Data protection policy

DATA PROTECTION POLICY

Last update : January 2021

Shiseido is committed to building strong and lasting relationships with its customers, based on trust and transparency. In accordance with this philosophy, the protection of your personal data is essential to us and we wish to inform you, through this privacy policy, of the way in which we collect and process this data.

This Data Protection Policy ("Policy") describes how we use personal data (or "Data") - meaning any information about you - that we may collect when you use the Shiseido Friends&Family website. (hereinafter the "Site") or how we ensure the protection of this Data.

Information notices or requests for consent may be sent to you in certain specific cases, not covered by this Policy, where Shiseido may process your Data.

We hope this document will answer all your questions. If this was not the case, you can contact us viathis form for more information.

Who is responsible for processing your Data?

This Site is operated by Beauté Prestige International, whose trading name is Shiseido EMEA.

Beauté Prestige International is responsible for processing your Data.

This means that Shiseido EMEA determines the reasons (i.e. the purposes) for which your Data is processed as well as the resources (i.e. the means) allocated to these purposes.

What Data do we collect and how do we get it?

When you use our Site, we may collect different categories of Data about you, described in more detail below.

a) Data that you provide to us directly

Identification data : this is information such as your first and last name, your age or age group, your title, your date of birth, your general geographical location (for example, postcode or city), etc. .

Contact information : this is any information that allows us to contact you personally, such as your postal address, your e-mail address or your telephone number (home, mobile), etc.

Order and Product Information : These are details of the products you have ordered, the date and time of your orders, etc.

Payment and Transaction Information : This is any information you use to make a purchase, such as your payment card details. Payments made on our Site are made through our payment gateway provider: ADYEN. Please note that we do not have access to the bank details that you transmit to this service provider, which operates independently. For more information, please refer to its privacy policy.

Information concerning adverse effects : this may include information on your allergies or intolerances or any other information relating to your health that you may communicate to our customer service as part of a notification of adverse effects that may be linked to the use of our products. Please note that we use this information in order to comply with our legal obligations in terms of monitoring adverse effects, in accordance with the European regulation on cosmetic products n°1223/2009 transposed into French law.

b) Data collected automatically

The following categories of Data may be collected automatically when you browse our Site, through various tracking technologies such as cookies:

Technical information : this may be your IP address, the browser you use or other technical data relating to your device, etc.

Connection data : this may be your identifiers, your date and time of connection to your account, to our Site, etc.)

Data relating to the use of our Site : this may be the pages consulted, products searched, the duration of your visit, etc.

On what legal basis do we process your Data?

We generally use your Data on the basis of the following grounds:

Execution of the contract we have concluded with you: in certain cases, your Data is necessary to execute our contractual obligations. For example, if you buy products from our Site, we need your name and contact details to communicate with you and deliver the products you have ordered. If you do not provide your Data, we will not be able to provide you with the requested products and services;

Your prior consent: in some cases, we may ask for your consent before using your Data. For example, we will always ask for your permission to send you promotional communications;

Compliance with a legal obligation applicable to us: sometimes we need to collect and use your Data in order to comply with our own legal obligations. For example, tax regulations require us to keep track of invoices related to your purchases;

Our Legitimate Interest: This is a legal term which means that we have a valid reason to use your Data and we do so in a way that does not adversely affect your rights and interests. For example, we analyze how you interact with our Site to better understand which elements of the Site work and which do not. This allows us to improve and develop the quality of the online experience we provide to our users.

For what purposes do we process your Data?

We may collect, use and disclose your Data for the following main purposes:

For what purposes do we use your Data?	What Data do we use?	On what legal basis?
Manage your online activities
Create and manage your registration	· Identification and contact information Login data	Your prior consent
Manage your product orders online	· Identification and contact information · Order and product information Information relating to payments and transactions Login data	Execution of the sales contract with you
interact with you
To interact with you when you contact us through our customer service or through any other channel (email, SMS, telephone, compliments, comments, requests, etc.)	· Identification and contact information · Order and product information · Technical informations Login data	Your prior consent
Manage your adverse reaction notifications	· Identification and contact information · Order and product information Adverse event information, including health information and photos of you that you may send us	Your prior consent
Manage your requests on your personal data	· Identification and contact information	Compliance with a legal obligation
Analyze traffic on our Sites
Offer you online content tailored to your preferences and browsing habits	Login data Data relating to your use of our Site · Technical informations	Your prior consent
Manage and track traffic to our Sites	Login data Data relating to your use of our Site · Technical informations	Your prior consent
Others
Carry out analyzes and statistics	· Order and product information Login data Data relating to your use of our Site · Technical informations	Our legitimate interest
Exercise our rights in the event of a dispute or legal proceeding	· Identification and contact information · Order and product information Information on adverse events	Our legitimate interest
Ensuring the security of our Sites	· Identification and contact information · information · Technical informations Data relating to your use of our Site Login data	Our legitimate interest

With whom do we share your Data?

Depending on the type of Data and the purpose for which we use it, your Data may be shared with the following persons:

Other subsidiaries and entities of the Shiseido group : your Data may be shared with other subsidiaries of the Shiseido group involved in the management of our customer relationship.

Third-party suppliers and service providers : your Data may be made accessible to suppliers or service providers acting on our behalf and according to our instructions, for the purposes described in section 4. For example, our carriers will need to have access to your Data to deliver the products you have ordered, our marketing service providers will need access to your Data to send you our communications, our technical maintenance service providers may have access to your Data in the event of a technical incident, etc.

In all cases, we ensure that these third parties:

are subject to strict contractual obligations in terms of Data protection and confidentiality;

undertake to comply with all applicable Data protection laws and not to use your Data for purposes other than those provided for in the contracts we have signed with them;

implement appropriate technical and organizational security measures to protect the integrity and confidentiality of your Data.

Public authorities and judicial authorities : we may share your Data with public authorities when the law requires us to do so. For example, we may be asked to provide invoices to tax or financial authorities, or to provide health authorities with information relating to adverse reactions related to the use of our products. We may also be required to share your Data with the legal authorities in the event of a dispute.

Our professional advisers : we may also share your Data when necessary with our various advisers, such as our accountants, auditors, lawyers, insurers, etc.

Potential acquirers and other actors involved in our business transfer operations : we may share your Data in the event of an acquisition, merger, sale or business restructuring. In this context, the acquirer will act as the new controller of your Data.

In any case, rest assured that we only provide access to your Data when it is justified and necessary to achieve the purpose for which it is granted. Under no circumstances do we rent, exchange or sell your Data to third-party companies.

Where can your Data be transferred?

Shiseido is a multinational organization with subsidiaries, suppliers and partners located in many countries around the world. Thus, Shiseido may need to share your Data with entities located in other jurisdictions, including outside the European Economic Area, in countries which may not be considered to offer the same level of data protection as the jurisdiction in which you reside.

Shiseido EMEA, our European headquarters in charge of our e-commerce operations, customer relationship management and marketing operations in Europe, is located in France.

Your Data may also be shared with our American subsidiary and our Japanese headquarters, which in particular ensure the overall management of our customer relationship management system.

In all cases, we ensure that the adequate safeguards required by applicable data protection legislation are in place. These guarantees include:

Adequacy decisions published by the European Commission;

European Commission standard contractual clauses;

The binding corporate rules of our suppliers (“BCR” or “Binding Corporates Rules”).

For more information on the transfer of your Data, you can contact our Data Protection Officer (for this, please refer to the section “Your rights and choices”).

How do we protect your Data?

Shiseido knows how important Data security is. We take all appropriate measures to protect your Data against unauthorized access, modification, disclosure or destruction. We pay particular attention to Sensitive Data, such as your bank details and data relating to your allergies or intolerances.

Please note, however, that any information you choose to share in public areas, for example through the social media features of our Sites, is by definition considered public and can be seen by anyone accessing the relevant platform.

How long do we keep your Data?

We keep your Data for the duration(s) necessary for the purposes described in this Privacy Policy (see section 4). The criteria used to determine these retention periods include:

the duration of our relationship with you;
the existence of legal obligations to which we may be subject;
the legal necessity or authorization of a longer retention period.

Your identification and contact information is kept for the duration of the sale, then deleted at the end of each sale.

Note however that you have placed an order, information relating to orders and products will be kept for the legal periods.

Data relating to children

Our Sites are not directed to children under the age of 16. We do not solicit or collect any type of information from anyone known to be under the age of 16.

In the event of accidental collection of data relating to a child under the age of 16, we will delete this information from our files as soon as possible after becoming aware of it.

Your rights and choices

In accordance with applicable data protection law, you have the right to ask us:

Access to the Data we hold about you;

The correction of your Data if they are incomplete or inaccurate;

The deletion of your Data, in the cases provided for by law. Please note that in some cases, we may refuse to erase your Data, to meet our legal obligations or if authorized in the context of our legitimate interest;

Stopping the use of your Data, withdrawing your consent at any time when our "legal basis" for using your Data is your consent, or objecting to the use of your Data when our "legal basis" is our legitimate interest and that we have no overriding legitimate interest in continuing to use your Data;

The limitation of the use of your Data, in the cases provided for by law;

In certain cases provided for by law, obtaining a copy of the Data that you have provided to us, in a commonly used format, in order to transmit it to another data controller.

To exercise your rights or for any question relating to the use of your Data, please contact our Data Protection Officer:

Via our online form: https://privacy.emea.shiseido.com

By post: Data Protection Officer

Shiseido EMEA

57 rue de Villiers

92200 Neuilly-sur-Seine

France

Please note that in order to process your request, we may ask you for proof of identity.

If you believe that your Data has not been processed correctly, or if you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.