Steinhoff takes its obligations with regard to data protection seriously. As such, we are providing this notice (“Privacy Notice”) to you so that you are provided with information about how Steinhoff collects and uses your Personal Data in accordance with applicable data protection law, including the General Data Protection Regulation 2016/679 (“GDPR”). Please read this Privacy Notice, as it contains important information of which you should be aware.
For the purposes of this Privacy Notice, (“Steinhoff Customers”, “you” or “your”) means customers of Steinhoff and “Steinhoff” (“we”, “us” or “our”) means Steinhoff UK Retail Ltd (a company incorporated in the UK with company registration number 0040754).
Steinhoff is the data controller with regard to the processing of your Personal Data (as defined below). The data controller is the entity that determines how and why Personal Data is processed.
In order for Steinhoff to deliver its products and services to you and manage its business efficiently, it is necessary for us to collect, maintain and process Personal Data about you. “Personal Data” is information which (either on its own or in combination with other information Steinhoff holds) allows Steinhoff to identify a Steinhoff Customer and thus enable us to manage our relationship with Steinhoff Customers. We may collect information from you when you visit our website, purchase goods or services from us, contact us by telephone, email or post or receive a communication from us relation to your purchase.
The Personal Data which we process may include the following:
Personal Data will primarily be collected from you directly. However, some Personal Data may, where lawful to do so, be collected by Steinhoff from third parties or publicly available information about you (e.g. from marketing agencies). We will only accept and use information about you from reputable organisations who have either obtained your permission to share your information with us or who have collated information about you from publicly available sources.
Please note that you are under no obligation to provide Steinhoff with your Personal Data; however, not providing some of the Personal Data described above could prevent Steinhoff from performing its obligations in relation to your purchase of goods and services (and any related services) from us.
Please note: this list may be updated from time to time and we will provide notice as and when such updates are made.
The term “processing” means any action taken, also with the help of electronic means, in connection with Personal Data, including collection, handling, use, transfer and disclosure by transmission, dissemination or otherwise making available, as well as recording, organisation, storage, retention, adaptation or alteration, access, retrieval, consultation, alignment or combination, blocking, anonymising, erasure, disposal or destruction.
|Personal Information||Basis of Processing||Purposes of Processing|
||Processing that is necessary to perform a contract or when taking steps in connection with a contract with you.||
Where necessary, processing based on your freely given, specific, informed and unambiguous consent.
Where we process special categories of personal data about you, this will be with your explicit consent.
||Processing that is necessary to comply with a legal obligation to which we as the data controller are subject (other than a contractual obligation).||
||Processing that is necessary for our own legitimate interests or those of third parties provided these are not overridden by your interests and fundamental rights and freedoms. A description of our legitimate interests is set out below.||
Personal Data – Legitimate Interests
The specific legitimate interest pursued and how this is balanced against your interests:
We may convert your Personal Data into statistical or aggregated data in such a way as to ensure that you are not identified or identifiable from that data. We may use this aggregated data to conduct research and analysis, including to produce statistical research and reports. We may share such anonymous aggregated data with third parties. Aggregated and anonymous information does not personally identify you and is therefore not Personal Data, (and so not caught within the GDPR).
Personal data will be shared and transferred from us to other Steinhoff group companies for the purposes noted above (or for such other purposes as are notified by Steinhoff to you from time to time).
Steinhoff may otherwise disclose Personal Data to third parties that are performing services under contract for Steinhoff, such as IT hosting and/or maintenance providers. Personal Data may also be disclosed upon lawful request by government authorities, law enforcement and regulatory authorities, where required or permitted by relevant local law and/or for tax or other purposes. Further, Personal Data may be disclosed to third parties in response to legal process and when required to comply with laws, or to enforce Steinhoff’s agreements and corporate policies or to protect the rights, property or safety of Steinhoff, its employees, agents and/or others, as well as to parties to whom the relevant Steinhoff Customer has authorised Steinhoff to release his Personal Data.
We may share any of your personal data with a prospective purchaser or purchaser of any part of our business, on the basis of our legitimate interests and the interests of our purchaser, so that they can appropriately value the business and assess any risks and continue doing business with you after the acquisition.
For the purposes described above (or for such other purposes as are notified by Steinhoff to you from time time), your personal information may be transferred to, and stored, and otherwise processed in, one or more countries outside of the European Economic Area (“EEA”). The jurisdiction of other organisations outside the EEA may not have adequate data protection laws equivalent to those in place within the EEA. For transfers of your Personal Data to third parties outside of the EEA, we take additional steps in line with data protection laws. We have implemented appropriate technical and organisational measures to protect your Personal Data in the form of EU Commission approved forms of contract with the relevant recipient(s) of your personal information. In addition, we will take reasonable steps to ensure that your personal information is adequately protected in accordance with the requirements of the UK data protection law. If you would like to obtain a copy of the EU Commission approved forms of contract, please contact us by using the details below.
Steinhoff may also, where permitted (and having obtained any necessary consents as may be required by law), disclose Personal Data outside of the EEA for the purposes noted above in respect of Steinhoff, or:
As stated above, Steinhoff takes the protection of your Personal Data seriously and we have implemented technical, physical and organisational measures to ensure the Personal Data (and Sensitive Personal Data) of Steinhoff Customers is kept accurate, up to date and protected against unauthorised or accidental destruction, alteration or disclosure, accidental loss, unauthorised access, misuse, unlawful processing and/or damage.
Steinhoff will retain your Personal Data only for such period as is necessary to perform the purpose(s) for which it was collected. In many cases this means that Personal Data will be retained for the duration of the time that we provide goods and services to you and then for a reasonable time thereafter in order to manage any problems, process any returns, manage our relationship with you, defend any claims, for tax purposes and/or for any other record keeping purposes. This period is typically a period of not less than 6 years from the date of delivery of your last order with us.
You have certain legal rights, which are briefly summarised below, in relation to any personal data about you which we hold.
|Your right||What does it mean?||Limitations and conditions of your right|
|Right of access||Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”).||
If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations.
We must be able to verify your identity. Your request may not impact the rights and freedoms of other people, eg privacy and confidentiality rights of other individuals.
|Right to data portability||Subject to certain conditions, you are entitled to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format.||
If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations.
This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (ie not for paper records). It covers only the personal data that has been provided to us by you.
|Rights in relation to inaccurate personal or incomplete data||
You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable.
We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details, telephone number.
|This right only applies to your own personal data. When exercising this right, please be as specific as possible.|
|Right to object to or restrict our data processing||Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.||As stated above, this right applies where our processing of your personal data is necessary for our legitimate interests. You can also object to our processing of your personal data for direct marketing purposes.|
|Right to erasure||Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), eg where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful.||We may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.|
|Right to withdrawal of consent||As stated above, where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time.||If you withdraw your consent, this will only take effect for future processing.|
Where our processing of your personal data is necessary for our legitimate interests, you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.
If you would like to exercise any of your rights as described above (or if you have any questions about this Privacy Notice or concerns about our dealings with your Personal Data), please contact email@example.com.
We will try to resolve any concerns you may have. However, if you consider that we are in breach of our obligations under data protection laws, you may lodge a complaint with the Information Commissioner’s Office (https://ico.org.uk/concerns/).
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or of an alleged infringement of the GDPR.
Steinhoff may change this Privacy Notice from time to time in order to reflect changes in the law and/or its privacy practices. When this happens and where Steinhoff is required to do so by law, it will provide you with a new and/or updated Privacy Notice.