Marks and Spencer plc is a company registered in England and Wales which is part of the M&S group of companies (collectively referred to as "M&S", "we" or "us" in this policy).
Maintaining the security of your data is a priority at M&S, and we are committed to respecting your privacy rights. We pledge to handle your data fairly and legally at all times. M&S is also dedicated to being transparent about what data we collect about you and how we use it.
This policy, which applies to personal data collected via the M&S website at here aimed at customers in Costa Rica (the “Website”) whether, you use your mobile device or go on line, provides you with information about:
- how we use your data;
- what personal data we collect;
- how we ensure your privacy is maintained; and
- your legal rights relating to your personal data.
M&S (and trusted partners acting on our behalf) uses your personal data:
Our international sales facilitation and fulfilment partner is Globale U.K. Limited (“Global-E”), a company registered in England and Wales (company registration number 08632376) whose registered office is at 2nd Floor, 167-169 Great Portland Street, London, W1W 5PF.
M&S uses your personal data to send you promotional messages by email, text and other electronic communication channels (with your consent) and may send you postal mail to update you on the latest M&S offers.
M&S aims to update you about products & services which are of interest and relevance to you as an individual.
You have the right to opt out of receiving promotional communications at any time, by:
If you are a member of Sparks, we may collect data directly from you, as well as analysing your browsing and purchasing activity, both on-line and in store, and your responses to marketing communications. The results of this analysis, together with other demographic data, allows us to ensure that we contact you with information on products and offers that are relevant to you. To do so, we use software and other technology (automated processing).
If you visit our websites, you may be served personalised advertisements for M&S branded products and services whilst using other websites (including social media platforms). Any advertisements you see will relate to products you have viewed whilst browsing our websites on your computer or other devices, or which we believe are of interest to you.
In order to make certain services available to you, we may need to share your personal data with some of our service partners. These include IT, delivery and marketing service providers and fraud prevention and identification partners.
M&S only allows its service providers to handle your personal data when we have confirmed that they apply appropriate data protection and security controls. We also impose contractual obligations on service providers relating to data protection and security, which mean they can only use your data to provide services to M&S and to you, and for no other purposes.
Aside from our service providers, M&S will not disclose your personal data to any third party, except as set out below. We will never sell or rent our customer data to other organisations for marketing purposes.
We may share your data with:
If you have an account with Facebook (or Instagram) and accept cookies on our website, your personal data including purchasing and browsing activity may be shared with Facebook so they can serve M&S advertisements to you when you are using Facebook platforms and apps (including Facebook and Instagram). For certain data processing activities relating to the marketing, Facebook Ireland will act as Joint Controller.
Further information on how Facebook Ireland processes your personal data, including the legal basis Facebook Ireland relies on and the ways to exercise data subject rights against Facebook Ireland, can be found in Facebook Ireland’s Data Policy at .
In accordance with data privacy laws, M&S has entered into an agreement (a ‘Controller Addendum’) with Facebook Ireland to determine the parties’ respective responsibilities for compliance with the obligations under the General Data Protection Regulation (GDPR) relating to the Joint Processing.
We have agreed that M&S is responsible for providing data subjects with the information set out above, and agreed that between the parties, Facebook Ireland is responsible for enabling data subjects’ rights under Articles 15-20 of the GDPR with regard to the personal data stored by Facebook Ireland after the joint processing.
In the event that a separate business acquires all or part of our business or its assets, for example in the context of a merger or takeover, we may need to disclose your personal data to that company, so they can continue to provide services to you. In this situation, your data will only be used by the other business for the purposes set out in this Policy.
In certain circumstances, it is possible that your personal data could be transferred to a company with whom we’re discussing selling or transferring all or part of the M&S business, but only where strictly necessary for the evaluation of the transaction. If this happens, the data will be kept secure and confidential and will be deleted if the business sale does not go ahead.
To deliver products and services to you, it is sometimes necessary for M&S to transfer your data outside of the European Economic Area to jurisdictions which have less stringent data protection laws to protect personal data . This will typically occur when we use overseas service providers located outside the European Economic Area (EEA) or if you are based overseas and outside the EEA. These transfers are subject to special rules under data protection laws.
If this happens, we will ensure that the transfer will be compliant with data protection law and all personal data will be secure. Our standard practice is to use ‘standard contractual clauses’ which have been formally approved by the European Commission and the relevant UK authorities for such transfers. Those clauses can be accessed here
We will not retain your data for longer than necessary for the purposes set out in this Policy. Different retention periods apply for different types of data, however the longest we will normally hold any personal data is 7 years.
M&S may collect the following information about you:
Our website are not intended for children and we do not knowingly collect data relating to children.
This list is not exhaustive and, in specific instances, we may need to collect additional data for the purposes set out in this Policy. Some of the above personal data is collected directly, for example when you set up an on-line account on our websites, or send an email to our customer services team. Other personal data is collected indirectly, for example your browsing or shopping activity. We may also collect personal data from third parties who have your consent to pass your details to us, or from publicly available sources.
M&S is committed to keeping your personal data safe and secure.
Our security measures include: -
M&S will never ask you to confirm any bank account or credit card details via email. If you receive an email claiming to be from M&S asking you to do so, please ignore it and do not respond.
If you are using a computing device in a public location, we recommend that you always log out and close the website browser when you complete an online session.
In addition, we recommend that you take the following security measures to enhance your online safety both in relation to M&S and more generally:-
- keep your account passwords private. Remember, anybody who knows your password may access your account.
- when creating a password, use at least 8 characters. A combination of letters and numbers is best. Do not use dictionary words, your name, email address, or other personal data that can be easily obtained. We also recommend that you frequently change your password. You can do this accessing your account, clicking ‘your account’, clicking ‘your data’ and selecting ‘change password’.
- avoid using the same password for multiple online accounts.
You have the following rights:
If you wish to exercise any of the above rights, please contact us using the contact details set out below.
We are required to set out the legal basis for our ‘processing’ of personal data.
M&S collects and uses customers’ personal data because it is necessary for:
In general, we only rely on consent as a legal basis for processing personal data in relation to sending direct marketing communications to customers via email or text message.
Customers have the right to withdraw consent at any time. Where consent is the only legal basis for processing, we will cease to process data after consent is withdrawn.
The normal legal basis for processing customer data, is that it is necessary for the legitimate interests of M&S, including:-
What are cookies?
The cookies stored on your computer or other device when you access our websites are designed by:
The main purposes for which cookies are used are: -
Cookies will remain on your device for various lengths of time dependant on their type and purpose. Some cookies may only be used throughout the duration of the visit and others may persist over time to enable us to view how you interact with our services.
Note - if you have already consented to cookies on our website, you can change your preferences at any time by clearing cookies from your browser and re-entering our site. This will cause the pop-up banner to re-display, and you can choose to use the site(s) without consenting to cookies.
If you want to disable cookies you can also change your website browser settings to reject cookies. How you can do this will depend on the browser you use. Further details on how to disable cookies for the most popular browsers are set out below:
This depends on which cookies you disable, but in general the websites may not operate properly if cookies are switched off. If you only disable third party cookies, you will not be prevented from making purchases on our sites. If you disable all cookies, you will be unable to complete a purchase on our sites.
Our Data Protection Officer helps us to ensure we protect the personal data of our customers (and others) and comply with data protection legislation.
If you have any questions about how M&S uses your personal data that are not answered here, or if you want to exercise your rights regarding your personal data, please contact our Data Protection Officer’s team by
You have the right to lodge a complaint with the Information Commissioner’s Office. Further information, including contact details, is available at https://ico.org.uk.
M&S has partnered with certain trusted third parties to make additional products and services available to you, including:
M&S Lunch to You on our M&S for Business site (under partnering arrangements with EWA Ltd) accessible by clicking here.
M&S Made-to-Measure Shirts (under partnering arrangements with Bivolino) accessible by clicking here.
M&S Personalised (under partnering arrangements with Hallmark Cards PLC) accessible by clicking here.
These products and services can be accessed online through the relevant third party's "microsite". These websites, and others linked to from this Policy, are owned and operated by a third party and they are responsible for processing personal data in accordance with their own privacy policies.
This policy was last updated in March 2023
and 'Add to Home Screen'
Speed up your shopping experience by adding M&S to your home screen!