M&S CUSTOMER PRIVACY POLICY

Marks and Spencer plc is a company registered in England and Wales which is part of the M&S group of companies (collectively referred to as "M&S", "we" or "us" in this policy).

OVERVIEW

Maintaining the security of your data is a priority at M&S, and we are committed to respecting your privacy rights. We pledge to handle your data fairly and legally at all times. M&S is also dedicated to being transparent about what data we collect about you and how we use it.

This policy, which applies to personal data collected via the M&S website at http://www.marksandspencer.com/je aimed at customers in [Jersey] )the “Website”) whether, you use your mobile device or go on line, provides you with information about:

- how we use your data;

- what personal data we collect;

- how we ensure your privacy is maintained; and

- your legal rights relating to your personal data.

• • HOW WE USE YOUR DATA
• • WHAT PERSONAL DATA DO WE COLLECT?
• • HOW WE PROTECT YOUR DATA
• • WHAT YOU CAN DO TO HELP PROTECT YOUR DATA
• • YOUR RIGHTS
• • LEGAL BASIS FOR USING DATA
• • COOKIES
• • CONTACT INFORMATION
• • THIRD PARTY SITES AND MICROSITES
• • UPDATES

HOW WE USE YOUR DATA

General

M&S (and trusted partners acting on our behalf) use your personal data:

• - to provide goods and services to you;
• - to make a tailored website available to you;
• - to manage any registered account(s) that you hold with us;
• - to verify your identity;
• - for crime and fraud prevention, detection and related purposes;
• - with your agreement, to contact you electronically about promotional offers and products and services which we think may interest you;
• - for market research purposes - to better understand your needs;
• - to enable M&S to manage customer service interactions with you; and
• - where we have a legal right or duty to use or disclose your information (for example in relation to an investigation by a public authority or in a legal dispute).

Our fulfilment partner – Global E

Our international sales facilitation and fulfilment partner is Global-E U.K. Limited (“Global-E”), a company registered in England and Wales (company registration number 08632376) whose registered office is at 2nd Floor, 167-169 Great Portland Street, London, W1W 5PF.

If you purchase products from this Website, your personal data will be collected and used by Global E for the purposes of fulfilling your order and delivering products to you. This Privacy Policy only relates to the use of your data by M&S Please refer to the privacy policy of Global E for further details on how your personal data will be used by them.

Our franchise partner – SandpiperCI

Our international franchise partner is SandpiperCI Retail Limited, a company incorporated in Jersey, whose registered office is at P.O. Box 4, 1 – 3 L’Avenue Le Bas, Longueville, St. Saviour, Jersey JE4 8NB (“SandpiperCI”).

If you purchase products from this Website, your personal data may be used by SandpiperCI for the purposes of fulfilling your order and delivering products to you if you choose to collect or return your order in stores located in Jersey. This policy only relates to the use of your data by Marks and Spencer. Please refer to the privacy policy of SandpiperCI here for details of how they use your data.

Marketing

Promotional communications

M&S uses your personal data for electronic marketing purposes (with your consent) and may send you postal mail to update you on the latest M&S offers.

M&S aims to update you about products & services which are of interest and relevance to you as an individual.

You have the right to opt out of receiving promotional communications at any time, by:

1. changing marketing preferences via your M&S account;
2. making use of the simple “unsubscribe” link in emails or the “STOP” number for texts; and/or
3. contacting M&S via the contact channels set out in this Policy.

Web Banner Advertising

If you visit our websites, you may receive personalised banner advertisements whilst browsing other websites. Any banner advertisements you see will relate to products you have viewed whilst browsing our websites on your computer or other devices.

These advertisements are provided by M&S via market leading specialist providers using ‘cookies’ placed on your computer or other devices (see further information on the use of cookies in our Cookie Policy). You can remove or disable cookies at any time - see below for further information.

Sharing data with third parties

Our service providers and suppliers

In order to make certain services available to you, we may need to share your personal data with some of our service partners. These include IT, delivery and marketing service providers.

M&S only allows its service providers to handle your personal data when we have confirmed that they apply appropriate data protection and security controls. We also impose contractual obligations on service providers relating to data protection and security, which mean they can only use your data to provide services to M&S and to you, and for no other purposes.

Other third parties

Aside from our service providers, M&S will not disclose your personal data to any third party, except as set out below. We will never sell or rent our customer data to other organisations for marketing purposes.

We may share your data with:

• - our carefully selected partners who provide ‘M&S’ branded products and services (for example energy suppliers), if we have your consent to do so;
• - credit reference agencies where necessary for card payments;
• - a business which acquires all or part of the M&S business, as set out further below
• - governmental bodies, regulators, law enforcement agencies, courts/tribunals and insurers where we are required to do so: -
• - to comply with our legal obligations;
  • - to exercise our legal rights (for example in court cases);
  • - for the prevention, detection, investigation of crime or prosecution of offenders; and
  • - for the protection of our employees and customers.
    

Mergers and Takeovers

In the event that a separate business acquires all or part of our business or its assets, for example in the context of a merger or takeover, we may need to disclose your personal data to that company, so they can continue to provide services to you. In this situation, your data will only be used by the other business for the purposes set out in this Policy.

In certain circumstances, it is possible that your personal data could be transferred to a company with whom we’re discussing selling or transferring all or part of the M&S business, but only where strictly necessary for the evaluation of the transaction. If this happens, the data will be kept secure and confidential and will be deleted if the business sale does not go ahead.

International transfers

To deliver products and services to you, it is sometimes necessary for M&S to share your data outside of the European Economic Area. This will typically occur when service providers are located outside the EEA or if you are based outside the EEA. These transfers are subject to special rules under data protection laws.

If this happens, we will ensure that the transfer will be compliant with data protection law and all personal data will be secure. Our standard practice is to use ‘standard data protection clauses’ which have been approved by the European Commission for such transfers. Those clauses can be accessed here.

How long do we keep your data?

We will not retain your data for longer than necessary for the purposes set out in this Policy. Different retention periods apply for different types of data, however the longest we will normally hold any personal data is 6 years.

WHAT PERSONAL DATA DO WE COLLECT?

M&S may collect the following information about you:

• - your name, age/date of birth and gender;
• - your contact details: postal address including billing and delivery addresses, telephone numbers (including mobile numbers) and e-mail address;
• - purchases and orders made by you;
• - your on-line browsing activities on M&S websites;
• - your password(s);
• - when you make a purchase or place an order with us, your payment card details;
• - your communication and marketing preferences;
• - your interests, preferences, feedback and survey responses;
• - your location;
• - your correspondence and communications with M&S; and
• - other publicly available personal data, including any which you have shared via a public platform (such as a Twitter feed or public Facebook page).

Our websites are not intended for children and we do not knowingly collect data relating to children.

This list is not exhaustive and, in specific instances, we may need to collect additional data for the purposes set out in this Policy. Some of the above personal data is collected directly, for example when you set up an on-line account on our websites, or send an email to our customer services team. Other personal data is collected indirectly, for example your browsing or shopping activity. We may also collect personal data from third parties who have your consent to pass your details to us, or from publicly available sources.

HOW WE PROTECT YOUR DATA

Our controls

M&S is committed to keeping your personal data safe and secure.

Our security measures include: -

• - encryption of data;
• - regular cyber security assessments of all service providers who may handle your personal data;
• - regular scenario planning and crisis management exercises to ensure we are ready to respond to cyber security attacks and data security incidents;
• - daily penetration testing of systems;
• - security controls which protect the entire M&S IT infrastructure from external attack and unauthorised access; and
• - internal policies setting out our data security approach and training for employees.

WHAT YOU CAN DO TO HELP PROTECT YOUR DATA

M&S will never ask you to confirm any bank account or credit card details via email. If you receive an email claiming to be from M&S asking you to do so, please ignore it and do not respond.

If you are using a computing device in a public location, we recommend that you always log out and close the website browser when you complete an online session.

In addition, we recommend that you take the following security measures to enhance your online safety both in relation to M&S and more generally: -

- keep your account passwords private. Remember, anybody who knows your password may access your account.

- when creating a password, use at least 8 characters. A combination of letters and numbers is best. Do not use dictionary words, your name, email address, or other personal data that can be easily obtained. We also recommend that you frequently change your password. You can do this accessing your account, clicking ‘your account’, clicking ‘your data’ and selecting ‘change password’.

- avoid using the same password for multiple online accounts.

YOUR RIGHTS

You have the following rights:

• 1. The right to ask what personal data that we hold about you at any time;
• 2. The right to ask us to update and correct any out-of-date or incorrect personal data that we hold about you free of charge; and
• 3. (as set out above) the right to opt out of any marketing communications that we may send you.

If you wish to exercise any of the above rights, please contact us using the contact details set out below.

LEGAL BASIS FOR USING DATA

We are required to set out the legal basis for our ‘processing’ of personal data.

Click here for further information

Legal basis for M&S processing customer personal data

General

M&S collects and uses customers’ personal data because it is necessary for:

• - the pursuit of our legitimate interests (as set out below);
• - the purposes of complying with our duties and exercising our rights under a contract for the sale of goods to a customer; or
• - complying with our legal obligations.

In general, we only rely on consent as a legal basis for processing in relation to sending direct marketing communications to customers via email or text message.

Customers have the right to withdraw consent at any time. Where consent is the only legal basis for processing, we will cease to process data after consent is withdrawn.

Our legitimate interests

The normal legal basis for processing customer data, is that it is necessary for the legitimate interests of M&S, including:-

• - selling and supplying goods and services to our customers;
• - protecting customers, employees and other individuals and maintaining their safety, health and welfare;
• - promoting, marketing and advertising our products and services;
• - sending promotional communications which are relevant and tailored to individual customers (including administering the Sparks loyalty scheme);
• - understanding our customers’ behaviour, activities, preferences, and needs;
• - improving existing products and services and developing new products and services;
• - complying with our legal and regulatory obligations;
• - preventing, investigating and detecting crime, fraud or anti-social behaviour and prosecuting offenders, including working with law enforcement agencies;
• - handling customer contacts, queries, complaints or disputes;
• - managing insurance claims by customers;
• - protecting M&S, its employees and customers, by taking appropriate legal action against third parties who have committed criminal acts or are in breach of legal obligations to M&S;
• - effectively handling any legal claims or regulatory enforcement actions taken against M&S;
• - fulfilling our duties to our customers, colleagues, shareholders and other stakeholders. and
• - managing corporate transactions, including selling or transferring any parts of our business to third parties, acquiring new businesses, entering into mergers or undertaking corporate restructuring activity.

COOKIES

Our websites use cookies to collect information. This includes information about browsing and purchasing behaviour by people who access our websites. This includes information about pages viewed, products purchased and the customer journey around our websites. Detailed information is set out in our Cookie Policy.

Cookies Policy

What are cookies?

Like most websites, M&S websites use cookies to collect information. Cookies are small data files which are placed on your computer or other devices (such as smart ‘phones or ‘tablets’) as you browse this website. They are used to ‘remember’ when your computer or device accesses our websites. Cookies are essential for the effective operation of our websites and to help you shop with us online. They are also used to tailor the products and services offered and advertised to you, both on our websites and elsewhere.

Information collected

Some cookies collect information about browsing and purchasing behaviour when you access this website via the same computer or device. This includes information about pages viewed, products purchased and your journey around a website. We do not use cookies to collect or record information on your name, address or other contact details. M&S can use cookies to monitor your browsing and purchasing behaviour.

How are cookies managed?

The cookies stored on your computer or other device when you access our websites are designed by:

• - M&S, or on behalf of M&S, and are necessary to enable you to a make purchases on our website;
• - third parties who participate with us in marketing programmes; and
• - third parties who broadcast web banner advertisements on behalf of M&S.

What are cookies used for?

The main purposes for which cookies are used are: -

1. For technical purposes essential to effective operation of our websites, particularly in relation to on-line transactions and site navigation.
2. For M&S to market to you, particularly web banner advertisements and targeted updates.
3. To enable M&S to collect information about your browsing and shopping patterns, including to monitor the success of campaigns, competitions etc.
4. To enable M&S meet its contractual obligations to make payments to third parties when a product is purchased by someone who has visited our website from a site operated by those parties.

How do I disable cookies?

If you want to disable cookies you need to change your website browser settings to reject cookies. How you can do this will depend on the browser you use. Further details on how to disable cookies for the most popular browsers are set out below: -

For Microsoft Internet Explorer:

1. Choose the menu “tools” then “Internet Options”
2. Click on the “privacy” tab
3. Select the setting the appropriate setting

For Google Chrome:

1. Choose Settings> Advanced
2. Under "Privacy and security," click “Content settings”.
3. Click “Cookies”

For Safari:

1. Choose Preferences > Privacy
2. Click on “Remove all Website Data”

For Mozilla firefox:

1. Choose the menu “tools” then “Options”
2. Click on the icon “privacy”
3. Find the menu “cookie” and select the relevant options

For Opera 6.0 and further:

1. Choose the menu Files”> “Preferences”
2. Privacy

What happens if I disable cookies?

This depends on which cookies you disable, but in general the website may not operate properly if cookies are switched off. If you only disable third party cookies, you will not be prevented from making purchases on our sites. If you disable all cookies, you will be unable to complete a purchase on our sites.

DATA PROTECTION OFFICER

M&S has appointed a Data Protection Officer to ensure we protect the personal data of our customers (and others) and comply with data protection legislation.

If you have any questions about how M&S uses your personal data that are not answered here, or if you want to exercise your rights regarding your personal data, please contact our Data Protection Officer’s team by

• • phone: 0333 014 8555;
• • e-mail: customer.DPO@marks-and-spencer.com or
• • write to: Data Protection Officer, Marks & Spencer, Retail Customer Services, Chester Business Park, Wrexham Road, Chester CH4 9GA

You have the right to lodge a complaint with the Information Commissioner’s Office. Further information, including contact details, is available at https://ico.org.uk.

OTHER M&S PRIVACY POLICIES AND SITES

For information about how personal data collected via our UK website or UK stores is used please visit see our UK Privacy Policy.

M&S has partnered with certain trusted third parties to make additional products and services available to you, including:

• - M&S Bank (previously M&S Money) accessible by clicking here
• - M&S Energy (under partnering arrangements with SSE Energy Supply Limited) accessible by clicking here

These products and services can be accessed online through the relevant third party's "microsite". These websites, and others linked to from this Policy, are owned and operated by a third party and they are responsible for processing personal data in accordance with their own privacy policies.

UPDATES

This policy was last updated in January 2019