PMI CONSUMER PRIVACY NOTICE
We take privacy seriously. This notice tells you who we are, what information about you we collect, and what we do with it. Click on "find out more" in each section for further information.
Who are we?
We are a member of Philip Morris International. Our details (name, address, etc.) will have been given to you separately at the time of (or to confirm) the collection of information about you, for example, in a notice on an app or a website, or in an e-mail, containing a link to this notice.
- PMI: Philip Morris International, a leading international tobacco group. It is made up of a number of companies or "affiliates".
- PMI affiliates: Each member of the Philip Morris International group of companies is a "PMI affiliate". "We" (or "us" or "our") refers to the PMI affiliate that first collected information about you.
- PMI product: means a product of ours or of another PMI affiliate.
How do we collect information about you?
We may collect information about you in various ways.
- You may provide us with information directly (e.g. filling in a form, or making a call to us).
- We may collect information automatically (e.g. when you use a PMI app or website).
- We may acquire information from third parties (e.g. publicly-available information on social media platforms such as Facebook and Twitter).
In this notice, we refer to all the methods by which you are in contact with us as “PMI touchpoints”. PMI touchpoints may be either physical (for example, retail outlets and events) or digital (for example, apps and websites).
We may collect information that you provide directly. Typically this will happen when you:
- sign up to be a member of our databases (this could be, for example, in person, via app, or online);
- purchase PMI products or services at a retail outlet;
- download, or use, a digital touchpoint (e.g. an app or a website);
- contact us through a touchpoint, or by e-mail, social media or telephone;
- register a device with us;
- subscribe to a PMI panel portal;
- register to receive PMI press releases, e-mail alerts, or marketing communications;
- participate in PMI surveys or (where permitted by law) PMI competitions or promotions; or
- attend an event that a PMI affiliate has organised.
We may collect information about you automatically. Typically this will happen when you:
- visit an outlet that sells PMI products (e.g. by collecting your data at check-out, or through sensors at the outlet that connect with mobile technology);
- attend an event that a PMI affiliate has organised (e.g. through purchases at the event or through sensors at the event that connect with mobile technology);
- communicate with us (for example, through a touchpoint or social media platforms);
- use PMI touchpoints (e.g. through tracking mechanisms in an app or a website); or
- make public posts on social media platforms that we follow (for example, so that we can understand public opinion, or respond to requests concerning PMI products).
Where permitted by law, we may acquire information about you from third parties. This may include information shared between PMI affiliates, publicly-available profile information (such as your preferences and interests) on third party social media sites (such as Facebook and Twitter), and marketing lists acquired from third party marketing agencies.
We may also collect information in other contexts made apparent to you at the time.
What information about you do we collect?
We may collect various types of information about you:
- information necessary to fulfil your orders
- information necessary to provide warranty services
- information you give us in forms or surveys
- information about your visits to our outlets and events
- information you give us in calls you make to call centres
- information about your preferences and interests
- information necessary to verify your age
Information that we collect from you directly will be apparent from the context in which you provide it. For example:
- if you order a product from us through a touchpoint, you provide your name, contact details, billing details, and the products you have chosen so that we can fulfil your order;
- you may provide information on your product preferences and interests so that we can offer you products and services that will interest you;
- if you make an appointment to see us (or someone supporting our products or services), we may collect your name and contact details;
- we may collect information that enables us to verify your age (see under purpose of “age verification”).
Information that we collect automatically will generally concern:
- details of your visit or call (such as time and duration);
- in a sales outlet or at an event (including areas in the immediate vicinity), how frequently you visit, which areas you visit and for how long, and which purchases you make;
- your use of digital PMI touchpoints (such as the pages you visit, the page from which you came, and the page to which you went when you left, search terms entered, or links clicked within the touchpoint); and
- your device (such as your IP address or unique device identifier, location data, details of any cookies that we may have stored on your device).
Information that we collect from third parties will generally consist of publicly-available profile information (such as your preferences and interests), for example from public social media posts.
For what purposes do we use information about you, and on what legal basis?
In this section, we describe the purposes for which we use personal information. However, this is a global notice, and where the laws of a country restrict or prohibit certain activities described in this notice, we will not use information about you for those purposes in that country.
Subject to the above, we use information about you for the following purposes:
- To comply with regulatory obligations, such as verifying your age and status as a user of nicotine products
- To sell our products to you, including fulfilling your orders and processing your payments
- To provide sales-related services to you, including dealing with your enquiries and requests, and providing warranty services
- To market our products (where permitted by law), including administering loyalty programs, product improvement, market research, developing marketing strategies, administering marketing campaigns, and customizing your experiences at outlets that sell PMI products and at events
- For us or our business partners to inform you of potential opportunities to get involved in marketing or promoting PMI products
- To support all the above, including administering your accounts, enabling you to use PMI touchpoints, corresponding with you, managing your appointments with us or with someone supporting our products or services (for example, regarding a new product, or after-sales service), customizing your experiences of PMI touchpoints, and administration and troubleshooting
- For business analytics and improvements, including improving PMI products, outlets and events, and the information that we (or our affiliates) provide to our customers
- For other purposes that we notify you of, or will be clear from the context, at the point information about you is first collected
The legal basis for our use of information about you is one of the following (which we explain in more detail in the “find out more” section):
- compliance with a legal obligation to which we are subject;
- the performance of a contract to which you are a party;
- a legitimate business interest that is not overridden by interests you have to protect the information;
- where none of the above applies, your consent (which we will ask for before we process the information).
The purposes for which we use information about you, with corresponding methods of collection and legal basis for use, are:
| Purpose | Method of collection and legal basis for processing |
|---|---|
| Comply with regulatory obligations | This information is generally provided to us by you directly. We use it because it is necessary for us to comply with a legal obligation to sell products only to adults, or, in countries where there is no such legal obligation, because we have a legitimate business interest to sell our products only to adults that is not overridden by your interests, rights and freedoms to protect information about you. |
| Sell our products | This information is generally provided to us by you directly (typically, name, address, e-mail address, payment information). We use it to discharge our contractual obligations to you as a buyer of our products. |
| Provide sales-related services | This information is generally provided to us by you directly. We use it because we have a legitimate business interest in providing sales-related services to our customers that is not overridden by your interests, rights and freedoms to protect information about you. |
| Market our products (where permitted by law) | This will typically be a combination of information that you provide to us (for example, your name and contact and social media details), information that we collect automatically (for example, using technology to monitor use of PMI touchpoints) and (where permitted by law) information that we acquire from third parties (such as public social media posts). We use it on the grounds that we have a legitimate business interest to market our products, to operate PMI touchpoints and to customize your experiences in these ways that is not overridden by your interests, rights and freedoms to protect information about you. |
| Market our products (where permitted by law) | This will typically be a combination of information that you provide to us (for example, your name and contact and social media details), information that we collect automatically (for example, using cookies and similar technologies) and (where permitted by law) information that we acquire from third parties (such as public social media posts). We use it on the grounds that we have a legitimate business interest to market these products, services, outlets and events that is not overridden by your interests, rights and freedoms to protect information about you. In certain countries, where required by law, we will send you these materials in electronic format only with your consent. |
| Support for all the above purposes | This will typically be a combination of information that you provide to us (typically, name, password (or equivalent)) and information that we collect automatically (for example, information about your device, and cookies and similar tracking technologies). We use it on the grounds that correspond to the purpose for using the information that we are supporting. For example, where we administer your account to support a purchase or to provide after-sales service, we use the information to discharge our contractual obligations to you as a buyer of our products; where we administer your account to show you our products, we are supporting marketing and so we use it on the grounds that we have a legitimate business interest to market our products that is not overridden by your interests, rights and freedoms to protect information about you, and so |
| Business analytics and improvements | This will typically be a combination of information that you provide to us, information that we collect automatically and (where permitted by law) information that we acquire from third parties. We use it on the grounds that we have a legitimate business interest to analyze and to improve our business performance, our products, PMI touchpoints, outlets and events, and to invite others to get involved in promoting PMI products, that is not overridden by your interests, rights and freedoms to protect information about you. |
Where we do not base our use of information about you on one of the above legal bases, we will ask for your consent before we process the information (these cases will be clear from the context).
In some instances, we may use information about you in ways that are not described above. Where this is the case, we will provide a supplemental privacy notice that explains such use. You should read any supplemental notice in conjunction with this notice.
Who do we share your information with, and for what purposes?
We may share information about you with:
- PMI affiliates;
- third parties who provide PMI affiliates or you with products or services;
- PMI affiliates’ carefully selected business partners and advertisers (in areas connected with our products, or consistent with their style and image) so that they can contact you with offers that they think may interest you, in accordance with your preferences; and
- other third parties, where required or permitted by law.
Sharing data with other PMI affiliates
- Information about you will be shared with Philip Morris International Management SA (based in Lausanne, Switzerland), which is the place of central administration of personal data processing for PMI affiliates. Philip Morris International Management SA processes the information about you for all the purposes described in this notice.
- Information about you may be shared with the PMI affiliate that is responsible for the country in which you live (if it wasn’t the PMI affiliate that first collected the information) for all the purposes described in this notice.
- Information about you may be shared with any other PMI affiliate that you contact (for example, if you travel and you want to know where to buy PMI products in a new country, or where to find service or support for PMI products) in order to enhance our service to you.
Details of PMI affiliates and the countries in which they are established are available here
Sharing data with third parties
- We may share information about you with third parties who provide PMI affiliates or you with products or services (such as advisers, payment service providers, delivery providers, retailers, product coaches, information services providers and age verification providers).
- We may share information about you with PMI affiliates’ carefully selected third party business partners and advertisers (in line with the kind of thing you might associate with our products, for example because they have similar or complementary image, style, or functionality) so that they can contact you with products, services and promotions that they think may interest you, in accordance with your preferences.
- We may share information about you with other third parties, where required or permitted by law, for example: regulatory authorities; government departments; in response to a request from law enforcement authorities or other government officials; when we consider disclosure to be necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity; and in the context of organisational restructuring.
Where might information about you be sent?
As with any multinational organisation, PMI affiliates transfer information globally. Accordingly, information about you may be transferred globally (if your information is collected within the European Economic Area, this means that your information may be transferred outside it).
When using information as described in this notice, information about you may be transferred either within or outside the country or territory where it was collected, including to a country or territory that may not have equivalent data protection standards.
For example, PMI affiliates within the European Economic Area (“EEA”) may transfer personal information to PMI affiliates outside the EEA. In all cases, the transfer will be:
- on the basis of a European Commission adequacy decision;
- subject to appropriate safeguards, for example the EU Model Contracts; or
- necessary to discharge obligations under a contract between you and us (or the implementation of pre-contractual measures taken at your request) or for the conclusion or performance of a contract concluded in your interest between us and a third party, such as in relation to travel arrangements.
In all cases, appropriate security measures for the protection of personal information will be applied in those countries or territories, in accordance with applicable data protection laws.
How do we protect information about you?
We implement appropriate technical and organisational measures to protect personal information that we hold from unauthorised disclosure, use, alteration or destruction. Where appropriate, we use encryption and other technologies that can assist in securing the information you provide. We also require our service providers to comply with strict data privacy and security requirements.
How long will information about you be kept?
We will retain information about you for the period necessary to fulfil the purposes for which the information was collected. After that, we will delete it. The period will vary depending on the purposes for which the information was collected. Note that in some circumstances, you have the right to request us to delete the information. Also, we are sometimes legally obliged to retain the information, for example, for tax and accounting purposes.
Typically, we retain data based on the criteria described in the table below:
|Type||Explanation/typical retention criteria|
Most of the information in your marketing profile is kept for the duration of our marketing relationship with you; for example, while you continue to use digital touchpoints, or respond to our communications. However, some elements of your marketing profile, such as records of how we interact with you, naturally go out of date after a period of time, so we delete them automatically after defined periods (typically 3 years) as appropriate for the purpose for which we collected them.
This scenario is the same as the above, but if we don’t have any contact with you for a long period (typically 2 years), we will stop sending you marketing communications and delete your history of responses to them. This will happen, for example, if you never click through to an invitation to an event, log on to a digital touchpoint, or contact customer care, during that time. The reason is that in these circumstances, we assume you would prefer not to receive the communications.
If you have registered to receive marketing communications, but the information you give us to contact you doesn’t work, we will retain your details for a period of typically only 6 months to allow you to return and correct it.
If you are not registered with us for other purposes (e.g. marketing communications, warranty, customer care), and we use publicly available information about you in order to understand the market or your preferences, we will retain the information about you for a short period in order to perform the particular item of market research.
If you purchase goods, we will retain details of this for so long as required to complete the sale, and to comply with any legal obligations (for example, for tax and accounting record-keeping purposes). If you also register for a warranty for a device, we will retain details of this for so long as relevant to the warranty.
If you contact customer care, we will make a record of the matter (including details of your enquiry and our response) and retain it while it remains relevant to our relationship. Temporary records (for example, an automated recording of a telephone call in which you ask us to direct you to a retail outlet) may be relevant only until more permanent records are made, and will be retained only temporarily.
System audit logs are retained typically for a period of only a few months.
Business analytics data is typically collected automatically when you use PMI touchpoints and anonymised/aggregated shortly afterwards.
What rights and options do you have?
You may have some or all of the following rights in respect of information about you that we hold:
- request us to give you access to it;
- request us to rectify it, update it or erase it;
- request us to restrict our using it, in certain circumstances;
- object to our using it, in certain circumstances;
- withdraw your consent to our using it;
- data portability, in certain circumstances;
- opt out from our using it for direct marketing; and
- lodge a complaint with the supervisory authority in your country (if there is one).
We offer you easy ways to exercise these rights, such as “unsubscribe” links, or giving you a contact address in messages you receive.
Some mobile applications we offer might also send you push messages, for instance about new products or services. You can disable these messages through the settings in your phone or the application.
The rights you have depend on the laws of your country. If you are in the European Economic Area, you will have the rights set out in the table below. If you are elsewhere, you can contact us (see the paragraph “who should you contact with questions?” at the end of this notice) to find out more.
|Right in respect of the information about you that we hold||Further detail (note: certain legal limits to all these rights apply)|
This is confirmation of:
On your request we will provide you with a copy of the information about you that we use (provided this does not affect the rights and freedoms of others).
This applies if the information we hold is inaccurate or incomplete.
This applies if:
This right applies temporarily while we look into your case, if you:
(if you make use of your right in these cases, we will tell you before we use the information again).
This right applies also if:
You have two rights here:
This applies if the legal basis on which we use the information about you is consent. These cases will be clear from the context.
then you have the right to receive the data back from us in a commonly used format, and the right to require us to transmit the data to someone else if it is technically feasible for us to do so.
Each European Economic Area country must provide for one or more public authorities for this purpose.
You can find their contact details here:.
Country-specific additional points
According to which country you are in, you may have some additional rights.
Age verification in Germany
- To verify your age, we send information about you to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, tel.: +49 (0) 6 11-92 78 0. The SCHUFA company data protection officer may be reached at the address listed above, attn. Department of Data Protection, or by e-mail at firstname.lastname@example.org.
- SCHUFA processes personal data in order to provide recipients with a legitimate interest information needed to evaluate the creditworthiness of individuals and legal entities. Scores are calculated and provided to this end. It only provides information if a legitimate interest in such information is credibly shown in a particular case and processing such information is permissible upon weighing all interests concerned. A legitimate interest is present upon entering into transactions with a financial default risk. A credit assessment serves to protect the recipient against losses in the lending business and, at the same time, provides an opportunity to protect borrowers from unreasonable indebtedness by providing counselling. Furthermore, data is processed for purposes of fraud prevention, integrity assessment, money laundering prevention, identity and age verification, address location, customer service or risk management as well as tariff classification and assessing conditions. Pursuant to Art. 14 (4) GDPR, SCHUFA will provide information regarding any changes to the purposes for which it processes data.
SCHUFA processes information on the basis of the provisions of the General Data Protection Regulation. Data is processed on the basis of consent as well as on the basis of Art. 6 (1) (f) GDPR, provided that processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Consents may be revoked at any time by declaration to the relevant contractual partner. This applies in like manner to consents provided prior to the effective date of the GDPR. The revocation of consent does not affect the legality of personal data processed prior to revocation.
SCHUFA receives its data from its contractual partners. They are institutions, finance companies and payment service providers domiciled in the European Economic Area and Switzerland as well as third countries as applicable (to the extent an adequacy decision from the European Commission is available) that are exposed to a financial default risk (e.g. banks, savings banks, cooperative banks, credit card, factoring and leasing companies) as well as additional contractual partners who use SCHUFA products for the purposes described above, in particular (mail order) retailers, e-commerce companies, service providers, leasing, energy supply, telecommunications, insurance or collections companies. Furthermore, SCHUFA processes information from generally accessible sources such as public registries and official publications (e.g. debtor registers, insolvency announcements).
Categories of personal information that is processed (personal data, payment history and contractual compliance)
- Personal data, e.g. surname (if applicable prior names that may be provided upon special request), given name, date of birth, place of birth, address, prior addresses
- Information regarding the initiation and execution of a transaction in accordance with the contract (e.g. Giro accounts, instalment loans, credit cards, garnishment-exempt accounts, basic accounts)
- Information regarding undisputed, past-due claims subject to repeated dunning or reduced to judgement and their resolution
- Information regarding abusive or otherwise fraudulent activities such as identity theft or credit rating fraud
- Information from public registries and official publications
Recipients comprise contractual partners domiciled in the European Economic Area and Switzerland as well as other third countries as applicable (to the extent an adequacy decision from the European Commission is available for such countries). Additional recipients may include external contractors of SCHUFA pursuant to Art. 28 GDPR as well as external and internal SCHUFA recipients. SCHUFA is furthermore subject to the statutory powers of intervention held by public authorities.
SCHUFA stores information about persons only for a certain period. Necessity is the decisive factor for defining this period. SCHUFA has established standard periods for a review of necessity for further storage and/or deletion of personal data. Based on these rules, the general storage period for personal data is three years from the date of their transaction. The foregoing notwithstanding, examples of other deletion periods include:
- Information regarding enquiries twelve months to the date
- Information regarding trouble-free contractual data related to accounts that are documented without the associated claim (e.g. Giro accounts, credit cards, telecommunications accounts or energy accounts), information regarding contracts for which an evidential review is provided by law (e.g. accounts exempt from garnishment, basic accounts) as well as guarantees and trading accounts that are maintained on the credit side, immediately after notification of termination
- Data from debtor registers of the central enforcement courts three years to the day, however earlier if SCHUFA is shown evidence of deletion by the central enforcement court
- Information on consumer/insolvency proceedings or residual-debt exemption proceedings three years to the day following termination of the insolvency proceedings or issuance of a residual debt exemption. Deletion may also be performed at an earlier date as specially warranted in specific cases
- Information regarding the rejection of an insolvency petition due to a lack of assets, the suspension of a stay or the failure of the residual debt exemption, three years to the day
- Personal prior addresses remain stored for three years to the day; a review of the necessity of an additional three years of storage is conducted thereafter. Thereafter, they are deleted three years to the day, provided that a longer storage period is not required for identification purposes
Rights of the data subject
In relation to SCHUFA, every person concerned has the right of access under Art. 15 GDPR, the right of rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR and the right to restrict processing under Art. 18 GDPR. SCHUFA has set up a consumer service centre for the concerns of data subjects. It may be reached in writing at SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Cologne, by telephone at +49 (0) 6 11-92 78 0 and via an online form available at www.schufa.de. Furthermore, it is also possible to contact the supervisory authority responsible for SCHUFA, the Commissioner for Data Protection of Hesse. Consents may be revoked at any time by declaration to the relevant contractual partner.
Profile creation (Scoring)
The SCHUFA credit report may be supplemented by a so-called score. Scoring involves the creation of a forecast of future events on the basis of information collected and past experience. SCHUFA fundamentally calculates all scores on the basis of information stored by SCHUFA regarding the relevant person; this information is provided in response to a request pursuant to Art. 15 GDPR. Furthermore, SCHUFA complies with the provisions of § 31 Federal Data Protection Act (BDSG). On the basis of entries stored in association with an individual, the individual is assigned to a statistical group of persons who had similar entries in the past. This process is described as “logical regression” and is a well-founded mathematical-statistical method that has proven itself over time for forecasting risk probabilities. The following forms of data are used by SCHUFA when computing a score, whereby not every form of data is used to compute every score: General data (date of birth, gender or number of addresses used in business dealings), prior payment problems, credit activity for the previous year, credit utilisation, length of credit history as well as address data (only if little personal credit-related information is available). Certain information is neither stored nor used for scoring purposes, for example: Information regarding nationality or particular categories of personal data such as ethnic origin or information about political or religious beliefs in accordance with Art. 9 GDPR. Similarly, the assertion of rights pursuant to the GDPR, i.e. access to data stored by SCHUFA under Art. 15 GDPR, has no influence on the calculation of a score. Scores that are provided support the contractual partners in the decision making process and are considered as part of risk management. 
Risk assessment and the evaluation of creditworthiness are performed solely by the direct business partner, whilst only it has a wide variety of additional information available to it - for example information from the credit application. This even applies in the event the business partner relies solely on information and scores provided by SCHUFA. However, by itself a SCHUFA score is not a sufficient basis to decline the conclusion of a contract. Additional information on the scoring process or the recognition of unusual circumstances is available at www.scoring-wissen.de.
Pursuant to Art. 21 (1) GDPR, data processing may be objected to on grounds relating to the particular situation of the data subject.
An objection may be asserted without formal requirements and should be addressed to SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Cologne.
Who should you contact with questions?
If you have any questions, or wish to exercise any of your rights, you can find contact details for the relevant PMI affiliate, and if applicable data protection officer, here. Contact details will also be given in any communications that a PMI affiliate sends you.
If your country has a data protection authority, you have a right to contact it with any questions or concerns. If the relevant PMI affiliate cannot resolve your questions or concerns, you also have the right to seek judicial remedy before a national court.
Changes to this notice
We may update this notice (and any supplemental data privacy notice), from time to time. We will notify you of the changes where required by law to do so.
Last modified 22 May 2018. You can find previous versions of this notice .