Group

Third-Party Privacy Policy

Effective Date: June 22nd 2022

 

1. WHAT IS COVERED BY THIS PRIVACY POLICY?

This privacy policy covers situations where we, Kering, access, collect, store, process, use, disclose, transfer or delete (hereinafter collectively referred to as "use”) personal information in paper or electronic form about natural persons working for or acting as our service providers, contractors, partners, suppliers (hereinafter collectively referred to as “third parties”).

 

2. WHO COLLECTS & USES YOUR PRSONAL INFORMATION?

We, Kering, act as the “data controller”, which means that we determine “why” and “how” your personal information is collected and used. We are a French corporation, located in 40 rue de Sèvres, 75007 Paris, France and registered under number Paris with the company registry of 552 075 020.

 


Your local legislation may not refer to the terms “data controller” or “data processor”, but respectively to terms such as “data user”, “owner”, “business”, “responsible party”, etc., and as “data intermediary”, “operator”, etc. In order to understand our role, please note that we are the entity who decides on the methods and purposes of the processing of your personal information by determining “why” and “how” your personal information is collected and used. Our “data processors” are entities who use your personal information on our behalf by receiving instructions from us on “how” and “when” they are allowed to use it (see section “with whom do we share your personal information?”).

 

3.WHY DO WE COLLECT YOUR PERSONAL INFORMATION?

We will use your personal information for the purposes described in this section. The processing of your personal information will comply with the applicable privacy legislation and rely on the legal bases set out in this section. Where we rely on our legitimate interests, we will only do so to the extent that your own interests or fundamental rights do not override our interests.

 

The purposes for which we process your personal information are as follows: The processing of your personal information is justified on the following legal basis:
To organise and manage our procurement and contractor selection process (e.g. Request For Proposal (RFP), Request For Information (RFI), etc.) For all countries not listed below:

Performance of a contract

Or our legitimate interest (where applicable) to identify and select the most adequate contractor for fulfilling the assignment at stake
Kuwait, South Korea, Philippines, Chile, Mexico:

Your consent when you enter into a contract or voluntarily share your information with us
To conduct background checks to ensure we are not precluded from working with you or the legal entity that employs you For all countries not listed below:

Compliance with a legal obligation

Our legitimate interest (where applicable) to conduct our business in compliance with our rules and policies
China:

Your consent when you enter into a contract or voluntarily share your information with us
To manage our relationship with you or the legal person you are working on behalf of. For all countries not listed below:

Performance of a contract

Or when the relationship is managed via a legal person, our legitimate interest (where applicable) for the contract execution
Kuwait, South Korea, Philippines, Chile, Mexico, China:

Your consent when you enter into a contract or voluntarily share your information with us
To enable you to carry out the assignments we have requested from you For all countries not listed below:

Performance of a contract

Or when the relationship is managed via a legal person, our legitimate interest (where applicable) for the contract execution
Kuwait, South Korea, Philippines, Chile, Mexico,China:

Your consent when you enter into a contract or voluntarily share your information with us
To compensate you or the legal entity that employs you for the provision of your products or services For all countries not listed below:

Performance of a contract

Or when the relationship is managed via a legal person, our legitimate interest (where applicable) for the contract execution
Kuwait, South Korea, Philippines, Chile, Mexico:

Your consent when you enter into a contract or voluntarily share your information with us
To allow you access to our training courses attach to the assignment we have requested form you For all countries not listed below:

Performance of a contract

Or when the relationship is managed via a legal person, our legitimate interest (where applicable) for the contract execution
Kuwait, South Korea, Philippines, Chile, Mexico:

Your consent when you enter into a contract or voluntarily share your information with us
To ensure follow-up, support and business continuity activities with respect to the products or services supplied to us, including notably by accessing your professional mailbox and/or devices, as may be made available to you, to the extent legally permitted For all countries not listed below:

Performance of a contract

Or our legitimate interest (where applicable) to request and/or retrieve follow-up and business continuity information about your products and services
Kuwait, South Korea, Philippines, Chile, Mexico:

Your consent when you enter into a contract or voluntarily share your information with us
To provide you access to our information systems, internal platforms, applications or for hardware loaned to enable you to carry out your assignments For all countries not listed below:

Performance of a contract

Or when the relationship is managed via a legal person, our legitimate interest (where applicable) for the contract execution
Kuwait, South Korea, Philippines, Chile, Mexico:

Your consent when you enter into a contract or voluntarily share your information with us
To allow you access to our premises or participate to our event or fashion show attach to the collaboration with us For all countries not listed below:

Performance of a contract

Or when the relationship is managed via a legal person, our legitimate interest (where applicable) for the contract execution
Kuwait, South Korea, Philippines, Chile, Mexico:

Your consent when you enter into a contract or voluntarily share your information with us
To implement prevention, detection and investigation measures to ensure physical security and cybersecurity Compliance with a legal obligation

Our legitimate interests (where applicable) which include protecting us against fraud and cybersecurity threats and ensuring the safe conduct of our business
To monitor and ensure compliance with applicable laws and policies Compliance with a legal obligation

Our legitimate interests (where applicable) which include, when not prescribed by law, complying with regulations and recommended guidelinesbusiness
To conduct business analytics & financial reporting For all countries not listed below:

Performance of a contract

Our legitimate interest (where applicable) to understand, improve and optimise our resources
China:

Your consent when you enter into a contract or voluntarily share your information with us
To implement activities related to the protection of intellectual property rights and management of litigation cases Compliance with a legal obligation

Our legitimate interest (where applicable) in protecting our rights

The regular exercise of our rights in lawsuits and proceedings, where applicable in your country of residence
To archive and keep records of relevant documentation in order to comply with our legal obligations Compliance with a legal obligation

Our legitimate interest (where applicable) in protecting our rights

The regular exercise of our rights in lawsuits and proceedings, where applicable in your country of residence
To comply with our financial or accounting management obligations, and in particular to share necessary information with auditors, law firms, or similar corporate professional service providers Compliance with a legal obligation

Our legitimate interest (where applicable) to better understand and improve our business
To sell or reorganise any part of our business or assets For all countries not listed below:

Our legitimate interest (where applicable) to manage our business
Kuwait, South Korea, Philippines, Chile, Mexico, United Arab Emirates, Vietnam:

Your consent when you enter into a contract or voluntarily share your information with us

 

4.WHAT PERSONAL INFORMATION DO WE USE ?

 

We may collect or receive the following personal information about you:

  • Contact details such as name, personal and professional addresses, telephone numbers, and internal & external email addresses,
  • Identity documents, signature,
  • Title, position, function, company information, photograph, prior experience and education background,
  • Attendance when entering our facilities,
  • Emails exchange, including when we do provide you and external email address,
  • Electronic identification data (including login, password, IP address and other online identifiers, and information on your access to our systems and networks),
  • For natural persons acting as contractor, services (provided for or by us), products (loaned, sell or entrusted for sell) and financial information (including contract, invoice & bank account information),
  • Information relating to prior criminal prosecutions and/or convictions.

 

5. WHEN DO WE COLLECT YOUR PERSONAL INFORMATION

You may share with us your personal information when:

  • You are directly appointed by us to provide products and services or when you participate in our procurement process;
  • The company you work for is appointed by us and you have a work assignment with us in this context.

 

6. HOW DO WE COLLECT YOUR PERSONAL INFORMATION? 

We mainly obtain information directly from you and process them by automated means when you interact with us. We may also collect your personal information through the legal entity that employs you.

From time to time, we may also obtain information on you from other third-party sources. Our third-party source categories could include our affiliates and subsidiaries, notably our parent company Kering and its affiliates.

As part of procurement operations, and in order to comply with our obligations in terms of anti-corruption, we may also have to consult public registers in order to verify that your company or its legal representatives are not subject to prosecution or of criminal convictions.

 

7. SHOULD YOU ALWAYS SHARE YOUR PERSONAL INFORMATION?

We will only process personal information strictly necessary for the realization of the purposes defined above. As a result, in the event you do not provide such information, we will not be able to pursue such purposes. For example, if you want your application to be considered as part of a RFP, you must necessarily provide the information and supportive documentation required.

 

8. FOR HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION?

Our general approach is to retain your personal information only for as long as it is needed.

We generally retain your personal information for the duration of the agreement that you (or you employer) have entered into with us and, after the expiration or termination of this agreement for any reason, until legal claims under that agreement become subject to the applicable statutes of limitations.

We may retain some of your personal information for a shorter or longer time, for instance, where we are obliged to do so in accordance with relevant legal requirements.

 

9.HOW DO WE PROTECT YOUR PERSONAL INFORMATION?

We are strongly committed to keeping your personal information safe. 


To do so, we design our services with your safety in mind. Within our group, we have dedicated teams managing and ensuring the security and privacy of your personal information. We have adopted specific technical and organisational security measures to protect personal information against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access. 


For example, whenever personal information is passed between your device and our servers, we ensure, when necessary, that it is encrypted using Secure Sockets Layer (“SSL”) and/or other security methods. All your personal information is stored on secured servers.


We have also established a specialised personal information security management system. For example, we strictly control the scope of authorisation of our employees who have access to the personal information that we collect and process. We regularly review our information collection, storage and processing practices, including physical security measures, to guard against any unauthorised access and use.


We conduct security and privacy protection training courses and tests on a regular basis to enhance our employees’ awareness of the importance of protecting personal information. We take commercially reasonable steps to make sure that our business partners and third-party service providers are able to protect your personal information. Our employees and those of our business partners and third-party service providers who have access to your personal information are subject to enforceable contractual obligations of confidentiality and specific contractual privacy provisions.


In the event of a security incident resulting in any breach of personal information, as qualified by law, we have an emergency response plan in place to prevent the expansion of such security incidents. In addition, as and where required by applicable law, we will report such personal information breach to the relevant supervisory authority and inform you via an appropriate channel. 


Please also note that in order to keep your personal information secure, we may from time to time have to reset your password. 


However, you should be aware that no service can be completely secure, and you play a key role in keeping your personal information safe. For the best possible protection of your personal information outside the limits of our control, your devices should be protected (e.g. by updated antivirus software) and your Internet service providers should take appropriate measures for the security of personal information transmission over the network (e.g. with firewalls and anti-spam filtering). When you perform your assignments within our premises or access to our IT system, you agree to comply with the Kering group guidelines in terms of cybersecurity defined in the documentation provided when you enter our services. You accept the inherent security implications of interacting over the Internet and will not hold us or our partners responsible for any security incident or breach of personal information unless it is due to our negligence.


If you have any concerns that your personal information has been put at risk, for example if someone could have found out your password or login, please contact us as soon as possible.

 

10. WHERE DO WE STORE YOUR PERSONAL INFORMATION? 

 

As a general principle, the personal information we collect from you will be stored in servers located in the European Union or Switzerland. However, please note that due to legal and/or technical constraints, we may store your personal information in other locations than the European Union or Switzerland.

This is notably the case where we rely on processors located outside the European Union or Switzerland to carry out processing activities on our behalf. In such a case, your personal information is then deemed transferred to such countries.

For more information about the location where your personal information is stored, you can contact us at privacy@kering.com (or see How can you contact us?)

We want to ensure that your personal information is always safely used and available to you, wherever you want to access it and for whatever reason you wish to use it.

When we share, use or transfer personal information in particular from the country of your residence , we use standard contractual clauses approved by the European Commission, or put in place other measures under applicable privacy legislation, to ensure that such transfer provides adequate safeguards. You can contact us at privacy@kering.com (or see How can you contact us?) for more information about these safeguards including how to obtain copies of this information.

 

11.DO WE SELL YOUR PERSONAL INFORMATION?

 

We do not sell your personal information to third parties.

However, to the extent our transfer of your personal information to certain third-parties may be interpreted as a “sale” under California privacy law, if you are a Californian resident you have the right to opt out of that sale.

12.WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION? 

We may share and disclose your personal information for the abovementioned purposes with the categories of recipients listed below. We may also receive personal information about you from some of them as our third-party sources.

All are bound by an obligation to implement appropriate security measures to protect personal information they process, and are bound by a strict confidentiality agreement and specific contractual terms on “how” and “when” they are allowed to use your personal information on our behalf.

If you would like more information about the sharing of your personal information, including the list of recipients, please contact our privacy team and Data Protection Officer at privacy@kering.com (or see How can you contact us?).

  • Our parent company Kering and its affiliates;
  • Delivery providers, fulfilment companies and transaction partners;
  • Other contractors that provide services to us (for example IT services providers, accountants, attorneys);
  • Law enforcement bodies, regulatory bodies, government agencies, courts and/or lawyers to comply with applicable laws and defend our rights and interests
  • Stakeholders involved in the selling or reorganisation of any part of our business or assets (for example potential buyers and their advisors).

 

13.WHAT ARE YOUR RIGHT REGARDING YOUR PERSONAL INFORMATION?

Subject to your applicable privacy legislation, you may be entitled to one or more of the following rights and exercise them on your own or via a legal representative acting on your behalf. We are committed to protecting your rights and allowing you to exercise them. You will never be discriminated against when you exercise your right in good faith under any applicable privacy law.

If you need any further information regarding your rights, how to exercise them, or if you have any complaints or questions regarding our privacy practices, please contact our privacy team and Data Protection Officer at privacy@kering.com or by completing the form available here (or see How can you contact us?).

  1. Right of access, rectification and erasure

Under certain circumstances you may have the right to request access to and obtain a copy of any of your personal information that we may process. Such right of access also includes the right to receive information in particular about the purposes of the processing, the categories of personal information concerned, the categories of recipients to whom your personal information may be disclosed, and the envisaged period for the retention of your personal information.

You may also request correction of any inaccurate personal information relating to you and to request the deletion of your personal information. You can obtain and update this personal information by emailing our privacy team at privacy@kering.com (or see How can you contact us?).

  1. Right to personal information portability

Under certain conditions, you may have the right to receive personal information you have provided to us within a structured, commonly used and machine-readable format, and also to require us to transmit it to another data controller where this is technically feasible.

  1. Right to restriction of processing

Subject to privacy legislation applicable to you, you may have the right to restrict our processing of your personal information in particular where: 

  •  
  • you contest the accuracy of the personal information (until we have taken sufficient steps to correct or verify its accuracy); 
  • the processing is unlawful, but you do not want us to erase the personal information;
  • we no longer need your personal information for the purposes of the processing, but you require such personal information to establish, exercise or defend legal claims; or 
  • you have objected to processing that has been justified on legitimate interest grounds, pending verification as to whether we have compelling legitimate grounds to continue processing.

Where personal information is subject to restriction in this way, we will only process it with your consent or to establish, exercise or defend legal claims, in accordance with local legislation.

  1. Right to object to processing

Where we rely on legitimate interest to process personal information, you may have the right to object to that processing. In this case, we must stop using your personal information for that purpose unless we can either demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms or where we need to process the personal information in order to establish, exercise or defend legal claims. Where we rely on legitimate interest as a justification for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.

  1. Deceased person rights to privacy

To exercise rights on behalf of a deceased individual, you may be required to provide us with proof that you are an immediate family member or executor of the deceased person. Subject to applicable privacy laws, we may not be able to support your request. Please be informed that under certain laws (for example in France), you can define directives relating to the storage, erasure and communication of your personal information after your death.

  1. Right to lodge a complaint

You also have the right to lodge a complaint with your local supervisory authority if you consider that the processing of your personal information infringes applicable law.

If you are a resident of a Member State of the European Economic Area, you may refer to the list of data protection authorities in the European Economic Area available here.

  1. Modalities of response to your requests, additional information or assistance

If you need any further information regarding your rights or how to exercise them, or if you have any complaints or questions regarding our privacy practices, please contact our privacy team and Data Protection Officer at privacy@kering.com or by completing the form available here (or see How can you contact us?).

To help protect your privacy and maintain security, we will take steps and may require you to provide certain information to verify your identity before granting you access to your personal information or complying with your request.

Where permissible under applicable law, we reserve the right to charge a fee for instance if your request is manifestly unfounded or excessive, to cover the administrative costs incurred by your request. We will endeavour to respond to your request as soon as possible and in any case within the applicable timeframe.

 

14. CAN THE PRICACY POLICY CHANGE? 

 

We may occasionally make changes to this privacy policy, for example to comply with new requirements imposed by applicable laws or technical requirements.

We may notify you in case of material changes and, where required by applicable law, we will seek your consent to those changes.

If we wish to process your personal information for a new purpose not described in this privacy policy, where necessary we will inform you and where required we will seek your consent.

 

15.HOW CAN YOU CONTACT US?

If you have any questions regarding our privacy practices or how we handle your personal information, please contact our privacy team and Data Protection Officer by sending an email to privacy@kering.com or by using the form available here.