M&S INTERNATIONAL CUSTOMER PRIVACY POLICY

Marks and Spencer plc is a company registered in England and Wales which is part of the M&S group of companies, which also includes Marks and Spencer (Ireland) Limited registered in the Republic of Ireland, Marks and Spencer Czech Republic, A.S registered in the Czech Republic and Marks and Spencer Greece Single Member S.A. registered in Greece (collectively referred to as "M&S", "we" or "us" in this policy).

OVERVIEW

Maintaining the security of your data is a priority at M&S, and we are committed to respecting your privacy rights. We pledge to handle your data fairly and legally at all times. M&S is also dedicated to being transparent about what data we collect about you and how we use it.

This policy explains how we use customer data obtained in connection with M&S’ operations outside the United Kingdom and Ireland, including any M&S operated websites directed at customers based outside the UK and Ireland and/or M&S run stores outside the UK and Ireland. It provides you with information about:

- how we use your data;

- what personal data we collect;

- how we ensure your privacy is maintained; and

- your legal rights relating to your personal data.

HOW WE USE YOUR DATA

GENERAL

M&S (and trusted partners acting on our behalf) use your personal data:

• to provide goods and services to you;
• to make a tailored website available to you;
• to manage any registered account(s) that you hold with us;
• to verify your identity;
• for crime and fraud prevention, detection and related purposes;
• to safeguard our colleagues, contractors and workers in our supply chain, including in relation to the risk of modern slavery and exploitation;
• with your agreement, to contact you electronically about promotional offers and products and services which we think may interest you;
• for promotional and marketing purposes and to tailor and personalise products and services;
• to operate loyalty or customer reward schemes;
• to train and manage our people and develop products and services;
• for customer insight and market research purposes - to better understand your needs;
• to enable M&S to manage customer service interactions (including refunds) with you; and
• where we have a legal right or duty to use or disclose your information (for example in relation to an investigation by a public authority or in a legal dispute).

OUR INTERNATIONAL FULFILMENT PARTNER – GLOBAL-E

Our international sales facilitation and fulfilment partner is Global-e U.K. Limited (“Global-e”), a company registered in England and Wales (company registration number 08632376) whose registered office is at 2nd Floor, 167-169 Great Portland Street, London, W1W 5PF.

If you purchase products from this website, or any website operated by M&S for customers outside the UK and Ireland, your personal data will be collected and used by Global-e for the purposes of fulfilling your order and delivering products to you. This Privacy Policy only relates to the use of your data by M&S. Please refer to the privacy policy of Global-e for further details on how your personal data will be used by them.

PROMOTIONAL, MARKETING AND LOYALTY

PROMOTIONAL COMMUNICATIONS

M&S uses your personal data to send you promotional messages by email, text and other electronic communication channels (with your consent) and may send you postal mail to update you on the latest M&S offers.

M&S aims to update you about products & services which are of interest and relevance to you as an individual.

You have the right to opt out of receiving promotional communications at any time, by:

1. 1. changing marketing preferences via your M&S online account;
2. 2. making use of the simple “unsubscribe” link in emails or the “STOP” number for texts; and/or
3. 3. contacting M&S via the contact channels set out in this Policy.

ON-LINE ACTIVITY

If you shop with us on-line, we may collect data directly from you, as well as analysing your browsing and purchasing activity, and your responses to marketing communications. The results of this analysis, together with other demographic data, allows us to ensure that we contact you with information on products and offers that are relevant to you. To do so, we use software and other technology (automated processing).

DIGITAL ADVERTISING

If you visit our websites, you may be served personalised advertisements for M&S branded products and services whilst using other websites (including social media platforms). Any advertisements you see will relate to products you have viewed whilst browsing our websites on your computer or other devices, or which we believe are of interest to you.

These advertisements are provided by M&S via our partners using ‘cookies’ and similar technologies placed on your computer or other devices (see further information on the use of cookies in our Cookie Policy). You can reject all (non-essential) cookies at any time - see below for further information.

SHARING DATA WITH THIRD PARTIES

Our service providers and suppliers

In order to make certain services available to you, we may need to share your personal data with some of our service partners. These include IT, delivery and marketing service providers and fraud prevention and identification partners. If you make a ‘click and collect’ order to be collected at a store operated by a franchise partner we will share limited personal information with the partner, who will be acting as our service provider, so they can manage the collection process.

M&S only allows its service providers to handle your personal data when we have confirmed that they apply appropriate data protection and security controls. We also impose contractual obligations on service providers relating to data protection and security, which mean they can only use your data to provide services to M&S and to you, and for no other purposes.

OTHER THIRD PARTIES

Aside from our service providers, M&S will not disclose your personal data to any third party, except as set out below. We will never sell or rent our customer data to other organisations for marketing purposes.

WE MAY SHARE YOUR DATA WITH:

• - our franchise partners, who operate stores or websites under the M&S brand selling M&S products and services, where lawful and necessary for assisting customers or managing customer queries and complaints or disputes;
• - credit reference agencies, banks and payment card issuers (such as Visa, Mastercard and American Express) for payment and related purposes;
• - Third party marketing partners, including Google, Meta (which owns Facebook and Instagram) or TikTok to deliver advertising to you if you are using Google or registered with one or more of those social media platforms (see further information on Social Media platforms and Search Engines below);
• - a business with acquires all or part of the M&S business, as set out further below; and/or
• - governmental bodies, regulators, law enforcement agencies, courts/tribunals and insurers where we are required to do so: -
• - to comply with our legal obligations;
  • - to exercise our legal rights (for example in court cases);
  • - for the prevention, detection, investigation of crime or prosecution of offenders; and
  • - to safeguard and protect our employees, customers or other individuals.
    

SOCIAL MEDIA PLATFORMS AND SEARCH ENGINES: FACEBOOK, INSTAGRAM, TIKTOK AND GOOGLE

If you have an account with a Meta platform (such as Facebook or Instagram) or TikTok, or use Google, and accept cookies on our website, your personal data, including purchasing and browsing activity, will be shared with them. ‘Meta’ includes Meta Platforms, Inc (a US company) and other Meta Group companies. ‘TikTok’ includes TikTok Information Technologies UK Limited, in the UK, and TikTok Technology Limited, in Ireland. Google includes Google LLC (a US company) and Google Ireland Limited. This data is shared so the social media companies or search engines can serve tailored and personalised advertisements to you (including relevant M&S products and services) when you are using their platforms and apps.

For certain data processing activities, Meta TikTok or Google will be acting as a data controller using data solely for their own purposes. In some circumstances, Meta and/or TikTok will be acting as joint data controller with M&S.

Further information on how these organisations- handle your personal data, including the legal basis for data processing and how you can exercise your data subject rights against them, is set out in their Privacy Policies at the links below:-

Meta | Privacy Centre | Manage your privacy on Facebook, Instagram and Messenger | Facebook Privacy.

TikTok Privacy Policy.

How Google uses information from sites or apps that use our services – Privacy & Terms – Google.

As required under data privacy laws, M&S has entered into agreements with Meta and TikTok which determine the parties’ respective responsibilities for compliance with the obligations under the GDPR and/or UK GDPR) relating to the joint processing. These agreements are referred to as the Controller Addendum, for Meta and the Joint Controller Terms, for TikTok.

We have agreed that M&S is responsible for providing data subjects with the information set out above, and that, Meta and / or TikTok respectively are responsible for enabling data subjects’ rights under Articles 15-20 of the GDPR / UK GDPR with regard to the personal data stored by Meta and/or TikTok after the joint processing.

FLASHTALKING

M&S uses the Flashtalking platform for advertising creation and delivery, device recognition and campaign analysis. Flashtalking use both cookie-based (if you accept the use of cookies on M&S website) and cookieless technologies to identify and connect devices to M&S customers.

Cookieless technologies means Flashtalking can recognise your device using your IP address or device identifier. This allows them to display personalised ads that are more relevant to you.

Further information on how Flashtalking processes your personal data and how to exercise your data subject rights can be found in their consumer privacy statement. You can also opt out personalised ads displayed by Flashtalking using this link.

MERGERS AND TAKEOVERS

If a separate business acquires all or part of our business or its assets, for example in the context of a merger or takeover, we may need to disclose your personal data to that company, so they can continue to provide services to you. In this situation, your data will only be used by the other business for the purposes set out in this Policy.

In certain circumstances, it is possible that your personal data could be transferred to a company with whom we’re discussing selling or transferring all or part of the M&S business, but only where strictly necessary for the evaluation of the transaction. If this happens, the data will be kept secure and confidential and will be deleted if the business sale does not go ahead.

INTERNATIONAL TRANSFERS

To deliver products and services to you, it is sometimes necessary for M&S to transfer your data from the UK to jurisdictions which have less stringent data protection laws to protect personal data. This will typically occur when we use overseas service providers located outside the European Economic Area (EEA) or if you are based overseas and outside the EEA. These transfers are subject to special rules under data protection laws.

If this happens, we will ensure that the transfer will be compliant with data protection law and all personal data will be secure. Our standard practice is to use ‘standard contractual clauses’ which have been officially approved for such purposes. Those clauses can be accessed here and here.

HOW LONG DO WE KEEP YOUR DATA?

We will not retain your data for longer than necessary for the purposes set out in this Policy. Different retention periods apply for different types of data, however the longest we will normally hold any personal data is 7 years.

WHAT PERSONAL DATA DO WE COLLECT?

M&S may collect the following information about you:

• - your name, age/date of birth and gender;
• - your contact details: postal address including billing and delivery addresses, telephone numbers (including mobile numbers) and e-mail address;
• - purchases and orders made by you;
• - your on-line browsing activities on M&S websites;
• - your password(s);
• - CCTV and other images;
• - when you make a purchase or place an order with us, your payment card details;
• - your communication and marketing preferences;
• - your interests, preferences, feedback and survey responses;
• - your location;
• - your correspondence and communications with M&S; and
• - other publicly available personal data, including any which you have shared via a public platform (such as a Twitter feed or public Facebook page).

Our websites are not intended for children and we do not knowingly collect data relating to children.

This list is not exhaustive and, in specific instances, we may need to collect additional data for the purposes set out in this Policy. Some of the above personal data is collected directly, for example when you set up an on-line account on our websites, or send an email to our customer services team. Other personal data is collected indirectly, for example your browsing or shopping activity. We may also collect personal data from third parties who have your consent to pass your details to us, or from publicly available sources.

HOW WE PROTECT YOUR DATA

Our controls

M&S is committed to keeping your personal data safe and secure.

Our security measures include: -

• - encryption of data;
• - regular cyber security assessments of all service providers who may handle your personal data;
• - regular scenario planning and crisis management exercises to ensure we are ready to respond to cyber security attacks and data security incidents;
• - daily penetration testing of systems;
• - security controls which protect the entire M&S IT infrastructure from external attack and unauthorised access; and
• - internal policies setting out our data security approach and training for employees.

WHAT YOU CAN DO TO HELP PROTECT YOUR DATA

M&S will never ask you to confirm or provide any passwords or bank account or credit card details via email. If you receive an email claiming to be from M&S asking you to do so, please ignore it and do not respond.

If you are using a computing device in a public location, we recommend that you always log out and close the website browser when you complete an online session.

In addition, we recommend that you take the following security measures to enhance your online safety both in relation to M&S and more generally:

- keep your account passwords private. Remember, anybody who knows your password may access your account;

- when creating a password, use at least 8 characters. A combination of letters and numbers is best. Do not use dictionary words, your name, email address, or other personal data that can be easily obtained. We also recommend that you frequently change your password. You can do this accessing your account, clicking ‘your account’, clicking ‘your data’ and selecting ‘change password’; and

- avoid using the same password for multiple online accounts.

YOUR RIGHTS

You have the following rights:

• - the right to ask for a copy of personal data that we hold about you (the right of access);
• - the right to request that we delete personal data held on you; where we no longer have a valid reason to retain it (the right of erasure or to be forgotten);
• - the right to ask us to update and correct any out-of-date or incorrect personal data that we hold about you (the right of rectification);
• - the right to opt out of any marketing communications that we may send you and to object to us using / holding your personal data if we have no legitimate reasons to do so (the right to object);
• - the right (in certain circumstances) to ask us to ‘restrict processing of data’; which means that we would need to secure and retain the data for your benefit but not otherwise use it (the right to restrict processing); and
• - the right (in certain circumstances) to ask us to supply you with some of the personal data we hold about you in a structured machine-readable format and/or to provide a copy of the data in such a format to another organisation (the right to data portability).

If you wish to exercise any of the above rights, please contact us using the contact details set out below.

- Phone: 0333 014 8555;

- E-mail: customer.dpo@customersupport.marksandspencer.com

- Address: Retail Customer Services, Chester Business Park, Wrexham Road. Chester, CH4 9GA

LEGAL BASIS FOR USING DATA

We are required to set out the legal basis for our ‘processing’ of personal data.

General

Generally; M&S collects and uses customers’ personal data because it is necessary for:

• • the pursuit of our legitimate interests (as set out below);
• • the purposes of complying with our duties and exercising our rights under a contract for the sale of goods to a customer; or
• • complying with our legal obligations.

In general, we only rely on consent as a legal basis for processing personal data in relation to sending direct marketing communications to customers via email or text message.

Customers have the right to withdraw consent at any time. Where consent is the only legal basis for processing, we will cease to process data after consent is withdrawn.

OUR LEGITIMATE INTERESTS

The main legal basis for processing customer data, is that it is necessary for the legitimate interests of M&S, including:-

• • selling and supplying goods and services to our customers;
• • protecting customers, employees and other individuals and maintaining their safety, health and welfare;
• • promoting, marketing and advertising our products and services;
• • sending promotional communications which are relevant and tailored to individual customers (including administering the Sparks loyalty scheme);
• • understanding our customers’ behaviour, activities, preferences, and needs;
• • improving existing products and services and developing new products and services;
• • complying with our legal and regulatory obligations;
• • preventing, investigating and detecting crime, fraud or anti-social behaviour and prosecuting offenders, including working with law enforcement agencies;
• • handling customer contacts, queries, complaints or disputes (including managing refunds);
• • managing insurance claims;
• • protecting M&S, its employees and customers, by taking appropriate legal action against third parties who have committed criminal acts, infringed our rights or failed to comply with legal duties owed to M&S or others;
• • effectively handling any legal claims or regulatory investigations or enforcement actions taken against M&S;
• • fulfilling our duties to our customers, colleagues, shareholders and other stakeholders; and
• • managing corporate transactions, including selling or transferring any parts of our business to third parties, acquiring new businesses, entering into mergers or undertaking corporate restructuring activity.

SENSITIVE TYPES OF INFORMATION

In exceptional circumstances, M&S may need to hold and/or use the following types of personal information about a customer:-

• • race or ethnicity;
• • political, religious or philosophical beliefs;
• • trade union membership;
• • health data;
• • genetic or biometric data;
• • sex life or sexual orientation; or
• • criminal convictions or criminal offences

These categories of personal data are subject to additional legal safeguards under data protection legislation, and we are required to set out the legal basis for processing this data. The legal bases which we are likely to rely on, and which are set out in detail in applicable data protection laws, are that:-

• • we have obtained consent (including explicit consent where required) for the processing and/or
• • the processing is necessary:-
• • for preventing or detecting unlawful activities or protecting the public from dishonesty, malpractice and/or other improper actions;
• • to protect children or other people at risk of harm or neglect and / or those who are physically or mentally ill or disabled;
• • in connection with our (or your) legal rights or duties relating to employment, social security, welfare or protection;
• • for legal disputes and claims;
• • for protecting the vital interests of individuals;
• • for assisting certain regulators; and/or
• • the personal data has been made public by the individual it relates to.

COOKIES

Please see our Cookie Policy here

DATA PROTECTION OFFICER AND DP REGULATORS

DPO

Our Data Protection Officer helps us to ensure we protect the personal data of our customers (and others) and comply with data protection legislation.

If you have any questions about how M&S uses your personal data that are not answered here, or if you want to exercise your rights regarding your personal data, please contact our Data Protection Officer’s team by:

• • Phone: 0333 014 8555; or
• • E-mail: customer.dpo@customersupport.marksandspencer.com

DATA PROTECTION REGULATORS

If you are located in the European Economic Area, you have the right under the GDPR to lodge a complaint with the relevant data protection regulator. You may also have this right outside the EEA.

WEBSITES NOT COVERED BY THIS PRIVACY POLICY

Franchise Partner sites

M&S has partnered with certain trusted third parties who operate M&S branded websites aimed at customers in certain jurisdictions (‘Franchise Sites’). The Franchise partners are responsible for the collection and use of any data arising from your use of those sites. This Privacy Policy does not apply to those websites and the use of data obtained via them, and you will need to check the policies operated by the partners.

M&S INDIA

This privacy policy does not apply to the M&S India website which is operated by Marks and Spencer Reliance India Private Limited. If relevant, please refer to the privacy policy published on that website for further information.

UK AND IRELAND

For information about how personal data collected via our UK and Irish websites and stores is used please see the relevant policy here for the UK and here for Ireland.

UPDATES

This policy was last updated in November 2024.