Sometimes, all that's needed is a helping hand. So allow Penhaligon's Aficionados to be of service.
1 IMPORTANT NOTICE
1.1 This is the Privacy Notice of Penhaligon’s Limited (Company Number 02110619) whose registered office is at 3rd and 4th Floor, 1 Cathedral Piazza, 123 Victoria Street, London, SW1E 5BP.
1.2 This Privacy Notice sets out how Penhaligon’s Limited (‘we’, ‘us’ or ‘our’) and our group companies (including Puig S.L.) collect and process your personal information when you access and use our site www.penhaligons.com (‘our site’). This Privacy Notice also provides certain information that is legally required and lists your rights in relation to your personal data.
1.3 We take our data protection responsibilities very seriously and we comply with all applicable Data Protection Legislation in force from time to time. For the purposes of this Privacy Notice, ‘Data Protection Legislation’ means: (i) the Data Protection Act 2018 and all related regulations in force from time to time; and (ii) the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (‘GDPR’) and any laws in England giving effect to its provisions.
1.3 This Privacy Notice relates to personal information identifying you. We refer to this information throughout this Privacy Notice as ‘personal data’ and section 2 sets out further detail of what this includes. This Privacy Notice is not intended for children and we do not knowingly collect personal data relating to children.
1.4 This Privacy Notice may vary from time to time so please check it regularly. These terms were most recently updated on 5th August 2019.
2 THE PERSONAL DATA WE COLLECT ON YOU
We may collect the following personal data about you:
2.1 Personal data you provide to us via our site, including information that you provide by filling in forms on our site. This includes information provided at the time of registering to use our site and when you make purchases from our site. For example:
2.1.1 Your name and title;
2.1.2 Your billing and delivery postal address, phone, fax and email addresses;
2.1.3 Your gender (although this is not mandatory);
2.1.4 Where you have registered with us, your user name and password; and
2.1.5 How you heard about us.
2.2 Personal data you provide when you enter a competition or promotion sponsored by us, and/or when you report a problem with our site;
2.3 We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them;
2.4 Details of transactions you carry out through our site and of the fulfilment of your orders;
2.5 Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access;
2.6 Information about your computer, including where available your IP address, operating system and browser type, for system administration. This is statistical data about our users' browsing actions and patterns, and does not identify any individual;
2.8 Personal data you provide when you request our marketing material or email newsletter or submit a query to us or which is collected via social media;
2.9 Personal data you provide when using interactive features of our site; and
2.10 Personal data you provide when apply for a job advertised or submit a speculative job application and/or your CV.
3 KEY INFORMATION ABOUT YOUR PERSONAL DATA
3.1 Data controller and contact details
3.1.1 For the purposes of the Data Protection Legislation, we are the controller of the personal data you provide to us and as a controller we use (or ‘process’) the personal data we hold on you in accordance with this Privacy Notice.
3.1.2 If you have a concern or question regarding your privacy, you can contact our Data Protection Assistant by emailing [email protected].
3.2 Legal grounds for processing
3.2.1 We collect and process your personal data for a variety of different purposes which are set out in further detail below.
3.2.2 In some cases, we will ask for your consent in order that we can process your personal data. However, in certain circumstances Data Protection Legislation allows us to process your personal data, without needing to obtain your consent. As examples, this may be because we need to use your personal data in order to provide you with the services or goods you have elected to receive from us (i.e. in the ordinary course of our business), to operate our site or for legitimate business or legal purposes.
3.3 How we use your personal data – matters which require your consent
3.3.1 We may ask for your consent to contact you by telephone, SMS, post and/or email about other offers, products, promotions, developments or services which we think may be of interest to you and for other marketing purposes. You can indicate your consent by ticking the relevant box.
3.3.2 We may ask for your consent to group companies including Puig S.L. to contact you by telephone, SMS, post and/or email about other offers, products, promotions, developments or services which may be of interest to you and for other marketing purposes. You can indicate your consent by ticking the relevant box.
3.3.3 We may ask for your consent to allow third parties to contact you by telephone, SMS, post and/or email about other third party offers, products, promotions, developments or services which may be of interest to you and for other marketing purposes. You can indicate your consent by ticking the relevant box.
3.4 Withdrawing your consent
3.4.1 In the event that we rely on your consent, you may at any time withdraw the consent you give to our processing your personal data for those purposes set out in section 3.3 above by contacting us at [email protected].
3.4.2 If you want to stop receiving future marketing messages and materials at any time, you can do so alternatively by clicking the 'unsubscribe' link which is included in all of our email marketing messages.
3.5 How we use your personal data – where your consent is not obtained
3.5.1 In some instances we may not obtain your consent to our processing of your personal data and instead we can rely on another lawful basis in order to do so. These lawful bases include those in the table below, along with the linked purposes for which we will process your personal data:
HOW WE USE YOUR PERSONAL DATA
THE LEGAL BASIS ON WHICH WE CAN DO THIS (THIS IS WHAT THE LAW ALLOWS)
In order to perform our contractual obligations to you. This would include our fulfilling orders you have placed for goods or services, contacting you in relation to any issues with your order or where we need to provide your personal data to our service providers (e.g. our courier company).
The processing is necessary for the performance of a contract which you have entered into, or where you request us to process your data prior to entering into a contract
In order to comply with our own legal obligations or to assist in an investigation (e.g. from the police).
The processing is necessary for compliance with a legal obligation to which we are subject
In order to use your personal data to operate our business and that of our group companies (including Puig S.L.), but otherwise than in performing our contractual obligations to you. These would be our and our group companies' 'legitimate interests’ and include as follows:
(ii) Sending you surveys in connection with our goods and services;
(iii) To send you important notices such as communications about changes to our terms and conditions and policies;
(iv) To assist in the investigation of suspected illegal or wrongful activity. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction;
(v) To deal with any misuse of our site;
(vi) To contact you about other offers, products, promotions, developments or services our ours which we think may be of interest to you and for other marketing purposes.
(vii) To deal with your enquiries;
(viii) To allow you to participate in interactive features of our service, when you choose to do so;
(ix) Where you have submitted a job application we may for a reasonable period keep your details on file for future reference should a suitable position subsequently become available and we may send you information about job opportunities;
(x) To develop, deliver and improve our goods or services;
(xi) To help us develop our site to be more useful to you;
(xii) For internal purposes for research, analysis, testing, monitoring, customer communication, risk management and administrative purposes;
(xiii) To protect and defend our rights or property or those of our customers or others;
(xiv) To sell, make ready for sale or dispose of our business in whole or in part including to any potential buyer or their advisers; and
(xv) In order to enforce or apply our site’s Terms of Website Use or Terms and Conditions of Sale and other agreements with third parties.
Where processing is necessary for the purposes of the legitimate interests pursued by us or by a third party for our business activities
3.5.2 We will do our best to inform you when we carry out any of the above activities, but it may be that we are unable to do so in each case.
3.6 Who receives the personal data you provide to us
3.6.1 We will share your personal data with the following recipients:
(a) RedEye in relation to our marketing email communications with our customers;
(b) Feedspark for our affiliate programme which allows us to see anonymously which website you came from right before you visited our site
(c) SagePay – and PayPal, Amazon Pay, Klarna and Apple Pay – to process payments made on our site;
(d) Winparf in relation to point of sale
(e) One Market in relation to electronic receipts
(f) Sprout in relation to social media marketing with our customers
(g) CDL Logistics in relation to order fulfilment and delivery services
(h) Hybris in relation to online transactional services
(i) Facebook in relation to our social customer audience segments
(j) Zendesk in relation to customer support software
(k) LogicMelon in relation to recruitment
(l) Mention Me in relation to referral progrmmes
(m) SAP for finance and logistical purposes
(n) Puig S.L. for management of Group Company data
(o) Use of first party data (cookie data, email addresses) to build remarketing audiences on Google Adwords and Bing
(p) Use of first party data (cookie data, email addresses) to build custom audiences for targeting on Facebook and Instagram
(q) Google Firebase in relation to online fragrance profiling;
(r) Hero in relation to our clienteling app to connect with stores
(s) Use of first party data (cookie data, email addresses) to build remarketing audiences in Criteo Display advertising;
(t) Use of first party data (cookie data, email addresses) to build remarketing audiences in Snapchat advertising;
(u) HMRC, legal and other regulators or authorities, including those who request your personal data or to report any potential or actual breach of applicable law or regulation;
(v) External professional advisers such as accountants, bankers, insurers, auditors and lawyers;
(w) Law enforcement agencies, courts or other relevant party, to the extent necessary for the establishment, exercise or defence of legal rights; and
(x) Third parties where necessary for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
However, we do not forward personal data to these third parties for any promotional purposes by those companies.
3.6.2 In addition, we may disclose the personal data you provide to us to our group companies or any third party data processors other than those listed above who may process data on our behalf for the purposes set out in section 3.5 above.
3.6.3 We may also disclose your personal information to other third parties in order to undertake any of the activities listed in sections 3.3. and 3.5.
3.7 Transfers of your personal data to other countries
3.7.1 The personal data we collect from you is currently held within the European Economic Area (‘EEA’). However, it is possible that in the future such personal data may be transferred, stored and/or processed outside the EEA.
3.7.2 By submitting your personal data, you agree to this transfer, storing and/or processing. You should be aware that countries outside the EEA may not offer the same level of data protection as the United Kingdom. In connection with such transfer we will ensure that:
- There are appropriate safeguards in place such as binding corporate rules or the approved EU model contractual clauses between us and the recipient (as per Article 46 GDPR (or English law equivalent)). A copy of the appropriate safeguard can be obtained by contacting us using the contact details set out in section 3.1.2 above; or
- The transfer is to a country that the European Commission has decided provides an adequate level of protection such as to a country approved by the European Commission or to certain organisations with the US pursuant to the Privacy Shield (as per Article 45 GDPR (or English law equivalent)); or
- One of the derogations for specific situations in the first sub-paragraph of Article 49 (1) of GDPR (or English law equivalent) applies to the transfer including explicit consent or necessary for the performance of a contract or exercise or defence of legal claims.
3.8 How long we will hold your personal data for
3.8.1 We will only hold your personal data for so long as is necessary for us to do so, in accordance with the following criteria:
- The on-going business operation / relationship that we have with you;
- The completion of the purpose for which the personal data was given;
- Our legal obligations in relation to that personal data and other legal requirements;
- The type and size of the data held and whether any of it is deemed to be special category personal data; or
- Our accounting requirements in relation to that personal data.
We keep the length of time that we hold your personal data for under review.
3.8.2 Where we no longer need to process your personal data for the purposes set out in this Privacy Notice then we will delete your personal data from our system.
3.9 Why should you provide us with personal data?
3.9.1 Please be aware that we do need to use certain of your personal data in order to fulfil our contractual obligations to you and to provide you with the goods and services you have elected to receive. If you do not provide it then we may not be able to perform the contract to the level you expect or at all. Please see our Terms and Conditions of Sale for further details.
3.9.2 Where we ask for your consent to process your personal data, you are free to withdraw any consent you may give (see section 3.4 above). In addition you are entitled to object to any other processing of your personal data we carry out where we do so in accordance with our own legitimate interests, a list of which is set out in section 3.5 (please also see section 4.5 below for a list of your rights in this respect). Please note, however, that where you do withdraw your consent or otherwise object to our processing of your personal data then this may impact on our ability to provide you with goods and services or (in the case of cookies) affect the functionality of our site
3.10 Automated decision making
3.10.1 We use automated decision making tools in our processing of your personal data.
3.10.2 We employ the following logic in relation to such automated decision making:
(a) Product recommendations based on previous shopping experience
3.10.3 We consider that the significance of such automated decision making and the consequences for you of our employing these techniques are as follows:
(a) Different product recommendations being offered
3.11 Where we store your personal data
3.11.1 All information you provide to us is stored on our secure servers.
3.11.2 We will keep your information secure by taking appropriate technical and organisational measures against its unauthorised or unlawful processing and against its accidental loss, destruction or damage.
3.11.3 Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
3.11.4 Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
3.11.5 Payment transactions are made using payments providers. All credit/debit card transactions on our site are processed using, a secure online payment gateway that encrypts your card details and cannot be accessed by us.
3.12 Accuracy of your personal information
It is important that the personal data we hold about you is accurate and current and we take all reasonable precautions to ensure that this is the case but we do not undertake to check or verify the accuracy of personal data provided by you. Please keep us informed if your personal data changes during your relationship with us either by logging onto your account on the website or by contacting us. We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.
4 SUBJECT ACCESS RIGHTS
4.1 Your right to access your personal data in our possession
4.1.1 You have the right in certain circumstances to obtain from us confirmation as to whether or not we are processing your personal data and, where that is the case, access such personal data and be made aware of the information set out in this Privacy Notice in relation to such data.
4.1.2 If you would like to exercise this right, please contact us using the contact details set out above.
4.2 Your right to have inaccurate personal data rectified
4.2.1 You have the right in certain circumstances to obtain from us the rectification of inaccurate personal data that we hold and which concerns you. This includes the right to request that incomplete personal data is completed (and you may submit a supplementary statement to us in order to do so).
4.2.2 We will rectify inaccurate personal data without undue delay, and will do the same in respect of incomplete personal data although in such instances we are entitled to take account of the nature of our processing of the data in assessing whether we are required to complete the missing information. If you would like to exercise this right, please contact us using the contact details set out above.
4.3 Right to erasure (“right to be forgotten”)
4.3.1 You have the right to obtain from us the erasure of personal data that we hold and which concerns you. This right applies in certain circumstances where:
(a) the relevant personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) You withdraw your consent using the mechanism set out above and there is no other legal ground for our processing your personal data;
(c) Where you object to our processing your personal data using the mechanism set out in section 4.5.1(a) below and there are no overriding legitimate grounds for our processing your personal data, or where you object to our processing your personal data using the mechanism set out in section 4.5.1(b) below;
(d) Where we have processed your personal data unlawfully;
(e) The relevant personal data have to be erased in order to comply with law; or
(f) Where the personal data have been collected in relation to the offer of information society services directly to a child.
4.3.2 If you would like to exercise this right, please contact us using the contact details set out above. We will do this without undue delay unless there is a legal reason as to why we should not comply with your request.
4.4 Right to restriction of processing
4.4.1 You have the right to restrict the way we process your personal data in certain circumstances:
(a) if you contest the accuracy of the relevant personal data, we will suspend our processing of your personal data for such a period as we require in order to verify the accuracy of such personal data;
(b) Where the processing of the relevant personal data is unlawful and you would prefer that we restrict how we process it rather than erase the data altogether;
(c) Where we no longer need the relevant personal data for the purposes of processing it, but the personal data are required by you for the establishment, exercise or defence of legal claims; or
(d) Where you object to our processing your personal data using the mechanism set out in section 4.5.1(a)below, you may request that we restrict the way we process your personal data pending verification of whether our legitimate grounds for processing your personal data override yours.
4.4.2 Except for storing the personal data, we will only process it with your consent or for limited reasons such as the establishment, exercise or defence of legal claims, for the protection of the rights of another person or for reasons of important public interest.
4.4.3 If you would like to exercise this right, please contact us using the contact details set out above.
4.5 Right to object to processing of personal data
4.5.1 In addition to your ability to withdraw your consent, you have the right:
(a) To object, on grounds relating to your particular situation, at any time to our processing of your personal data where we consider that processing your personal data is necessary for: (i) the performance of a task carried out in the public interest or in the exercise of official authority vested in us; or (ii) the purposes of the legitimate interests pursued by us or by a third party, including in each case profiling based on those provisions. In such instances we will no longer process the relevant personal data unless we can demonstrate to you compelling legitimate grounds for our processing the relevant personal data which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims; and/or:
(b) To object at any time to our processing your personal data for direct marketing purposes, which includes profiling to the extent related to such direct marketing. In such instances we will cease to process your personal data for such purposes.
4.5.2 If you would like to exercise these rights, please contact us using the contact details set out above.
4.6 Right to data portability
4.6.1 You have the right to receive from us the personal data concerning you which you have provided to us, in a structured, commonly used and machine readable format and have the right to transmit those data to another controller without hindrance from us. This right shall include the right to require us to transmit the relevant personal data to another controller on your behalf, where technically feasible. This right only applies to personal data that: (i) we gain your consent to process pursuant to section 3.3; or (ii) we obtain in order to perform our contractual obligations to you, and in each case to the extent we process your personal data by automated means.
4.6.2 If you would like to exercise this right, please contact us using the contact details set out above.
4.7 Right to lodge a complaint about us to the Information Commissioner
You are entitled to complain to the Information Commissioner’s Office about the way we process your personal data. Please see https://ico.org.uk/concerns/ for how to do this.
5 LINKS TO OTHER WEBSITES
This policy only applies to Penhaligon’s Limited. Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy notices or policies and that we do not accept any responsibility or liability for any use of your personal data that is made by unconnected third party websites. You should remember to read and understand those websites’ privacy notices or policies as well.