In this Privacy Notice we will cover:
1. Who is the data controller?
The data controllers for any personal data we hold about you are THE NET‑A‑PORTER GROUP LIMITED of 1 The Village Offices, Westfield London, Ariel Way, London, W12 7GF, United Kingdom and our parent company, YOOX NET‑A‑PORTER GROUP S.p.A. of Via Morimondo 17, 20143 Milan, Italy, a company with sole shareholder subject to direction and coordination by Compagnie Financière Richemont S.A,.
We are responsible for ensuring that your data is held securely, that you are given accurate information about how your data is used, and that your rights regarding your data are respected. The products we sell are not aimed specifically at individuals under the age of 18, we do not promote our products to this market and we cannot identify individuals of this age and under, on our database. Please refer to our Terms & Conditions for more information. Please also read our Registration & Account Terms and Conditions which apply to you when you register for an account on our website or App.
2. What personal data do we process, for which purpose and what is our legal basis for processing it?
We collect data from you when you visit our website or while using our associated apps (“websites and Apps”). The data we collect includes your name, email address, telephone number and shipping/billing address, your day and month of birth, your favourite designers and information regarding your browsing and shopping behaviour. Data is collected when you place an order, call our Customer Care team, register with us, opt in to our marketing communications, browse our site and use other services offered by our site. The data we collect is used to take your order, process payment and deliver your purchase to you. We also use it to deliver marketing communications, give access to services for registered users, personalise your visit to our site and provide assistance via our Customer Care team.
We must have a valid reason for processing your personal data and we may not collect, store or use data about you that is not compatible with that reason. There are four valid reasons for our use of your personal data: Performance of a Contract, our Legitimate Interests as a business, a Legal Obligation we are required to follow and Consent which you provide to us.
If you have given your consent to our use of your personal data, you are entitled to withdraw this consent at any time.
The data we process, and the legal basis we use to process it is detailed below:
3. Who will process your data?
Your personal data will be processed by the internal staff of the THE NET‑A‑PORTER GROUP LIMITED who have been specifically trained and authorised for this processing. In carrying out the processing for distribution of our products and managing our supply chain, the data may also be transmitted to our parent companies YOOX NET‑A‑PORTER GROUP S.p.A and Compagnie Financière Richemont S.A,
Your personal data will also be transmitted to third parties that we use to provide our services; these parties have been rigorously assessed for the way in which they manage personal data and may only use your data for the exact purposes that we specify in the contract with them.
The third parties in question belong to the following categories:
Companies such as payment service providers that help us to process your order.
Companies that help us to deliver your purchases such as couriers and parcel delivery companies who deliver your goods and act as Data Controllers for the duration of the delivery process.
Professional service providers, such as email delivery suppliers, IT software providers, marketing and research agencies, analytics companies and website hosts who help us to run our business,
Credit reference agencies, law enforcement and fraud prevention agencies, so we can help tackle fraud.
Governmental bodies and regulators to comply with our legal obligations.
Aggregated data that does not identify individuals is shared with internal teams, relevant service providers and brand partners for business planning purposes
4. Data transfer outside of the European Union
Some of the third parties listed in the previous section 'Who will process your data?' may be located in countries outside the United Kingdom (UK), European Union (EU) or European Economic Area (EEA) that nevertheless offer an adequate level of data protection, as established by specific decisions of the European Commission.
The lawful transfer mechanism of your personal data to countries that do not belong to the UK, EU or EEA and that have not been assessed as offering adequate levels of protection will be performed only
- after Standard Contractual Clauses have been put in place alongside any supplementary measures that are deemed necessary on a case-by-case basis;
- if the transfer is necessary for the purchase of goods offered on our website or for registration on the website or use of services on the website;
- for the management of your requests or fulfilment of a legal obligation.
5. How long do we keep your data?
We keep your personal data for a limited period of time in line with our data retention policy. The specific retention period will vary according to the reason for processing your personal data. After this period, your data will be permanently erased or otherwise irreversibly rendered anonymous.
6. Your rights
You have the following rights under data protection law:
The right to request a copy of the personal data that we hold about you. The right to ask us to correct any inaccuracies in the personal data we hold about you.
The right to withdraw your consent to marketing.
The right to object to our processing of your personal data on the basis of our legitimate interest.
The right to request the deletion of your personal data in certain circumstances.
The right to data portability to transfer your data to another entity.
The right related to automated decision making including profiling. We use profiling to make relevant and tailored recommendations to you. Profiling is the automated processing of personal data to evaluate certain things about an individual, for example, people who are interested in particular designers or products. We do not use automated decision-making processes that would have a potentially damaging effect on you. But if we did, you have the right to obtain human intervention, express your point of view, obtain an explanation of the decision and challenge it.
To exercise any of these rights, you can sign in to your account, contact our Customer Care team at email@example.com or +44 330 022 5700 or write to our Data Protection Officer (DPO) by writing to "Data Protection Officer" at one of the addresses below, or by email to the DPO address (DPO@ynap.com).
Data Protection Officer (DPO) THE NET‑A‑PORTER GROUP LIMITED, 1 The Village Offices, Westfield London, Ariel Way, London, W12 7GF, UK.
Data Protection Officer (DPO) YOOX NET‑A‑PORTER S.p.A, Via Morimondo 17, 20143 Milan, ITALY.
If you believe that NET‑A‑PORTER GROUP LIMITED are processing your data illegally, you have the right to lodge a complaint with the Supervisory Authority. In the UK, this is the ICO. https://ico.org.uk/make-a-complaint/
As the UK is no longer part of the European Union (EU) we are required to appoint a 'representative in the Union' to handle privacy matters and act as a point of contact for European residents whose data we process. We have appointed YOOX NET‑A‑PORTER GROUP S.p.A as our representative.
We are committed to taking appropriate technical, physical and organisational measures to protect personal information against unauthorised access, unlawful processing, accidental loss or damage, and unauthorised destruction.
In particular, we use security measures that employ pseudonymisation or encryption of your data to ensure the confidentiality, integrity, and availability of your data as well as the resilience of the systems and services that process them. We have the ability to restore the availability and access to personal data in the event of a physical or technical incident. Furthermore, NET‑A‑PORTER GROUP LIMITED undertakes to test, verify and regularly evaluate the effectiveness of technical and organizational measures in order to ensure continuous improvement in the safety of processing.
8. Changes to this notice