PMI CONSUMER PRIVACY NOTICE
We take privacy seriously. This notice tells you who we are, what information about you we collect, and what we do with it. Click on “find out more” in each section for further information. Please also read our terms of use relating to the service you are interested in. They provide more information about the way we do business, and any restrictions on eligibility that may apply.
Who are we?
We are a member of Philip Morris International. Our details (name, address, etc.) will have been given to you at the time of collecting information about you through, for example, a notice on an app or a website.
Find out more…
Philip Morris International is the world’s leading international tobacco company. It is made up of a number of companies or “affiliates”.
• PMI affiliates: Each member of the Philip Morris International group of companies is a “PMI affiliate”. “We” (or “us” or “our”) refers to the PMI affiliate that first collected information about you. We may share your information with other PMI affiliates as described later in this notice.
• PMI product: means a product of ours or of another PMI affiliate.
How do we collect information about you?
We may collect information about you in various ways.
• You may provide us with information directly (e.g. filling in a form, or making a call to us)
• We may collect information automatically (e.g. when you use a PMI app or website)
• We may acquire information from third parties (e.g. publicly-available information on social media platforms such as Facebook and Twitter).
In this notice, we refer to all the methods by which you are in contact with us as “PMI touchpoints” (some of which may be digital – for example, apps and websites).
Find out more…
We may collect information that you provide directly. Typically this will happen when you:
• sign up to be a member of our databases (this could be, for example, in person, via app, or online);
• purchase PMI products or services at a retail outlet;
• download, or use, a digital PMI touchpoint (e.g. an app or a website);
• contact us through a PMI touchpoint, or by e-mail, social media or telephone;
• register a device with us;
• subscribe to a PMI panel portal;
• register to receive PMI press releases, e-mail alerts, or marketing communications;
• participate in PMI competitions, promotions or surveys; or
• attend an event that a PMI affiliate has organised.
We may collect information about you automatically. Typically this will happen when you:
• visit an outlet that sells PMI products (e.g. through sensors at the outlet, or through collecting data at check-out);
• attend an event that a PMI affiliate has organised (e.g. through sensors at the event; or through purchases at the event);
• communicate with us (for example, through a PMI touchpoint; or social media platforms);
• use PMI touchpoints (e.g. through tracking mechanisms in an app or a website); or
• make public posts on social media platforms that we follow (for example, in order to understand public opinion, or to respond to requests concerning PMI products).
We may also collect information about you automatically through the use of cookies and similar tracking technologies on digital PMI touchpoints. The specific cookies and technologies used will depend on the touchpoint in question. To learn about the cookies (including Google analytics cookies) and similar technologies used on a touchpoint, including how you can accept or refuse cookies, please see the cookie notice made available on or through that touchpoint. For example, to learn about cookies or similar technologies used on the www.pmi.com website, visit the pmi.com cookie notice, a link to which is available in the footer to every page of the website. The pmi.com cookie notice is also available here.
Where permitted by law, we may acquire information about you from third parties. This may include information shared between PMI affiliates, publicly-available profile information (such as your preferences and interests) on third party social media sites (such as Facebook and Twitter), and marketing lists acquired from third party marketing agencies.
We may also collect information in other contexts that were made apparent to you at the time.
What information about you do we collect?
We may collect various types of information about you:
• information necessary to fulfil your orders
• information you give us in forms or surveys
• information about your visits to our outlets
• information you give us in calls you make to call centres
• information about your preferences and interests
Find out more…
Information that we collect from you directly will normally be apparent from the context in which you provide it. For example, if you order a product from us through a PMI touchpoint, you provide your name, contact, billing details, and the products you have chosen in order for us to fulfil your order; you may also provide information on your product preferences and interests in order for us to offer your products and services that will interest you.
Information that we collect automatically will generally concern:
• details of your visit or call (such as time and duration);
• in a sales outlet, which areas you visit;
• your use of digital PMI touchpoints (such as the pages you visit, the page from which you came, and the page to which you went when you left, search terms entered, or links clicked within the touchpoint); and
• your device (such as your IP address or unique device identifier, location data, details of any cookies that we may have stored on your device).
Information that we collect from third parties will generally consist of publicly-available profile information (such as your preferences and interests).
For what purposes do we use information about you, and on what legal basis?
We use information about you for various purposes, which will be specified to you, or be clear from the context, at the point information about you is first collected.
These purposes mainly comprise:
• fulfilling your orders
• processing payments
• dealing with your inquiries and requests
• enabling you to use PMI touchpoints
• administering your accounts
• administering loyalty programs (where permitted by law)
• correspondence
• administration and troubleshooting
• product improvement
• market research
• developing marketing strategies
• administering marketing campaigns
• allowing us or our business partners to inform you of potential opportunities to get involved in promoting PMI products
The legal basis for our use of information about you is:
• the performance of a contract to which you are a party: or
• for a legitimate business interest that is not overridden by interests you have to protect the information; or
• where neither of the above applies, your consent (which we will ask for before we process the information).
Find out more…
The purposes for which we use information about you, with corresponding methods of collection and legal basis for use, are:
| Purpose | Method of collection and legal basis for Processing |
|---|---|
|
This information is generally provided to us by you directly (typically, name, address, payment information) and we use it to discharge our contractual obligations to you |
|
This information is generally provided to us by you directly and we use it because we have a legitimate business interest that is not overridden by interests you have to protect personal data |
|
This information is generally collected automatically and we use it because we have a legitimate business interest that is not overridden by interests you have to protect personal data |
|
This will typically be a combination of information that you provide to us; information that we collect automatically; and (where permitted by law) information that we acquire from third parties. We use it on the grounds that we have a legitimate business interest that is not overridden by interests you have to protect personal data |
Where we do not base our use of information about you on one of the above legal bases, we will ask for your consent before we process the information (these cases will be clear from the context). In some instances, we may use information about you in ways that are not described above. Where this is the case, we will provide a supplemental privacy notice that explains such use. You should read any supplemental notice in conjunction with this notice.
Who do we share your information with, and for what purposes?
We may share information about you with:
• PMI affiliates;
• third parties who provide PMI affiliates or you with products or services;
• PMI affiliates’ carefully-selected business partners and advertisers so that they can contact you with offers that they think may interest you, in accordance with your preferences; and
• other third parties, where required or permitted by law.
Find out more…
Sharing data with other PMI affiliates
• Information about you will be shared with Philip Morris International Management SA (based in Lausanne, Switzerland), which is the place of central administration of personal data processing for PMI affiliates. Philip Morris International Management SA processes the information about you for all the purposes described in this notice.
• Information about you may be shared with the PMI affiliate that is responsible for the country in which you live (if it wasn’t the PMI affiliate that first collected the information) for all the purposes described in this notice.
• Information about you may be shared with any other PMI affiliate that you contact (for example, if you travel and you want to know where to buy PMI products in a new country) in order to enhance our service to you.
Details of PMI affiliates and the countries in which they are established are available on the relevant country pages of www.pmi.com.
Sharing data with Third Parties
• We may share information about you with third parties who provide PMI affiliates or you with products or services (such as advisers, payment service providers, delivery providers, retailers, information services providers and age verification providers).
• We may share information about you with PMI affiliates’ carefully-selected third party business partners and advertisers so that they can contact you with products, services and promotions that they think may interest you, in accordance with your preferences.
• We may share information about you with other third parties, where required or permitted by law, for example: regulatory authorities; government departments; in response to a request from law enforcement authorities or other government officials; when we consider disclosure to be necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity; and in the context of organisational restructuring.
Where might information about you be sent?
As with any multinational organisation, PMI affiliates transfer information globally. Accordingly, information about you may be transferred globally (if your information is collected within the European Economic Area, this means that your information may be transferred outside it).
Find out more…
As with any multinational organisation, PMI affiliates transfer personal information globally. Accordingly, when using information as described in this notice, information about you may be transferred either within or outside the country or territory where it was collected, including to a country, territory or international organisation that may not have equivalent data protection standards.
For example, PMI affiliates within the European Economic Area (“EEA”) may transfer personal information to PMI affiliates outside the EEA. In all cases, the transfer will be on the basis of a European Commission adequacy decision or PMI affiliates will implement adequate measures, for example the EU Model Contracts, in all cases including appropriate security measures, for the protection of personal information in those countries, territories or international organisations in accordance with applicable data protection laws.
How do we protect information about you?
We, like other PMI affiliates, implement appropriate technical and organisational measures to protect personal information that we hold from unauthorised disclosure, use, alteration or destruction. Where appropriate, we use encryption and other technologies that can assist in securing the information you provide. We also require our service providers to comply with strict data privacy requirements.
How long will information about you be kept?
The period for which we may retain information about you will depend on the purposes for which the information was collected, whether you have requested the deletion of the information, and whether any legal obligations require the retention of the information (for example, for tax and accounting purposes). We will not retain information about you for longer than is necessary to fulfil the purposes for which the information was collected.
Find out more…
Typically, we retain data based on the criteria described in the table below:
| Type | Explanation/typical retention criteria |
|---|---|
| • incomplete registrations | For example, if you commence registering yourself in a database, but do not complete the process, we will retain your data for a short period to allow you to complete the process if you return. |
| market research | If you are not registered in our database, and we use publicly available information about you in order to understand the market or your preferences, we will retain the information about you for a short period in order to perform the particular item of market research. |
| database member (not using database or not contactable) | If you are registered in our database, but don’t use it for a longer period, we will send you a communication to notify you, and if you don’t contact us we will remove you from the database. We will do the same kind of thing if the information you give us to contact you with doesn’t work, or if it does work, but you don’t make use of our communications (for example, you don’t click through to an invitation to an event). The reason is that in these circumstances, we assume you would prefer not to receive the communications. |
| profile information | Some elements of your profile, such as your purchase history, naturally go out of date after a period of time, so we delete them automatically after defined periods as appropriate for the purpose for which we collected them. |
| • system audit logs | System audit logs are retained typically for a period of only a few months. |
What rights and options do you have?
You may have some or all of the following rights in respect of information about you that we hold:
• request us to give you access to it;
• request us to rectify it, update it, or erase it;
• request us to restrict our using it, it in certain circumstances;
• object to our using it, in certain circumstances;
• withdraw your consent to our using it;
• data portability, in certain circumstances;
• opt out from our using it for direct marketing; and
• lodge a complaint with the supervisory authority in your country (if there is one).
We offer you easy ways to exercise these rights, such as “unsubscribe” links, or giving you a contact address, in messages you receive.
Some mobile applications we offer might also send you push messages, for instance about new products or services. You can disable these messages through the settings in your phone or the application.
Find out more…
The rights you have depend on the laws of your country. If you are in the European Economic Area, you will have the rights set out in the table below. If you are elsewhere, you can contact us (see the final paragraph “who should you contact with questions?”) to find out more.
| Right in respect of the information about you that we hold | Further detail (note: certain legal limits to all these rights apply) |
|---|---|
| • to request us to give you access to it | This is confirmation of whether or not we process information about you; the purpose of the processing; the categories of data concerned; and the categories of persons with whom we share the information; and the criteria for determining the period for which we will store the information. On your request we will provide you with a copy of the information we use. |
| • to request us to rectify or update it | This applies if the information we hold is inaccurate or incomplete. |
| • to request us to erase it |
This applies if: • the information we hold is no longer necessary in relation to the purposes for which we use it; • we use the information on the basis of your consent and you withdraw your consent; • we use the information on the basis of legitimate interest and we find that, following your objection, we do not have an overriding interest in continuing to use it; • the information was unlawfully used; or • to comply with a legal obligation. |
| • to request us to restrict our processing of it |
This right applies, temporarily while we look into your case, if you: • contest the accuracy of the information we use; or • have objected to our using the information on the basis of legitimate interest (if you make use of your right in these cases, we will tell you before we use the information again). This right applies also if: • our use is unlawful and you oppose the erasure of the data; or we no longer need the data, but you require it to establish a legal case. |
| • to object to our processing it |
You have two rights here: (i) if we use information about you for direct marketing: you can “opt out” (without the need to justify it) and we will comply with your request; and (ii) if we use the information about you on the basis of legitimate interest for purposes other than direct marketing, you can object to our using it for those purposes, giving an explanation of your particular situation, and we will consider your objection. |
| • to data portability |
This right applies: (i) to data that you have provided to us; and (ii) if we use that data on the basis either of your consent, or on the basis of discharging our contractual obligations to you. If both (i) and (ii) apply, you have the right to receive the data back from us in a commonly used format, and the right to require us to transmit the data to someone else. |
| • to lodge a complaint with the supervisory authority in your country | Each European Economic Area country must provide for one or more public authorities for this purpose. |
Who should you contact with questions?
If you have any questions, or wish to exercise any of your rights, you can find contact details for the relevant PMI affiliate, and if applicable data protection officer, on the relevant country page of www.pmi.com. Contact details will also be given in any communications that a PMI affiliate sends you.
If your country has a data protection authority, you have a right to contact them authority with any questions or concerns. If the relevant PMI affiliate cannot resolve your questions or concerns, you also have the right to seek judicial remedy before a national court.