Depending on how you interact with us (online, offline, by phone, etc.), we may collect from you various categories of Data, which are described in more details below.

a) Data you provide to us

You may provide the following categories of Data when you interact with us for instance when you visit our Sites, our stores, or when you participate in one of our promotional operations, etc.

• Identification information: this includes information such as your name, surname, age or age range, title, date of birth,  general geographic location (e.g., postcode or city and state), etc.

• Contact information: this includes any information that would allow us to personally contact you, such as your home address, billing address, your email address, or your phone number (home, mobile), etc.

• Order and product information: this includes details of the products you have ordered and searched for online or in our shops, the date and time of your orders and searches and the shops you prefer to visit, etc.

• Habits and preferences: this includes any information related to your preferences and interests such as your favorite products, lifestyle information, your concerns in terms of beauty and care, etc.

• Payment and transaction-related information: this includes any information that you use to make a purchase, such as your payment card details. Payments made on the Site are made through our payment gateway providers, ADYEN, PAYPAL, APPLE PAY, or AFTERPAY. Please note that we do not have access to the payment details you provide to these providers which operate autonomously. For more information please refer to the relevant service providers privacy policy.

• User-generated content and posts:  this refers to any content (suggestions, testimonials, surveys or other any other feedback) that you voluntarily share with us about your experience in using our products or services. This also includes your posts on our applications, such as our Facebook fan pages (photos, videos, personal stories, or other similar media or content).

• Information on adverse events: this might include information on your allergies, intolerances and other health-related information, which might be related to our products, that you provide to our customer service. Please note that we only use this information in accordance with our legal obligations to follow-up on adverse events reported to us by our customers (in accordance with EU Regulation on cosmetic products no.1223/2009 as transferred under UK law).

• CCTV:  your image may be recorded on CCTV when you visit one of our shops. We might have to use it for security reasons. We regularly delete the footage unless an incident or alleged incident requires investigation or action.

b) Automatically collected Data

The following categories of Data may be collected automatically when you navigate though our Sites, thanks to various tracking technologies such as browser cookies:

• Technical information: such as your IP address, the browser you use or other technical data related to your device, etc.

• Connection data: such as your identifiers, date and time of connection to your account, to our Sites, etc.)

• Data relating to your use of our Sites and applications: pages viewed, products you searched for, duration of your visit, etc.

c) Data we receive and collect from other sources

• Third parties and advertising partners: we may obtain information, including Data, from third parties and sources other than our Site, such as our partners or advertisers. This may be the case when you accept cookies, which help us understand your activities, how you use our services, the purchases you make, the advertisements you watch, etc.

• Social media partners: we might receive information from social media platforms when you use your social network account such as Facebook, to access one of our services (e.g. to participate in one of our promotional operations or to make a purchase without having to create an account on our site) or when using social media plug-ins (e.g. “like” and “share” buttons).

We generally use your Data on the basis of the following grounds:

• The performance of the contract we have with you: in certain circumstances, we need your Data to execute our contractual obligations. For example, if you buy products through our Site, we need your name and contact details so we can communicate with you and deliver the products you ordered. If you do not provide your Data, we will not be able to provide you with the requested products and services;

• Your prior consent: in certain cases, we may ask for your consent before using your Data. For instance, we will always ask for your permission to send you promotional communications;

• Compliance with a legal obligation applicable to us: sometimes we have to collect and use your Data in order to comply with our own legal obligations. For example, tax laws require us to keep trace of invoices related to your purchases;

• Our legitimate interests: this is a legal term which means we have a good and fair reason to use your Data and we do so in ways which do not hurt your rights and interests. For instance, we do analyse how you interact with our Site so we can better understand what elements of the design are working well and which are not working so well. This allows us to improve and develop the quality of the online experience we offer to our users.

We may collect, use and disclose your Data for the main following purposes:

For what purpose do we use your Data?	What Data do we use?	On which ground?
Manage your online activities
Create and manage your online account	· Identification and contact information · Order and product information · Habits and preferences · Connection data	Your prior consent
Manage your online product orders	· Identification and contact information · Order and product information · Payment and transaction-related information · Connection data	Performance of the sales contract with you
Manage your participation in one of our promotional operations (game-contests, sample operations, promotional offers…)	· Identification and contact information · Order and product information · User-generated content	Your prior consent
Offer you quality services in store
Create and manage your personal profile to offer you personalised services and advices in store, according to your preferences	· Identification and contact information · Order and product information · Habits and preferences (might include information related to your allergies)	Your prior consent
Manage your appointments with us (with your beauty consultants, make-up sessions, tutorials and events, etc.)	· Identification and contact information · Habits and preferences	Your prior consent
Manage cabin treatments	· Identification and contact information · Order and product information · Habits and preferences (might include health related data)	Your prior consent
Manage your registration to our loyalty programs	· Identification and contact information · Order and product information	Your prior consent
Manage distance selling (click & collect, orders by phone, etc.)	· Identification and contact information · Order and product information · Payment and transaction-related information	Performance of the sales contract with you
Interacting with you
Manage promotional communications (via email, SMS or phone), either because you consented to receive our promotional offers or to exchange with your beauty consultants in store	· Identification and contact information · Order and product information · Habits and preferences · Technical information · Connection data · Data relating to your use of our Sites and applications	Your prior consent
Interact with you when you contact us via our customer service or via any other channel (online chat, email, text message, telephone help line for any reason, compliments, feedback or a request, etc.)	· Identification and contact information · Order and product information · User-generated content · Technical information · Connection data	Your prior consent
Manage your comments and reviews on our products	· Identification and contact information · Order and product information · User-generated content	Your prior consent
Assess your satisfaction	· Identification and contact information · Order and product information · Habits and preferences · User-generated content	Our legitimate interest
Carry out market surveys	· Identification and contact information · Order and product information · Habits and preferences · User-generated content	Your prior consent
Managing back-in stock emails notifications	· Identification and contact information	Your prior consent
Manage adverse events notifications	· Identification and contact information · Order and product information · Habits and preferences · Information on adverse events including health-related information and pictures of you and those you might send us · User-generated content	Your prior consent Compliance with a legal obligation applicable to us
Manage your requests on your Personal Data	· Identification and contact information · User-generated content	Compliance with a legal obligation applicable to us
Website analysis
Offering you online content adapted to your preferences and online behaviour	· Habits and preferences · Connection data · Data related to your use of our Sites and applications · Technical information	Your prior consent
Managing and following traffic on our Sites	· Connection data · Data related to your use of our Sites and applications · Technical information	Your prior consent
Others
Performing analysis and statistics	· Order and product information · User-generated content · Habits and preferences · Connection data · Data related to your use of our Sites and applications · Technical information	Our legitimate interest
Exercise our legal rights in case of litigation or legal proceedings	· Identification and contact information · Order and product information · Information on adverse events · User-generated content	Our legitimate interest
Ensuring our Sites security	· Identification and contact information · Technical information · Data related to your use of our Sites and applications · Connection data	Our legitimate interest
Managing video surveillance in our shops	· CCTV images	Our legitimate interest

To have a better overall understanding of you as a customer, we may combine information about you gathered across various channels. For example, Data collected in the course of your online activity (e.g. shopping, account creation, etc.) may be combined with Data we collect when you visit one of our stores (if you have consented).

This Data enrichment may also occur between different brands of the Shiseido group. For example, if you make an online purchase on the Shiseido website and then create an online account with the same email address on the NARS website, the Data collected through these two websites may be combined to enrich your customer profile.

This helps us to propose products and advice that is most relevant to your interests at particular times, by email (where we have your consent) or when you visit one of our stores.

Under no circumstances will this enrichment allow us to send you communications relating to another brand of the Shiseido group if you have not consented to it.

You can object to these "profiling" operations at any time by contacting us. Please refer to the "Your rights and choices" section.

Depending on the type of Data and purpose of processing, access may be granted to the following authorized persons:

• Other brands of the Shiseido group: Some of your Data may be shared with the other brands of the Shiseido group, for example, to enrich your customer profile and to update your Data as regularly as possible.

• Other Shiseido affiliates and group entities: your Data may be shared with the other affiliates of the Shiseido group who are involved in our customer relationship management.

• Third party vendors and providers: your Data may be accessible to selected third parties vendors or providers acting on our behalf and our instructions, for the needs of the purposes described above in section 4. For example, our transporters will need to access your Data to deliver the products you ordered, our marketing campaign providers will need to access your Data to send you the relevant communications, our maintenance providers might need to access your Data in case of technical incident, etc.

  In any case, we require such third parties to:

  • be subject to strict contractual data protection and confidentiality obligations;
  • undertake to comply with all applicable data protection laws and exclusively for the purposes specified in the contract with have with them;
  • implement appropriate technical and organizational security measures designed to protect the integrity and confidentiality of your Data.

• Public and judicial authorities: we might need to share your Data with public authorities when the law requires us to do so. For instance, we might be requested to provide invoices to tax or financial authorities, or to provide information related to adverse events linked to the use of our products to health authorities. We might also need to share your Data with judicial authorities in the event of a litigation.

• Our professional advisers: we also may share your Data when necessary with our professional advisers, such as our accountants, auditors, lawyers, insurers, etc.

• Potential acquirers and other stakeholders involved in our business transfers: we might share your Data in the event of an acquisition, merger, sale, corporate restructuring. In this context, the acquirer will act as the new controller of your Data.

In any case, please rest assured that we only grant access to your Data on a need-to-know basis, and that such access is limited to the Data that is strictly necessary to perform the purpose for which such access is granted. We will never rent, trade or sell your Data to third party companies.

Shiseido is a multinational organization with affiliates, vendors and partners located in many countries around the world. For that reason, Shiseido may need to share your Data with entities located in other jurisdictions, in countries which may not be regarded as providing the same level of protection as the jurisdiction you are based in.

Shiseido EMEA, our European headquarters which is in charge of leading our ecommerce, customer relations and marketing efforts in Europe, in the UK and in Switzerland, is located in France. As a consequence, your Data is transferred to France.

They may also be shared with our American and Japanese affiliates, which are notably in charge of the overall management of our group customer relationship management system.

In any cases Shiseido ensures that adequate safeguards, as required under the applicable data protection legislation, are in place. Such safeguards include:

• Adequacy decisions released by the European Commission, provided that they are recognised under UK law;

• The European Commission’s Standard Contractual Clauses also recognised under UK law as providing an appropriate safeguard for restricted transfers from the UK;

• Our providers’ Binding Corporate Rules (“BCR”)

For more information about the transfer of your Data, you can contact our Data Protection Officer (please refer to the "Your rights and choices" section).

We know how much data security matters to all our customers and take all appropriate steps to protect your Data from unauthorized access, alteration, disclosure, or destruction. We pay particular attention to sensitive data, especially payment card data, allergy or intolerance data.

Please note, however, that any information you choose to share in public areas such as our website community features, or other social areas is by definition considered as public and can be seen by anyone accessing the related platform.

We will retain your Data for the period necessary to fulfil the purposes outlined in this Policy (see section 4).

The criteria used to determine such retention periods include:

• the length of time we have an ongoing relationship with you;
• whether there is a legal obligation to which we are subject imposing or authorizing us to keep you Data.

Our Sites are not directed to anyone under 16 years of age. We do not solicit or collect any type of information from a person known to be under the age of 16.

If we become aware that we have accidentally collected information from a child, we will remove that information from our records as soon as feasibly possible.

In accordance with the applicable data protection law, you have the right to request:

• Access to the Data we hold about you;

• The correction of your Data if they are incomplete or inaccurate;

• The erasure of your Data, in the cases provided by law. Please note that in some cases, we may be obliged to retain your Data anyway, for legal or legitimate reasons;

• The interruption of the use of your Data by withdrawing your consent at any time where our “lawful basis” is consent, or by objecting to the use of your Data where our “lawful basis” is our legitimate interests and that we have no legitimate overriding interest;

• The restriction of the use of your Data, in the cases provided by law;

• To obtain a copy of the Data you provided us, in a commonly used format, to transmit it to another data controller, in the cases provided by law.

To exercise your rights or for any further questions related to the use of your Data, please contact our Data Protection Officer:

• Via our online contact form

• Via our postal address:
    Data Protection Officer
    Shiseido EMEA
    56 A, rue du Faubourg St Honoré
    75008 Paris
    France

Please note that to process your request, we may ask you for proof of identity.

If you feel that your Data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your Data, you have the right to lodge a complaint with your local data protection authority.