H&M GROUP PRIVACY NOTICE
Customer commitment to data protection and privacy
Protecting personal data and your privacy is of greatest concern for the H&M Group.
The H&M Group consists of company affiliate of H & M Hennes & Mauritz AB and its brands; H&M, COS, Weekday, Monki, H&M HOME, & Other Stories, Arket and Afound.
The H&M Group manifests its commitment to privacy and data protection by embracing the following principles.
H&M Group uses personal data lawfully, fairly and in a transparent manner.
H&M Group collects no more personal data than necessary, and only for a legitimate purpose.
H&M Group retains no more data than necessary or for a longer period than needed.
H&M Group protects personal data with appropriate security measures.
About this Privacy Notice
This Privacy Notice intends to establish a clear, concise and transparent communication on the collection, use, processing, storing etc. of personal data relating to customers of the H&M Group.
Within the meaning of this Privacy Notice “customer of H&M Group” means a former, current and potential customer or user of a product or service offered by an H&M Group affiliate and brand, a visitors to one of our official websites or stores, a member of a loyalty program or community.
Who is responsible for processing of your personal data?
The Swedish company, H & M Hennes & Mauritz GBC AB is primarily responsible for the processing of personal data within the scope of this Privacy Notice. Under certain circumstances the responsibility for data protection and your privacy is shared with one or several other legal entities, either being an H&M Group affiliate or a third party.
Under each specific section of this Privacy Notice you will be informed about who is responsible for processing your personal data, the allocation of responsibilities and the modalities for the execution of rights.
Identity of H&M Group controller(s):
H & M Hennes & Mauritz GBC AB
Mäster Samuelsgatan 46
106 38 Stockholm
Companies register: Bolagsverket/Swedish Companies Registration Office
Authorised representative: Helena Helmersson
VAT registration number: VAT NO. SE556070171501
The named H&M Group controller(s) above are throughout this Privacy Notice individually or collectively referred to as “COS”, “we” or “us”.
Where do we store your data?
The personal data that we collect from you is generally stored within a country of the European Union or the European Economic Area (“EU/EEA”) but may also, whenever necessary, be transferred to and processed in a country outside of the EU/EEA. Any such transfer of your personal data will be carried out in compliance with applicable laws and without undermining your statutory rights.
From time to time we may transfer personal data from the EU/EEA to a third country not being approved by European commission as a safe country for such transfer (adequacy decision). Whenever applicable H&M Group will use Standard Contractual Clauses to ensure an equivalent level of protection as granted within the EU/EEA or other lawful grounds for transfer.
Who has access to your data?
Your personal data is available and accessible only by those who need the data to accomplish the intended processing purpose. To the extent necessary, your personal data may be shared between the companies and brands within the H&M Group, with suppliers, sub-contractors and independent third-parties (acting as processors and sub-processors) carrying out certain tasks on COS’ behalf.
What is the legal ground for processing?
COS is not allowed to collect, process, use, store etc. personal data without a valid legal ground. Lawfulness may be derived from your consent, by contract, statutory obligations or from our legitimate interest as a business. For each specific purpose of processing of personal data, we will inform you about which legal ground that will apply, what rights you are entitled to exercise, whether the provision of personal data is statutory or required to enter a contract and whether it is an obligation to provide the personal data and possible consequences if you choose not to.
What are your rights?
Right to access:
You have the right to request information about the personal data we hold on you at any time. Please contact Customer Service and we will provide you with your personal data via e-mail.
Right to portability:
Whenever COS processes your personal data, by automated means based on your consent or based on an agreement, you have the right to get a copy of your data transferred to you or to another party. This only includes the personal data you have submitted to us.
Right to rectification:
You have the right to request rectification of your personal data if the information is incorrect, including the right to have incomplete personal data completed. If you have an account, you can edit your personal data under your account pages.
Right to erasure:
You have the right to erase any personal data processed by COS at any time except for the following situations:
*you have an ongoing matter with Customer Service
*you have an open order which has not yet been shipped or partially shipped
*you have an unsettled debt with COS, regardless of the payment method
*if you are suspected or have misused our services within the last four years
*if you have made any purchase, we will keep your personal data in connection to your transaction for book-keeping purposes
Your right to object to processing based on legitimate interest:
You have the right to object to processing of your personal data that is based on COS legitimate interest. COS will not continue to process the personal data unless we can demonstrate legitimate grounds for the process which overrides your interest and rights or due to legal claims.
Right to restriction:
You have the right to request that COS restricts the process of your personal data under the following circumstances:
* if you object to a processing based COS’ legitimate interest, COS shall restrict all processing of such data pending the verification of the legitimate interest.
* if you have claim that your personal data is incorrect, COS must restrict all processing of such data pending the verification of the accuracy of the personal data.
* if the processing is unlawful you can oppose the erasure of personal data and instead request the restriction of the use of your personal data instead
* if COS no longer needs the personal data but it is required by you to defend legal claims.
How do you exercise your rights?
We take data protection very seriously and therefore we have dedicated customer service personnel to handle your requests in relation to your rights stated above. You can always reach us at firstname.lastname@example.org. Please write to us in English.
Data Protection Officer:
We have appointed a Data Protection Officer to ensure that we continuously process your personal data in an open, accurate and legal manner. You can contact our Data Protection Officer by emailing customer service and including DPO as subject matter. You can always reach us at email@example.com. Please write to us in English.
Right to complain with a supervisory authority:
If you have complaints about the way H&M Group processes and protects your personal data and privacy you have the right, at any time, to make a complaint to the Swedish Data Protection Authority the competent supervisory authority in your country of residence: the Information Commissioner’s Office.
Updates to our Privacy Notice:
We may need to update our Privacy Notice. The latest version of the Privacy Notice is always available on our website. We will communicate any material changes to the Privacy Notice, for example the purpose of why we use your personal data, the identity of the Controller or your rights.