Who are we?
We are a member of Philip Morris International. Our details (name, address, etc.) will have been given to you separately at the time of (or to confirm) the collection of information about you, for example, in a notice on an app or a website, in an e-mail, or in a contract between us, containing a link to this notice. Alternatively you may have been directed to this notice after we collected information about you, but because of the circumstances of the collection, without our contacting you individually at that time.
- PMI: Philip Morris International, a leading international tobacco group. It is made up of a number of companies or “affiliates”.
- PMI affiliates: Each member of the Philip Morris International group of companies is a “PMI affiliate”. “We” (or “us” or “our”) refers to the PMI affiliate that first collected information about you (for example, the PMI affiliate that has contracted to receive goods or services from you or your employer, or the PMI affiliate you contacted or whose office you visited).
- PMI product: means a product of ours or of another PMI affiliate.
How do we collect information about you?
We may collect information about you in various ways.
- You may provide us with information directly (e.g. signing a contract, filling in a form, making a call to us, corresponding with us, or meeting one of our employees).
- We may collect information automatically (e.g. when you use PMI systems, a PMI-issued device such as a laptop or mobile phone, PMI-issued software (e.g. a PMI app) or a PMI website).
- We may acquire information from third parties (e.g. your employer, your representative or publicly-available sources, such as on a company website, internet searches, business information agencies, or on social media platforms such as LinkedIn, Facebook and Twitter).
In this notice, we refer to all the methods by which you are in contact with us as “PMI touchpoints”. PMI touchpoints include both physical (for example, PMI offices, retail outlets and events), and digital (for example, e-mail correspondence, use of apps and websites).
We may collect information that you provide directly. Typically this will happen when you:
- sign up to be a member of our databases (this could be, for example, in person, via app, or online);
- enter into an arrangement to provide us with products or services, or provide us with information in contemplation of doing so;
- enter into an arrangement with us to sell PMI products;
- download, or use, a digital touchpoint (e.g. an app or a website);
- contact us through a touchpoint, or by e-mail, social media or telephone;
- meet, or correspond with, one of our employees to discuss your business, your views on matters of importance to us, or our business;
- register to receive PMI press releases, e-mail alerts, or marketing communications;
- participate in PMI surveys or (where permitted by law) PMI competitions or promotions; or
- visit our offices or attend an event that a PMI affiliate has organised.
We may collect information about you automatically. Typically this will happen when you:
- visit our offices (e.g. through video (CCTV) recording and building access logs);
- work at, or visit, an outlet that sells PMI products (e.g. by collecting your data at check-out, or through sensors at the outlet that connect with mobile technology);
- attend an event that a PMI affiliate has organised (e.g. through purchases/sales at the event) or through sensors at the event that connect with mobile technology;
- use PMI’s systems, PMI-issued software or PMI-issued devices such as a laptop or mobile phone (e.g. by collecting systems and device usage data, access log files and storing correspondence sent and received using PMI systems and devices);
- communicate with us (for example, through a PMI touchpoint; or social media platforms);
- use PMI touchpoints (e.g. through tracking mechanisms in an app or a website); or
- make public posts on social media platforms that we follow (for example, so that we can understand public opinion, or respond to requests concerning PMI products).
Where permitted by law, we may acquire information about you from third parties, in particular with respect to preparing to do business with you or your employer, or with respect to your publicly known views, opinions, and decisions which may affect public policy and other issues which relate to PMI. This may include information supplied by business information agencies, information shared between PMI affiliates, publicly-available profile information on third party social media sites (such as LinkedIn).
We may also collect information in other contexts made apparent to you at the time.
What information about you do we collect?
We may collect various types of information about you:
- information necessary to manage and administer our relationship with you, your employer or representative (including doing so in contemplation of such a relationship)
- information necessary to purchase products and services
- information necessary to trade in, or to provide advice concerning, PMI products or services (for example, to fulfil orders)
- information necessary to provide support for PMI products or services, or to provide warranty services
- information about what you do in your business concerning our consumers, PMI products, or us (e.g. performing warranty services, displaying PMI products and point of sale materials, etc.)
- information you give us in contracts, forms or surveys
- information about your visits to our offices, outlets and events
- information you give us in calls you make to us, meetings you have with our employees, or e-mails you send to us
- information about your preferences and interests
- information necessary to verify your age, identity and authority to act on behalf of your employer if applicable
- information about your publicly known views, opinions, and decisions which may affect public policy and other issues which relate to PMI
- information submitted to us when using information systems that PMI affiliates operate
- automated records of your use of PMI information systems, including PMI-issued devices
Information that we collect from you directly will be apparent from the context in which you provide it. For example:
- where you are a supplier (or a potential supplier), to manage our relationship with you, your employer or representative, you provide your name, contact, billing details, and details of the products/services (and, where appropriate, expense claims) so that we can fulfil our contract, or to take steps in contemplation of doing so (e.g. financial stability information, information on trade sanctions, background checks), and to manage your access to and use of our buildings, information systems and IT devices;
- where you are a public figure whose views may affect public policy or other issues that relate to PMI, we may note what the views are that you have made public, and the time and date you did so, or where you meet one of our employees, those basic details about that meeting, as well as your views that you have shared with us as being your public views;
- you may provide information on your preferences and interests so that we can offer you reward schemes or invite you to events that will interest you;
- we may collect information that enables us to verify your age and identity, for example a copy of an identity document.
Information that we collect automatically will generally concern:
- details of your visit or call (such as time and duration);
- in our offices, a sales outlet or at an event (including areas in the immediate vicinity), how frequently you visit, and which areas you access/visit and for how long;
- information for building access control systems;
- biometric data for identification purposes (for building access controls, or access to IT devices);
- your use of digital PMI touchpoints (such as the pages you visit, the page from which you came, and the page to which you went when you left, search terms entered, or links clicked within the touchpoint);
- automated records of your use of PMI information systems, including PMI-issued devices
- information submitted to us when using information systems that PMI affiliates operate
- information submitted to us when using PMI online forums;
- information submitted to us in correspondence; and
- your device (such as your IP address or unique device identifier, location data, details of any cookies that we may have stored on your device).
Information that we collect from third parties will generally consist of publicly-available information (such as your role, preferences and interests, and your views, opinions, and decisions which may affect public policy and other issues which relate to PMI), for example from public social media posts.
For what purposes do we use information about you, and on what legal basis?
In this section, we describe the purposes for which we use personal information. However, this is a global notice, and where the laws of a country restrict or prohibit certain activities described in this notice, we will not use information about you for those purposes in that country.
Subject to the above, depending on the nature of our relationship with you, we may use information about you for the following purposes:
- To comply with regulatory obligations, such as verifying your age and identity, undertaking ‘know your supplier’ checks and managing our contractual relationship with you or your employer
- Legal compliance, such as retaining and using your records in relation to any anticipated disputes, for the purposes of obtaining advice from our lawyers and other advisers
- To purchase products or services from you or your employer, including contacting you to manage our relationship, obtain sales-related services and to pay you for goods, services and expenses (where appropriate)
- To sell our products to you, including fulfilling your orders, processing your payments
- To provide sales-related services to you, including dealing with your inquiries and requests, and providing warranty services
- To inform you of updates, promotions, events and manage related aspects of our relationship, including administering loyalty programs, product improvement, market research, developing marketing strategies, administering marketing campaigns, and customizing your experiences at events
- To support all the above, including administering your or your employer’s accounts, enabling you to use PMI touchpoints and sell PMI products, corresponding with you, customizing your experiences of PMI touchpoints, administration and troubleshooting, general record keeping and managing your access to any systems to which we have granted you access
- For business analytics and improvements, including improving PMI products, offices, processes, outlets and events, and the information, systems and devices that we (or our affiliates) provide to our customers, suppliers, service providers, third party contractors, retailers and visitors
- To enable and administer your use of PMI systems, PMI-issued software, PMI devices and PMI information
- To monitor your use of PMI systems and devices, for example to ensure appropriate use of internet and e-mail facilities, and appropriate handling of company information
- To maintain the security of PMI systems, devices, information and buildings
- For us or our business partners to inform you of potential opportunities to get involved in marketing or promoting PMI products
- To understand your views, opinions, decisions, and how they may affect public policy and other issues which relate to PMI
- For other purposes that we notify you of, or will be clear from the context, at the point information about you is first collected
The legal basis for our use of information about you is one of the following (which we explain in more detail in the “find out more” section):
- compliance with a legal obligation to which we are subject;
- the performance of a contract to which you are a party;
- a legitimate business interest that is not overridden by interests you have to protect the information;
- where none of the above applies, or where law requires it, your consent (which we will ask for before we process the information).
The purposes for which we use information about you, with corresponding methods of collection and legal basis for use, are:
Method of collection and legal basis for Processing
Comply with regulatory obligations
This information is generally provided to us by you directly during the time you have a relationship, or are interacting, with us.
We use it because it is necessary for us to comply with a legal obligation to trade only with adults and to run our business in a compliant way (including in relation to company law and tax compliance), keep financial and tax records, comply with trade sanctions, comply with health and safety laws (which may include keeping records of incidents), produce reports, comply with requests for information from competent authorities and manage any conflicts of interest, or, in countries where there is no such legal obligation, because we have a legitimate business interest to run our business in accordance with good practice requirements that is not overridden by your interests, rights and freedoms to protect information about you.
Purchase products and services
We will generally either receive the information from you directly or via your employer (typically, name, role, business address, business e-mail address, orders, services, payment information, (where appropriate, details of expenses) correspondence).
We use it in relation to the performance of our contract with you or your employer as a purchaser of your or your employer’s products or services or, where there is no such obligation, we use it because we have a legitimate business interest to run our business, contact you in relation to the products or services we are receiving from you or your employer, to process payments, manage our relationship with you or your employer and monitor compliance with our agreement, policies and programs that is not overridden by your interests, rights and freedoms to protect information about you.
Sell our products
This information is generally provided to us by you directly or via your employer as applicable (typically, name, role, business address, business e-mail address, orders, payment information, correspondence).
We use it to discharge our contractual obligations to you or your employer as a buyer of our products.
Provide sales-related services
This information is generally provided to us by you directly or via your employer.
We use it because we have a legitimate business interest in providing sales-related services to you or your employer that is not overridden by your interests, rights and freedoms to protect information about you.
Business promotion and relationship management (where permitted by law)
This will typically be a combination of information that you provide to us (for example, your name and contact and social media details); information that we collect automatically (for example, using technology to monitor use of PMI touchpoints) and (where permitted by law) information that we acquire from third parties (such as public social media posts).
We use it on the grounds that we have a legitimate business interest to manage our relationship and tell you about our business, products and events, to operate PMI touchpoints, and to customize your experiences, in these ways that is not overridden by your interests, rights and freedoms to protect information about you.
Business promotion and relationship management (where permitted by law)
This will typically be a combination of information that you provide to us (for example, your name and contact details, your social media handles); information that we collect automatically (for example, using cookies and similar technologies) and (where permitted by law) information that we acquire from third parties (such as public social media posts).
We use it on the grounds that we have a legitimate business interest to inform you about these things that is not overridden by your interests, rights and freedoms to protect information about you.
In certain countries, where required by law, we will send you these materials in electronic format only with your consent.
We will generally either receive the information from you directly or via your employer.
We use it because we have a legitimate business interest to run our business, manage our relationship with you and maintaining the security and integrity of our buildings, information and IT systems that is not overridden by your interests, rights and freedoms to restrict use of information about you.
Security and systems monitoring
This information is collected automatically through various means such as automated systems and device monitoring, and CCTV recording and audio recording at our premises.
We use it because we have a legitimate business interest in ensuring the confidentiality, integrity and security of our physical and digital infrastructure, information and premises that is not overridden by your interests, rights and freedoms to protect information about you.
Support for all the above purposes
This will typically be a combination of information that you provide to us (typically, name, password (or equivalent)) and information that we collect automatically (for example, information about your device, and cookies and similar tracking technologies).
We use it on the grounds that correspond to the purpose for using the information that we are supporting. For example, where we administer your account to support a purchase or to provide after-sales service, we use the information to discharge our contractual obligations to you as a buyer of our products; where we administer your account to update you on our products, we are supporting business development and so we use it on the grounds that we have a legitimate business interest to market our products that is not overridden by your interests, rights and freedoms to protect information about you, and so on.
Business analytics and improvements
This will typically be a combination of information that you provide to us and information that we collect automatically and (where permitted by law) information that we acquire from third parties.
We use it on the grounds that we have a legitimate business interest to analyze and to improve our business performance, our products, systems, processes, offices, outlets, training, events, PMI touchpoints and the devices and information we provide and to invite others to get involved in promoting PMI products, that is not overridden by interests, rights and freedoms to protect your information about you.
Understanding your views, opinions, and decisions
This will typically be information that we acquire from publicly-available third party sources, such as from a company website, internet searches or on social media platforms such as LinkedIn, Facebook and Twitter, or that we acquire directly from you, such as your views that you have shared with us as being your public views.
We use it on the grounds that we have a legitimate business interest to monitor and assess the views and decisions of stakeholders and map out the manner in which their views and decisions may affect PMI and its industry, that is not overridden by interests, rights and freedoms to protect information about you.
Where we do not base our use of information about you on one of the above legal bases, or where law requires it, we will ask for your consent before we process the information (these cases will be clear from the context).
In some instances, we may use information about you in ways that are not described above. Where this is the case, we will provide a supplemental privacy notice that explains such use. You should read any supplemental notice in conjunction with this notice.
Sharing data with other PMI affiliates
- Information about you will be shared with Philip Morris Products S.A. (based in Neuchâtel, Switzerland), which is the place of central administration of personal data processing for PMI affiliates. Information about you may also be shared with Philip Morris International IT Service Centre Sàrl (based in Lausanne, Switzerland) as technology provider for PMI affiliates. Philip Morris Products S.A. and (to the extent it has access) Philip Morris International IT Service Centre Sàrl process the information about you for all the purposes described in this notice.
- If we arrange work-related travel (e.g. where you are visiting another PMI affiliate), information about you may be shared with the PMI affiliate that is our regional centre of operations (if it wasn’t the PMI affiliate that first collected the information) for all the purposes described in this notice, the PMI affiliate that is the regional centre of operations for the PMI affiliate you are travelling to, the PMI affiliate you are travelling to and the PMI affiliate responsible for any security arrangements in relation to the work-related travel.
- Information about you may be shared with any other PMI affiliate that you contact or do business with (for example, if you sell products or services to other PMI affiliates or travel to other PMI offices during the time you have a business relationship with a PMI affiliate).
Details of PMI affiliates and the countries in which they are established are available here.
Country-specific additional points
According to which country you are in, we want you to be aware of some further points.
If you are in Japan, find out more…
If you are in Japan, note that we share information about you, for the purposes described in this notice, with other PMI affiliates on the basis of “joint use” under Japanese data protection laws. When we do this, Philip Morris Japan Limited (PMJ) continues to manage your personal information responsibly, and we require those with whom we share the data to do the same. Further, if they are located outside Japan, we take reasonable measures in accordance with the relevant laws and regulations.
Sharing data with Third Parties
- To the extent permitted by applicable law, we may share information about you with third parties who provide PMI affiliates or you with products or services (such as your employer, advisers, payment service providers, delivery providers, retailers, product coaches, information services providers and age verification providers).
- To the extent permitted by applicable law, we may share information about you with PMI affiliates’ carefully-selected third party business partners and advertisers (in line with the kind of thing you might associate with our products, for example because they have similar or complementary image, style, or functionality) so that they can contact you with products, services and promotions that they think may interest you, in accordance with your preferences.
- We may share information about you with other third parties, where required or permitted by law, for example: regulatory authorities; government departments; in response to a request from law enforcement authorities or other government officials; when we consider disclosure to be necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity; and in the context of organisational restructuring.
- If we arrange work-related travel (e.g. where you are visiting another PMI affiliate), information about you may be shared with third parties who arrange travel, provide transport or travel-related services, such as travel agents, online booking providers, ticketing agents, airlines, car hire companies, rail providers and hotels. These third parties will use information about you for their own purposes (for example, to discharge their obligations to provide transport or accommodation to you) and you should check their privacy notices for further details about their use of information about you.
Where might information about you be sent?
As with any multinational organisation, PMI affiliates transfer information globally. Accordingly, information about you may be transferred globally (for example, if you are in the European Economic Area (“EEA”), your information may be transferred outside the EEA; if you are in Australia, you information may be transferred outside Australia).
When using information as described in this notice, information about you may be transferred either within or outside the country or territory where it was collected, including to a country or territory that may not have equivalent data protection standards.
PMI affiliates within the EEA will transfer personal information to PMI affiliates, and to their service providers, outside the EEA, for example to facilitate the operation of a global business. In all cases, the transfer will be:
- on the basis of a European Commission adequacy decision;
- subject to appropriate safeguards, for example the EU Model Contracts or binding corporate rules, or
- necessary to discharge obligations under a contract between you and us (or the implementation of pre-contractual measures taken at your request) or for the conclusion or performance of a contract concluded in your interest between us and a third party, such as in relation to travel arrangements.
In all cases, appropriate security measures, for the protection of personal information will be applied in those countries or territories, in accordance with applicable data protection laws.
Our service providers are located in many countries throughout the world, including in particular the EEA, Switzerland, the USA, Canada, India, the Philippines, Indonesia, and Australia.
How do we protect information about you?
We implement appropriate technical and organisational measures to protect personal information that we hold from unauthorised disclosure, use, alteration or destruction. Where appropriate, we use encryption and other technologies that can assist in securing the information you provide. We also require our service providers to comply with strict data privacy and security requirements.
How long will information about you be kept?
We will retain information about you for the period necessary to fulfil the purposes for which the information was collected. After that, we will delete it. The period will vary depending on the purposes for which the information was collected. Note that in some circumstances, you have the right to request us to delete the information. Also, we are sometimes legally obliged to retain the information, for example, for tax and accounting purposes.
Typically, we retain data based on the criteria described in the table below:
Explanation/typical retention criteria
If you are an individual providing us with services (either directly or for your employer), most of the information in your profile is kept for the duration of our relationship with you; for example, while you continue to provide services, purchase products, use the digital touchpoint, or respond to our communications. However, some elements of your marketing profile, such as your purchase history, naturally go out of date after a period of time, so we delete them automatically after defined periods as appropriate for the purpose for which we collected them.
We keep records of invoices, sales, purchases, payments made and received and supporting documents (such as contracts and e-mails) in accordance with company and tax requirements, typically 11 years. We also keep records of checks carried out on suppliers for as long as we are required to comply with our legal and regulatory obligations.
If you visit our buildings, visitor records are retained typically for a period of only a few months.
If you visit our buildings, CCTV records retained typically for a period of only a few days, up to a few weeks, depending on the specific purpose for the recording.
If you purchase goods, we will retain details of this for so long as required to complete the sale, and to comply with any legal obligations (for example, for tax and accounting record-keeping purposes). If you also register for a warranty for a PMI product, we will retain details of this for so long as relevant to the warranty.
If you contact customer care, we will make a record of your enquiry and retain it while it remains relevant to our relationship, for example if you need us to replace a device under warranty. Other records relevant to customer care (for example, an automated recording of a telephone call in which you ask us to direct you to a retail outlet) may be relevant only until more permanent records are made, and will be retained only temporarily.
System audit logs are retained typically for a period of 18 months.
Business analytics data is typically collected automatically when you use PMI touchpoints and anonymised/aggregated shortly afterwards.
What rights and options do you have?
You may have some or all of the following rights in respect of information about you that we hold:
- request us to give you access to it;
- request us to rectify it, update it, or erase it;
- request us to restrict our using it, in certain circumstances;
- object to our using it, in certain circumstances;
- withdraw your consent to our using it;
- data portability, in certain circumstances;
- opt out from our using it for direct marketing; and
- lodge a complaint with the supervisory authority in your country (if there is one).
We offer you easy ways to exercise these rights, such as “unsubscribe” links, or giving you a contact address, in messages you receive or by using the contacts in the paragraph “who should you contact with questions?” at the end of this notice.
Some mobile applications we offer might also send you push messages, for instance about new products or services. You can disable these messages through the settings in your phone or the application.
The rights you have depend on the laws of your country. If you are in the European Economic Area, you will have the rights set out in the table below. If you are elsewhere, you can contact us (see the paragraph “who should you contact with questions?” at the end of this notice) to find out more.
Right in respect of the information about you that we hold
Further detail (note: certain legal limits to all these rights apply)
This is confirmation of:
On your request we will provide you with a copy of the information about you that we use (provided this does not affect the rights and freedoms of others).
This applies if the information we hold is inaccurate or incomplete.
This applies if:
This right applies, temporarily while we look into your case, if you:
(if you make use of your right in these cases, we will tell you before we use the information again).
This right applies also if:
You have two rights here:
This applies if the legal basis on which we use the information about you is consent. These cases will be clear from the context.
then you have the right to receive the data back from us in a commonly used format, and the right to require us to transmit the data to someone else if it is technically feasible for us to do so.
Each European Economic Area country must provide for one or more public authorities for this purpose.
You can find their contact details here:
For other countries please consult the website of your country’s authority.
Country-specific additional points
According to which country you are in, you may have some additional rights.
If you are in France, find out more…
- If you are in France, you have the right to give us instructions regarding information we hold about you in the event of your death (specifically, whether we should store or delete it, and whether others should have the right to see it). You may:
- issue general instructions to a digital service provider registered with the French data protection supervisory authority (called “CNIL”) (these instructions apply to all use of information about you); or
- give us specific instructions that apply only to our use of information about you.
Your instructions may require us to transfer information about you to a third party (but where the information contains information about others, our obligation to respect also their privacy rights might mean that we can’t follow your instructions to the letter). You may appoint a third party to be responsible for ensuring your instructions are followed. If you do not appoint a third party in that way, your successors will (unless you specify otherwise in your instructions) be entitled to exercise your rights over information about you after your death:
- in order to administer your estate (in which case your successors will be able to access information about you to identify and obtain information that could be useful to administer your estate, including any digital goods or data that could be considered a family memory that is transferable to your successors); and
- to ensure that parties using information about you take into account your death (such as closing your account, and restricting the use of, or updating, information about you).
You may amend or revoke your instructions at any time. For further information on the processing of information about you in the event of your death, see Article 40-1 of the law 78-17 dated 6 January 1978. When you die, by default, you will stop using your account and we will delete information about you in accordance with our retention policies (see the paragraph “How long will information about you be kept?” for details).
If you are in Australia, find out more…
- If you are in Australia, the following additional information applies to you:
- if you do not provide your personal information to us, we may not be able to (as applicable) provide you with the information, products or services that you request; or enter into or manage a commercial or business relationship with you (or your employer); and
If you are in Taiwan, find out more…
If you are in Taiwan, the following additional information applies to you:
If you do not provide your personal information to us, we may not be able to (as applicable) provide you with the information, products or services that you request.
Who should you contact with questions?
If you have any questions, or wish to exercise any of your rights, you can find contact details for the relevant PMI affiliate, and if applicable data protection officer, here. Contact details will also be given in any communications that a PMI affiliate sends you.
If your country has a data protection authority, you have a right to contact it with any questions or concerns. If the relevant PMI affiliate cannot resolve your questions or concerns, you also have the right to seek judicial remedy before a national court.
Changes to this notice
We may update this notice (and any supplemental privacy notice), from time to time. Where the law requires it, we will notify you of the changes; further, where the law requires it, we will also obtain your consent to the changes.
Last modified 1 June 2021. You can find previous versions of this notice here.