Molton Brown Limited, 130 Shaftesbury Avenue, London W1D 5EU ("Kao Company" or "we" or "our") provides this Vendor/Business Partner Data Protection Notice ("Notice") to explain our practices as the responsible data controller regarding the collection, processing, and use of personal data relating to our vendors, suppliers, and business partners (collectively, "Vendors") and our Vendors' employees.
This Notice applies to you if you are a Vendor of the Kao Company as an individual (e.g., a consultant or sole entrepreneur) or if you are an employee of a Vendor who interacts with the Kao Company on such Vendor's behalf.
The Kao Company collects, processes, and uses the following categories of personal data about you from you or from authorized third parties (e.g., your supervisor, public authorities or public resources) (collectively, "Vendor Data"):
Vendor Data is collected, processed, and used for purposes of performing the contractual relationship with the Vendor (including fulfilling the contractual obligations, invoice processing, communication, and legal and compliance activities), for purposes of marketing and Customer Relationship Management ("CRM") activities, and for security and fraud prevention activities (collectively, "Processing Purposes").
The Kao Company relies on the following legal grounds for the collection, processing, and use of personal data:
The provision of Vendor Data is necessary for the conclusion and/or performance of the Vendor contract, and is voluntary. However, if you do not provide Vendor Data, the affected Vendor management and administration processes might be delayed or impossible.
The Kao Company may transfer your Vendor Data to third parties for the Processing Purposes as follows:
Any access to your personal data is restricted to those individuals that have a need-to-know in order to fulfill their job responsibilities. The Kao Company may also disclose your personal data as required or permitted by applicable law to governmental authorities, courts, external advisors, and similar third parties.
International transfers. The personal data that we collect or receive about you may be transferred to and processed by recipients that are located inside or outside the European Economic Area ("EEA"). For recipients located outside of the EEA, some are certified under the EU-U.S. Privacy Shield and others are located in countries with adequacy decisions, and, in each case, the transfer is thereby recognized as providing an adequate level of data protection from a European data protection law perspective. Other recipients might be located in countries which do not adduce an adequate level of protection from a European data protection law perspective. We will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law. With respect to transfers to countries not providing an adequate level of data protection, we will base the transfer on appropriate safeguards, such as standard data protection clauses adopted by the European Commission or by a supervisory authority, approved codes of conduct together with binding and enforceable commitments of the recipient, or approved certification mechanisms together with binding and enforceable commitments of the recipient. You can ask for a copy of such appropriate safeguards by contacting us as set out in Section 7 below.
Your personal data is stored by the Kao Company and/or our service providers, strictly to the extent necessary for the performance of our obligations and strictly for the time necessary to achieve the purposes for which the information is collected, in accordance with applicable data protection laws. When the Kao Company no longer needs to use your personal data, we will remove it from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which the Kao Company is subject).
Personal data contained in contracts, communications, and business letters may be subject to statutory retention requirements, which may require retention of up to 10 years. Any other Vendor Data will in principle be deleted 5 years after the termination of the business relationship between you and the Kao Company.
Right to withdraw your consent: If you have declared your consent regarding certain collecting, processing and use of your personal data (in particular regarding the receipt of direct marketing communication via email, SMS/MMS, fax, and telephone), you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. Please contact us as stated in Section 7 below to withdraw your consent. Further, you can object to the use of your personal data for the purposes of marketing without incurring any costs other than the transmission costs in accordance with the basic tariffs.
Additional data privacy rights: Pursuant to applicable data protection law you may have the right to: (i) request access to your personal data; (ii) request rectification of your personal data; (iii) request erasure of your personal data; (iv) request restriction of processing of your personal data; (v) request data portability; and/or (vi) object to the processing of your personal data.
Please note that these aforementioned rights might be limited under the applicable local data protection law. Below please find further information on your rights to the extent that the GDPR applies:
Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data. Such right to object may especially apply if we collect and process your personal data for profiling purposes in order to better understand your interests in our products and services or for direct marketing.
If you have a right to object and you exercise this right, your personal data will no longer be processed for such purposes by us. You may exercise this right by contacting us as stated in Section 7 below.
Such a right to object may, in particular, not exists if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
If you no longer want to receive direct marketing via email, SMS/MMS, fax, and telephone, you need to withdraw your consent as explained above.
To exercise your rights please contact us as stated in Section 7 below. You also have the right to lodge a complaint with the competent data protection supervisory authority.
If you have any questions about this Notice or if you want to exercise your rights as stated above in Section 6, please contact us at:
Molton Brown Limited,
130 Shaftesbury Avenue,
London W1D 5EU
Tel: 0808 178 1188
Email: customerservice@moltonbrown.com.