PRIVACY POLICY

This Privacy Policy sets out the rules for the processing of personal data collected through this website and its derivatives (hereinafter referred to as the "Website") and its online store (hereinafter referred to as the "Online Store"). The purpose of this policy is to provide clear, centralised information on how personal data is processed, in compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of data, and repealing Directive 95/46/EC (the "GDPR"), and the Data Protection Act, Chapter 586 of the laws of Malta. In certain cases, information about specific data processing activities may also be provided in the relevant regulations.

The Controller applies appropriate technical and organisational measures to protect personal data, including access controls, staff confidentiality obligations, encryption and pseudonymisation where appropriate, regular monitoring of IT security, and procedures for handling potential security incidents. These measures are designed to ensure a level of security appropriate to the risks associated with the processing of personal data.

To fulfil your orders, we may share your personal data (e.g. name, delivery address and contact details) with trusted logistics and warehousing partners, such as FREE Company s.r.o., who act as data processors under our instructions. These partners help with order preparation, delivery, returns and cash on delivery processing.

The information in this Privacy Policy complements the General Terms and Conditions (the “Terms”) of the Website. In case of any conflict or doubt, the Terms take precedence.

 01 | Data Controller

  • The controller of your personal data is SF1 Clips s.r.o., with its registered office at Pribinova 4, 811 09 Bratislava, Slovakia (hereinafter referred to as the "Controller" or "SF1 Clips").
  • The Controller can be contacted by email at: info@victoriassecret.mt

 02 | Purpose and legal basis for the processing of personal data

We do not process personal data for purposes other than those described in this Privacy Policy, unless required by law or based on your consent.

Depending on the specific processing purpose, the Controller processes personal data on the basis of the following legal bases:

  • Performance of a contract or steps taken prior to entering into a contract – Article 6(1)(b) GDPR.
  • Compliance with a legal obligation – Article 6(1)(c) GDPR.
  • Consent – Article 6(1)(a) GDPR.
  • Legitimate interests of the Controller – Article 6(1)(f) GDPR.

Where processing is based on legitimate interests, these interests are always balanced against your fundamental rights and freedoms.

1. Processing of personal data (online account) Your personal data is processed to provide complaint handling services. Data processed: identification data (name and surname), contact data (phone number and e-mail) and order reference data in order to facilitate returns/complaint resolution through our logistics partners. Legal basis: performance of the concluded sales contract (Article 6(1)(b) GDPR) and fulfilment of warranty obligations (Article 6(1)(c) GDPR). Provision of personal data is voluntary, but necessary to process complaints. Refusal to provide personal data will result in the inability to handle complaints. Retention period: data is stored for the duration of the service and the prescriptive period for civil claims.
2. Processing of personal data (complaints) Your personal data is processed for the purpose of ensuring the provision of complaint handling services. In this case, we process identification data (name and surname), contact data (phone number and e-mail address) and order reference data in order to facilitate returns/complaint resolution through our logistics partners. The legal basis for the processing of your personal data is the performance of the concluded sales contract (Article 6(1)(b) GDPR) and the fulfilment of legal obligations regarding warranties (Article 6(1)(c) GDPR). The provision of personal data is voluntary, but it is necessary to enable the service of handling complaints or returns. Refusal to provide personal data will result in the inability to use these services. Personal data is stored for the duration of the complaint handling and the limitation periods for potential civil claims.
3. Processing of personal data (promotions) Your personal data is processed to organise promotions. Data processed: identification data (name and surname) and contact data (telephone number, e-mail and delivery address). Legal basis: legitimate interest of the Controller, to organise the promotions for the benefit of customers (Article 6(1)(f) GDPR). Provision of personal data is voluntary, but necessary to participate in promotions. Refusal to provide personal data will result in the inability to participate in promotions. Retention period: personal data is deleted when a justified objection is lodged or when the purpose of its processing ceases to exist.
4. Processing of personal data (satisfaction surveys) Your personal data is processed to send satisfaction surveys. Data processed: identification data (name and surname) and contact data (e-mail). Legal basis: legitimate interest of the Controller, to ensure an appropriate level of service (Article 6(1)(f) GDPR). Provision of personal data is voluntary, but necessary to receive satisfaction surveys. Refusal to provide personal data will result in the inability to participate in a satisfaction survey. Retention period: personal data is deleted when a justified objection is lodged or when the purpose of its processing ceases to exist.
5. Processing of personal data (direct marketing communications) Your personal data is processed to send marketing messages, including e-newsletters and profiling. Legal basis: your consent (Article 6(1)(a) GDPR); and legitimate interest (Article 6(1)(f) GDPR) for direct marketing of our own products or services, provided you have not objected. Personal data may be used to tailor content and analyse past purchases for predictive profiling. Withdrawal of consent does not affect prior lawful processing. Provision of personal data is voluntary, but necessary to receive marketing messages. Refusal to provide personal data will result in the inability to receive marketing messages. Retention period: personal data is stored until consent is withdrawn, objection implemented or the purpose of processing ceases.
6. Processing of personal data (third-party marketing) Your personal data is used to send marketing messages from third parties, without transferring your personal data. Legal basis: your consent (Article 6(1)(a) GDPR). Third-party marketing is carried out exclusively on the basis of your freely given, specific and informed consent. Provision of personal data is voluntary, but necessary to receive marketing messages. Refusal to provide personal data will result in the inability to receive marketing messages. Retention period: personal data is stored until consent is withdrawn or the purpose of processing ceases. Withdrawal of consent does not affect prior lawful processing.
7. Processing of personal data (performance of contract) Your personal data is processed to conclude and perform contracts. Data processed: identification data (name and surname) and contact data (telephone number, e-mail and delivery address) and order reference data. We also process your IP address (which is anonymised after 30 days from the date of purchase). Purpose: 1. contract fulfilment, logistics and warehousing providers to facilitate the preparation of orders, packaging, delivery, returns/complaint resolution, communication with end customers regarding the status of delivery; 2. to comply with legal obligations we have, in particular for accounting/tax purposes. Legal basis: 1. contract performance (Article 6(1)(b) GDPR); 2. legal obligation (Article 6(1)(c) GDPR); 3. legitimate interest - maintaining contact, answering questions, defending claims (Article 6(1)(f) GDPR). Provision of personal data is voluntary, but necessary for performance of the contract. Refusal to provide personal data will result in the impossibility of concluding and performing the contract. Retention period: personal data is stored for the duration of the contract and customer service, accounting/tax obligations and prescriptive period for civil claims.
8. Processing of personal data (contact persons of entities) If you represent a client, contractor or other entity, your contact information is processed for contractual and legal purposes. Purpose: 1. comply with legal obligations, in particular for accounting purposes; 2. maintain contact for servicing and performance of contract concluded with the entity on whose behalf you are acting, providing answers to questions asked and establishing, investigating and defending against claims. Legal basis: 1. fulfilment of our obligations (Article 6(1)(c) GDPR); 2. legitimate interest (Article 6(1)(f) GDPR). Provision of personal data is voluntary, but necessary to liaise with the entity you represent. Refusal to provide personal data will result in the impossibility of maintaining contacts necessary for the performance of the contract. Retention period: personal data is stored for the period necessary to establish and continue liaison, customer service/contractor service and to send promotions in the future. As the data is necessary for regulatory purposes (e.g. tax obligations) and for the purposes of establishing, investigating and defending against claims, the data may also be stored until expiry of the limitation period for tax liabilities relating to contracts, which may be extended beyond the prescriptive period for civil claims, if applicable.
9. Processing of personal data (recruitment) Personal data is processed to carry out recruitment procedures and select candidates. Depending on whether the recruitment procedure leads to the conclusion of a contract based on an employment relationship and is therefore governed by the provisions of labour law, or whether it leads to the conclusion of a civil law contract or a contract for the provision of services, the legal basis for the processing of personal data varies: I. Employment Contracts. In the case of recruitment for positions for which the conclusion of an employment contract is envisaged, the legal basis for the processing of personal data is: a) to the extent required under the Labour and Social Security Records Act (ZEPDSV) and the Employment Relations Act (ZDR-1). The legal obligation and basis for processing are also set out in Article 6(1)(c) GDPR. This applies to information such as: first and last name, date of birth and contact details provided by job applicants. Where necessary to perform a specific type of work or job, this also includes information on education, professional qualifications and previous employment. The Controller’s legal obligation also includes personal data required for the exercise of rights or the fulfilment of obligations arising from the law. b) where personal data is provided beyond the scope required by the legislation referred to in point (a) above, the legal basis for processing such data is consent under Article 6(1)(a) GDPR. This applies, for example, to the results of competency tests and any information contained in a CV, cover letter or provided during interviews. We do not require the provision of such data, but treat its voluntary submission as consent to its processing. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. Please note that the provision of personal data referred to in point I(a) is mandatory under applicable labour law provisions. Failure to provide such data makes participation in the recruitment process impossible. The provision of personal data referred to in point I(b) is voluntary. Failure to provide such data cannot result in less favourable treatment, negative consequences or refusal of employment. II. Civil Law Contracts & Service Contracts. In the case of recruitment for positions performed under civil law contracts or contracts for the provision of services, the legal basis for processing personal data is consent under Article 6(1)(a) GDPR. This applies to all information contained in a CV, cover letter or obtained during interviews. Please note that providing personal data for the purpose of concluding these contracts is voluntary, and such voluntariness requires consent. However, consent for the processing of basic identification and qualification data, such as name, date of birth, contact details and, where relevant, information about education, professional qualifications and employment history, is necessary for your application to be considered. Retention period: application documents will be deleted after the recruitment process has been completed, unless you have provided consent for further processing.
10. Processing of personal data (contact requests) If you contact us, the data we process consists of your contact details and data derived from your message. This data is obtained directly from you. Your personal data is processed based on legitimate interest, namely to enable us to receive, review and respond to your message and any questions arising from it. The legal basis for the processing of your personal data is our legitimate interest under Article 6(1)(f) GDPR, as described above. Providing personal data is voluntary; however, it is necessary for us to process and respond to your message. Refusal to provide personal data will result in the inability to process your message and it may therefore be deleted. Personal data is processed for the duration necessary to handle and respond to your message, unless the processing falls under another category of processing that requires a different retention period.

 03 | Recipients of personal data

1. For the proper functioning of the Online Store, including the execution of concluded sales contracts, it is necessary for the Controller to use the services of external entities (such as software providers, couriers or payment service providers). The Controller uses only processors that provide sufficient guarantees for the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and ensures the protection of data subjects’ rights.

2. The Controller may transfer personal data to a third country, provided that the Controller ensures that the transfer is made to a country ensuring an adequate level of protection in accordance with the GDPR, and that the data subject has the possibility to obtain a copy of his or her data. The Controller transfers personal data only when necessary for the specific processing purpose indicated in this Privacy Policy. Transfers of data take place on the basis of mechanisms approved by the European Commission, ensuring appropriate protection for personal data in a third country.

3. Data transfers by the Controller do not occur in every case or to all recipients listed in this Privacy Policy. The Controller transfers data only when it is necessary to achieve the specific purpose of processing and only to the extent required. For example, if a customer purchases a purely digital product, such as a gift voucher, their data will not be transferred to logistics or shipping providers.

4. Personal data of users and customers of the Online Store may be transferred to the following recipients or categories of recipients:

  • carriers/freight forwarders/courier intermediaries – for customers using postal or courier delivery, the Controller shares personal data with the selected carrier, freight forwarder or intermediary to the extent necessary to deliver the product.
  • entities processing electronic payments or card payments – for customers using these methods, the Controller shares the necessary personal data with the payment service provider for the execution of the payment.
  • technical, IT and organisational service providers - including providers of software used to operate the Online Store, e-mail and hosting providers, providers of business management software and technical support. Data is shared only when needed to fulfil the specific processing purpose.
  • providers of accounting, legal and consulting services - including accounting offices, law firms or debt collection companies, to the extent necessary for the performance of such services, in accordance with this Privacy Policy.
  • logistics and warehousing providers - for order preparation, packaging, delivery, returns/complaint handling and customer communication. Shared personal data includes: first name, last name, delivery address, phone number, email address and order reference data. These processors act exclusively on documented instructions from the Controller, in accordance with Article 28 GDPR.

Personal data is not subject to automated decision-making, including profiling. Personal data may also be transferred to third countries (outside the EEA), including entities belonging to the Controller’s group of companies, for reporting, financial and technical continuity purposes. The transfers are performed on the basis of mechanisms approved by the European Commission, ensuring an adequate level of protection.

Personal data will not be disclosed to third parties for purposes other than those specified in this Privacy Policy, and in particular, will not be shared with other entities for the purpose of sending third-party marketing materials.

When transferring personal data outside the EU, we take the following safeguards:

  • Standard contractual clauses (SCCs): For transfers to countries without an adequacy decision, we use European Commission-approved SCCs to ensure a level of protection equivalent to that within the EU. Logistics service providers (e.g. FREE Company s.r.o.) may use subcontractors in third countries to fulfil contractual obligations. Such transfers are protected by SCCs or other mechanisms permitted under the GDPR.
  • Additional safeguards: When necessary, we implement additional measures (such as internal policies and technical safeguards) to ensure that data is protected in accordance with the GDPR.
  • Information about transfers: If data is transferred to a country lacking an adequacy decision, we will notify you and provide details of the safeguards applied.

     04 | Use of external technology

    Our website contains plugins for the social networks Facebook and Instagram.

    • Facebook (Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA): The Facebook plugin on our website is marked with the Facebook logo and links directly to our Facebook profile. Facebook may obtain information that you have visited our website from your IP address. If you visit our website while logged in to your Facebook account, Facebook may associate the visit with your user account. Even if you are not logged in, Facebook may still obtain information about your IP address. Please note that Facebook does not provide us with full information about the data it collects or how it processes it. More information is available at: https://www.facebook.com/about/privacy/.

    • Our website may also include Instagram plugins. If you are logged in to your Instagram account, Instagram may associate your visit to our website with your user account. More information is available at: https://privacycenter.instagram.com/.

    If you do not want these platforms to collect information about your visit, please log out of your social media accounts beforehand and/or block third-party cookies in your browser settings. More information about third-party cookies may be found in our Cookie Policy.

     05 | Your rights under the General Data Protection Regulation

    Under the GDPR, you have the following rights in relation to your personal data:

    1. Right of access: You have the right to obtain confirmation as to whether we process your personal data and, if so, to access this data and receive information about the purposes of processing, categories of data, recipients and data retention periods.
    2. Right to rectification: You have the right to request the correction of inaccurate or incomplete personal data relating to you.
    3. Right to erasure: You may request the deletion of your personal data under certain conditions, such as when the data is no longer necessary for the purposes for which it was collected or when you withdraw your consent.
    4. Right to restriction of processing: You may request the restriction of processing if you contest the accuracy of the data, if the processing is unlawful, if we no longer need the data but you require it for the establishment, exercise or defence of legal claims, or if you have objected to the processing.
    5. Right to object: You may object to the processing of your personal data where it is based on our legitimate interests or where the data is processed for direct marketing purposes.
    6. Right to withdraw consent: If the processing of your personal data is based on your consent, you may withdraw this consent at any time, without affecting the lawfulness of the processing carried out before the withdrawal.
    7. Right to lodge a complaint: If you believe that your rights have been violated, you may lodge a complaint with the data protection supervisory authority in your country. If you are based in Malta, you may lodge your complaint with the Information and Data Protection Commissioner, at Floor 2, Airways House, Triq Il-Kbira, Tas-Sliema SLM 1549, Malta or via e-mail on: idpc.info@idpc.org.mt.

    You can submit a request to exercise your rights using the contact details provided at the beginning of this Privacy Policy.

    We strive to respond to all requests within 30 days. If your request is complex or if you submit multiple requests, the response period may be extended. We will notify you of any delay. If you are not satisfied with our response, you may lodge a complaint with the competent data protection authority.

     06 | Use of personal data for automated decision-making, including profiling

    Your personal data will not be used for automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. We may, however, use your personal data to tailor the content of marketing messages (e.g. newsletters) to your interests, including age (as derived from data you provide), your behaviour on our Website and your previous purchases. This may also include analysing such data for the purpose of making future predictions (profiling). In this way, we create customised user profiles to better align displayed or downloaded content with your individual interests.

    This processing of personal data is carried out in connection with the legitimate interest of the Controller, pursuant to Article 6(1)(f) GDPR, unless a different legal basis (e.g. consent for marketing communications) applies.

     07 | Changes to the privacy policy

    This Privacy Policy is subject to change at our discretion. If we make changes that significantly impact your privacy, we will notify you through appropriate communication channels (for example, by displaying a banner, pop-up message or push notification, or, where required by the GDPR, by email).

    If you have any questions about this Privacy Policy, please contact us at: info@victoriassecret.mt

     08 | Cookies and website tracking

    Our website uses cookies to improve the user experience. By using the website, you agree to the use of cookies, unless you have adjusted your browser settings to refuse cookies.

    You can manage your cookie preferences at any time through your browser settings or through the cookie management section on our website.

    More information about cookies may be found in our Cookie Policy.

    _________________________

     

    Last update: 18.04.2025
