- Respect your privacy and your data
OUR PRIVACY PROMISE
- We respect your privacy and your choices.
- We make sure that privacy and security are embedded in everything we do.
- We do not send you marketing communications unless you have asked us to. You can change your mind at any time.
- We never offer or sell your data.
- We are committed to keeping your data safe and secure. This includes only working with trusted partners.
- We are committed to being open and transparent about how we use your personal data.
- We do not use your personal data in ways that we have not told you about.
- We respect your rights, and always try to accommodate your requests as far as is possible, in line with our own legal and operational responsibilities.
For more information about our privacy practices, below we set out the types of personal data that we might collect or hold about you, how we use it, who we share it with, how we protect it and keep it secure, and your rights around your personal data.
2. Who we are and who is concerned by this Policy?
- Who is the data controller?
L’Oréal (UK) Limited
255 Hammersmith Road
London, W6 8AZ
L’Oréal is responsible for the personal data that you share with us and is the “data controller” for the purposes of applicable data protection laws.
- Professionals or partners; and
- Non-L’Oréal employees, interns or temporary workers or apprentices.
3. What is Personal Data & Data Processing?
- The term "personal data" refers to any information that may identify you directly or indirectly.
- Personal data that can identify you directly include:
- Your name and surname;
- Your email/postal address/phone number;
- Your username;
- Your birthday;
- Your picture;
- Content you create;
- Your financial information; and
- Information relating to your education and your career.
- Personal data that can identify you indirectly include:
- Your IP address,
- The MAC address of your mobile devices,
- What is Data Processing?
It is any operation performed on personal data such as collecting, recording, hosting, sending, organising, structuring, storing, keeping/retaining, adapting/modifying, retrieving, consulting/access, using, disclosing by transmission or otherwise making available, alignment or combination, restriction, erasing/deleting etc.
4. What personal data do we collect from you and how do we use it?
- How do we collect, generate or receive your personal data?
- We may collect or receive your personal data directly from you, through for example, one of the following means:
- Our information system, via the use of our webmail;
- Our extranet/intranet;
- The applications and software that you use;
- The badging system;
- The CCTV system;
- The forms or questionnaires that you fill-in; and/or
- The social networks or any other tool made available.
- In other cases we collect your personal data ourselves (e.g. when a CCTV system or badging system is implemented, or the data generated by the tools we use as part of the management of the event).
- When we collect personal data from you, we identify the required fields with an asterisk. Some of the personal data we require from you is mandatory, for example:
- To assist in the organisation of the event you are attending (e.g. knowing that you are attending);
- To respond to a request you may have made (e.g. to send you information, to validate your registration/subscription to a service, to make catering arrangements);
- To comply with legal obligations.
Failing to provide the required information may have consequences on the performance of the services and tools that we provide you or that are available.
Under no circumstances will we collect your personal data via tools that you are not aware of.
In the event that your personal/professional situation changes and that requires a modification of your personal data, you must let us know by contacting us at [email protected], or by the applicable method we described to you during the event.
5. Table summarizing the purposes, data processed, grounds of the processing and retention period
The table below provides detailed information relating to the following items:
- In what context is your personal data collected?
This column explains what activity or scenario you are involved in when we use or collect your personal data. For example, the type of event you are participating in.
- What personal data may we hold about you?
This column explains what types of personal data we may collect when you take part in a particular activity.
- How and why do we use your personal data?
This column explains what we do with your personal data, and the purposes for collecting and using it.
- What is our legal basis for using your personal data?
Whenever we use your personal data, we will have a legal basis to do this. For example, you have asked us to provide a service, you have given us your consent, we have a legitimate interest in using your personal data. The legal basis for the processing of your personal data can be:
- Your consent – This applies where you provide your personal data and specifically consent to us using it to provide you with a specific service, for example, so that:
- you can receive marketing communications from us. If you later ask us to stop sending you marketing communications, we need to keep some of your personal data on a suppression list so that we can make sure we do not contact you again. This is a legal obligation; and
- we can store certain cookies on your device. We may place targeted advertising cookies (these allow us to tailor services we offer, specifically to you) and analytical cookies (these measure your interaction with our site so we can make improvements) on your device.
- The performance of a contract – This applies where you provide us with your personal data in order for us to provide you with a service (e.g. you request a place at an event we are holding).
- Our legitimate interests – This applies where you provide us with your personal data and we use it to:
- improve our products and services. By providing us with your personal data, we are able to better understand your needs and expectations when it comes to the products and services we offer. This understanding means we can improve our products and services so they match your needs. This might involve performing analytics on how you use our products, services, and websites/apps/devices, or trying out new functions which we think you might like based on what we know about you.
- better engage with you. Where you provide us with your personal data, we may use it to encourage you to be more actively engaged with our products and brands and increase your overall brand engagement and awareness. One way we do this is by tailoring the marketing communications we send you so that you receive the information most relevant to you.
- prevent fraud. Where you provide us with your personal data, it means we can action any payment you make when you purchase any of our products and/or services, and importantly, check that your payment is free from fraud.
- To comply with a legal obligation – This is where you provide us with your personal data which we need to keep for our legal reasons (e.g. when you make a purchase we need to keep your transaction information to comply with our tax and financial reporting obligations).
- To protect the vital interests of an individual – This is where we use your personal data to protect you (or someone else) where there is evidence of danger to your (or someone else’s) health and/or safety.
In what context is your personal data collected?
What personal data may we hold about you?
How and why do we use your personal data?
What is our legal basis for using your personal data?
Use of website (anonymised data)
Run analytics and statistics to learn about and optimise user experience
To fulfil your request for a sample and send you marketing emails where opted in
Information you have shared with us about yourself via the chat function
To respond to your questions and otherwise interact with you
6. Automated Individual decision making & profiling
- Automated individual decision-making
Automated decision making means the ability to make decisions using technology, without human involvement.
L’Oréal does not use automated systems for individual decision-making.
- Profiling
This means automatically processing personal data to evaluate certain personal aspects about an individual, in particular to analyse or predict aspects concerning performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Where you provide us with content (feedback, text, images etc.) during events, or we send or display personalised communications or content to you, we may use some profiling techniques. This means that we may collect personal data about you in the different scenarios mentioned in the table above, and use this data to analyse, evaluate, or predict your personal preferences, interests, behaviour and/or location. Based on our analysis, we then send or display communications and/or content specifically tailored to your interests and needs.
You may have the right to object at any time to the use of your personal data for “profiling”. Please see “Your Rights and Choices” section below.
7. Who can access your personal data?
Firstly, we want to be clear that we do not sell your personal data.
- We may share your personal data within the L’Oréal Group.
Depending on the purpose for which your personal data is processed, any member of L'Oréal's organisation staff for the event may have access to your personal data, provided that:
- They need to have access to your personal data;
- If possible, your personal data is in a pseudonymised form (not allowing any direct identification); and
- It is necessary as part of your participation process within L'Oréal, or to meet our legal obligations, to prevent fraud and/or to secure our tools, for reasons of physical security, or after having obtained your consent to do so.
This means that we may communicate your personal data to our holding company, L'Oréal S.A., and its subsidiaries worldwide.
- We decide who has access to your personal data
Your personal data is only available to people and employees who need to access it as part of their duties within L'Oréal (e.g. the organisation team of the event), as well as the trusted third parties we work with. Access rights have been defined internally for this purpose.
- Your personal data may also be processed on our behalf by trusted service providers.
We may share your personal data with some of our service providers who perform a range of business operations on our behalf, including those that are located outside your country. In this case, L'Oréal imposes strong commitments on these service providers regarding the processing, confidentiality and security measures applying to your personal data that these service providers have access to. Thus, we only provide them with the personal data that is necessary for them to perform the services they have been assigned, and we require that they do not use your personal data for any other purposes.
As part of this, your personal data may be shared with, for example:
- third parties that provide us with SaaS solutions and tools to organise your participation in events, trainings, games, or to manage the services you have opted to receive;
- third parties that assist and help us in providing IT services, such as platform providers, hosting services, maintenance and technical assistance services for our databases as well as for our software and applications that may contain data relating to you (these providers may sometimes require access to your personal data to perform the requested tasks);
- third parties that provide us with administrative services, such as file archiving; and/or
- third parties that help us to ensure the security and monitoring of our premises.
- We may also disclose your personal data to third parties in certain specific situations:
- If we are obliged to disclose or share your personal data to comply with a legal obligation, a court or administrative order or decision, or to protect the rights, property or safety of L'Oréal, its customers or employees;
- If you have given your consent to do so; and/or
- If the law allows us to do so.
8. How long do we retain your personal data?
- We retain your personal data only for the period necessary to achieve the purpose for which we hold it, to meet your needs or to fulfil our legal obligations. Generally, most of your personal data is retained for the duration of the event and its consequences.
- When we do not need to use your personal data we delete it from our systems and files or anonymise it so that you can no longer be identified.
- We may retain certain aspects of your personal data in order to fulfil our legal or regulatory obligations and to allow us to exercise our rights (e.g. filing a claim before the courts) or for statistical or historical purposes.
- We may fully anonymise your personal data and use it to generate statistics and other types of reports.
9. Where do we store your personal data and what security measures are implemented to protect it?
- Location of your personal data:
The personal data that we collect from you may be transferred to, accessed in, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our service providers.
For further information, please contact us as per the “Contact Us” section below.
- Security measures implemented
- We take all reasonable measures regarding the nature of your personal data and the risks incurred by its processing, to preserve the security of your personal data and, in particular, to prevent it from being distorted, damaged, or accessed by unauthorised third parties.
- In addition, we require third party service providers who have access to your personal data on our behalf, through an agreement, to commit to the same obligations.
As no transmission of information via the internet is completely secure, we cannot guarantee the security of your personal data transmitted to us via the internet. Any transmission is therefore at your own risk.
10. Your rights and your choices
L'Oréal respects your right to privacy: it is important that you control your personal data. You have the following rights:
- Accessing and obtaining a copy: You have the right to access, and receive a copy of, any personal data we hold about you (subject to certain restrictions). In exceptional circumstances we may charge a reasonable fee for providing such access but only where permitted by law.
- Right to rectify: You have the right to access, and receive a copy of, any personal data we hold about you (subject to certain restrictions). In exceptional circumstances we may charge a reasonable fee for providing such access but only where permitted by law.
- Right to erasure and right to be forgotten: In some cases, you have the right to have your personal data erased or deleted. Note this is not an absolute right, as we may have legal or legitimate grounds for retaining your personal data.
- Right to object to direct marketing, including profiling, and any processing based on our legitimate interests: You can unsubscribe or opt out of our direct marketing communication at any time. The easiest way to do this is by clicking on the “unsubscribe” link in any email or communication we send you. In circumstances where you have the right to object to profiling or any processing based on our legitimate interests, you should contact us using the details below.
- Right to withdraw your consent at any time for processing based on consent: You can withdraw your consent to our processing of your personal data when such processing is based on consent. Where you withdraw your consent, this does not affect the lawfulness of our processing before your withdrawal. Please see the table in section “How and why do we use your personal data?” specifically the column “What is our legal basis for processing your personal data?” to see where/when our processing is based on consent.
- Right to object to processing based on legitimate interests: You may object at any time to our processing of your personal data when such processing is based on our legitimate interests. Please see the table in section “How and why do we use your personal data?” specifically the column “What is our legal basis for processing your personal data?” to see where/when our processing is based on legitimate interests.
- Right not to be subject to a decision based solely on automated decision-making: Where we use your personal data to make an automated decision about you (please see “Automated Decision Making” above for examples), you have the right to object to our decision. Your right does not apply if: (i) you gave us your explicit consent to use your personal data to make our decision; (ii) we are allowed by law to make our decision; or (iii) our automated decision was necessary to enable us to enter into a contract with you.
- File a complaint before a supervisory authority: You have the right to contact the data protection authority of your country in order to lodge a complaint against our data protection and privacy practices. Do not hesitate to contact us at the details below before lodging any complaint with the competent data protection authority as we will always seek to resolve your complaint in the first instance.
- Right to data portability: You have the right to move, copy or transfer personal data from our database to another. This only applies to personal data that you have provided, where processing is based on a contract or your consent, and the processing is carried out by automated means. Please see the table in section “How and why do we use your personal data?” specifically the column “What is our legal basis for processing your personal data?” to see where/when our processing is based on consent or the performance of a contract.
- Right to restriction of processing: This right means that our processing of your personal data is restricted, so we can store it, but not use nor process it further. It applies in the following limited circumstances set out in the General Data Protection Regulation:
- the accuracy of the personal data is contested by you, for a period enabling L’Oréal to verify the accuracy of the personal data;
- the processing is unlawful and you object to the erasure of your personal data and request that L’Oréal restrict the ways in which it processes your personal data;
- L’Oréal no longer needs your personal data for the purposes of its processing, but you require the personal data for the establishment, exercise or defence of legal claims;
- You object to L’Oréal’s processing of your personal data based on L’Oréal’s legitimate interests, pending verification of whether L’Oréal’s legitimate grounds override your rights and freedoms.
To exercise each of the rights listed above, please contact us at the contact details below. We may ask you to prove your identity and provide additional information about your request before processing your request.
11. Contact us
If you have any questions or concerns about how we treat and use your personal data, or would like to exercise any of your rights above, please contact us at [email protected] or by writing to us at:
Data Protection Officer
L’Oréal (UK) Limited
255 Hammersmith Road
If you would like to get in touch with our Data Protection Officer, please contact us at [email protected].