Privacy Policy
Last update: July 2024
We are committed to building strong and lasting relationships with our customers based on trust and transparency. In accordance with this philosophy, the protection of your Personal Data (“Data” i.e. any information about or related to you) is essential to us and we wish to inform you via this Privacy Policy of how we collect and process this Data.
This Privacy Policy (“Policy”), in compliance with applicable Data Protection Regulation, explains how we use the Data we may collect when you interact with us either online, when you use our websites and applications (hereinafter referred to as the “Services”, the “Site” or the “Sites”) or offline, when you visit one of our stores, and how we ensure the protection of this Data.
Specific privacy and data protection information notices and/or consent requests will, if necessary, be communicated to you in specific situations not covered in this Policy where Shiseido may process your Data. Such data protection information notices and/or consent requests may however refer to this Policy.
1. Who controls the processing of your Data?
The brand NARS is part of the Shiseido Group’s brand portfolio.
Beauté Prestige International, Shiseido’s European headquarters based in Paris, France, whose trade name is Shiseido EMEA, is the controller of the processing of your Data, jointly with SHISEIDO UK.
This means that Shiseido EMEA determines for what reasons (i.e. the purposes) your Data is processed as well as the resources (i.e. the means) allocated to such processing and is responsible for the processing of your Data.
Shiseido EMEA is in charge of leading our ecommerce, customer relations and marketing efforts for Europe, the UK and Switzerland. The related Data processing is carried out by or on behalf of Shiseido EMEA.
Shiseido EMEA may further share information with the whole Shiseido Group in accordance with the safeguards foreseen in this policy (see Section 7).
Shiseido EMEA, as well as all companies of the Shiseido Group, are hereafter designated or referred to as “We”, “Our” or “Us”.
2. What Data do we collect and from what sources?
Depending on how you interact with Us (online, offline, by phone, etc.), we may collect from you various categories of Data, which are described in more detail below.
a) Data you provide to us
You may provide the following categories of Data when you interact with Us, for instance when you visit Our Sites, Our stores, or when you participate in one of Our promotional operations, etc. We may also generate Data based on your activity and interactions with Us.
- Identification information: this includes information such as your name, surname, age or age range, title, date of birth, account ID, general geographic location (e.g., postcode or city and state), etc.
- Contact information: this includes any information that would allow Us to personally contact you, such as your home address, billing address, your email address, your phone number (home, mobile), communication language, etc.
- Marketing information: when you subscribe to Our newsletter or other marketing communication in order to receive information on Our products or activities, we will collect Marketing information through the subscription form, such as consent form to receive communications. We will also track your activity regarding Our brand and products in order to assess whether it is still relevant for you to keep receiving newsletters or other marketing communications.
- Order and product information: this includes details of the products you have ordered and searched for online or in Our shops, the date and time of your orders and searches, your related customer ID if any, and the shops you prefer to visit, etc. We will also collect information related to any return, transaction number, shipping amount, currency, taxes, net sales amount and keep your purchase history.
- Habits and preferences: this includes any information related to your preferences and interests such as your favorite products, lifestyle information, your concerns in terms of beauty and care, reaction to marketing campaigns, etc.
- Payment and transaction-related information: this includes any information that you use to make a purchase, such as your payment card details. Payments made on the Site are made through Our payment gateway providers. Please note that we do not have access to the payment details you provide to these service providers, which operate autonomously. For more information please refer to the relevant service provider's privacy policy.
- User-generated content and posts: this refers to any content (suggestions, testimonials, surveys or any other feedback) that you voluntarily share with Us about your experience in using Our products or services. This also includes your posts on Our applications, such as Our Facebook fan pages (photos, videos, personal stories, or other similar media or content). While submitting any such content, please ensure it is accurate, does not infringe any third-party intellectual property and does not transmit any sensitive data such as political opinions, your religion, your sexual orientation, ethnic or racial origin.
- Particular Data: this might include, in case of adverse effects, information on your allergies, intolerances and other health-related information, which might be related to Our products, that you provide to Us. Please note that We only use this information in accordance with Our legal obligations to follow up on adverse events reported to Us by Our customers (in accordance with EU Regulation).
- Request information: in order for Us to comply with applicable Data Protection Regulation (e.g. GDPR in EU countries) and ensure you are able to exercise any of your related rights, We may collect information related to you such as last name, first name, type of request (e.g., personal information rectification or deletion request), further request details necessary to process your request (e.g. identification details), and the content of your request provided to Us.
- CCTV: your image may be recorded on CCTV when you visit one of our shops. We might have to use it for security reasons. We regularly delete the footage unless an incident or alleged incident requires investigation or action.
b) Automatically collected Data
Subject to the set up of your internet browser, the following categories of Data may be collected automatically when you navigate through Our Sites, due to various tracking technologies such as browser cookies. Such information may include:
- Technical information: part of your IP address, the browser (type and version) you use, the name of your access provider, your operating system and interface or data related to your device, language preference, etc.
- Connection data: logs (identifiers, date and time of connection to your account, to Our Sites, etc.)
- Data relating to your use of our Sites and applications: pages viewed, the website from which you are visiting Us, your navigation actions, searched products, date, time and duration of your visit, etc.
c) Data we receive and collect from other sources
- Third parties and advertising partners: We may obtain information, including Data, from third parties and sources other than Our Site, such as Our advertisers. This may be the case when you accept cookies, which will help Us understand your activities, how you use Our services, the purchases you make, the advertisements you watch, etc. Such information is necessary in order for Us to optimize Our media campaign and ensure We are not delivering to you ads that do not fit with your preferences and profile.
- Social media partners: subject to your cookie consent, We might receive information from social media platforms (such as Facebook and Instagram) when you use your social network account to access one of Our services (e.g. to participate in one of Our promotional operations or to make a purchase without having to create an account on Our site) or when using social media plug-ins (e.g. “like” and “share” buttons). The mere use of Our Sites does generally not involve Data processing activities or Data transfers by or to social media platforms. However, depending on your cookie choices or confidentiality settings, social media platforms may independently collect and otherwise process personal Data about or related to you in order to provide personalized advertising, including Our ads. For more information about the scope and purposes of such Data processing by the social media platform, please see their own privacy notices.
3. On which legal grounds do We process your Data?
We generally use your Data on the basis of the following grounds:
- The performance of the contract we have with you: in certain circumstances, We need your Data to execute Our contractual obligations. For example, if you buy products through Our Site, We need your name and contact details so We can communicate with you and deliver the products you ordered. If you do not provide your Data, We will not be able to provide you with the requested products and services. We generally indicate the mandatory fields with asterisks;
- Your prior consent: in certain cases, We may ask for your consent before using your Data. For instance, We will always ask for non-customers' permission to send promotional communications;
- Compliance with a legal obligation applicable to us: sometimes We have to collect and use your Data in order to comply with Our own legal obligations. For example, tax laws require Us to keep a record of invoices related to your purchases;
- Our legitimate interests: this is a legal term in data protection law which means We have a good and fair reason to use your Data and We do so in ways which do not hurt your interests and rights. For instance, We analyse how you and other users interact with Our Site so We can better understand what elements of the design are working well and which are not working so well. This allows Us to improve and develop the quality of the online experience We offer all Our users.
4. For what purposes do we use your Data?
We may collect, use and disclose your Data for the main following purposes:
| For what purpose do we use your Data? | What Data do we use? | On which legal ground? |
| --- | --- | --- |
| Manage your online activities | | |
| Create and manage your online account | Identification and contact information; Order and product information; Habits and preferences; Connection data | Your prior consent |
| Manage your online product orders | Identification and contact information; Order and product information; Payment and transaction-related information; Connection data | The execution of pre-contractual and contractual measures |
| Send you customized communication based on your profile | Habits and preferences | Our legitimate interest |
| Only for Our Italian websites: commercial profiling purposes carried out by the Data Controller, both with human intervention and in automated mode | Habits and preferences | Your prior consent for Our Italian Websites |
| Manage your participation in one of our promotional operations (game-contests, sample operations, promotional offers…) | Identification and contact information; Order and product information; User-generated content | Your prior consent |
| Offer you quality services in store | | |
| Create and manage your personal profile to offer you personalised services and advices in store, according to your preferences | Identification and contact information; Order and product information; Habits and preferences (might include information related to your allergies) | Your prior consent |
| Manage your appointments with us (with your beauty consultants, make-up sessions, tutorials and events, etc.) | Identification and contact information; Habits and preferences | Performance of the service contract with you |
| Manage cabin treatments | Identification and contact information; Order and product information; Habits and preferences (might include health related data) | Performance of the service contract with you; Your prior consent |
| Manage your registration to our loyalty programs | Identification and contact information; Order and product information | The execution of pre-contractual and contractual measures |
| Manage distance selling (click & collect, orders by phone, etc.) | Identification and contact information; Order and product information; Payment and transaction-related information | Performance of the sales contract with you |
| Interacting with you | | |
| Manage promotional communications (via email, SMS or phone), either because you consented to receive our promotional offers or to exchange with your beauty consultants in store | Identification and contact information; Order and product information; Habits and preferences; Technical information; Connection data; Data relating to your use of our Sites and applications | Our legitimate interest; Your prior consent |
| Interact with you when you contact us via our customer service or via any other channel (online chat, email, text message, telephone help line for any reason, compliments, feedback or a request, etc.) | Identification and contact information; Order and product information; User-generated content; Technical information; Connection data | The execution of pre-contractual and contractual measures; Our legitimate interest |
| Manage your comments and reviews on our products | Identification and contact information; Order and product information; User-generated content | |
| Assess your satisfaction | Identification and contact information; Order and product information; Habits and preferences; User-generated content | Our legitimate interest |
| Carry out market surveys | Identification and contact information; Order and product information; Habits and preferences; User-generated content | Our legitimate interest |
| Managing back-in stock emails notifications | Identification and contact information | Performance of the sales contract with you |
| Manage adverse events notifications | Identification and contact information; Order and product information; Habits and preferences; Information on adverse events including health-related information and pictures of you and those you might send us; User-generated content | Your prior consent; Compliance with a legal obligation applicable to us |
| Manage your requests on your Personal Data | Identification and contact information; User-generated content | The execution of pre-contractual and contractual measures |
| Website analysis | | |
| Offering you online content adapted to your preferences and online behaviour | Habits and preferences; Connection data; Data related to your use of our Sites and applications; Technical information | Our legitimate interest; Your prior consent |
| Managing and following traffic, navigation and use of Our Sites | Connection data; Data related to your use of our Sites and applications; Interaction with social networks and external platforms; Technical information | Our legitimate interest; Your prior consent |
| Others | | |
| Performing analysis and statistics | Order and product information; User-generated content; Habits and preferences; Connection data; Data related to your use of our Sites and applications; Technical information | Our legitimate interest |
| Exercise Our legal rights in case of proceedings | Identification and contact information; Order and product information; Information on adverse events; User-generated content | Legal obligation; Legitimate interest |
| Ensuring Our websites security | Identification and contact information; Technical information; Data related to your use of our Sites and applications; Connection data | Our legitimate interest |
| Managing video surveillance in our shops | CCTV images | Our legitimate interest |
5. Data Enrichment and Profiling
To have a better overall understanding of you as a customer, We may combine information about you gathered across various channels. For example, Data collected in the course of your online activity (e.g. shopping, account creation, etc.) may be combined with Data We collect when you visit one of Our stores.
This Data enrichment may also occur between different brands of our group. For example, if you make an online purchase on one of Our brand websites and then create an online account with the same email address on another brand website, the Data collected through these two websites may be combined to enrich your customer profile.
This helps Us to propose products and advice that is most relevant to your interests at particular times, by email or when you visit one of Our stores.
You can object to these "profiling" operations at any time by contacting Us. Please refer to section 11.
6. With whom do We share your Data?
Depending on the type of Data and purpose of processing, access may be granted to the following authorized persons:
- Other brands of our group: To the extent permitted by law and taking into account the protection of your rights and freedom in respect of the processing of your Data, and the consent you have given (if need be), some of your Data may be shared with the other brands of our group, for example, to enrich your customer profile, to develop other brands' media audience and to update your Data as regularly as possible. Your Data will only be accessible to a limited and defined number of recipients within Our group on a strict need-to-know basis.
- Other affiliates and group entities: your Data may be shared with the other affiliates of our group who are involved in the processing of your Data.
- Third-party vendors and providers: Your Data will generally not be shared with recipients outside Our group. In some cases, however, We may make your Data accessible to selected third-party vendors or providers acting on Our behalf and Our instructions (this may include other affiliates or brands of Our group) or to partners acting as data controller in the course of delivering specific services to You. The sharing of your Data will only take place for the needs of the purposes described in section 4 above.
  - The transporters will need to access your Data to deliver the products you ordered
  - The marketing campaign providers will need to access your Data to send you Our communications
  - The IT maintenance providers might need to access your Data in case of technical incident
  - The Digital and social media partners may have access to some of Your online activities
  - The online payment provider will need to process your bank account information in order to finalize online transactions in its capacity as data controller (We will not have access to any such Data)
In any case, We require such third parties to:
- be subject to strict contractual data protection and confidentiality obligations;
- undertake to comply with all applicable data protection laws and exclusively for the purposes specified in the contract We have with them;
- implement appropriate technical and organizational security measures designed to protect the integrity and confidentiality of your Data.
- Digital and social media partners: In order to share content on or through social media, Our Sites may use functionalities, links or icons owned by Our digital and social media partners. These may consist, for example, of the like or sharing buttons on social networks such as Facebook or Instagram. Such functionalities allow you to view content or share content, preferences and opinions on or in relation to Our products. We also use online tools from providers such as Google, Facebook or Instagram (Google Analytics, Facebook Custom Audience or Conversion API) to optimize Our ad targeting campaigns and ensure We deliver the advertising content that suits you best. The providers of these tools, functionalities, links or icons can directly identify you when you use them, or even if you do not use them but (i) you have an account with such social network or platform, or (ii) you are already known and identified by such providers. As soon as you view content or share content, preferences and opinions, Our partners may connect your activities on Our Sites to other information they already hold about you in their capacity as Data controller.
We may also use the lookalike functionalities (for example from Facebook) to build audiences similar to your profile in order to allow Us or other brands of Our Group to target prospects that match your profile. You will not be the subject of related prospecting, your data being only used to create profiles similar to yours.
The processing described above is governed by Our partners’ own privacy policies in their capacity as data controller. We invite you to visit and check the privacy policies of such online tools and to adapt your choices related to cookies and confidentiality in accordance with your wishes.
- Public and judicial authorities: We might need to share your Data with public authorities when the law requires Us to do so. For instance, We might be requested to provide invoices to tax or financial authorities, or to provide information related to adverse events linked to the use of Our products to health authorities. We might also need to share your Data with judicial authorities in the event of a litigation. We may also have to transfer your Data to third parties when We receive a request by an authority empowered by law to do so.
- Our professional advisers: We may also share your Data when necessary with Our professional advisers, such as Our accountants, auditors, lawyers, insurers, etc.
- Potential acquirers and other stakeholders involved in Our business transfers: We might share your Data with another legal entity in the event of a collaboration, joint venture, acquisition, merger, sale, corporate restructuring or change of legal form. In this context, the acquirer will act as the new or joint controller of your Data. In case of a merger or sale, your Data will be permanently transferred to the successor company.
7. Where may We transfer your Data?
We are a multinational organization with affiliates, vendors and partners located in many countries around the world. For that reason, We may need to share your Data with entities located in other jurisdictions, in countries which may not be regarded as providing the same level of data protection as the jurisdiction you are based in.
Our European headquarters which is in charge of leading Our ecommerce, customer relations and marketing efforts in Europe, is located in France. As a consequence, your Data may be transferred to France.
Your Data may also be shared with Our American affiliate Shiseido Americas, which is notably in charge of the overall management of Our group customer relationship management system.
In any case, We ensure that adequate safeguards, as required under the applicable data protection legislation, are in place. Such safeguards may include:
- Adequacy decisions released by the European Commission or
- The European Commission’s Standard Contractual Clauses or
- Our providers’ Binding Corporate Rules (“BCR”)
For more information about the transfer of your Data, you can contact Our Data Protection Officer (please refer to section 11).
8. How do We protect your Data?
We know how much data security matters to all Our customers and take all appropriate steps to protect your Data from unauthorized access, alteration, disclosure, or destruction. We pay particular attention to sensitive data, especially payment card data, allergy or intolerance data, etc.
Please note, however, that any information you choose to share in public areas such as Our website community features, or other social areas is by definition considered as public and can be seen by anyone accessing the related platform.
9. How long do We retain your Data?
We will retain your Data for the period necessary to fulfil the purposes outlined in this Policy (see section 4).
The criteria used to determine such retention periods include:
(i) the length of time We have an ongoing relationship with you;
(ii) whether there is a legal obligation to which We are subject;
(iii) whether a longer retention period is required or permitted by law.
We are committed to improving our Data Protection program and integrating new rules, such as data retention rules, into our systems to always better protect Your privacy.
10. Data about children
Our Sites are not directed to anyone under 16 years of age even if they have permission from their parents or guardians. We do not solicit or collect any type of information from a person known to be under the age of 16.
We are not able to verify whether a website user is a minor and therefore We recommend parents or guardians to be involved in the online activities of their children in order to prevent data about minors from being processed by Us.
However, if We become aware that We have accidentally collected information from a child under the age of 16, We will remove that information from Our records as soon as feasibly possible.
11. Your rights and choices
In accordance with the applicable data protection law, you have the right to request:
- Access to the Data We hold about you. You also have the right to obtain confirmation as to whether Data concerning you is being processed or not;
- The correction of your Data if they are incomplete or inaccurate;
- The erasure of your Data, in the cases provided by law. Please note that in some cases, We may be obliged to retain your Data anyway, for legal or legitimate reasons;
- The interruption of the use of your Data, by objecting to the use of your Data where Our “lawful basis” is Our legitimate interests and that We have no legitimate overriding interest. You also have the right to object at any time to the processing of your Data for marketing purposes. You may unsubscribe from Our marketing communications simply by clicking on the “unsubscribe” link at the bottom of each communication;
- The restriction of the use of your Data, if provided by applicable law;
- To obtain a copy of the Data you provided Us, in a structured, commonly used and machine-readable format, to transmit it to another data controller, if provided by applicable law. This right only applies when the processing of your Data is based on your consent or on a contract and such processing is carried out by automated means.
- Via Our online contact form here.
- Via Our postal address:
Data Protection Officer Shiseido EMEA 56 A, rue du Faubourg St Honoré 75008 Paris France