ORIFLAME PRIVACY NOTICE - CUSTOMERS
Publication Date: October, 2022
What does this policy cover?
This policy describes the Company's processing of your personal data.
References in this policy to the Company, we or us shall mean Oriflame Holdings BV with registered address Hoogstraat 8.5462 CX Veghel.
For the purposes of applicable data protection law (including UK GDPR Data Protection Act 2018), the General Data Protection Regulation 2016/ 679 (the "GDPR"), the Company is the data controller of your personal data.
What personal data is collected?
The following categories of personal data will be collected about you in connection with this policy:
1. Personal data collected from you: The Company will collect the following data from you when you complete a form on the website, purchase Oriflame products on the website, complete the Customer sign-up process, subscribe to Oriflame newsletters, participate in discussion boards or other social media functions on the website, enter a competition, promotion or survey on the website, use other services offered by Oriflame via website and Oriflame applications or otherwise communicate with the Company (for example, when you contact Customer Services):
· user name*;
· date of birth;
· postal address*;
· product delivery address*;
· email address*;
· phone number and mobile phone number;
· your password*;
The fields above which are marked with a (*) are mandatory fields – if you do not provide such personal data, the Company will not be able to fulfil the applicable purposes which are described below in this privacy notice. For example, if you do not provide your postal address, we may not be able to deliver your order to you.
2. Personal data collected about you:
· The Company processes personal data related to your history of purchases, for example, the items you have purchased, your product preferences and how often you make purchases with us, and whether you were referred to us by any of our Brand Partners.
· Further, with regard to each of your visits to the website and any Oriflame app, or any third-party software/ app used by Oriflame on a SaaS basis, the Company will automatically collect the following personal data:
o technical information, including the Internet Protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time-zone setting, browser plug-in types and versions, operating system and platform;
o information about your visit to the website, including the full Uniform Resource Locators (URL) clickstream to, through and from the website (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number; and
o information obtained via the cookies that the Company or a third-party service provider places on the website – see below for more information.
· The Company processes opinions or statements you make on discussion boards or in communications with us and any other information you provide to us in the course of using our website or corresponding with us or our representatives or posts and messages on social media.
· The Company processes personal data necessary to analyse the effectiveness of the communication with you, for example number of opened emails, click-through rates, websites visited through emailed links or products purchased.
How is your personal data used, and what is the legal basis for this use?
1. The Company processes your personal data for the following purposes:
· Contractual Necessity: As required to establish and fulfil a contract with you, for example, if you make a purchase from it. This will include verifying your identity, taking payments, communicating with you, providing customer services and arranging the delivery or other provision of products, awards or services, enabling you to participate in live video events and chatting during the live video sessions.
· Legitimate Interests: As required by it to pursue its own legitimate interests, in particular:
o to communicate with you;
o to invite you to take part in market research or studies;
o to help it monitor, improve, administer and protect its products, content, services and website, both online and offline;
o to market its products effectively by personalising its website, applications or its products and services for you, and to enable you to participate in interactive features of its website;
o to send you marketing communication via post;
o to investigate and handle any complaints received from you about its website, applications or its products and services;
o to monitor any Customer account to prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable law; and
o to measure or understand the effectiveness of advertising it serves to you and others, and to deliver relevant advertising to you (including performance of consumer satisfaction and similar studies).
· Legal Compliance: To ensure compliance with applicable laws and the protection of the Company's legitimate business interests and legal rights, including, but not limited to, use in connection with accounting, billing, legal claims, compliance, regulatory, tax, and investigative purposes (including disclosure of such information in connection with legal process or litigation).
- Consent: To use various enhancing tools, products or services offered by the Company we may ask you for a specific consent.
- Direct marketing: The Company may use your contact data, based on its legitimate interest, to contact you in relation to the Company's products and services similar to those which you have already purchased. Direct marketing communications may be provided to you by email, sms and other instant messaging technologies or phone. You may opt out from receiving this marketing communication at the moment of providing your data or later on at any time via “MyPages” and at any time when you receive the communication by clicking on the relevant link.
2. Direct Marketing from a Brand Partner: Subject to the following, a Brand Partner may send you direct marketing in relation to the Company’s products and services similar to those which you have already purchased. Direct marketing communications may be provided to you by email, sms and other instant messaging technologies. You can object to receiving direct marketing from a Brand Partner during registration or later via “MyPages” or at any time when you receive the communication by clicking on the relevant link or directly contacting a Brand Partner. The Brand Partner will be the data controller of the personal data for the purposes described above and will identify themselves and provide contact details when they contact you. Brand Partners are independent from the Company and the Company is not responsible for the use of your personal data by the Brand Partners.
Automated decision-making and profiling
We do not use fully automated decision-making in order to execute our contractual relationship with you;
We do, however, process your data on a partially automated basis with the aim of evaluating certain characteristics of yours (profiling). We use profiling to provide you with tailored information and advise you regarding our products. This enables us to target appropriate communications and advertisements at you like recommending products and services that we think might be suitable for you.
Who will your personal data be shared with, and where?
The Company will share your personal data with:
· other Oriflame group companies, in particular with Oriflame Cosmetics AB, PO Box 1095, SE-101 39 Stockholm, Sweden; Oriflame Kosmetik Vertriebs GmbH, Hegau Tower, Maggistraße 5, 78224 Singen Hohentwiel, Germany; Oriflame Poland Sp. z o.o., ul. Wołoska 22, 02-675 Warsaw, Poland; Oriflame Software s.r.o., Ladova 389/10, Hejčín, 779 00 Olomouc, Czech Republic for group level analytics.
· Government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of its own legitimate interests in compliance with applicable laws; and
· Third party service providers and group companies, who will process it on behalf of the Company for the purposes above. Such third parties include, but are not limited to, couriers for delivery of your orders (which are located in EEA), customer service operations (which are located in EEA), and marketing providers (which are located in EEA) etc;
· Brand Partners if required for the purposes above or based on your contractual need to do so.
· In the event that the business is sold or integrated with another business, your personal data will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business.
Where will your data be sent?
The Company intends to transfer (including store) your personal data to countries outside of the United Kingdom and outside the European Economic Area (the "EEA") (i.e. all 27 EU Member States plus Iceland, Liechtenstein and Norway) which may not provide the same level of protection as the United Kingdom and those countries within the EEA, in particular: to India, the United States of America and Switzerland.
Where this is the case, and where the transfer is to a Company affiliate or vendor in a country that is not subject to an adequacy decision by the EU Commission, personal data is adequately protected by EU Commission-approved standard contractual clauses (which have been implemented pursuant to Article 46 (2) of the GDPR). If you have any questions about the standard contractual clauses and / or would like to obtain a copy of them, please contact the Company’s data protection officer at email@example.com.
What cookies will be used on the website?
We use Google Analytics to understand how visitors engage with our sites and apps. This means that when you visit our website or use one of our mobile applications your browser automatically sends certain information to Google. This includes, for example, the web address of the page that you're visiting and your IP address. You will find the details of how the Google technology collects and processes data following this link https://www.google.com/policies/privacy/partners/.
You are entitled to ask the Company:
· For a copy of your personal data (in a commonly used electronic form, if you make such a request electronically);
· To correct your personal data (if it is inaccurate, incomplete or not up-to-date);
· To 'port' your personal data (i.e. to transfer in a structured, commonly used and machine-readable format, to you or another data controller);
· To erase your personal data; or
· To restrict its processing (i.e. processing will temporarily stop (save to the extent that personal data will continue to be stored)).
You also have rights to object to some processing that is based on our legitimate interests, and to processing for direct marketing purposes. Further, where the Company has asked for your consent to process your data, you are entitled to withdraw this consent.
These rights are limited in some situations – for example, where the Company can demonstrate that it has a legal requirement to process your personal data. In some instances, this may mean that we are able to retain data even if you withdraw your consent.
Where the Company and/ or your assigned Brand Partner requires your personal data to comply with legal or contractual obligations, then provision of such data is mandatory: if such data is not provided, then the Company and/ or your assigned Brand Partner will not be able to manage its contractual relationship with you, or to meet obligations placed on them. Above, we have described which data fields you are obliged to provide.
The Company hopes that can satisfy any queries you may have about the way they process your personal data. If you have any concerns about how your personal data are processed, the Company's data protection officer can be contacted at firstname.lastname@example.org. You may also contact us at the following address: Oriflame Holdings BV, Hoogstraat 8.5462 CX Veghel.
If you have unresolved concerns you also have the right to complain to data protection authorities. The relevant data protection authority will be the supervisory authority in the country of your habitual residence, place of work or of an alleged infringement of the data protection law.
How long will you hold my data?
The Company will keep your personal data for as long as necessary to perform the purposes set out in this privacy notice, as may be required by law such as for tax and accounting purposes, or as otherwise communicated to you. Different retention periods apply for different types of data, however the longest we will normally hold any personal data relating to processing of orders is 10 years. More information about the Company’s retention practice is available here.
Changes to this privacy notice
Any changes we may make to the privacy notice in the future will be posted on the website and, where appropriate, notified to you by e-mail or otherwise. The amendments will be also available at our premises.