PRIVACY POLICY

MARKS & SPENCER

MARKS & SPENCER MARINOPOULOS GREECE (hereinafter referred to as “M&S”) having its registered office and headquarters in Athens, at Ermou Street, no. 33-35, in its capacity as Data Controller, collects and processes your personal data in compliance with the applicable EU and Greek legislation on the protection of personal data, in particular the General Data Protection Regulation 2016/679 (EU) (General Data Protection Regulation, hereinafter “Regulation” or “GDPR”), the Greek law 4624/2019, as well as the general national and EU legislation that may be issued in the context of the implementation of the GDPR, the relevant directives, decisions, regulations that may be issued by the Hellenic Data Protection Authority (“HDPA”) in this context. M&S takes all appropriate technical and organizational measures to ensure the integrity, availability and confidentiality of personal data.

Definitions

For the purposes of this Privacy Policy, the following terms have the following meanings:

  • Personal Data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be verified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
  • Special categories of personal data (“sensitive data”): personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, as well as the processing of genetic data, biometric data for the purpose of positive identification of a person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • Processing: any operation or set of operations which is performed, whether or not by automated means, on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Anonymisation: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject.
  • Pseudonymisation: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of supplementary information, provided that such supplementary information is kept separately and subject to technical and organisational measures to ensure that it cannot be attributed to an identified or identifiable natural person.
  • Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, or the specific criteria for their appointment may be provided for by Union or Member State law. For the purposes of this Policy, M&S shall act as the Data Controller.
  • Data Processor: the natural or legal person, public authority, agency or other body that processes personal data on behalf of the Data Controller.
  • Data Subject: the natural person whose personal data are processed.
  • Recipient: the natural or legal person, public authority, agency or other body to whom the personal data are disclosed, whether or not a third party. However, public authorities which may receive personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by those public authorities shall be carried out in accordance with the applicable data protection rules, depending on the purposes of the processing.
  • Third Party: any natural or legal person, public authority, agency or body, with the exception of the data subject, the data controller, the data processor and persons who, under the direct supervision of the Data Controller or the Data Processor, are authorised to process personal data.
  • Consent: any freely given, specific, explicit and informed indication of intent by which the data subject signifies his or her agreement, by a statement or by a clear affirmative action, to the processing of personal data concerning him or her.
  • Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access of personal data transmitted, stored or otherwise processed.
  • Applicable Legislation: The applicable national and EU data protection legislation, in particular the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and the Greek Law 4624/2019, as applicable, as well as the Decisions, Directives and Opinions of the European Data Protection Board (hereinafter referred to as “EDPS”) and the Hellenic Data Protection Authority (hereinafter referred to as “HDPA”).

Personal Data that M&S collects & processes

A. Customers

New Member Registration – Account Creation

M&S collects and processes data such as name, surname, date of birth, telephone number, e-mail address, membership code.

Purposes of processing – legal basis: The purpose of the abovementioned processing is the creation of an account for the user/customer, which allows him/her, among other things, to make purchases in the M&S e-shop. The legal basis is the legitimate interest of M&S to improve the services provided to its users/customers.

Shopping via e-shop

M&S collects and processes data such as name, surname, delivery address, billing address, postal code, payment and debit/credit card details, contact details, etc.

Purposes of processing – legal basis: The purpose of the processing is to complete the order and send the selected product to the customer/user. Our legal basis is the performance of the contractual obligations we have assumed towards the customer/user.

Please note that M&S does not keep a record of your credit card details under any circumstances. Our website does not store any credit/debit card details you enter when placing your order, nor are they recorded in the case of a telephone order (https://www.marksandspencerfood.gr/oroi-proypotheseis/). Before approving any transaction, you are referred directly via a hyperlink to another website that uses an online credit card clearing technology under the responsibility of the EUROBANK ERGASIAS S.A. bank.

Contact form

The user may contact M&S by filling in a special contact form that includes the following fields: first name, last name, email address, the user’s message-request.

Purposes of processing – legal basis: The purpose of the abovementioned processing is providing the optimal response and services to the user/customer. The legal basis is the legitimate interest of M&S to provide high quality services to customers and users of the website.

M&S BONUS CARD

By registering for the BONUS CLUB Privilege Program, as well as when using your Bonus Card, M&S collects and processes data such as name, surname, home address, city, postal code, mobile phone, date of birth, purchase details, etc.

Purposes of processing – legal basis: The purpose of the above processing is to complete your registration to the Privilege Program, improve the services offered, send special offers based on your preferences, etc. The legal basis is the performance of contractual obligations towards the customer/user, compliance with our legal obligations, our legitimate interest or your consent.

For more information, please read the “Privacy Notice” concerning the M&S Bonus Card at: https://bonuscard.marksandspencer.gr/TermsofUse.aspx.

Finally, please note that as part of the Privilege Program, we may collect information and data directly from you, record your shopping habits when you visit our stores, and monitor your response to our promotional communications. The results of this analysis, combined with your demographic data, enable us to inform you about products and offers that may interest you. In order to provide you with the above personalised information, we use special software and technology (automated processing).

B. Data of potential employees of M&S

M&S collects and processes data such as name, surname, patronymic, matronymic, contact details, education, work experience, CV and information contained therein, letters of recommendation, certifications, qualifications, assessment data during the interview process.

Purposes of processing – legal basis: M&S collects the abovementioned data for the purpose of assessing your suitability for the position to be filled and collecting recommendations from previous employers. The legal basis for processing is M&S’s compliance with its legal obligations as your potential employer.

C. M&S employee data

M&S collects and processes personal data such as: first name, surname, patronymic, matronymic, gender, date of birth, home address, telephone (landline/mobile), email (corporate/personal), nationality, family status, ID number, VAT, tax office, AMA, IBAN, educational qualifications, professional certifications, certificates of military service, seminars, training courses, previous experience, date of recruitment, salary data, allowances, evaluation reports, exit data, photo data.

Purposes of processing – legal basis: This data allows M&S to effectively manage the employment relationship with each employee, to offer its staff additional benefits and training programs, to evaluate and reward employees’ performance, to manage any employee grievances and requests, etc.

D. Data of M&S suppliers & external partners

M&S collects and processes data such as: name, registered office, headquarters, telephone (fixed/mobile), email (corporate/personal), ID card/passport number, VAT number, tax number, tax office, IBAN, professional certificates, as well as such further data as may be required by national legislation (e.g. tax legislation, payment/debt cards, documents, etc.).

Purposes of processing – legal basis: M&S collects the above data for the purpose of managing contractual relationships with partners and invoicing of services provided. The legal basis for processing is the performance of contractual obligations, as well as M&S’s compliance with the applicable national tax legislation.

E. Personal data collected for security reasons

Image/video surveillance data

M&S collects, processes and stores images and footage through the video surveillance system (closed circuit television, hereinafter referred to as CCTV), where installed, for security purposes, in accordance with the requirements and standards set by national and EU legislation for the processing of data, audio and video.

Purposes of processing – legal basis: The purpose of the above processing is the security of employees, customers, premises, shops and equipment. The legal basis is the legitimate interest of M&S to protect the security of its customers, employees and premises.

In compliance with the requirements of the Hellenic Data Protection Authority, M&S provides its customers with full information about the operation of cameras before entering a supervised area. Detailed information on the use of the CCTV system can be found here: www.marksandspencerfood.gr/cctv-prosopika-dedomena.

F. Data we collect when you subscribe to the M&S newsletter, as well as while visiting our website

  • When you subscribe to our newsletter, we collect and store your email address. We use the data you provide us with when you subscribe to our newsletter to contact you and send you information about our services, products and offers. We will process your data if we have your prior consent.
  • Personal data collected while browsing the M&S website, such as the IP address of the user’s device when browsing the M&S website https://www.marksandspencer.com/en-gr/home, the type of browser being used, etc. For more information about the use of cookies on our website, please refer to the M&S Cookies Policy.

Personal Data of Minors

In general, M&S does not directly or indirectly collect and process data of minors (i.e. persons under the age of 18). However, since it is impossible to cross-check and verify the age of persons entering or using the website, parents and guardians of minors are advised to contact M&S directly if they become aware of any unauthorised disclosure of data by minors for whom they are responsible, in order to exercise their rights accordingly, such as to have their data deleted. If M&S becomes aware that personal data of a minor has been collected, M&S undertakes to delete it immediately and to take all necessary measures to protect such data.

Transfer of personal data

M&S may transfer the above personal data to:

  • Third parties to whom it has delegated the processing of personal data on its behalf. In particular, M&S may transfer personal data to its partners, acting on its behalf, who are contractually bound to M&S to provide independent services or to third party affiliates who process personal data on behalf of M&S. In any case, the third parties are contractually bound to M&S to ensure the confidentiality obligation, as well as all obligations provided for by the Applicable Legislation. In all the above cases, M&S defines the individual elements of the processing, signs specific contracts with the third parties to whom it entrusts the performance of specific processing activities, ensuring that the processing is carried out in accordance with the Applicable Legislation. Third parties are contractually bound to only process data subjects’ personal data for specific and contractually defined purposes and will not transfer or disclose them to third parties, unless required by law.
  • To judicial and prosecutorial authorities, as well as other public authorities (e.g. tax authorities, etc.) in the exercise of their duties ex officio or at the request of a third party with a legitimate interest and in accordance with the legal procedures. In addition, for reasons of public interest protection in the field of public health, M&S may, in accordance with the relevant legislation, transfer your personal data to the competent authorities.
  • To financial institutions/banks, for the execution of payments by card.

Transfer of Personal Data outside the EU

In some cases, we may need to transfer your personal data to third countries (outside the EU and outside the EEA) in order for M&S to better meet its obligations and provide its services effectively. In particular, this may occur in case the third-party provider of a service is established in a third country or the data subject is located in a third country. Such transfers are subject to specific rules in order to safeguard personal data.

In the event of a transfer of your personal data to a country outside the European Economic Area (EEA) or an International Organisation, M&S will first ensure that one of the legal bases of Article 6 of the Regulation is complied with and cumulatively ensure that:

(a) the European Commission has issued an adequacy decision for the third country to which the transfer is to be made (Article 45 of the GDPR); or

(b) there are appropriate safeguards in accordance with the GDPR for the transfer of such data (Article 46 GDPR); or

(c) for occasional processing, one of the exceptions provided for in Article 49 of the GDPR applies.

Otherwise, the transfer to a third country is prohibited and the Company will not transfer your personal data to that country, unless one of the specific exceptions provided for in the GDPR applies.

Retention period

The personal data collected by M&S are kept for a predetermined and limited period of time, depending on the purpose of processing, after which the data are deleted and/or securely destroyed, unless a different retention period is provided or permitted by Applicable Legislation. The data retention period shall be defined on the basis of specific criteria and on a case-by-case basis. Indicatively:

(a) Personal data must be kept for the entire period required for the purpose of their processing and/or the applicable legal framework. Upon expiry of this period, the data shall be kept in accordance with the applicable legal framework for the period provided by the termination of the business relationship or for as long as required to defend the rights of M&S before a court of law or other competent authority.

(b) Where the processing is imposed as an obligation by provisions of the applicable legal framework, the personal data will be stored at least for as long as the relevant provisions require.

(c) In any other case where the processing is based on the individual’s consent, the personal data shall be kept until the withdrawal of consent, without this withdrawal affecting the lawfulness of the processing up to that point. In order to withdraw consent, you must submit a request to the M&S Data Protection Officer (DPO) (see below for contact details). Alternatively, to withdraw your consent and unsubscribe from M&S’s mailing lists, there are unsubscribe options by clicking on the corresponding link in M&S’s electronic communications. For as long as the data subject’s email address remains in the M&S database, the data subject will periodically receive email updates from M&S.

Data Breach

In the event of a data breach incident, M&S has a specific Data Breach Management Policy. If you become aware or suspect that a personal data breach may/has occurred, please notify M&S without delay at GR.dataprivacy@marks-and-spencer.com.

Personal Data Security

Taking into account the latest technological developments, the implementation costs and the nature, scope, context and purposes of the processing, as well as the varying intensity and extent of the risks of occurrence and severity for the rights and freedoms of the data subjects arising from the processing of their personal data, M&S takes the necessary technical and organisational measures to protect their relevant rights. Although no method of transmission through the Internet or method of electronic storage is completely secure, M&S takes all necessary digital data security measures (e.g. antivirus) in compliance with its obligations under the Applicable Law. At the same time, M&S adopts the required security measures such as the installation of a video surveillance system (CCTV), alarm system, etc.

As for physical records that contain personal data of natural persons, M&S takes appropriate measures to prevent unauthorised access to them (e.g. locking, transmission in a sealed envelope, confidentiality classification), as well as damage or destruction (e.g. fire protection system, storage in cabinets inaccessible in case of flooding).

Protect your data

M&S will never ask you for your bank account or credit card details by email. If you receive such an email claiming to be from M&S requesting such data, please ignore it and do not reply.

Your Rights

M&S shall ensure that it is able to respond promptly to the requests of data subjects regarding the exercise of their rights in accordance with the Applicable Legislation.

In particular, these rights are as follows:

(a) Right of access and to be informed: In particular, the data subject may request to obtain a copy of his/her personal data held by M&S and to check the lawfulness of their processing.

(b) Right to rectification: The data subject may request the rectification of his/her personal data in case they are inaccurate or incomplete.

(c) Right to erasure: The data subject may request the erasure of his/her personal data if they are not necessary for the purposes they were collected and if their retention is not based on any legitimate basis or legitimate interest.

(d) Right to restriction of processing: The data subject may request the restriction of the processing of his/her personal data: a) when he/she questions the accuracy of the personal data and until verification is carried out; b) when the processing of the personal data is unlawful and the data subject requests, instead of deleting them, the restriction of their use; c) when M&S no longer needs the personal data, but they are necessary for the establishment, exercise or support of the data subject’s legal claims; and d) when the data subject opposes the processing of the personal data.

(e) Right to portability: The data subject may request portability/transmission of his/her personal data either to him/her or to another Data Controller. In particular, the data subject may, upon identification, obtain his or her personal data free of charge in a structured, commonly used and machine-readable format (pdf, word, etc.). The data subject may exercise this right regarding the data that he or she has provided to M&S and that are processed by automated means on the basis of the data subject’s consent or in performance of a relevant contract.

(f) Right to object: The data subject may object to the collection and processing of his or her personal data and automated individual decision-making, including profiling.

(g) Right to withdraw consent: The data subject may at any time withdraw the consent given to the processing of his or her personal data, without this withdrawal affecting the lawfulness of the processing up to that point.

In case you exercise any of the above rights, M&S will respond promptly and in any case within thirty (30) days from the submission of the request, informing you in writing of the progress of its fulfilment.

For any complaint regarding this Privacy Policy or data protection issues, if we do not satisfy your request, you may contact the Hellenic Data Protection Authority through the following link: www.dpa.gr, at the following contact details: 1-3 Kifissia Avenue, P.C. 115 23, Athens, +30 210 6475600, +30 210 6475628, contact@dpa.gr.

Data Protection Officer (DPO) contact details

To exercise all of the above rights, as well as for any issue regarding the processing of your personal data by M&S, you can contact the M&S Data Protection Officer at the following contact details:

  • e-mail: dataprivacy@marks-and-spencer.com
  • in writing: to the attention of the Data Protection Officer, Mr. Konstantinos Anastasopoulos, “MARKS & SPENCER MARINOPOULOS GREECE” 33-35 Ermou Street, Athens, P.O. Box 105 63

Disclaimer for Third Party Websites

In the event that there are links on our website that redirect you to third party websites, we inform you that M&S does not control and is not responsible for the content of such websites, nor for the way your personal data is processed.

On M&S’s website there are social media widgets (e.g. Facebook, Instagram). By using them, a special digital footprint is created after the user logs in to the social network. Regarding this footprint both M&S and the social network itself act as Joint Controllers.

M&S processes this data in order to improve the functionality of the website and its services as well as to analyse its traffic. The lawful basis for processing personal data is to achieve M&S’s legitimate interest and in particular interoperability with applications used by M&S.

M&S does not control and is not responsible for any subsequent processing carried out by the Joint Controllers.

For more information regarding the processing of the data and the options for configuring these networks, you can visit the following websites:

Updates to the Privacy Policy

This Privacy Policy may be modified/revised in the future, in the context of M&S’s regulatory compliance as well as the optimization and upgrade of our website services. We therefore recommend that you refer each time to the updated version of this Policy for adequate information.

Last modified: September 2023