Effective as of September 18, 2018
It’s likely that we’ll need to update this Policy from time to time. We’ll notify you of any significant changes, but you’re welcome to come back and check it whenever you wish.
We hope the following sections will answer any questions you have but if not, please do get in touch with us.
- 1. Who are we?
- 2. Legal basis for processing your data
- 3. When do we collect data from you?
- 4. What data do we collect and why do we use it?
- 5. We are not responsible for third party sites/features
- 6. Safety of our cosmetic products
- 8. Do we share your Personal Information?
- 9. How do we protect your Personal Information?
- 10. How long do we retain your Personal Information?
- 11. Your rights and choices
- 12. Data about Children
- 13. International Privacy Laws
- 14. Dispute Resolution / Contacting the Regulator
- 15. Any questions? How to contact us
The NARS brand belongs to the Shiseido Group. The Sites are operated by Beauté Prestige International SA doing business as Shiseido EMEA (56 A, rue du Faubourg St Honoré - 75008 Paris - France) which is part of the Shiseido Group and works as controller of your data. Shiseido EMEA runs our local operations and is in charge of leading our customer relations and marketing efforts for Europe.
Data protection law in the European Union contains a number of "lawful bases" for processing personal data. These are really legal justifications which mean organisations like us are allowed to have your personal information in the first place. We have been careful to ensure we have a lawful basis for all processing of data we undertake. Our lawful bases include:
Performing the contract we have with you - In certain circumstances, we need your personal data to comply with our contractual obligation to deliver products you order or in order to take steps at your request prior to entering into a contract. For example, if you buy our products through our Site, we need your name and contact details so we can communicate with you and deliver the products to you. In this case, provision of your personal data will be necessary to provide you with the products, information and services you request and to perform the activities as explained above. If you do not provide your personal data we will not be able to provide you with the requested products and services.
Legal compliance - Sometimes the law says we need to collect and use your data. For example, we can pass on details of people involved in fraud or other criminal activity to law enforcement and tax laws require us to retain records of orders and payments for our products. In this case, provision of your personal data will be necessary to provide you with the products, information and services you request and to perform the activities as explained above. If you do not provide your personal data we will not be able to provide you with the requested products and services.
Legitimate interests - this is a technical term in data protection law which really means we have a good and fair reason to use your data and we do so in ways which does not hurt your interests and rights. We sometimes use your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. For example, we will send you promotional communications about our service, subject to your legal rights to control whether we do so. We do analyse how users interact with our Site so we can understand better what elements of the design are working well and which are not working so well. This allows to improve and develop the quality of the online experience we offer all our users.
Consent – in certain cases we may ask for your consent before using your information.
- When you visit one of our Sites, use your account to buy products and services, or redeem vouchers from us on the phone, in a shop or online.
- When you make an online purchase and check out as a guest (in which case we just collect transaction-based data).
- When you create an account or profile with us.
- When you sign up online or in our shops to receive electronic newsletters, blog posts, special offers and other materials.
- When you join one of our loyalty programs online or in a shop.
- When you enter competitions or quizzes we may hold.
- When you choose to complete any surveys we send you.
- When you comment on or review our products.
- When you participate in our user community or otherwise contribute content to the Sites, such as by authoring a post on our forums or commenting on a blog post.
- When you engage with us on social media.
- When you book any kind of appointment with us or book to attend an event with us, for example appointments with our beauty consultants in shops and department stores for beauty consultation, make up sessions and tutorials and events around new product launches
- When you contact us in some way – online chat, email, text message, telephone help line for any reason, compliments, feedback or a request.
- When you fill in any forms. For example, if an accident happens in a store.
- When you submit an employment application and/or resume, or fill out other employment documentation.
- When you download or install one of our apps.
- When you’ve given a third party permission to share with us the information they hold about you.
Depending on how you interact with us (online, in-store, on the phone, etc.), we may collect from you various types of information, which are described in more detail below. In some instances, we may combine one type of information with another type of information, and store them together in our records. In all cases, however, we strive to limit the amount of information we collect and store to that which is necessary for the lawful reason we have your information in the first place. We inform you wherever possible whether we need information requested or whether you have the choice not to provide it, but can still make an order, subscribe for our updates and offers etc. We may not be able to provide a service if you do not disclose the information requested.
a) Information your provide to us when you interact with us
- Account information: such as your name, customer number, login ID, screen name, password, and/or security question and answer, and other registration information. Certain login information, such as your customer number, may be generated by us and then sent to you. We only collect (or create for you) unique login information for those activities that require an account. Your unique login information, especially your password, should always be kept confidential and should never be shared with anyone else.
- Personal contact information: This includes any information that would allow us to personally contact you, such as your name, home or mailing address, phone number (home, mobile), or email address. In some cases, this could include information that you give us about someone else (for example, if you ask us to ship a product to a friend). We typically collect personal contact information in connection with a variety of activities, including account registration (e.g. online shopping and website community features, newsletter sign-up, etc.), product orders, customer service, contests and promotions, and customer feedback. If you create an account with us, some of your personal contact information may be stored under your account profile.
- Order and product information: This includes details of the products you have ordered and searched for online or in our shops, the time, date of orders and searches, the shops you prefer to visit (which we know from records of the purchases you have made in our shops). We use this information send you promotional emails and communications (with your consent), to make personalised recommendations of products when you return to the Site, to advertise to you (with your consent) when you visit other websites and to better understand our customers so we can improve our products and our customer's experience of our business both offline and online.
- Demographic information and preferences: This includes any information that describes demographic characteristics and preferences, such as age, gender, preferences, interests, date of birth, age or age range, with your consent facial attributes (e.g., hair color, eye color, skin type, skin tone, - these are only provided if you choose to do so and you can order products without providing facial attribute data), general geographic location (e.g., post code or city and state), favorite products, hobbies and interests, or lifestyle information. We typically collect demographic information in connection with a variety of activities, including account registration (e.g., online shopping, website community features, newsletter sign-up, etc.), contests and promotions, and customer surveys. If you create an account with us, you may be allowed to modify certain demographic information stored under your account profile. We use this information to send you promotional emails and communications (with your consent), to make personalised recommendations of products when you return to the Site (with your consent), to advertise to you (with your consent) when you visit other websites and to better understand our customers so we can improve our products and our customer's experience of our business both offline and online.
- Employment related information: This includes information you provide when submitting an employment application online and provide during the recruitment process, such as your CV, cover letter, employment history education history, professional qualifications, language and other relevant skills, and other information included in a or as part of our online application process. We use this to take necessary steps with a view to entering into a possible contract with you and in our legitimate interests in assessing candidates for employment.
- Your feedback: This includes information that you voluntarily share with us about your experience in using our products or services, including our beauty products, our Site, and our shops. Examples include comments and suggestions, testimonials, or other feedback you send us about what you may have liked (or disliked) about your experience in using our products or services. We typically collect this information in the form of customer surveys, feedback forms, and email correspondence. We use your feedback to understand what our customers think of our products and the experience they have of us, to improve our products and the customer experience and – if you agree to - to discuss your feedback with you.
- User-generated content and posts: This refers to any content that you create and then share with us (and perhaps others) by uploading it to one of our websites or applications, such as our Facebook fan pages or applications. Examples include photos, videos, personal stories, or other similar media or content. We mostly collect customer-generated content in connection with contests and promotions, website community features, customer engagement, and third party social networking. Any other information you choose to make public on the Site (e.g. information shared with other members of our user community).
- Information on allergies and intolerance for the safety of our cosmetic products: This includes information on your allergies or intolerance, as provided by you to us through our customer service. Examples may include intolerance regarding our products or a component of a product. We only use this information with your explicit consent to follow-up on allergies and intolerance you may encounter when using our products as the case may be and in developing and improving our products. It’s always your choice whether you share such details with us.
- CCTV: Your image may be recorded on CCTV when you visit one of our shops. We use for security reasons and regularly delete the footage unless an incident or alleged incident requires investigation or action.
b) Automatically collected information
When you interact with us through the Site or our application, we use various technologies (including cookies, as further described below) to collect certain information (described below) about your visits to and use of the Site and application. We use this information to understand your needs and preferences better so we can offer you a better experience online and instore, to monitor and maintain our online infrastructure improve our Site and applications generally.
In accordance to the information provided in the banner or notice emerging in our Site when you first visit our Site, browsing and remaining on our Site will be understood as you are consenting to the use of the abovementioned cookies as set out in this Policy and the Cookies Policy.
A number of cookies and similar technologies we use last only for the duration of your web or app session and expire when you close your browser/or exit the app. Others are used to remember you when you return to the Site and will last for longer.
c) Info we receive and collect from other sources
We may obtain information, including personal data, from third parties and sources other than our Site, such as our partners, advertisers. If we combine or associate information from other sources with personal data that we collect through the Service, we will treat the combined information as personal data in accordance with this Policy.
d) Social media and advertising partners
We work with social media platforms and digital advertising platforms to:
- Make it easier for you to log onto your account (for instance by using your Facebook account)
- Show you advertising for our products and the products of other companies in the Shiseido group on other websites and social media platforms. For instance, if you show an interest or buy a product on our Site or in one of our shops, we may advertise that or other products we think may be of interest and you may see them on other websites and on your Facebook or other social media feeds. To do this we will share information with our social medial and digital advertising partners about your age, gender and interests for instance so they can better understand what you are interested in. Our partners may also keep this information about you and use it to help other companies, unrelated to Shiseido, show you adverts online. You cannot be identified "in the real world" by any of this information. For more information about how to turn this feature off see below or visit https://www.youronlinechoices.eu.
We want to bring you offers and promotions that are most relevant to your interests at particular times, in emails (where we have your consent) and on the Site when you visit. To help us form a better, overall understanding of you as a customer, we may combine your information gathered across various channels, for example your online and offline shopping history. For this purpose we also combine the data that we collect directly from you with data that we obtain from third parties to whom you have given your consent to pass that data onto us. In doing this, we may put you into one or more categories of customer which we use to help build our promotional and marketing strategies, and that category will in part dictate the promotional communications and recommendations you receive from us.
Our Site may provide links to, or features from, other third party sites (such as third party social networks) that we do not own or control. If you click on such links or use such features, you do so at your own risk. We are not responsible for the content or practices of any third party site, application, or feature.
In the event you would experience allergies or intolerance when using our cosmetic products, your requests or claims regarding safety of our cosmetic products should be submitted by contacting:
Regulatory Department – Cosmétovigilance
56 A, rue du Faubourg St Honoré
Phone : + 33 1 86 76 50 00
The data you provide for safety reasons is your name, contact details and health data relating to allergy or intolerance. The processing of this data is for safety of our cosmetic products only, and based on your consent. This data is used only for this purpose, and in separate digital environments and channels from the general commercial and marketing purposes. We will process it to adapt our marketing messages to you only upon your prior consent.
We may also have to transmit information on the safety of our cosmetic products to the competent health authorities, on an anonymous basis.
Although most Web browsers automatically accept cookies, the decision of whether to accept or not is yours. You have the choice to accept or decline cookies by way of consent. You may adjust your browser settings to prevent the reception of cookies, or to provide notification whenever a cookie is sent to you.
Shiseido is a leading beauty care and perfume company with products sold in over 120 countries. As a global business, we may share your personal information with Shiseido Group companies and trusted third parties based outside the country in which you live so that they may process that data on our behalf. We will never rent, trade or sell your personal information to third party companies for their own marketing use.
Affiliates and Shiseido group entitiesWe may share (or receive) information about you, including personal information, with our affiliated Company Shiseido Americas Corporation which headquarter is 900 Third Avenue, New York NY 10022, in the US ("SAC").
Shiseido EMEA is in charge of leading our customer relations and marketing efforts for the Europe, Middle East and Africa region and this means they are also a joint controller of your personal data under European data protection law.
SAC is in charge of administering the IT aspects of our Sites, and providing technology infrastructure, including through their third party suppliers, which helps us for instance host the Site and your information, provide customer relationship management or "CRM" services. As such, SAC acts as a data processor on our behalf.
Third party vendors and providersWe sometimes share your personal data with trusted third parties. For example, delivery couriers, for fraud management, to handle complaints, to help us personalise our offers, website, application development, hosting, maintenance, customer relationship management and promotional services to you and so on. You can see the main companies we work with who collect information relating to you directly through the Site here.
Where we use any of these providers:
- We provide only the information they need to perform their specific services.
- They may only use your data for the purposes we specify in our contract with them.
- We work closely with them to ensure that your privacy is respected and protected at all times.
- If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
For some suppliers, we and our group companies need to transfer your information to locations outside the European Union, such as to the United States.
Legal disclosures (when necessary)This is when we may need to share your information for law enforcement or other legal purposes. This type of sharing may be necessary in connection with a lawsuit, claim or investigation, governmental inquiry, court order, enforcement of legal rights (e.g., contract terms, intellectual property rights, etc.), safety issue, or other similar legal or security matter. Sharing your information for these reasons is not a regular event, but could arise from time to time. We will strive to limit the types and amount of information we may need to share for legal purposes to that which is reasonably necessary and will make sure that any transfers outside the European Union is made on the appropriate legal basis.
Business transfers (e.g., sale or acquisition of company)To the extent allowed by the law, we may share (or receive) information about you, including personal contact information, in the event of an acquisition, merger, sale, corporate restructuring, bankruptcy, or other similar event that involves our parent or affiliated companies. If such an event occurs, we will take reasonable steps to require that your information be handled in accordance with this Policy, unless it is not practicable or permissible to do so and will make sure that any transfers outside the European Union is made on the appropriate legal basis.
Shiseido is headquartered in Japan, and we have operations, affiliates, entities, and service providers in Europe and throughout the world, including in the United States. As such, we and our service providers may transfer your personal information to, or access it in, jurisdictions that may not provide equivalent levels of data protection as your home jurisdiction.
Whenever we transfer your personal data out of the EEA or Switzerland, we ensure a similar degree of protection is afforded to it by ensuring that these transfers are based on standard contractual clauses, in compliance with the model clauses validated by the European Commission or, for some transfers to the United States, under the Privacy Shield program, details of which you can find here: https://www.privacyshield.gov/welcome. When such sharing of information involves transfers outside Europe to SAC, these transfers are based on its Privacy Shield certification. SAC complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of your information transferred from the Europe to the United States. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/list.
Shiseido knows how much data security matters to all our customers. So we take great care to treat your data and take all appropriate steps to protect it, and require the same of our suppliers who we share your data with.
Secure operating environmentsWe secure access to all transactional areas of our websites and apps using ‘https’ technology.
Encryption for payment infoAccess to your personal data is password-protected, and sensitive data (such as payment card information) is secured by SSL encryption.
Other security measuresIn addition to the methods above, we may take other measures to protect your information, depending on the sensitivity of the data and other considerations (such as how the information is collected and where it is stored). These measures may include (among other things) additional access restrictions, password requirements, and physical protections (e.g., secure data centers, etc.).
Measures you can takeDespite all of our efforts, no security safeguards or standards are guaranteed to provide 100% security. It is also important for you to play a role in keeping your information safe and secure. When signing up for an online account, please be sure to choose an account password that is hard for others to guess and never to reveal it to anyone else. If you use a shared or public computer, never choose to have your login ID or password remembered and make sure to log out of your account every time you leave the computer.
Please note, however, that these protections do not apply to any information you choose to share in public areas such as our website community features or other social areas. We pay particular attention to sensitive data, in particular payment card data, allergy or intolerance data, etc
We will retain your personal information for the period necessary to fulfil the purposes outlined in this Policy. The criteria used to determine such retention periods include: (i) the length of time we have an ongoing relationship with you; (ii) whether there is a legal or business obligation to which we are subject; or (iii) whether a longer retention period is required or permitted by law.
You have the legal right to request:
- Access to the personal data we hold about you.
- The correction of your personal data which is wrong.
- In some specific cases, the erasure of your personal data.
- That we stop using your data where our 'lawful basis' is consent by withdrawing your consent at any time, or to object to our use of your data where our 'lawful basis' is legitimate interests and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end.
- In specific cases, that we restrict our processing of your personal data;
- That we stop using your personal data for direct marketing.
- If your data is processed automatically based on your consent or the performance of a contract with you and, to obtain a copy of the personal data you provided us, in a commonly used format, to transmit it to another data controller.
You have the right to request a copy of any personal data we hold that relates to you. To ask for your information, please contact our Data Protection Officer in the Contact section, To ask for your information to be amended, please update your online account, or contact our Customer Services team.
If we choose not to action your request we will explain to you the reasons for our refusal.
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Policy. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
Our Sites are not directed to anyone under 16 years of age. We do not solicit or collect any type of information from a person known to be under the age of 16. If we become aware that we have accidentally collected information from a child, we will remove that information from our records as soon as feasibly possible (or obtain the necessary parental permission to retain it).
This Policy represents our accepted privacy principles but does not supplement or replace existing national law. It complements the respective national data protection law. The respective national law supersedes in case where it requires deviations from this Policy or sets more stringent requirements. Likewise, the contents of this Policy shall apply if no corresponding national data protection law exists.
If you have any complaints regarding our compliance with this Policy, please first contact us. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with this Policy.
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the French Privacy Commission (CNIL), who is our 'lead supervisory authority' under data protection law. That means they are the data protection regulator with primary responsibility for overseeing our compliance with data protection law. You can contact them by calling: +33 (0)1 53 73 22 22 or go online to www.cnil.fr (opens in a new window; please note we can't be responsible for the content of external websites).
Additionally, Spanish users may contact directly with the Spanish Data Protection Authority by writing to C/ Jorge Juan, 6. 28001, Madrid or go online to www.agpd.es.
If you are based outside of France or Spain, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence (see https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.html).
We hope this Policy has been helpful in setting out the way we handle your personal data and your rights to control it.
If you have further questions related to this Policy or have any concerns regarding your personal data, please contact our Data Protection Officer who will be pleased to help you:
•Email us at:DPO@emea.shiseido.com
•Or write to us at :
Data Protection Officer
56 A, rue du Faubourg St Honoré
Please contact the above company for all processing described in this Policy, except for the safety of cosmetic products. For safety of cosmetic product please refer to Section 6 of this Policy.