interactions with us and our Site, including your IP address, browser type, domain names, access times and referring website addresses and other information we collect through the use of cookies and similar technology.  See the Digital Advertising & Analytics section of this privacy notice to learn more about the use of this information and the choices available to you.  


4.              WHY DO WE USE YOUR PERSONAL DATA AND WHAT BASIS DO WE RELY ON?

We may process your personal data for the purposes below and based on the following legal bases:

Outsourcee (if the Outsourcee is a corporation then the name of the corporation and the contact information of the person in charge of the management of personal information) Outsourced Tasks Items of Personal Information to be Transferred Countries Where Personal Information is Transferred Outsourcee’s Purposes of Use and Periods of Retention/Use of Personal Information
Adyen N.V., Contact: Mariëtte Swart (Chief Legal & Compliance Officer), Contact: dpo@adyen.com Online payment - Name

- Address

- Credit card details

- Phone number

- Email

Netherlands Immediately upon collection of personal information, or from time to time as necessary, through the information and communications network.Until the completion of the outsourced tasks and the expiration of the outsourced contract.

Ferrari Logistics (Korea) Co., Ltd, Contact: dh.kim@ferrarigroup.net Delivery service - Name

- Address

- Phone number

- Email

UK Immediately upon collection of personal information, or from time to time as necessary, through the information and communications network > Until the completion of the outsourced tasks and the expiration of the outsourced contract.
PurposeLegal Basis for processing
Purchasing process and delivery of products which includes taking and handling orders, deliver products and communicate with you about your orders.Necessary for the performance of our contract with you.
Managing payments for the services we provide you which includes billing process where you purchase a product through our website.Necessary for the performance of our contract with you.
Service Relationship which includes managing your account, providing customer support and communicating with you about our products and about your engagement with us, such as changes in our terms.Necessary for the performance of our contract with you.
Communicating with you at your request to provide you with information of our products or solve your enquiries before purchasing any of our products.Necessary for taking steps prior to entering into a contract with you.
Ensuring proper administration of our business which includes keeping appropriate records, resolving complaints and managing our business relationships and opportunities. Necessary for our legitimate interest pursued by us or our service providers acting on our behalf or by a third-party insofar as such interests do not pose a high risk to your rights and freedoms.
Our legitimate interest is ensuring the continuity of our service.
Preventing, detecting and fighting fraud or other illegal or unauthorized activities which includes monitoring operations, user activity and networks for fraud prevention and crime detection purposes. Necessary for our legitimate interest pursued by us or our service providers acting on our behalf or by a third-party insofar as such interests do not pose a high risk to your rights and freedoms.
Our legitimate interest is preserving the security of our service.
Sending marketing communications about our services, products and our organisation.Where you signed up for our newsletter or other content, we will send you relevant information based on your consent.
Where consent is not required, as you are an existing customer who purchased a similar product in the past, we may send you marketing communications based on our legitimate interest pursued by us insofar as such interests do not pose a high risk to your rights and freedoms. Our legitimate interest would be promoting our business and to provide you with offers of relevant services and products.
Please note that we will include an unsubscribe link in all our email communications, which removes you from receiving further communications.
Profiling activities to make sure the commercial communications you receive are relevant to you and tailored to your preferences and expectations.Based on your consent.
To establish, exercise or defend legal claims in suspected or actual legal proceedings.Necessary for compliance with applicable laws and regulations.
To provide any requested information to the tax, regulatory, anti-money laundering or any other relevant authorities or public bodies, where required to do so, as well as any processing of your personal data in connection to specific legislation, statutory codes of practice and other legal or tax related obligations.Necessary for compliance with applicable laws and regulations.
To ensure your safety and for the prevention and detection of crime, CCTV is in operation during your visit to any of our retail outlets.
Please be aware that if we are requested to provide CCTV images of you or any other personal information relating to you by the police or any other regulatory or government authority investigating suspected illegal activities, we are obliged do so.
Necessary for our legitimate interest pursued by us or our service providers acting on our behalf or by a third-party insofar as such interests do not pose a high risk to your rights and freedoms.
Our legitimate interest would be to ensure the safety and security of our facilities, employees and visitors against theft and vandalism.


5.              WHO DO WE SHARE YOUR PERSONAL DATA WITH?

We may disclose your personal data in accordance with the applicable laws and for the above-stated purposes, to the following parties:

·       Third-party service providers acting on our behalf and that provide services such as website hosting, data analytics and information technology assistance. We have appropriate contracts in place that define the legitimate use and sharing of personal information in accordance with this Privacy Notice and oblige such service providers to only process personal information that is necessary for the performance of the contract or are required by applicable laws.

·       Our affiliates, subsidiaries and/or divisions.

·       Regulatory authorities, as required by applicable laws, for the purposes of including, without limitation to, responding to any governmental or regulatory authority request, cooperating with law enforcement investigations and mutual assistance, or upon receipt of any court order.

·       Parties including prospective or actual buyers or seller in the event of a merger, acquisition, or other reorganization or sale or disposition of all or any portion of our business and/or assets.


6.              DO WE TRANSFER YOUR PERSONAL DATA OUTSIDE OF YOUR COUNTRY?

We do not usually send your personal information outside of your country unless it is strictly necessary for the purposes stated in this Privacy Notice. When we do send personal information abroad, we have in place adequate safeguards to do so. This includes standard contract clauses approved by the European Commission or other suitable safeguard to permit personal information transfers from the United Kingdom or the European Economic Area (“EEA”) to other countries in accordance with the applicable laws.


7.              HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?

Your personal information will be stored in accordance with applicable laws and kept for as long as needed to carry out the purposes described in this Privacy Notice. How long we keep your personal data will depend on:

·       what type of product or service we are providing for you;

·       how long laws or regulations say we must;

·       what we need for fraud and other financial crime prevention;

·       what we need to lend responsibly;

·       other legitimate business reasons (for example because we need to respond to a complaint or legal claim).


8.              YOUR RIGHTS

In certain circumstances, if you are an EEA resident, you may exercise the rights available to you under applicable data protection laws as follows:

·       If you wish to access, correct, update or request deletion of your personal information.

·       You can object to processing of your personal information when such processing is based on legitimate interests, ask us to restrict processing of your personal information or request portability of your personal information.

·       If we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

·       You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact the Information Commissioner's Office in this link https://ico.org.uk/make-a-complaint/ or your local data protection authority. 

You can exercise your rights at any time by contacting us using the contact details included in this Privacy Notice. 

We respond to all requests we receive from users in accordance with applicable data protection laws. We may ask you to provide proof of identity before we can answer the above requests. In some cases, we may reject requests for certain reasons (for example, if the request is unlawful or if it may infringe on trade secrets or intellectual property or the privacy of another individual).


9.              WHAT COOKIES AND SIMILAR TECHNOLOGIES DO WE USE?

Please see our Cookies Policy for more information on what cookies we use, why we use them and how you can better control their use through your browser and other tools. 


10.              CONTACT US

If you have questions regarding your privacy and rights, please let us know how we can help.

·       Email: data@graff.com

·       Postmail: 1F, Galleria Luxury Hall East, 407 Apgujeong-ro, Gangnam-gu, Seoul, South

Korea


11.              CHANGES TO THIS PRIVACY NOTICE

We reserve the right to change this Privacy Notice from time to time. If we make any changes, the updated Privacy Notice will be posted with a revised effective date. 


Effective date: August 2022