PRIVACY NOTICE

BRITISH AMERICAN TOBACCO SWEDEN AB

This Privacy Notice explains how British American Tobacco Sweden AB ("we", "us" or “BAT”) processes your personal information as a data controller depending on your relation to BAT.

We are always committed to protecting and respecting your privacy and to process your personal data in accordance with relevant data protection legislation, i.e. the General Data Protection Regulation (the “GDPR”) and Swedish Data Protection Act.

If you have any concerns or questions regarding BAT’s processing of your personal data, please do not hesitate to contact us using the below listed contact information.

1. DATA CONTROLLER

The entity responsible for the processing of your personal information is:

British American Tobacco Sweden AB

Box 30244

104 25 Stockholm

Sweden

Email:gdpr_emails@bat.com

Phone:+46 8 546 730 00

2. DESCRIPTION OF THE PROCESSING

In the following schedules you will find information about how BAT processes your personal data depending on your relation to BAT and the purposes of which we process your personal data.

In the schedules you will find information on how we process your personal data, including information on our purposes with processing, the categories of personal data we process about you, how we collect your personal data, the legal basis on which we rely on when processing your personal data, information on the parties that we may share your personal data with and information on how long we retain your personal data.

You can choose between information on how we process your personal data, when:

  • you visit our website
  • you receive and participate in BAT marketing
  • you create an account on our websites
  • you purchase our products
  • you communicate with us and our customer service
  • you are a customer, supplier or other third-party representative

Please choose the schedule that is relevant for you.

When visiting our website

BAT processes your personal data when you visit our websites by setting cookies that collect personal data about you and by collecting information about your age to ensure that you are old enough to visit our website. BAT may use personal data collected through cookies for statistics, analysis, optimization and functionality purposes as well as marketing and targeting purposes.

BAT only uses non necessary cookies if you have given your consent to do so. You can always withdraw or change your consent by deleting or blocking cookies in your browser or in the cookie overview or by contacting us.

See more about BAT’s use of cookies, including how to delete and block cookies in our cookie overview and policy https://www.golyft.se/se/en/cookie-policy and see more in section 6 on how to withdraw your consent by contacting us.

Categories of personal data and sources

We may process the following categories of personal data about you:

Ordinary personal data:

Information about your behaviour on our website and technical information about your visit, including details of your visits on our website and your navigation around the website, traffic data, information about the device you use, your MAC address, your IP address and information from your IP address such as location, browser type etc.

Further, we process the consent that you have given.

Also, we collect confirmation that you are above 18 years old to ensure that you are old enough to visit our website.

Sources:

We collect your personal data directly from you through your use of our website.

BAT may also process your personal data for communication and customer service purpose if you choose to communicate with us through our website, e.g. by using chat functions or contact formulas available on our websites.

Please refer to “When communicating with us and our customer service” for information on how we process your personal data for this purpose.

Legal basis

We process your personal data on the following legal bases:

  • Article 6.1.a (consent to the processing of personal data through the use of non-necessary cookies)
  • Article 6.1.c (necessary to comply with our legal obligations, including regulation that we are subject to for the purpose of ensuring that you are old enough to visit our website)
  • Article 6.1.f (necessary for the pursuit of our legitimate interest in business operations and business and product development, including compiling statistics and analysis of the use of our website and to optimize the user experience on our website)
Recipients

We may share your personal data for the described purpose with:

  • Business partners and third parties, including suppliers and vendors, that we work with to assist our company (e.g. suppliers, service providers, technical and IT and digital support)
  • Group entities
  • Social media
  • (Potential) purchasers, sellers and advisors in case of a sale or purchase
  • Third parties as described in our cookie overview and policy:

BAT may use third party cookies e.g. to remember your settings, for traffic measurements, statistics, to show targeted advertisements and to track your use of our website.

For these types of processing BAT will in some cases be a joint controller with the provider of the third-party cookie(s).

You can read more about our use of third parties and also find links to the relevant third parties’ own privacy policies in the cookie overview and policy on our website https://www.golyft.se/se/en/cookie-policy.

Data retention

The retention periods depend on each cookie that are being set on our websites.

You can read more about our cookies and the retention period in our cookie policy https://www.golyft.se/se/en/cookie-policy.

Information about whether you are old enough to visit our website will be deleted when you no longer use the site and then asked for again the next time you visit the site.

When receiving and participating in BAT marketing

BAT processes your personal data for marketing purposes, when you have signed up to receive newsletters and other marketing material, from BAT, if you follow and/or interact with our accounts on social media or if you participate in any BAT marketing activities, such as events, parties, competitions, lotteries etc.

Categories of personal data and sources

We may process the following categories of personal data about you:

Ordinary personal data:

Name, email address, information about your age, information about your social media account, information about how you interact with us on social media platforms.

Information that you choose to give us when interacting with us on marketing platforms or as part of marketing activities, e.g. lotteries or competitions.

If you participate in any BAT events we might also take pictures and videos from the event but only with your consent to do so.

Sources:

We collect your personal data directly from you

Legal basis

We process your personal data on the following legal bases:

  • Article 6.1.a (consent)
  • Article 6.1.f (necessary for the pursuit of our legitimate interest in marketing of our business and our products)
Recipients

We may share your personal data for the described purpose with:

  • Business partners and third parties, including suppliers and vendors, that we work with to assist our company (e.g. suppliers, service providers, technical and IT and digital support)
  • Group entities
  • Social media
  • (Potential) purchasers, sellers and advisors in case of a sale or purchase
Data retention

We will retain personal data processed for this purpose as long as you are signed up to receive newsletters from us.

Don’t forget - you can always unsubscribe in the bottom of the newsletters that we send you! See more below on how to withdraw your consent.

Marketing material will be kept in accordance with our agreement and the specific case in question, but will be deleted as soon as possible, e.g. when a competition or lottery is over.

Pictures and videos of you will be kept for a maximum of 2 years.

Some personal data follow the retention periods under “When communication with us and our customer service” below.

When creating an account on our website

BAT processes your personal data when you create an account on our websites for the purpose of ensuring that you are old enough to be able to purchase and receive information about the products that we offer.

Categories of personal data and sources

We may process the following categories of personal data about you:

Ordinary personal data:

Name, address, email address, birthday, gender, account information, telephone number and payment information if you choose to save such information on your account

Information about your age to ensure that our products are not sold to consumers under the age of 18. When you create an account we will ask you to validate your age by identifying you using online identification services such as Bank ID in order for us to ensure that we do not market or sell products to people under 18 years old.

Sources:

We collect your personal data directly from you when you create your account.

Legal basis

We process your personal data on the following legal bases:

  • Article 6.1.b (necessary for the performance of a contract with our customers and consumers in case you create an account to purchase our products)
  • Article 6.1.c (necessary to comply with our legal obligations, including regulation that we are subject to for the purpose of ensuring that you are old enough to purchase and receive information about our products)
  • Article 6.1.f (necessary for the pursuit of our legitimate interest in business operations and development)
Recipients

We may share your personal data for the described purpose with:

  • Business partners and third parties, including suppliers and vendors, that we work with to assist our company (e.g. suppliers, service providers, technical and IT and digital support)
  • Group entities
  • (Potential) purchasers, sellers and advisors in case of a sale or purchase
Data retention

We will retain personal data processed for this purpose as follows:

You can always delete your account on our website, but if you have purchased our products we will retain your personal data as mentioned under “When purchasing our products”.

When purchasing our products

BAT processes your personal data when you buy our products for the purpose of providing you the service and products that we offer, including to verify your age and for us to execute your order and to dispatch it to you and to follow up on purchases. Further, we might process your personal data after your purchase if we send out information, surveys and questionnaires about our products.

Categories of personal data and sources

We may process the following categories of personal data about you:

Ordinary personal data:

Name, address, email address, birthday, gender, account information, information about your order, telephone number, payment information and any information included in communication before and after you have purchased our products.

Information about your age to ensure that our products are not sold to consumers under the age of 18. When you visit our website we will ask for confirmation that you are 18 years old, and when you are about to purchase our products and creating an account we will ask you to validate your age by identifying you using online identification services such as Bank ID in order for us to ensure that we do not market or sell products to people under 18 years old.

Information about your experience with our products.

Sources:

We collect your personal data directly from you and/or from the person placing the order on your behalf.

Legal basis

We process your personal data on the following legal bases:

  • Article 6.1.b (necessary for the performance of a contract with our customers and consumers)
  • Article 6.1.c (necessary to comply with our legal obligations, including bookkeeping regulation and regulation that we are subject to for the purpose of ensuring our that you are old enough to visit our website and to purchase our products)
  • Article 6.1.f (necessary for the pursuit of our legitimate interest in business operations and development, including selling and distributing our products and sending them to the recipient and customer service in this regard and also necessary for our interest in improving our products)
Recipients

We may share your personal data for the described purpose with:

  • Business partners and third parties, including suppliers and vendors, that we work with to assist our company (e.g. suppliers, service providers, technical and IT and digital support)
  • Group entities
  • (Potential) purchasers, sellers and advisors in case of a sale or purchase
  • Carriers
  • Social media
Data retention

We will retain personal data processed for this purpose as follows:

We will as a main rule retain the personal data for as long as necessary as required pursuant to relevant bookkeeping regulation.

Personal data from surveys, questionnaires etc. will be kept until the survey or questionnaire is over.

Information included in communication before and after your purchase will be retained as described in “When communicating with us or our customer service”.

Also, you can always delete your account on our website.

When communicating with us and our customer service

BAT processes your personal data for the purpose of providing customer service to you and to handle any questions, inquiries, claims etc. that you might have about our products and services. BAT communicates with you through email, phone and website communication such as contact formulas and chats depending on how you choose to contact us.

Categories of personal data and sources

We may process the following categories of personal data about you:

Ordinary personal data:

Name, email, telephone number, job title and any information that you give us in your inquiry when you contact, e.g. the questions you might have and the information related to these as well as further information that we might need to handle your inquiry.

Information related to any claims or complaints that you might have about our products, e.g. your experience with our products.

When you call our customer service, we might record our conversation for internal training purposes if you give us your consent to do so.

Sources:

We collect your personal data directly from you when you contact us.

Legal basis for the processing

We process your personal data on the following legal bases:

  • Article 6.1.a (consent) with respect to recordings
  • Article 6.1.b (necessary for the performance of a contract)
  • Article 6.1.c (necessary to comply with our legal obligations), including

    -regulation that we are subject to for the purpose of handling any claims or complaints that you might have about our products, including regulation that set out our obligations towards you

  • Article 6.1.f (necessary for the pursuit of our legitimate interest in operating and developing our business, including providing customer services to you, optimizing our products and our customer service and to handle claims and complaints)
Recipients

We may share your personal data for the described purpose with:

  • Business partners and third parties, including suppliers and vendors, that we work with to assist our company (e.g. suppliers, call centres, service providers, technical and IT and digital support)
  • Group entities
  • (Potential) purchasers, sellers and advisors in case of a sale or purchase
Data retention

We will retain personal data processed for this purpose for:

We will retain your personal data for as long as it is necessary in order for us to find a solution on your inquiry, i.e. to answer your questions and/or handle your complaints and claims. As a main rule this is up to 6 months from the end of the communication or the end of the case your inquiry is about.

If your inquiry is or might develop into a potential dispute, we may retain your personal data for a longer period of time. The retention period is hereafter depending on the circumstances around your inquiry, including what your inquiry is about, if it involves any damages etc., and we will only retain the personal data in order to be able to document the case and handle a potential (legal) dispute arising from or involving your inquiry and only for the period of time we might be met with a dispute etc. in accordance with the limitation regulation.

Any recordings of conversations that you are a part of based on your consent will be deleted after 30 days.

When you are a customer, supplier, business partner or other third-party representative

BAT processes your personal data for business operations purposes when you represent your employer or have a relation to a company when your employer or such company is a customer, supplier or other third-party to BAT or if you are a business partner of BAT (e.g. influencers), for example if you communicate with BAT as a part of you working for one of BAT’s business partners, suppliers etc. or other parties that BAT is communicating and co-operating with.

Examples of such communication could be as a part of marketing of our products, sale and distribution of BAT’s products, contact with public authorities, contact with journalists, use of third-party suppliers and agencies to support our business, organisations, retailers, external consultants, BAT ambassadors, cleaning firms, food suppliers, on site guards, etc.

Categories of personal data and sources

We may process the following categories of personal data about you:

Ordinary personal data:

Name, job title, workplace, signature and contact information such as your email and telephone number as well as other information that you choose to give us.

Information about the task/job/case etc. that our relationship concern, including all communication in this regard.

If you are visiting or working at our locations, we will also process information about you through our use of CCTV surveillance and logging of the use of access cards.

For this purpose, we will only process your personal data in the case that you are employed with or have a relation to one of BAT’s customer, suppliers or other third-parties that BAT is communicating with as part of our business operations.

Sources:

We collect your personal data either directly from you or from the company that you work for or have a relation to: BAT’s customer, supplier or other third-party that we work with or have a relation to.

Legal basis for the processing

We process your personal data on the following legal bases:

  • Article 6.1.f (necessary for the pursuit of BAT’s legitimate interest in business operations and development), including:

    - communication and co-operations with customers, suppliers and other third parties and business partners that we work with or have a relation to,

    - production of products,

    - sale and distribution of products,

    - marketing of our products

    - security measures, such as the use of surveillance and access cards

    - as well as other business-related matters.

Recipients

We may share your personal data for the described purpose with:

  • Business partners and third parties, including suppliers and vendors, that we work with to assist our company (e.g. suppliers, service providers, technical and IT and digital support)
  • Social media depending on the character of our agreement
  • Group entities
  • The company that you work with or have a relation to; BAT’s customer, supplier or other third parties and business partners
  • (Potential) purchasers, sellers and advisors in case of a sale or purchase
Data retention

We will retain personal data processed for this purpose for:

As a main rule we will retain your personal data for up to five years as from the end of the year in which the last purchase or delivery was made, or as from the end of our relationship/collaboration or the relationship/collaboration with the party that you represent or have a relation to.

However, we may store the personal data for an extended period if deemed necessary in a specific case, e.g. for establishing legal claims or in order for BAT to be able to document the relationship and/or certain circumstances with respect to the customer, supplier or other third-party.

Some inquiries follow the retention periods as mentioned under “When communicating with us or our customer service” – please refer to this purpose for more information.

3. TRANSFERS TO COUNTRIES OUTSIDE THE EU/EEA

In some cases, we will be transferring personal data to countries outside the EU/EEA.

Such transfers will take place on the basis of the following legal basis:

  • a) The country/countries has/have been deemed by the Commission of the European Union to have an adequate level of protection of personal data, i.e. the country is a “secure/adequate third country”
  • b) The country/countries has/have not been deemed by the Commission of the European Union to have an adequate level of protection of personal data. We will provide appropriate safeguards for the transfer:
    • through the use of "Model Contracts for the Transfer of Personal Data to Third Countries", as published by the Commission of the European Union, or any other contractual agreement approved by the competent authorities. You may obtain a copy of the contract/agreement by contacting us at gdpr_emails@bat.com.
    • through the use of binding corporate rules between BAT entities. You may obtain a copy of these by contacting us at gdpr_emails@bat.com.
  • c) In the absence of a decision that the country is secure/adequate and appropriate safeguards as mentioned above the transfer might in some, however limited cases take place if i) you have given your consent to the transfer, ii) the transfer is necessary for the performance of a contract between you as a data subject and BAT as data controller or the implementation of pre-contractual measures taken at your request, or iii) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of you as a data subject between BAT as the controller and another third party.

4.AUTOMATED DECISIONS

We will not use automated decision-making pursuant to GDPR article 22.

5.MANDATORY INFORMATION

Some of the information we process about you might be mandatory for us to collect in order to provide you the service that you request, e.g. when buying or receiving our products it is mandatory for us to collect certain information about you to sell you the products as well as it is mandatory for you to provide us with certain information with respect to customer service. The consequence of not providing us any mandatory information is however alone that we will not be able to provide you the requested service.

6.YOUR RIGHTS

You have the following rights:

  • You have the right to:
    • - request access to your personal data (GDPR article 15)
    • - request rectification of your personal data (GDPR article 16)
    • - request erasure of your personal data (GDPR article 17)
    • - have the processing of your personal data restricted (GDPR article 18)
    • - receive your personal information in a structured, commonly used and machine-readable format (data portability) (GDPR article 20)

If processing of your personal information is based on your consent, you have the right to withdraw your consent at any time. Your withdrawal will not affect the lawfulness of the processing carried out before you withdrew your consent. You may withdraw your consent by contacting us at gdpr_emails@bat.com and +46 8 546 730 00. If you wish to withdraw your consent with respect to cookies, please also see our cookie overview and policy.

Furthermore, you have the right to object to processing of your personal data as follows.

  • If processing of your personal data is based on article 6(1)(e) or article 6(1)(f), see above regarding legal basis, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data.
  • Where your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data about you for such marketing.

You can take steps to exercise your rights by contacting us at gdpr_emails@bat.com and +46 8 546 730 00.

There may be conditions or limitations on these rights. It is therefore not certain that for example you have the right of data portability in the specific case - this depends on the specific circumstances of the processing activity.

You may also always lodge a complaint with the local data protection supervisory authority:

The Swedish Data Protection Agency, Datainspektionen,

Drottninggatan 29, plan 5, 111 51 Stockholm

Email:datainspektionen@datainspektionen.se

Phone:+46 (0)08-657 61 00

Last updated: 30 September 2020

close
Close menu