Gerald Charles

PRIVACY NOTICE

Your personal data is very important to Gerald Charles SA, a company having its registered office in Lugano, Via Nassa 62, CHE-431.656.687 (“Gerald Charles”).

This notice (the “Privacy Notice”) is to inform you about the processing of personal data we may collect as data controller when you access our online and offline services, including the personal data we collect through our various channels, such as our website, applications, social networks, our customer relations centers, boutiques, points of sale and the events we organize.

Gerald Charles Cookie Policy is a supplement to this Privacy Notice and describes what a cookie is, what Gerald Charles can do with them and the way in which any person can accept or refuse to receive a cookie operated by Gerald Charles on his/her terminal. The Cookie Policy is available at the following address:

WWW.GERALDCHARLES.COM/EN/COOKIE-POLICY

This Privacy Notice applies to all entities of the Gerald Charles SA group. Whenever you provide your personal data to a Gerald Charles entity, such entity is responsible for the collection and processing of your personal data, at the local level, for the purposes of managing the commercial or contractual relationship relating to Gerald Charles products and services, in accordance with the applicable local laws. At the group level, the Swiss company Gerald Charles SA is responsible for defining the overall policy for the processing and management of your personal data for commercial and marketing purposes (such as management of the central group CRM system and promotional campaigns at the group level as opposed to local campaigns), as well as the management of the Geraldcharles.com Website.

In accordance with EU General Data Protection Regulation 2016/679 (the “GDPR”) and the Federal Act on Data Protection as amended on 25 September 2020 (the “FADP”), this Privacy Notice is governed and interpreted by the GDPR and the FADP, under the control of the Federal Data Protection and Transparency Officer, in so far as the Swiss company Gerald Charles SA is responsible, at the Gerald Charles group level, for the definition of the global policy on the processing and management of your personal data for commercial and marketing purposes, as well as the management of the Gerald Charles website. However, Gerald Charles may take into account provisions that are stricter than those of the GDPR or the FADP, when required by law. We invite you to take the time to read this Privacy Notice in its entirety.

We are available at the e-mail address privacy@geraldcharles.com to answer any questions you may have, particularly in the exercise of your rights to your personal data described in Section VIII.

I. WHEN DO WE COLLECT PERSONAL DATA?

This Privacy Notice applies to any personal data we may collect from you or about you (see below) from the following sources:

(i) Visiting our websites and using Gerald Charles mobile applications (including the mini-sites we have on social networks such as WeChat) (the “Website”): in particular, for the registration on our Website, the response to a form or the use of a service (subscription to our newsletter, list of favorites), or of a feature or resources published on our Website. You will be asked to log in, but you can also visit our Site without registering;

(ii) Electronic and telephone communications between Gerald Charles and yourself;

(iii) Boutiques and points of sale managed by Gerald Charles;

(iv) Purchases of Gerald Charles products or requests for after-sales service;

(v) Calls to Gerald Charles customer relations centers;

(vi) Registration forms that we collect, either printed or available on electronic tablets, especially in our boutiques and points of sale or in the context of events;

(vii) The submission of applications to our partners in charge of the online collection of applications for employment positions to be filled at Gerald Charles;

(viii) Data that you share publicly on social networks as part of your interaction with Gerald Charles (for example, when you “like” a Gerald Charles page on social networks).

II. PERSONAL DATA WE COLLECT

We may collect different types of information from you depending on the purpose and the manner in which you interact with Gerald Charles (online, offline, over the phone, etc.), as indicated below:

(i) Identifying and Contact Data: any information you provide us that would allow us to contact you, (i.e. your name, surname, age range, birthdate, e-mail address, postal address or telephone number), as well as to manage your purchase history and any after-sales services that you may request (i.e. any information describing your demographic and behavioural characteristics, for example, your date of birth, gender, nationality, language preference; and other preferences, such as your favourite products, your list of favourites, your professional situation, your marital status, your interests and your lifestyle).

(ii) Images: We may also process the images taken as part of the surveillance systems in place in boutiques and points of sales managed by Gerald Charles.

(iii) Navigation Data: when you interact with our Website, we may collect traffic data using automated data collection technologies, including a dialogue between the website server and your browser. Traffic data may include the browser name and the type of device you are using, as well as technical data about how you connect to our Website, including your operating system, the IP address of your device connected to the Internet, the identifier of your Internet access point, the date and time of your last visit and the Internet service providers called. Such data is used for statistical purposes and the analysis of such data is used to improve our Website, so as to provide you with a personalized browsing experience tailored to your preferences and interests, for example, by directly displaying the pages in your preferred language on your next visit.

Such information is captured using automated technologies such as cookies (browser cookies) and web beacons (such as Java Script); they are also collected through external tracking services (Google Analytics). Please consult our Cookie Policy to find out how you can adjust your cookie settings and obtain detailed information about cookies we use and how we use them.

(iv) Customer feedback: information that you voluntarily share with us about your experience using our products and services

(v) Data collected through social networks: we may have access to information that you share publicly on third-party social networks (such as Facebook). If you wish to stop sharing this information, we recommend that you read the terms of use of the social network concerned.

(vi) Payment Data: any of the information that we need to carry out an order or that you use to make a purchase, and, if you so request, the data necessary to refund the VAT (the name of the cardholder, credit card number, expiry date, a copy of your identity card, etc.) and information or documents required by anti-money laundering laws.

Links to other websites. Our Site may contain or use links to third-party websites (such as advertising, our partners or social networks). Such third-party websites have their own privacy policy (including on the use of cookies), which we invite you to review. We do not accept any responsibility for the privacy policies of any such third-party websites that you access at your own risk.

Privacy and protection of minors. Our Site is not intended for users under 16 years old. We do not knowingly collect personal data from children under 16 years of age. If you are a parent or guardian and you know that your child has provided us with personal data, please contact us. If we realize or are aware that we collected personal data from a child under the age of 16 without verification of parental consent, we will take steps to remove such information from our servers, unless we are required to retain it by law (accounting or purchase data, data necessary for applicable guarantees or the management of complaints, etc.). In any event, users under 16 who provide us with personal data have the discretionary right to the erasure of their data that they can exercise, at any time and without cause, alone or through their usual guardian, by contacting us at the address mentioned in Section VIII “Contact Us”.

Requests for erasure will be processed in the conditions and subject to the reservations described above.

III. PURPOSE OF THE PROCESSING

We collect and use your personal data for the purposes described below. Please note that the types of use listed below depend on your use of our services and do not systematically affect each user:

(i) Performance of contract: processing of your purchases, orders (including any VAT refund requests) and deliveries, providing after-sales services, including in the context of calls upon warranty, answering your queries, questions and/or requests of any kind, improving customer service and managing customer relations, including managing VIP programs and loyalty programs. The data collected helps us respond to your requests, meet your needs more effectively and improve our products and services;

(ii) Marketing: sending you regular information, in particular about Gerald Charles, news on our products and after-sale services, our events, the opening of new boutiques, points of sale or satisfaction surveys concerning our products and services, with your consent when required;

(iii) Profiling: addressing you advertising offers and chatting with you on social networks when you interact with third-party social networking features such as “like” features.

We recommend that you review the terms of use of the relevant third-party networks to learn about these features and, if necessary, terminate your registration; managing our Website and your accounts, to personalize your user experience on our Website by presenting you content specific to Gerald Charles that corresponds to your interests. We are also likely to cross-reference this data to better understand how users, as a group, use the services and/or resources available on our Website;

(iv) Legal obligations: managing and registering lost, stolen or counterfeit products, taking the necessary steps to detect fraud, complying with our billing and accounting obligations (such as those arising from anti-money laundering laws);

(v) Right of defense: dealing with any claims or litigation (particularly in the context of the exercise of legal claims and defenses in the event of litigation);

(vi) Recruiting: managing the process of recruiting applications submitted to our partners in charge of the online collection of applications for employment positions to be filled at Gerald Charles;

(vii) Security: guaranteeing the safety of boutiques and points of sale managed by Gerald Charles;

(viii) Reports: producing reports and statistics, particularly for the purpose of measuring traffic on the Website IT security and IT operations.

IV. LEGAL BASIS OF PROCESSING

Gerald Charles will process your data for the purposes above on the basis of the following legal basis:

(i) Performance of contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (art. 6, par. 1 lett. b), GDPR);

(ii) Marketing: the data subject has given explicit consent to the processing of those personal data (art. 6, par. 1, lett. a), GDPR);

(iii) Profiling: the data subject has given explicit consent to the processing of those personal data (art. 6, par. 1, lett. a), GDPR);

(iv) Legal obligations: processing is necessary for compliance with a legal obligation to which Gerald Charles is subject (art. 6 lett. c), GDPR);

(v) Right of defense: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6, par. 1, lett. f), GDPR), in order to ensure Gerald Charles’ right of defense in court with reference to any disputes relating to the performance of contracts concluded with the samethat does not imply a high level of risk for your rights and freedoms, due to the fact that the data is also processed in your interest as part of the contract;

(vi) Recruiting: processing is necessary in order to take steps at the request of the data subject prior entering into a contract (art. 6, par. 1 lett. b), GDPR);

(vii) Security: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6, par. 1, lett. f), GDPR), in order to ensure the security of its staff and customers, in the Gerald Charles’ stores and on its Website;

(viii) Reports: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6, par. 1, lett. f), GDPR), in order to obtain statistical data on our business performance with a view to optimizing and improving management and planning business activities. Such processing does not imply a high level of risk for your rights and freedoms, since profiling data is rendered anonymous and aggregated in such a manner that the data subject is not or no longer identifiable.

V. HOW WE PROTECT YOUR PERSONAL DATA

We have put in place adequate security practices and measures relative to the processing of personal data in order to prevent unauthorized third-party access to your personal information and to protect it from being altered, disclosed or destroyed.

These security measures consist primarily in a strict control of access and administrators, encryption of all personal data in our database of customer and potential customer relationships, periodic review of access, constant supervision of the infrastructure, as well as a risk analysis and remediation strategy.

Nevertheless, even if we strive to protect your personal data, we cannot guarantee the security of the information transmitted on our Website during its transit through the Internet by means of any unsecured protocol.

VI. SHARING AND TRANSFER OF YOUR PERSONAL DATA

We undertake not to sell, exchange, rent or transfer in any way your personal data without your consent (which may be given after receipt of prior information notice) and subject to the cases listed below:

(i) Transfers within the Gerald Charles’ group: the various Gerald Charles entities can share your personal data with each other in order to ensure the continuity of our services, our relationship with our customers, our potential customers and the users of our Website, as well as to ensure the continuity of our offers and information intended for you. Your personal data may thus be collected, stored and processed by a Gerald Charles entity located in the following countries/regions: Canada; Latin America; Caribbean; Middel East (including not limited to Baharain, Saudi Arabia, Qatar, UAE); Switzerland; the United States; the European Economic Area; China; Hong Kong, China; Taiwan, China; Macau, China; Japan; Singapore; Malaysia; Thailand; Lebanon and Russia. To ensure a sufficient level of protection, transfers are governed, if necessary, by the contractual clauses in force adopted by the Federal Data Protection and Information Commissioner (FDPIC)  and by the the European Commission or through mechanisms validated by the latter or by the competent authorities in charge of the protection of personal data within Switzerland or the European Economic Area and, if applicable, by additional measures that may be required in other jurisdictions.

(ii) Transfers to third-party service providers: in addition, we may share your personal data with third parties located abroad, for the following purpose:

a. We may use third-party service providers to help us operate our business (for example, in carrying out orders, payment processing, frauds detection, identity verification, management of our customer relations centers, the sending of newsletters, the organisation of events, the management of our information systems, etc.), and administer the Website, in particular by using Google Analytics, as described in the Cookie Policy available at the following address:

www.geraldcharles.com/en/cookie-policy;

b. For the purposes described in Section III hereinabove, we may share with our commercial and advertising partners cross-references of demographic information of a generic nature, containing no direct identification of our visitors, for statistical purposes.

c. We may disclose such information to a third party in connection with any merger or acquisition, or to any organisation involved in any transfer or sale of our business or our capital.

We always require these third parties to provide sufficient guarantees of confidentiality and security and to take the necessary organisational and technical measures to protect your personal data in accordance with the applicable legislation. To ensure a sufficient level of protection, transfers are governed, if necessary, by the contractual clauses in force adopted by the European Commission or through mechanisms validated by the latter or by the competent authorities in charge of the protection of personal data within the European Economic Area and, if applicable, supplemented by measures that may be required in other jurisdictions. In addition, service providers are only allowed access to your personal data and use it on our behalf in relation to the specific tasks assigned to them, based on our instructions.

(iii) Transfers to third parties for legal reasons: we may disclose personal data to meet legal requirements, respond to a request from a competent law enforcement agency, exercise our rights or defend ourselves in the context of a claim or legal proceeding or to provide evidence to protect the interests of a Gerald Charles entity and to fight against fraud.

VII. DETAILED INFORMATION ON PERSONAL DATA PROCESSING ACTIVITIES

Here are the detailed information regarding the data processing activities we set in place:

1. Browsing the Site

  • Identity and contact details of the data controller: Gerald Charles SA;

  • Purpose of processing and legal basis: enabling the use of the website;

  • Categories of personal data processed: (i) IP address of the device used by the user; (ii) pages visited by the user;

  • Recipients or categories of data recipients: no recipient;

  • Transfers abroad and protection measures adopted (with respect to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the GDPR or the FADP (https://www.shopify.com/legal/privacy);

  • Rights of the data subject: see paragraph IX below;

  • Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@geraldcharles.com; (ii) however, we do not collect personal data, web analytics are processed with Shopify .

2. Shopify

  • Identity and contact details of the data controller: Gerald Charles SA;

  • Purpose of processing and legal basis: see paragraphs III and IV above for details - (i) Performance of contract; (ii) Marketing; (iii) Profiling; (iv) Legal obligations; (v) Right of defense; (vi) Recruiting; (vii) Security; (viii) Reports.

  • Categories of personal data processed: see paragraph II above for details - (i) Identifying and Contact Data; (ii) Images; (iii) Navigation Data; (iv) Customer feedback; (v) Data collected through social networks; (vi) Payment Data.

  • Recipients or categories of data recipients: Shopify.

  • Transfers abroad and protection measures adopted (with respect to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the GDPR or the FADP (https://www.shopify.com/legal/privacy).

  • Rights of the data subject: see paragraph IX below;

  • Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@geraldcharles.com; (ii) the personal data collected is used for the sale of the requested products, for providing the requested services, and even for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify.

2.1. Shopify Plugins

1.

  • Identity and contact details of the data controller: Gerald Charles SA;

  • Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes;

  • Categories of personal data processed: (i) none;

  • Recipients or categories of data recipients: Shopify; Controller;

  • Transfers abroad and protection measures adopted (with respect to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the GDPR or the FADP (https://www.shopify.com/legal/privacy).

  • Rights of the data subject: see paragraph IX below;

  • Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@geraldcharles.com; (ii) the personal data collected is used for the sale of the requested products, for providing the requested services, and even for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify.

2.

  • Identity and contact details of the data controller: Gerald Charles SA;

  • Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes;

  • Categories of personal data processed: ((i) name; (ii) email address; (iii) phone number; (iv) user's IP address; (v) geolocation; (vi) browser and operating system;

  • Recipients or categories of data recipients: Shopify; Controller;

  • Transfers abroad and protection measures adopted (with respect to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the GDPR or the FADP (https://www.shopify.com/legal/privacy).

  • Rights of the data subject: see paragraph IX below;

  • Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@geraldcharles.com; (ii) the personal data collected is used for the sale of the requested products, for providing the requested services, and even for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify

3. User Area (Account)

  • Identity and contact details of the data controller: Gerald Charles SA;

  • Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes;

  • Categories of personal data processed: (i) email address; (ii) user's IP address; (iii) name and surname of the data subject; (iv) language; (v) interests and activities ;

  • Recipients or categories of data recipients: Shopify;

  • Transfers abroad and protection measures adopted (with respect to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the GDPR or the FADP (https://www.shopify.com/legal/privacy);

  • Rights of the data subject: see paragraph IX below;

  • Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@geraldcharles.com; (ii) the personal data collected is used for the sale of the requested products, for providing the requested services, and even for direct marketing and/or profiling purposes; (iii) data analyses are processed with Shopify.

4. Setmore (“Book your visit” section of the website)

  • Identity and contact details of the data controller: Gerald Charles SA;

  • Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes; (iv) customer service purposes.

  • Categories of personal data processed: (i) email address; (ii) user's IP address; (iii) name and surname of the data subject; (iv) language; (v) interests and activities;

  • Recipients or categories of data recipients: Setmore;

  • Transfers abroad and protection measures adopted (with respect to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the GDPR or the FADP (https://www.setmore.com/our-mission#privacy-policy);

  • Rights of the data subject: see paragraph IX below;

  • Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@geraldcharles.com; (ii) the personal data collected is used for the sale of the requested products, for providing the requested services, and even for direct marketing and/or profiling purposes; (iii) data analyses are processed with Setmore.

5. Mailchimp

  • Identity and contact details of the data controller: Gerald Charles SA;

  • Purpose of processing and legal basis: (i) identifying the user; (ii) sales purposes; (iii) statistical purposes; (iv) customer service purposes.

  • Categories of personal data processed: (i) email address; (ii) user's IP address; (iii) name and surname of the data subject; (iv) language; (v) interests and activities;

  • Recipients or categories of data recipients: Mailchimp (The Rocket Science Group LLC);

  • Transfers abroad and protection measures adopted (with respect to Switzerland): no data transfer abroad except for data processed by the Shopify platform which processes data in accordance with the GDPR or the FADP (https://mailchimp.com/legal/privacy);

  • Rights of the data subject: see paragraph IX below;

  • Supporting elements for the transparency principle: (i) you can request detailed information on the personal data retention policy within a specific processing by writing to privacy@geraldcharles.com; (ii) the personal data collected is used for the sale of the requested products, for providing the requested services, and even for direct marketing and/or profiling purposes; (iii) data analyses are processed with Mailchimp.

VIII. STORAGE OF YOUR PERSONAL DATA

We keep your personal data for the time necessary to satisfy the different purposes set out in Section III here in above, except in cases in which the law allows us or requires us to keep such data longer. Following the expiring of the periods listed below, the personal data will be deleted or rendered anonymous.

(i) Performance of contract: the data are collected only for the time strictly necessary to achieve the purpose and, in any case, for no longer than 10 years from last purchase (or any other retention period provided by applicable local statute of limitation),

(ii) Marketing: the data are collected only for the time strictly necessary to achieve the purpose and, in any case, no longer than 7 years after collection;

(iii) Profiling: the data are collected only for the time strictly necessary to achieve the purpose and, in any case, no longer than 7 years, after collection;

(iv) Legal obligations: the data are collected to fulfil legal obligations, for a period not exceeding the period necessary to achieve the purpose and, in any case, not exceeding the statutory limitation periods;

(v) Right of defense: the data are collected only for the time strictly necessary to achieve the purpose and, in any case, no longer than 10 years from the termination of the contractual relationship between Gerald Charles and the data subject;

(vi) Recruiting: the data are collected only for the time strictly necessary to achieve the purpose and, in any case, no longer than 12 months from the date of receipt of the curriculum vitae;

(vii) Security: the data are collected only for the time strictly necessary to achieve the purpose and, in any case, no longer than 72 hours after collection;

(viii) Reports: the data are collected only for the time strictly necessary to achieve the purpose and, in any case, no longer than 2 years after collection.

IX.YOUR RIGHTS TO YOUR PERSONAL DATA

(i) Access to personal data, modification, updates and deletion: if applicable law provides so, you may (i) request access to your personal data held by a Gerald Charles entity, consult such data and obtain a paper or electronic copy thereof, and (ii) request the correction, limitation, updating or deletion of your personal data or oppose the processing of such data.

You may exercise such rights by sending a written request, along with a copy of an identity document, to the Gerald Charles entity with which you interact or to the postal or electronic address indicated in Section XI “Contact Us”, below. We will endeavor to present the personal data concerned, to correct or delete such data, according to your request and under the conditions provided by the applicable law.

Please note that in some cases, we may not be able to delete your personal data without also deleting your user account. We may also have to keep some of your personal data after a removal request, in order to meet our legal or contractual obligations. We may also be permit- ted by applicable law to retain some of your personal data to comply with our legal obligations.

(ii) Opt-out: you may also ask to no longer receive information or offers from us at any time, either by following the unsubscribe process described in the messages you may receive from us, or by writing to us at the address indicated in Section IX “Contact Us”, below.

(iii) Data portability: given the extreme specificity of the fine watchmaking products designed and marketed by Gerald Charles, as well as the services associated therewith, Gerald Charles cannot, unless a written and specific individual request is addressed to us and justified by a legitimate reason, be subject to portability as defined by the GDPR.

(iv) Complaint to a supervisory authority: without prejudice to any other legal remedy, you have the right to lodge a complaint with the European Union supervisory authority for the application of the rules of the GDPR or with the Federal Data Protection and Transparency Officer under the conditions laid down in the FAPD.

X.AMENDMENTS TO OUR PRIVACY NOTICE

We reserve the right to change this Privacy Notice at any time. You will be notified by the publication of a notification on the homepage. We encourage you to check this page periodically for updates and to stay informed about the steps we take to protect the personal data we collect. You agree and acknowledge that it is your responsibility to regularly review our Site to be aware of any changes made there to.

XI. CONTACT US

If you have any questions about this Privacy Notice, please contact us:

• by e-mail, privacy@geraldcharles.com; or

• by post, at Gerald Charles SA, Attn: Data Protection Officer, via Nassa 62, Lugano, 6901, Switzerland.

To contact our Data Protection Officer in respect of the processing of your personal data please send an email to cpd@geraldcharles.com.

This document was last updated on [18-12-24].