THE NET-A-PORTER GROUP PRIVACY AND CONFIDENTIALITY POLICY
1. General Provisions
1.1. The Net-A-Porter Group Limited ("NAP" or "Operator") respects the privacy rights of its customers and recognizes the importance of protecting the information collected about them.
1.2. The present NAP Privacy and Confidentiality Policy ("Policy"), which constitutes a public document, covers all personal data ("PD") processed by NAP and has been developed in line with the applicable laws ("Law") related to PD.
1.4. The purpose of the Policy is to inform PD owners ("Data Subject/s") and other persons engaged in PD processing of NAP adherence to the fundamental principles of legitimacy, justice, non-redundancy, correlation of the content and scope of the PD processed to the declared processing purposes.
2.1. The following definitions apply to PD protection:
2.1.1. "Personal data": data which relates to a living individual who can be identified a) from that data or, b) from that data and other information in our possession or likely to come into our possession).
2.1.2. "Data subject": an individual who is the subject of PD. Data subjects have legal rights in relation to handling and processing of their PD.
2.1.3."Operator" a person who (either alone or jointly with other persons) determines the purpose for which, and the manner in which, any PD is to be processed. They have a responsibility to establish practices and policies in line with the Law.
2.1.4."Data processors" any person, other than an employee of the Operator) who processes PD on behalf of an Operator, i.e. third parties that process or handle PD on our behalf.
2.1.5."Processing" any activity that involves the use of PD. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing or destroying. Processing also includes transferring PD to third parties.
2.1.6. "Sensitive Personal data" includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, condition, sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive Personal data can only be processed under strict conditions, and usually requires the express consent of the Data Subject.
3. Objectives of PD Processing
3.1. NAP legal obligations and requirements under the Law for the processing of PD are to ensure that all PD processed by NAP in the course of its activities is:
3.1.1. collected, stored and processed for justifiable reasons;
3.1.2. processed by authorized persons with a legitimate reason;
3.1.3. stored safely;
3.1.4. retained only for the defined time period after which it is appropriately destroyed;
3.1.5. not disclosed to unauthorized persons.
3.2. NAP will actively seek to meet its obligations and duties in accordance with the Law and in so doing will not infringe the rights of its employees, customers, third parties or others.
4. Legal Grounds for PD Processing
4.1. PD are processed by NAP:
4.1.1. upon acquisition of appropriate consent of the Data Subject to the processing of his/her PD;
4.1.2. for the purpose of being compliant with the Law;
4.1.3. for the purpose of performing an agreement of which the Data Subject is a party or beneficiary.
4.2. PD may only be processed for the specific purpose notified to the Data Subject when it was first collected, or for purposes specifically permitted by the Law. PD must not be collected for one purpose and subsequently used for another. If it becomes necessary to change the purpose for which the data is being processed, the Data Subject must be informed of the new purpose before any processing occurs.
5. Purposes of PD Processing
5.1. NAP processes PD for the following purposes:
5.1.1. comply with Law requirements, organize its activities and its employees' activities;
5.1.2. verify the identity of customers and their eligibility to register as users on the NAP website;
5.1.3. process users' registrations, providing customers with a sign in ID for the NAP website and maintain and manage such registrations;
5.1.4. process, fulfill and deliver orders and manage customers' accounts;
5.1.5. provide customers with relevant customer care and respond to their queries, feedback, claims or disputes;
5.1.6. perform research or statistical analysis for marketing and promotional purposes in order to improve the content and layout of the NAP website and improve the NAP product offerings and services;
5.1.7. subject to obtaining consent in such form as may be required under the Law, NAP may use PD from its customers to provide them with notices, surveys, product alerts, communications and other marketing materials relating to goods and services offered by NAP sites including its exclusive membership programs, value added services ancillary to the memberships, and other products and services offered by NAP from time to time to its registered users.
5.2. NAP is entitled to disclose PD as may be required for any of the purposes above or as required by the Law, by State bodies or in respect of any claims or potential claims brought against NAP.
5.3. If the customer voluntarily submits any information for publication on the NAP website through the publishing tools, including but not limited to, Company Profile, Product Catalog, Trade Leads, Trust Pass Profile and any discussion forum, then the customer is deemed to have given consent to the publication of such information.
5.4. NAP does not sell PD to third party marketing companies.
5.5. NAP may employ third party business partners to collect and process PD on its behalf. NAP may also share PD with third party business partners to provide the customer with targeted advertising and other services. In such cases, these third parties will be subject to confidentiality agreements as outlined in articles 7.6 and 11 below and accordingly instructed by NAP to comply with the Law and NAP internal regulations.
5.6. NAP may collate information about site traffic, sales, wish lists, and other commercial information which can be transferred to third parties. This information cannot lead to the customer being identified and it is therefore not regarded as PD.
6.1. NAP collects PD in several ways when the customer places an order, buys a gift card for a friend or registers for a service. By registering, the customer expresses their consent to the collection of his/her PD.
6.2. In order to process and fulfill a customer's order, NAP needs to collect the following information: name, surname, email address, phone numbers, home address, shipping and credit/debit card billing address(es).
6.3. PD can be accepted from a person other than the Data Subject, provided that the Data Subject has provided their consent to submit their PD to NAP for processing.
6.4. Saved bank card details are never shared with third parties and are only used to process the customer's order using NAP partners' payment systems. NAP may also ask further information as a result of authentication or identity checks.
6.5. The NAP Live Chat provider stores all chat conversations for 13 months. These transcripts are only accessed by NAP for training purposes to improve the service offered. The customer can request a copy of their chat conversation when exiting Live Chat or contact the NAP customer care team by emailing email@example.com.
7. PD processing
7.1. NAP will maintain an inventory of categories of PD it processes relating to its employees and customers, and for the purposes of which each category is used. The inventory shall indicate high-risk categories of PD processed in accordance with the Law, including but not limited to:
7.1.1. sensitive PD;
7.1.2. personal bank accounts, credit/debit cards and other financial information;
7.1.3. national identifiers, i.e. National Insurance or National Identity Numbers;
7.1.4. material relating to meetings, interviews or negotiations which could adversely affect individuals if such information were to be divulged.
7.2. NAP is responsible for ensuring that all PD processed within its systems are adequate, relevant and not excessive and are only collected on the basis of a real and justifiable business reason. Periodic reviews of NAP technology, processes and procedures implemented for PD processing are to be conducted to ensure they continue to be adequate and fit-for-purpose. Any anomalies identified are to be recorded and appropriate action must be taken to address the findings.
7.3. Processed PD must correspond to real and justifiable business reasons, for this purpose:
7.3.1. NAP will only process the minimum amount of PD required to meet its legitimate purposes;
7.3.2. additional information which is not relevant or is excessive for the stated purpose is not processed;
7.3.3. new systems and processes involving PD are to be developed and reviewed to ensure their compliance with the Law and NAP internal regulations.
7.4. NAP implements appropriate technical and organizational measures to prevent unauthorized or unlawful processing, accidental loss, destruction and damage to PD. Such measures align to the basic information security principles of:
7.5.1. Confidentiality - only those persons specifically authorized can access and or use PD;
7.5.2. Integrity - PD shall be accurate and relied upon for the purpose for which it is being processed;
7.5.3. Availability - PD are only provided to authorized persons upon receipt of a validated request;
7.5.4. Security - PD are stored in accordance with technical/security requirements provided by the Law and are not disclosed orally, in writing or in any electronic form to any unauthorized person, either deliberately or accidentally.
8. Storage Period and PD Retention
8.1. NAP is to ensure that PD is not kept for any longer than necessary and will adhere to any legal, regulatory or specific business reason justifying PD processing.
8.2. PD relating to customers' is only to be retained for as long as a business justification remains. PD relating to employees is normally retained for six years after the individual leaves the company. Some information however will be kept for longer; this could include information necessary in respect of pensions, taxation, potential/current disputes or litigation regarding the employment and information required for job references.
8.3. Appropriate processes and procedures are applied to ensure the regular backup of PD, and backups can be restored when required, irrespective of the period for which relevant PD have been retained.
9. Rights of Data Subjects
9.1. Everyone has the right to request access to any PD about them that is held or processed by NAP.
9.2. NAP complies with requests for access to PD as established by the Law. The supplied information shall be in an intelligible form that is easily understood by everyone.
9.3. NAP is allowed to require further information to determine whether the person submitting the request is the Data Subject (this is to avoid PD about one individual being send to another, inadvertently, or as a result of deception).
9.4. The Data Subject is entitled to modify their own PD by signing in to their account on the NAP site. The customer is able to delete saved credit/debit card details. If the customer changes their billing or shipping address while an order is still being processed, the order will be re-processed through security validation checks. PD can be also amended by the NAP customer care team by emailing firstname.lastname@example.org.
9.5. At all times the customer has the right to opt-out of subscribing to NAP regular service updates which may be sent to them: (i) email alerts for new products, features, enhancements, special offers, upgrade opportunities, contests, events of interest, and one-off marketing promotions; and (ii) direct mail alerts for new products, features, enhancements, special offers, upgrade opportunities, contests, events of interest, and one-off marketing promotions. Any email sent by NAP to the customer contains an easy automated unsubscribe link. Alternatively the customer can change their email preferences or opt out of all emails by signing in to their account on the NAP site or emailing email@example.com.
9.6. NAP sites and their contents are not targeted to minors (those under the age of 18). However, NAP cannot ascertain the age of individuals who access its site. If a minor has provided NAP with PD without parental or guardian consent, the parent or guardian should contact NAP to have the relevant information removed.
10. Transfer and Cross-border Transfer ("CBT") of PD
10.1. NAP performs transfer and CBT of PD, i.e. transmission of PD to a recipient located in a foreign jurisdiction, in conformity with the rules established by the Law and exclusively for the purposes of PD processing indicated in par. 5 above.
10.2. PD can be transferred without written consent of the Data Subject to foreign countries that ensure proper protection of Data Subjects' rights in conformity with the Law.
10.3. PD can be transmitted across the borders to the countries that are incapable of ensuring proper protection of PD owner rights:
10.3.1. upon written consent of the Data Subject to CBT of their PD given as established by the Law;
10.3.2. for the purpose of performing an agreement of which both the Data Subject and the Operator are parties;
10.3.3. in other cases established by the Law.
10.4. The Operator could transfer PD to recipients located in foreign countries, including but not limited to: the United Kingdom of Great Britain and Northern Ireland, the United States of America and Italy.
10.5. In case NAP shares PD with any (national or foreign) third party a Confidentiality Agreement ("NDA") shall be stipulated with such subject. In this case: (i) the NDA shall clearly indicate and describe the purposes for which the information may be used by the recipient and any eventual limitation or restriction to the possibility to use the information; and (ii) the recipient must provide an undertaking or other form of evidence of its commitment to process the information in a manner that will not contravene the Law and NAP applicable internal regulations.
11. Information on Third Parties Engaged in PD processing
11.1. Upon consent of the Data Subject, and unless otherwise provided by the Law, NAP is entitled to charge a third party ("Processor") with performing PD processing activities by virtue of a Data Processor Agreement ("DPA") to be mandatorily concluded with this subject.
11.2. The DPA shall define the list of actions (operations) with PD to be conducted by the Processor, the processing purposes, the confidentiality obligations towards the PD assumed by the Processor, as well as the obligations to protect PD as they are processed, and the requirements for the protection of the processed PD.
11.3. The Processor shall not be obliged to obtain consent from the Data Subject for the processing of their PD.
12. Information on Applicable Requirements to PD Protection
12.1. In the course of PD processing, NAP shall take all required legal, organizational and technical measures provided by the Law to protect PD from unlawful or accidental access, destruction, adjustment, blocking, copying, submission, sharing or other unlawful actions.
12.2. Namely, but not exclusively, PD shall be protected by means of the following:
12.2.1. appointment of persons responsible for organizing PD processing and safety;
12.2.2. issuance of internal regulations/procedures on PD processing and protection focused on prevention and tracing violations of the Law, elimination of respective consequences;
12.2.3. make employees engaged in PD processing aware of their participation in personal data processing, as well as the rules for personal data processing and protection set by NAP regulatory acts;
12.2.4. registration and recording of operations with PD;
12.2.5. internal transmission of PD solely among the persons holding positions included in the list of positions that require PD processing of the persons filling such positions;
12.2.6. organization of PD processing procedures within protected areas and with the use of required technology and systems, as well as ensuring physical protection of PD storage media, locations and tools for their processing;
12.2.7. setting access rules to PD, tracing cases of unauthorized access to PD and taking relevant measures;
12.2.8. implement a process for assessing the level of risk to individuals associated with processing PD;
12.2.9. organize periodic internal controls/audits over compliance of the PD protection measures taken in accordance with the Law and internal regulations of NAP.
13. The Data Protection Officer
13.1. NAP is responsible through its Data Protection Officer ("DPO") for the implementation of the present Policy and all operations connected with the processing of PD. In particular, the DPO is responsible for:
13.1.1. ensuring that NAP complies with the Law;
13.1.2. ensuring that appropriate ?fair processing' statements are made when NAP, its agents, contractors or service providers collect or process PD on its behalf, and that these reflect the purposes for which the information may be used and any other parties to whom the information may be revealed;
13.1.3. ensuring that PD is only obtained for specified and lawful business purposes indicated in this Policy and is not subsequently processed in a manner incompatible with those purposes;
13.1.4. ensuring that Data Subjects provide appropriate consent to their PD being held and processed by NAP;
13.1.5. ensuring NAP conducts periodic reviews of computer and hard copy records to verify that PD held is: (i) adequate, relevant, and not excessive for its purpose; (ii) accurate and up to date; and (iii) not kept longer than is necessary;
13.1.6. ensuring that NAP complies with article 9 of the present Policy in case of requests submitted by Data Subjects;
13.1.7. ensuring NAP applies all appropriate technical and organisational measures provided for by the Law to safeguard against unauthorised or unlawful processing of PD and against any accidental loss or destruction of, or damage to PD;
13.1.8. ensuring that training is provided to employees on joining NAP and annually thereafter and that a record of attendance is maintained.
13.2. The DPO is appointed by NAP executive body and receives instructions directly from that body.
14. Responsibility for Violation of PD Processing Rules
14.1. NAP employees engaged in PD processing shall bear disciplinary, civil, administrative or criminal responsibility for violation of PD processing rules in conformity with the Law and internal regulations of NAP.
15. Modification of this Policy
15.1. NAP has the right to amend and/or update this Policy in whole or in part in conforming with the Law. Each modification shall be clearly communicated on the NAP website and will be effective immediately upon publication.
16. Contact Details
16.2. To obtain further information on the PD policy, please refer to the Contact Us section of the NAP website and email the relevant department. Alternatively, NAP customer care team is available by calling +44 330 022 5700 (from a mobile or internationally) or emailing firstname.lastname@example.org.
16.3. Registration number in the register of PD operators:
16.4. NAP person responsible for PD processing and protection: