Who are we?
We are a member of Philip Morris International. Our details (name, address, etc.) will have been given to you separately at the time of (or to confirm) the collection of information about you, for example, in a notice on an app or a website, or in an e-mail, containing a link to this notice.
- PMI: Philip Morris International, a leading international tobacco group. It is made up of a number of companies or “affiliates”.
- PMI affiliates: Each member of the Philip Morris International group of companies is a “PMI affiliate”. “We” (or “us” or “our”) refers to the PMI affiliate that first collected information about you.
How do we collect information about you?
We may collect information about you in various ways.
- You may provide us with information directly (e.g. filling in a form; making a call to us; registering to receive PMI press releases or e-mail alerts; or submitting content to a digital PMI touchpoint).
- We may collect information automatically (e.g. when you use a PMI app or website).
- We may acquire information from third parties (e.g. contact details from creative and marketing agencies, or publicly-available information on social media platforms such as Facebook and Twitter).
In this notice, we refer to all the methods by which you are in contact with us as “PMI touchpoints”. PMI touchpoints include both physical (for example, events), and digital (for example, apps and websites).
We may collect information that you provide directly. Typically this will happen when you:
- sign up to be a member of our databases (this could be, for example, in person, via app, or online);
- submit content to a PMI digital touchpoint;
- download, or use, a digital touchpoint (e.g. an app or a website);
- contact us through a touchpoint, or by e-mail, social media or telephone;
- register to receive PMI press releases, e-mail alerts, or corporate communications;
- participate in PMI surveys or (where permitted by law) PMI competitions or promotions in relation to events; or
- attend an event that a PMI affiliate has organized.
We may collect information about you automatically. Typically this will happen when you:
- attend an event that a PMI affiliate has organized (e.g. through sensors at the event that connect with mobile technology);
- communicate with us (for example, through a touchpoint; or social media platforms);
- use PMI touchpoints (for example, through tracking mechanisms (such as cookies and web beacons/pixels) that you receive when you use the PMI touchpoint or get an e-mail from us);
- use third party websites (for example, using technology similar to that described in the bullet above, that you receive when you visit a PMI touchpoint or get an e-mail from us); or
- make public posts on social media platforms that we follow (for example, so that we can understand public opinion, or respond to requests concerning PMI (for example, PMI campaigns).
Where permitted by law, we may acquire information about you from third parties. This may include information shared between PMI affiliates, publicly-available profile information (such as your preferences and interests) on third party social media sites (such as Facebook and Twitter), and marketing lists acquired from third party marketing agencies.
We may also collect information in other contexts made apparent to you at the time.
What information about you do we collect?
We may collect various types of information about you:
- information necessary to arrange your attendance and accommodation at an event
- information required for your participation in activities at an event
- information necessary to provide you with press releases or e-mail alerts
- information you give us in forms or surveys
- information you give us when you submit content to a digital touchpoint
- information about your visits to our events or PMI touchpoints
- information you give us in communications you have with us in connection with an event or a campaign
- information about your preferences and interests
- information necessary to verify your identity and age
- information about your experiences at our events, receiving our communications or our services
Information that we collect from you directly will be apparent from the context in which you provide it. For example:
- if you choose to attend an event that may include the booking of accommodation and transport, you provide your name, contact, passport or identity document details so that we can facilitate the required bookings;
- if you submit content to a digital PMI touchpoint, you may provide your name, username, contact, image, location, interests and preferences;
- you may provide information on your preferences, interests and experiences so that we can offer you services and updates that will interest you, and to improve our events and services;
- if you choose to participate in an event activity;
- we may collect information that enables us to verify your age, for example a copy of an identity document or your facial image.
Information that we collect automatically will generally concern:
- at an event (including areas in the immediate vicinity), which areas you visit and for how long;
- details of your visit or call (such as time, date, and duration);
- recordings (where permitted) of your visit to an event;
your mobile or desktop device and software (such as your IP address or unique device identifier (for example, mobile advertising identifier (MAID) or Android ID (SSAID)), location data (either derived from your IP address or if you choose to share your precise location with us for specified purposes, e.g. store locator), device brand and model, the display settings of your monitor, web browser type, operating system, (some of which may be used in “digital fingerprinting” (see for what purposes we use information about you, below)) and details of any cookies (or similar technologies) that we may have stored on your device).
Information that we collect from third parties will generally consist of publicly-available profile information (such as your preferences, interests and experiences), for example from public social media posts. We may also collect your name and e-mail address from third parties in order to invite you to attend an event and participate in event activities.
For what purposes do we use information about you, and on what legal basis?
In this section, we describe the purposes for which we use personal information. However, this is a global notice, and where the laws of a country restrict or prohibit certain activities described in this notice, we will not use information about you for those purposes in that country.
Subject to the above, we use information about you for the following purposes:
To comply with regulatory obligations, such as (where appropriate) verifying your age and identity
To administer our contract for user generated content with you (where you submit content to a digital PMI touchpoint)
To provide you with press releases, e-mail alerts, and newsletters
To enable you to use PMI touchpoints, and to customize your experiences of PMI touchpoints
To understand whether you are still engaged with our communications and whether you wish to continue to receive them
For general business administration, and to support all the above, including administering your accounts, enabling you to use PMI touchpoints, corresponding with you, managing your appointments with us or with someone supporting our services, customizing your experiences of PMI touchpoints, fraud prevention (for example in the context of our events and surveys, to ensure that they are not taken more than once by the same person), to provide security at events, and administration and troubleshooting
For business analytics, statistical or scientific purposes, including improving PMI touchpoints and services, and the information that we (or our affiliates) provide to those interested in our companies
For other purposes that we notify you of, or will be clear from the context, at the point information about you is first collected
The legal basis for our use of information about you is one of the following (which we explain in more detail in the “find out more” section):
compliance with a legal obligation to which we are subject;
the performance of a contract to which you are a party;
a legitimate business interest that is not overridden by interests you have to protect the information;
where none of the above applies, or where law requires it, your consent (which we will ask for before we process the information).
The purposes for which we use information about you, with corresponding methods of collection and legal basis for use, are:
|Legal Basis for Processing
Comply with regulatory obligations
This information is generally provided to us by you directly.
We use it because it is necessary for us to comply with legal obligations, in certain areas of our business, to deal only with adults, or, in countries where there is no such legal obligation, because we have a legitimate business interest to deal only with adults, that is not overridden by your interests, rights and freedoms to protect information about you.
Administer our contract for user generated content with you (where applicable)
This information is generally provided to us by you directly.
We use it on the grounds that it is necessary for us to fulfil our contract with you and on the grounds that we have a legitimate business interest to administer our relationship, to use content you submit to a digital PMI touchpoint, and to operate PMI touchpoints, in these ways that is not overridden by your interests, rights and freedoms to protect information about you.
Deliver PMI touchpoints, press releases, e-mail alerts and newsletters
This will typically be a combination of information that you provide to us (for example, your name and contact and social media details); and information that we collect automatically (for example, using technology (such as cookies and web beacons/pixels) to monitor your use of PMI touchpoints and e-mails from us, or closed circuit recordings at events), and using similar technology to monitor your use of third party touchpoints.
We use it on the grounds that we have a legitimate business interest to operate PMI touchpoints, and to customize your experiences, and to understand whether you wish to continue to receive our communications, in these ways that is not overridden by your interests, rights and freedoms to protect information about you.
We will generally receive the information from you directly.
We use it because we have a legitimate business interest to run our business (including organising events), manage our relationship with you and maintain the security and integrity of our IT systems and events that is not overridden by your interests, rights and freedoms to restrict use of information about you.
Security and systems monitoring
This information is collected automatically through various means such as automated systems and device monitoring.
We use it because we have a legitimate business interest in ensuring the confidentiality, integrity and security of our digital infrastructure that is not overridden by your interests, rights and freedoms to protect information about you.
Business analytics and improvements
This will typically be a combination of information that you provide to us (such as demographic information, e.g. your age, gender and the city where you live); information that we collect automatically (which will include information about your PMI electronic device and your use of it, but where we seek your consent to use certain data, we won’t use that data for these purposes unless you have given your consent to it); and (where permitted by law) information that we acquire from third parties. Where we have more than one type of information from these categories, we will combine them to improve our analysis.
Where we do not base our use of information about you on one of the above legal bases, or where law requires it, we will ask for your consent before we process the information (these cases will be clear from the context).
In some instances, we may use information about you in ways that are not described above. Where this is the case, we will provide a supplemental privacy notice that explains such use. You should read any supplemental notice in conjunction with this notice.
Sharing data with other PMI affiliates
- Information about you will be shared with Philip Morris Products S.A. (based in Neuchâtel, Switzerland), which is the place of central administration of personal data processing for PMI affiliates. Philip Morris Products S.A. processes the information about you for all the purposes described in this notice.
- Information about you may be shared with the PMI affiliate that is responsible for the country in which you live (if it wasn’t the PMI affiliate that first collected the information) for all the purposes described in this notice.
- Information about you may be shared with any other PMI affiliate that you contact (for example, if you travel and you want to know about a PMI affiliate’s event, campaign or general activities in another country) in order to enhance our service to you.
Details of PMI affiliates and the countries in which they are established are available.
Country-specific additional points
According to which country you are in, we want you to be aware of some further points.
If you are in Japan, find out more…
If you are in Japan, note that we share information about you, for the purposes described in this notice, with other PMI affiliates on the basis of “joint use” under Japanese data protection laws. When we do this, Philip Morris Japan Limited (PMJ) continues to manage your personal information responsibly, and we require those with whom we share the data to do the same. Further, if they are located outside Japan, we take reasonable measures in accordance with the relevant laws and regulations.
Sharing data with Third Parties
- To the extent permitted by applicable law, we may share information about you with third parties who provide PMI affiliates or you with services (such as travel agents, logistic service providers, advisers, payment service providers, information services providers and age verification providers).
- To the extent permitted by applicable law, we may share information about you with PMI affiliates’ carefully-selected third party business partners (in line with the kind of thing you might associate with our events) so that they can contact you with offers that they think may interest you, in accordance with your preferences.
- We may share information about you with other third parties, where required or permitted by law, for example: regulatory authorities; government departments; in response to a request from law enforcement authorities or other government officials; when we consider disclosure to be necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity; and in the context of organisational restructuring.
Where might information about you be sent?
As with any multinational organization, PMI affiliates transfer information globally. Accordingly, information about you may be transferred globally (for example, if you are in the European Economic Area (“EEA”), your information may be transferred outside the EEA; if you are in Australia, you information may be transferred outside Australia).
When using information as described in this notice, information about you may be transferred either within or outside the country or territory where it was collected, including to a country or territory that may not have equivalent data protection standards.
For example, PMI affiliates within the EEA may transfer personal information to PMI affiliates outside the EEA. In all such cases, the transfer will be:
- on the basis of a European Commission adequacy decision;
- subject to appropriate safeguards, for example the EU Model Contracts; or
- necessary to discharge obligations under a contract between you and us (or the implementation of pre-contractual measures taken at your request) or for the conclusion or performance of a contract concluded in your interest between us and a third party, such as in relation to travel arrangements.
In all cases, appropriate security measures for the protection of personal information will be applied in those countries or territories, in accordance with applicable data protection laws.
Our service providers are located in many countries throughout the world, including in particular the EEA, Switzerland, the USA, Canada, India, the Philippines, Indonesia, and Australia.
How do we protect information about you?
We implement appropriate technical and organizational measures to protect personal information that we hold from unauthorized disclosure, use, alteration or destruction. Where appropriate, we use encryption and other technologies that can assist in securing the information you provide. We also require our service providers to comply with strict data privacy and security requirements.
How long will information about you be kept?
We will retain information about you for the period necessary to fulfil the purposes for which the information was collected. After that, we will delete it. The period will vary depending on the purposes for which the information was collected. Note that in some circumstances, you have the right to request us to delete the information. Also, we are sometimes legally obliged to retain the information, for example, for tax and accounting purposes.
Typically, we retain data based on the criteria described in the table below:
|Explanation/typical retention criteria
Most of the information in your profile is kept for the duration of our relationship with you; for example, while you continue to use digital touchpoints, or respond to our communications. However, some elements of your profile, such as records of how we interact with you, naturally go out of date after a period of time, so we delete them automatically after defined periods (typically 15 months as appropriate for the purpose for which we collected them).
This scenario is the same as the above, but if we don’t have any contact with you for a long period (typically 1 year), we will stop sending you communications and delete your history of responses to them. This will happen, for example, if you never click through to an invitation to an event, or log on to a digital touchpoint, during that time. The reason is that in these circumstances, we assume you would prefer not to receive the communications.
|If you have registered to receive communications, but the information you give us to contact you doesn’t work, we will retain your details for a period of typically only 6 months to allow you to return and correct it.
|If you have signed up to receive e-mail alerts (and similar) or to use a PMI digital touchpoint, most of the information in your profile is kept for the duration of the period you continue to receive the alerts, use the digital touchpoint, or respond to our communications. However, some elements of your profile, such as your history of use of the PMI digital touchpoint, naturally go out of date after a period of time, so we delete them automatically after defined periods as appropriate for the purpose for which we collected them.
|System audit logs are retained typically for a period of 18 months.
|Most of the business analytics data is kept for the duration of our relationship with you as described in the first line of this table above. However, some elements of it naturally go out of date after a period of time, so we delete them automatically after defined periods as appropriate for the purpose for which we collected them.
What rights and options do you have?
You may have some or all of the following rights in respect of information about you that we hold:
- request us to give you access to it;
- request us to rectify it, update it, or erase it;
- request us to restrict our using it, in certain circumstances;
- object to our using it, in certain circumstances;
- withdraw your consent to our using it;
- data portability, in certain circumstances;
- opt out from our using it for direct marketing; and
- lodge a complaint with the supervisory authority in your country (if there is one).
We offer you easy ways to exercise these rights, such as “unsubscribe” links, or giving you a contact address, in messages you receive.
Some mobile applications we offer might also send you push messages, for instance about the events. You can disable these messages through the settings in your phone or the application.
The rights you have depend on the laws of your country. If you are in the European Economic Area, you will have the rights set out in the table below. If you are elsewhere, you can contact us (see the paragraph “who should you contact with questions?” at the end of this notice) to find out more.
|Right in respect of the information about you that we hold
|Further detail (note: certain legal limits to all these rights apply)
This is confirmation of:
On your request we will provide you with a copy of the information about you that we use (provided this does not affect the rights and freedoms of others).
This applies if the information we hold is inaccurate or incomplete.
This applies if:
This right applies, temporarily while we look into your case, if you:
(if you make use of your right in these cases, we will tell you before we use the information again).
This right applies also if:
You have two rights here:
This applies if the legal basis on which we use the information about you is consent. These cases will be clear from the context (for example, if you gave your consent using the preference center in one of our apps, you can withdraw your consent by turning off the corresponding toggle).
(i) you have provided data to us; and
Each European Economic Area country must provide for one or more public authorities for this purpose.
You can find their contact details here:
For other countries please consult the website of your country’s authority.
Country-specific additional points
According to which country you are in, you may have some additional rights.
If you are in Australia, find out more…
• If you are in Australia, the following additional information applies to you:
(A) if you do not provide your personal information to us, we may not be able to (as applicable) provide you with the information that you request; and
If you are in France, find out more…
• If you are in France, you have the right to give us instructions regarding information we hold about you in the event of your death (specifically, whether we should store or delete it, and whether others should have the right to see it). You may:
(A) issue general instructions to a digital service provider registered with the French data protection supervisory authority (called “CNIL”) (these instructions apply to all use of information about you); or
(B) give us specific instructions that apply only to our use of information about you.
Your instructions may require us to transfer information about you to a third party (but where the information contains information about others, our obligation to respect also their privacy rights might mean that we can’t follow your instructions to the letter). You may appoint a third party to be responsible for ensuring your instructions are followed. If you do not appoint a third party in that way, your successors will (unless you specify otherwise in your instructions) be entitled to exercise your rights over information about you after your death:
(i) in order to administer your estate (in which case your successors will be able to access information about you to identify and obtain information that could be useful to administer your estate, including any digital goods or data that could be considered a family memory that is transferable to your successors); and
(ii) to ensure that parties using information about you take into account your death (such as closing your account, and restricting the use of, or updating, information about you).
You may amend or revoke your instructions at any time. For further information on the processing of information about you in the event of your death, see Article 40-1 of the law 78-17 dated 6 January 1978. When you die, by default, you will stop using your account and we will delete information about you in accordance with our retention policies (see the paragraph “How long will information about you be kept?” for details).
If you are in the Philippines, find out more…
Who should you contact with questions?
If you have any questions, or wish to exercise any of your rights, you can find contact details for the relevant PMI affiliate, and if applicable data protection officer, here. Contact details will also be given in any communications that a PMI affiliate sends you.
If your country has a data protection authority, you have a right to contact it with any questions or concerns. If the relevant PMI affiliate cannot resolve your questions or concerns, you also have the right to seek judicial remedy before a national court.
Changes to this notice
We may update this notice (and any supplemental privacy notice), from time to time. Where the law requires it, we will notify you of the changes; further, where the law requires it, we will also obtain your consent to the changes.
First version: 23 June 2020