We are committed to protecting and respecting your privacy. Please read this document carefully.
The specific legal grounds for each type of processing are set out below.
- What personal data do we collect about you?
- Verifying your age
- How do we process your personal data?
- For how long do we keep your personal data?
- Where do we store your personal data?
- Transfers of your personal data
- The legal basis for processing of your personal data
- Your rights
- How to contact us
WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU?
We collect and process the following data about you (“your personal data”):
- Data that you submit online via the Website: your name, email address, telephone number, login credentials, payment details such as your credit or debit card details or your financial bank details and the reason why you provided the data (e.g. in connection with an order, when you create an account on the Website, when you make a purchase on the Website and/or because you wish to receive our newsletter);
- Any correspondence you send us and, if you have given your consent thereto, information you provide when you contact our customer service;
- Details of your visits to the Website and the resources you access (which may include traffic data and communication data);
- Data concerning the orders you place via the Website or in connection with an activity arranged by us;
- Data you provide when you participate in customer surveys carried out by, or on behalf of, us;
- Data you provide when you register your participation in competitions/lotteries arranged by us; and
- Images and videos of you when you give your consent.
We are aware that your personal data may be confidential, and we will protect your privacy in accordance with our normal routines and legal requirements.
You are not obliged to provide us with any data, but if you do not give us access to certain items of essential data, we may be unable to provide access to all of our products and services. For example, if you do not provide data allowing us to verify your age, it may not be possible for us to communicate with you or allow you to access the content of the Website. See below for further details.
VERIFYING YOUR AGE
As this Website relates to nicotine products, we must make sure that users are verified on the Website and are aged 18 years or over. This also applies to any activities arranged by us and to purchases of products from the Website. Failing age verification will mean you cannot access the Website, complete purchases of our products and/or in some cases that you cannot participate in activities arranged by us.
For age verification in connection with product orders, we collect your national ID number, forename, surname and telephone number (this data is used for the banking application).
A request from the Website to the BankID service will leave some temporary traces in BAT’s website system. The Website makes no changes to the data (national ID number) submitted for BankID or the data that is downloaded (national ID number, forename and surname) and transferred back to the Website. Since transfers of personal data are considered as processing of personal data under the GDPR, such transfers must comply with applicable data protection legislation and the traces of personal data which are registered in our system will be erased on a regular basis.
We may request further data in certain cases to verify your age. We will contact you and explain why if this is necessary.
HOW DO WE PROCESS YOUR PERSONAL DATA?
We process your personal data in the following ways:
- To ensure that the content of the Website is presented as effectively as possible for you;
- To carry out our obligations arising from any contracts with you when you make a purchase of our products on the Website, such as processing for billing and delivery purposes;
- To respond to your queries and otherwise to resolve your complaints when you contact our customer service as well as, if you have given your consent thereto, use recordings of your calls to improve our customer service;
- For our internal purposes, such as quality control, Website performance and system administration, and to evaluate use of the Website, so that we can provide you with enhanced services;
- To notify you of changes to our services, to provide you with information about products or services that you request from us or which we feel may interest you and to tailor the marketing communications we send you (where necessary, after obtaining your consent);
- To create reports to assist with future marketing including eligibility to answer questionnaires sent by us;
- To evaluate and improve the products and services we provide, by means of customer surveys;
- To verify your age (see section above for further details);
- To enable you to participate in the features of the Website, when you choose to do so;
- To enable us to send a copy of the consent provided by you in connection with an activity arranged by us;
- To authenticate you when logging in to your account, if you have created one, and to allow you to register accounts on other websites and for other services we or other BAT entities operate;
- To save and publish images and videos of you on social media and internally in BAT (after we have obtained your consent); and
- To deal with competitions/lotteries that you participate in and to provide information on winners in connection with such arrangements.
We may monitor your use of the Website and record your email address, operating system and browser type, for system administration and to report aggregate data to our advertising partners. The data we report to our partners is statistical data about our users’ browsing actions and patterns and does not identify any individual.
We collect aggregated statistical data about visitors to the Website and sales and traffic patterns. For the sake of clarity, this data does not identify users in any personal capacity, nor do we use this data to build profiles on individual users: it only contains generalised data about the users of the Website.
FOR HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We will not keep your personal data for any longer than is necessary for the purposes for which we collect it unless we believe that the law or other regulation requires us to preserve it (for example, because of a request by a tax authority or in connection with any anticipated litigation). When it is no longer necessary to retain your personal data, we will delete the personal data we hold about you from our systems. Your personal data will be processed for as long as is required for us to administer the order and provide service to you and to address any claims and demands in relation to legislation, but for no longer than six months after your order unless we have a legal obligation to store data for longer than this. This shall also apply in connection with activities that we arrange unless otherwise specified by the privacy notice for the specific activity.
If you have registered an account on the Website, we will keep your personal data for as long as your account is open. If you no longer wish to hold an account with us, you may at any time close and delete your account by selecting this option in your account settings.
If you have given your consent to receive a newsletter from us, we will retain your details until you withdraw your consent. We will then store only those details necessary to document that we have had your consent for less than two years.
If you have given your consent for us to use an image and video of you, we will retain the image and video for as long as we have your consent, subject to a maximum of two years.
WHERE DO WE STORE YOUR PERSONAL DATA?
All your personal data that is processed by us is stored on our secure servers. Any actions you perform on the Website which are related to your account will be encrypted. If you have a user name, password or other login details which enable you to access certain parts of the Website, you must not allow any other person to use them and must treat them as confidential. If you believe or suspect that someone else knows your login details, you must contact us at firstname.lastname@example.org as soon as possible.
Unfortunately, the transmission of data via the Internet is not completely secure. Although we will apply our normal procedures and comply with legal requirements to protect your personal data, we cannot guarantee the security of your personal data transmitted to the Website and any transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.
The Website may from time to time contain links to and from other websites. If you follow a link to any of those sites, please note that those sites ought to have their own privacy policies and that we do not accept any responsibility or liability for those sites or for their privacy policies. Please check those privacy policies before you submit your personal data to those sites.
We may contact you via email for marketing purposes if you have given your consent to this or if you have purchased any of our products on the Website and in connection therewith not objected to receiving such marketing. In addition, we may contact you for marketing purposes via phone/text message provided that you have not previously objected to this.
If you do not want us to process your personal data in this way, you should not give your consent and you may also clarify this by the choices you are given when completing a purchase on the Website. You may ask us at any time not to process your personal data for marketing purposes by contacting us at email@example.com. You may also cancel or unsubscribe from receiving marketing from us by clicking on the ‘Unsubscribe’ link at the bottom of our email communications.
If you do not complete a purchase on the Website and have not indicated that you would prefer otherwise, we may send a reminder to you about your incomplete purchase or ask why you did not complete the purchase so that we may better refine the service we offer.
TRANSFERS OF YOUR PERSONAL DATA
Your personal data may be transferred to third parties in accordance with the following:
- With other organisations if we sell or buy any business or assets (as we may share your personal data with the prospective seller or buyer);
- With other organisations if we or substantially all our company assets are acquired by another party, in which case your personal data will be one of the transferred assets;
- With any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries;
- With our payment providers when you make a purchase on the Website;
- With business partners, agencies, suppliers (such as the supplier of our customer service) or sub-contractors for the performance of any contract we enter into with them or you, or to publish your image and video on social media (after we have obtained your consent); and
- With other organisations if we have to share your personal data to comply with legal or regulatory requirements, or if we have to enforce or apply our Terms and Conditions or any other agreements or to protect our rights, property, customers, etc. This may involve exchanging data with other companies and organisations for the purposes of fraud protection and credit risk reduction.
We may share the aggregated statistics data about visitors to the Website with third parties.
We may pass your email address to selected third parties (as described above under the heading ‘Marketing’) provided that you explicitly consent to this when we take your order.
We do not send any personal data that we collect about you on the Website to any social media sites that you link to your account, e.g. Facebook. We will not share data with social media sites such as Instagram, Facebook and YouTube if we have not obtained your consent for this. Moreover, we shall not collect any personal data about you from such websites.
British American Tobacco Sweden AB does not collect any data about individuals under 18 years. If we discover that an individual under 18 years has submitted data, this will immediately be erased from our records.
TO WHAT COUNTRIES DO WE TRANSFER YOUR PERSONAL DATA?
Your personal data may be transferred outside the European Economic Area to the types of entities described in the section “Transfers of your personal data” above.
We aim to ensure that your personal data is stored and transferred in a way which is secure. We will therefore only transfer data outside the European Economic Area (EEA – i.e. the Member States of the European Union, together with Norway, Iceland and Liechtenstein) if this is done in accordance with data protection legislation and the means of transfer provides adequate safeguards in relation to your personal data, for example:
- By way of an intra-group agreement between BAT entities, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws; or
- By way of a data transfer agreement with a third party, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws; or
- By transferring your personal data to an entity which has signed up to the EU-US Privacy Shield Framework for the transfer of personal data from entities in the EU to entities in the United States of America or any equivalent agreement in respect of other jurisdictions; or
- By transferring your personal data to a country where there has been a finding of adequacy by the European Commission in respect of that country’s levels of data protection via its legislation; or
- Where it is necessary for the conclusion or performance of a contract between us and a third party and the transfer is in your interest for the purposes of that contract (for example, if we need to transfer your personal data to a benefits provider based outside the EEA); or
- Where you have consented to the data transfer.
THE LEGAL BASIS FOR PROCESSING OF YOUR PERSONAL DATA
There are different legal bases that we rely on to process your personal data, namely:
- Performance of a contract – The use of your personal data may be necessary to perform a contract that you have with us. For example, we need to process your personal data to enable you to use certain parts of our Website and so that we can process and deliver your order of our products from the Website.
We may make automated decisions about you based on your personal data in the following circumstances:
- To select personalised offers, discounts or recommendations to send you based on your Website browsing history and other data you provide us with; and
- In order to verify your age when you attempt to access the Website (see the explanation above for further information about this).
You can access and update certain parts of your personal data by logging in to your account.
Consistent with legal requirements and limitations, you have various rights in relation to the data which we hold about you. We have set these out below.
RIGHT TO OBJECT
This right enables you to object to the processing of your personal data when done by us for one of the following reasons:
- Because it is in our legitimate interests to do so (for further information please see the section “The legal basis for processing of your personal data”);
- To enable us to perform a task in the public interest or exercise official authority;
- To send you direct marketing materials; or
- For scientific, historical, research or statistical purposes.
RIGHT TO WITHDRAW CONSENT
Where we have obtained your consent to process your personal data for certain activities (for example, for marketing), you may withdraw that consent at any time by contacting us using the contact details below and we will cease to use your personal data for that purpose unless we consider that there is an alternative legal basis to justify our continued processing of your personal data for that purpose, in which case we will inform you of that condition.
DATA SUBJECT ACCESS REQUESTS
You may ask us for a copy of the data we hold about you at any time, and request that we modify, update or delete such data. If we provide you with access to the data we hold about you, we will not charge you for this unless permitted by law. If you request further copies of this data from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will always tell you the reasons for doing so.
RIGHT TO ERASURE
You have the right to request that we ‘erase’ your personal data in certain circumstances. Normally, this right exists where:
- The data is no longer necessary;
- You have withdrawn your consent to us using your personal data, and there is no other valid reason for us to continue;
- The data has been processed unlawfully;
- It is necessary for the data to be erased in order for us to comply with our obligations under the law; or
- You object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we would always tell you our reason for doing so.
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.
RIGHT TO RESTRICT PROCESSING
You have the right to request that we restrict our processing of your personal data in certain circumstances, for example if you dispute the accuracy of the personal data that we hold about you or you object to our processing of your personal data for our legitimate interests. If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.
RIGHT TO RECTIFICATION
You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for that decision.
RIGHT OF DATA PORTABILITY
If you wish, you have the right to transfer your personal data between service providers. In effect, this means that you are able to transfer the details we hold on you to another third party. To allow you to do so, we will provide you with your personal data in a commonly used machine-readable format so that you can transfer the data. Alternatively, we may directly transfer the data for you.
RIGHT TO COMPLAIN
You also have the right to lodge a complaint with your national supervisory authority, which is the Swedish Data Protection Authority in Sweden. You may contact them in the following ways:
If you would like to exercise any of these rights or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your personal data), please contact us using the ‘Contact us’ form on our Website or write to us at the address given below. Please note that we may keep a record of your communications to help us process your case.
Please note that we may require additional information from you in order to process your case.
If you would like to discuss or exercise such rights, email us at firstname.lastname@example.org.
You can unsubscribe or opt out from receiving marketing communications from us by clicking the ‘Unsubscribe’ link at the bottom of our email communications.
You also have the right to ask us not to process your personal data (or transfer your personal data to other companies or organisations) for marketing purposes. You can tick the appropriate box on the forms when we collect your personal data or submit a separate request at any time by contacting us at email@example.com.
HOW TO CONTACT US
If you wish to contact us with any queries or concerns, please visit our Website under ‘Contact us’, email us at firstname.lastname@example.org or write to us at:
British American Tobacco Sweden AB
Organisation number: 556098-6779
104 25 Stockholm
Phone: +46 8 546 730 00