Method of collection and legal basis for Processing
Comply with regulatory obligations
· verify your age
This information is generally provided to us by you directly.
We use it because it is necessary for us to comply with a legal obligation to sell products only to adults, or, in countries where there is no such legal obligation, because we have a legitimate business interest to sell our products only to adults that is not overridden by your interests, rights and freedoms to protect information about you.
Enabling PMI touchpoint usage, public relation articles for media and email notification
· to enable usage of PMI touchpoints (for example, enabling you to stay logged in the touchpoint’s section reserved for authorized users only, administering your working language)
· to deliver PMI public relations articles or email notifications
· to personalize your experience with PMI touchpoints (for example, to personalize your visits with greetings or suggestion that might be of your interest)
· administration and troubleshooting
This will typically be a combination of information that you provide to us (for example, your name and contact and social media details); information that we collect automatically (for example, using technology to monitor use of PMI touchpoints).
We use it on the grounds that we have a legitimate business interest to do business by using PMI touchpoints, and to personalize your experiences, in these ways that is not overridden by your interests, rights and freedoms to protect information about you.
To fulfill contractual obligation towards you in the user-generated part of content (where it is applicable)
· when you fill in the content on PMI touchpoint, we use information about you and the content you’ve filled in, in accordance to our conditions that regulate user generated content
This information is generally provided to us by you directly.
We use it because we have a legitimate business interest to lead our business operations, manage relations with you and maintain security and integrity of our IT systems in the way that is not overridden by your interests, rights and freedoms to protect information about you.
System security and surveillance
· autentification and control of access and log-in, where it is applicable
This information is automatically collected via various tools like automated systems and surveillance systems.
We use it because we have a legitimate business interest to ensure trust, integrity and safety of our digital infrastructure in the way that is not overridden by your interests, rights and freedoms to protect information about you.
Business analytics and improvements
· for analytics and business improvement (including for PMI products, outlets that sell PMI products, events, digital PMI touchpoints and the information that we (or our affiliates) provide to our customers)
This will typically be a combination of information that you provide to us; information that we collect automatically; and (where permitted by law) information that we acquire from third parties.
We use it on the grounds that we have a legitimate business interest to analyze and to improve our business performance, our products, PMI touchpoints, outlets and events, and to invite others to get involved in promoting PMI products, that is not overridden by interests, rights and freedoms to protect information about you.
Where we do not base our use of information about you on one of the above legal bases, we will ask for your consent before we process the information (these cases will be clear from the context).
In some instances, we may use information about you in ways that are not described above. Where this is the case, we will provide a supplemental privacy notice that explains such use. You should read any supplemental notice in conjunction with this notice.
Who do we share your information with, and for what purposes?
We may share information about you with:
Find out more…
Sharing data with other PMI affiliates
Sharing data with Third Parties
Where might information about you be sent?
As with any multinational organisation, PMI affiliates transfer information globally. Accordingly, information about you may be transferred globally (if your information is collected within the European Economic Area, this means that your information may be transferred outside it).
Find out more…
When using information as described in this notice, information about you may be transferred either within or outside the country or territory where it was collected, including to a country or territory that may not have equivalent data protection standards.
For example, PMI affiliates within the European Economic Area (“EEA”) may transfer personal information to PMI affiliates outside the EEA. In all cases, the transfer will be:
In all cases, appropriate security measures for the protection of personal information will be applied in those countries or territories, in accordance with applicable data protection laws.
How do we protect information about you?
We implement appropriate technical and organisational measures to protect personal information that we hold from unauthorised disclosure, use, alteration or destruction. Where appropriate, we use encryption and other technologies that can assist in securing the information you provide. We also require our service providers to comply with strict data privacy and security requirements.
How long will information about you be kept?
We will retain information about you for the period necessary to fulfil the purposes for which the information was collected. After that, we will delete it. The period will vary depending on the purposes for which the information was collected. Note that in some circumstances, you have the right to request us to delete the information. Also, we are sometimes legally obliged to retain the information, for example, for tax and accounting purposes.
find out more…
Typically, we retain data based on the criteria described in the table below:
If you registered for receiving email notification (and similar) or for usage of PMI touchpoints, majority of information on your profile is kept during the period you receive notifications, or use digital touchpoints, or respond to our communication. However, some of the elements in your profile, like history of digital touchpoint usage, naturally outdate after certain period, so we automatically delete them after defined period customized for the reasons they were collected.
· system audit logs
System audit logs are retained typically for a period of only a few months.
· business analytics
Business analytics data is typically collected automatically when you use PMI touchpoints and anonymised/aggregated shortly afterwards.
What rights and options?
You may have some or all of the following rights in respect of information about you that we hold:
We offer you easy ways to exercise these rights, such as “unsubscribe” links, or giving you a contact address, in messages you receive.
Some mobile applications we offer might also send you push messages, for instance about new products or services. You can disable these messages through the settings in your phone or the application.
find out more…
The rights you have depend on the laws of your country. If you are in the European Economic Area, you will have the rights set out in the table below. If you are elsewhere, you can contact us (see the paragraph “who should you contact with questions?” at the end of this notice) to find out more.
Right in respect of the information about you that we hold
Further detail (note: certain legal limits to all these rights apply)
· to request us to give you access to it
This is confirmation of:
· whether or not we process information about you;
· our name and contact details;
· the purpose of the processing;
· the categories of information concerned;
· the categories of persons with whom we share the information and, where any person is outside the EEA and does not benefit from a European Commission adequacy decision, the appropriate safeguards for protecting the information;
· (if we have it) the source of the information, if we did not collect it from you;
· (to the extent we do any, which will have been brought to your attention) the existence of automated decision-making, including profiling, that produces legal effects concerning you, or significantly affects you in a similar way, and information about the logic involved, as well as the significance and the envisaged consequences of such processing for you; and
· the criteria for determining the period for which we will store the information.
On your request we will provide you with a copy of the information about you that we use (provided this does not affect the rights and freedoms of others).
· to request us to rectify or update it
This applies if the information we hold is inaccurate or incomplete.
· to request us to erase it
This applies if:
· the information we hold is no longer necessary in relation to the purposes for which we use it;
· we use the information on the basis of your consent and you withdraw your consent (in this case, we will remember not to contact you again, unless you tell us you want us to delete all information about you in which case we will respect your wishes);
· we use the information on the basis of legitimate interest and we find that, following your objection, we do not have an overriding interest in continuing to use it;
· the information was unlawfully obtained or used; or
· to comply with a legal obligation.
· to request us to restrict our processing of it
This right applies, temporarily while we look into your case, if you:
· contest the accuracy of the information we use; or
· have objected to our using the information on the basis of legitimate interest (if you make use of your right in these cases, we will tell you before we use the information again).
This right applies also if:
· our use is unlawful and you oppose the erasure of the data; or
· we no longer need the data, but you require it to establish a legal case.
· to object to our processing it
You have two rights here:
i. if we use information about you for direct marketing: you can “opt out” (without the need to justify it) and we will comply with your request; and
ii. if we use the information about you on the basis of legitimate interest for purposes other than direct marketing, you can object to our using it for those purposes, giving an explanation of your particular situation, and we will consider your objection.
· to withdraw your consent to our using it
This applies if the legal basis on which we use the information about you is consent. These cases will be clear from the context.
· to data portability
i. you have provided data to us; and
ii. we use that data, by automated means, and on the basis either of your consent, or on the basis of discharging our contractual obligations to you, then you have the right to receive the data back from us in a commonly used format, and the right to require us to transmit the data to someone else if it is technically feasible for us to do so.
· to lodge a complaint with the supervisory authority in your country
Each European Economic Area country must provide for one or more public authorities for this purpose.
You can find their contact details here:
Country-specific additional points
According to which country you are in, you may have some additional rights.
If you are in France, find out more…
Your instructions may require us to transfer information about you to a third party (but where the information contains information about others, our obligation to respect also their privacy rights might mean that we can’t follow your instructions to the letter). You may appoint a third party to be responsible for ensuring your instructions are followed. If you do not appoint a third party in that way, you successors will (unless you specify otherwise in your instructions) be entitled to exercise your rights over information about you after your death:
You may amend or revoke your instructions at any time. For further information on the processing of information about you in the event of your death, see Article 40-1 of the law 78-17 dated 6 January 1978. When you die, by default, you will stop using your account and we will delete information about you in accordance with our retention policies (see the paragraph “How long will information about you be kept?” for details).
Who should you contact with questions?
If you have any questions, or wish to exercise any of your rights, you can find contact details for the relevant PMI affiliate, and if applicable data protection officer, here. Contact details will also be given in any communications that a PMI affiliate sends you.
If your country has a data protection authority, you have a right to contact it with any questions or concerns. If the relevant PMI affiliate cannot resolve your questions or concerns, you also have the right to seek judicial remedy before a national court.
Changes to this notice
We may update this notice (and any supplemental privacy notice), from time to time. We will notify you of the changes where required by law to do so.