British American Tobacco Benelux - Privacy policy

Privacy policy

We respect your privacy. We are committed to safeguarding the privacy of our website visitors. Please read this document carefully as it sets out our 'Privacy Policy' which informs you what we do with your personal data, whether we are providing you with news alerts or using your personal data as part of the research that we conduct for or statistical purposes.

This Privacy Notice applies to the personal data of visitors to this website.

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), the company responsible for your personal data is: British American Tobacco Belgium, Nieuwe Gentsesteenweg 21, 1702 Groot-Bijgaarden, Belgium (“BAT BELUX”).

BAT NL and BAT BELUX hereinafter jointly referred to as “BAT” or “us”.

We may amend this Privacy Notice from time to time. Please visit this page if you want to stay up-to-date as we will post any changes here.

If you are dissatisfied with any aspect of our Privacy Notice, you may have legal rights which we have described below where relevant.

1) Information we collect about you

Depending on the relevant circumstances and applicable local laws and requirements, we may collect some or all of the information listed below to help us with this:

  •  Name;
  •  Contact details;
  •  Country of residence;
  •  Background i.e. vocation/profession; and
  •  Extra information that you choose to tell us.

The above list details the ways in which we collect your personal details pleased note that this is not exhaustive.

Some of the personal data we collect from you are required to enable us to fulfil our duties to you or to others. For example, when you sign up to email alerts, we need to collect your email address, name and country to be able to process your request. Other items may simply be needed to ensure that our relationship can run smoothly.

Depending on the type of personal data in question and the grounds on which we may be processing it, should you decline to provide us with such data, we may not be able to fulfil the request.

For details of the legal bases that we rely on to be able to use and process your personal data, please see the below section entitled "Legal bases for us processing your data".

2) How do we collect your personal data?

We collect your personal data in three primary ways:

  •  Personal data that you give to us;
  •  Personal data that we receive from other sources; and
  •  Personal information we collect automatically.

Personal data you give to us:

There are numerous ways that you can share your information with us. These include:

  •  Where you contact us proactively, usually by phone, email or via social media; and/or
  •  Where we contact you, either by phone or email.

Personal data we receive from other sources

We may seek more information about you from other sources generally including from third parties.

Personal data we collect automatically

When you visit our website, we collect technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform. We use the information for statistical reporting and do not link it to any named individuals.

BAT will not intentionally collect any information about visitors to this website who are under eighteen years of age. If BAT becomes aware that a child has provided any information this will immediately be deleted from BAT’s records.

3) Why do we collect your personal data?

We collect, use and disclose your personal data for a number of reasons, including:

  •  to ensure that we can respond to any queries and contact you if you request us to do so
  •  for storing your details (and updating them when necessary) on our database, so that we can contact you in relation to email news alerts or respond to any query you have asked us to answer
  •  as part of the research that we conduct for statistical purposes
  •  to administer our website for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes
  •  to ensure the effective operation of software and IT services procured by us (including disaster recovery)
  •  for other reasons with your consent.

4) Who do we share your information with?

We will share your personal data primarily to ensure we provide you with the most relevant and up to date news, content and events, or to ensure we can respond to any query quickly and expeditiously. Unless you specify otherwise, we may share your information with any of the following groups:

  •  Any of our BAT entities, where this is necessary, and in accordance with laws on data transfers;
  •  Tax, audit, or other authorities, when we believe that the law or other regulation requires us to share this data (for example, because of a request by a tax authority or in connection with any anticipated litigation) or in order to help prevent fraud or to enforce or protect the rights and properties of British American Tobacco or its subsidiaries; or protect the personal safety of British American Tobacco employees, third party agents or members of the public.
  •  Third party service providers who perform functions on our behalf (including external consultants, investor relations service providers and professional advisers such as lawyers, auditors and accountants, technical support functions and IT consultants carrying out testing and development work on our business technology systems);
  •  Third party outsourced IT providers where we have an appropriate data processing agreements (or similar protections) in place;
  •  If a BAT entity merges with or is acquired by another business or company in the future, we may share your personal data with the new owners of the business or company (and provide you with notice of this disclosure); and
  •  Circumstances may arise where, whether for strategic or other business reasons, British American Tobacco decides to sell, buy, merge or otherwise reorganise businesses in some countries. Such a transaction may involve the disclosure of your personal information to prospective or actual purchasers, or the receipt of it from sellers. It is British American Tobacco’s practice to seek appropriate protection for personal information in these types of transactions.

    We do not share, rent or trade your information with third parties for marketing or promotional purposes.

5) How long do we keep your personal data for?

We will not keep your personal data for longer than is necessary for the purposes for which we collect it unless we believe that the law or other regulation requires us to preserve it (for example, because of a request by a tax authority or in connection with any anticipated litigation).

When it is no longer necessary to retain your data, we will delete the personal data that we hold about you from our systems.

6) How do we keep your personal information secure?

We care about protecting your information. That's why we put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal data.

We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and organisational measures, including encryption measures and disaster recovery plans.

Unfortunately, there is always risk involved in sending information through any channel over the internet. You send information over the internet entirely at your own risk. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted over the internet and we do not warrant the security of any information, including personal data, which you transmit to us over the internet.

If you suspect any misuse or loss of or unauthorised access to your personal information please let us know immediately. Please raise your concern by contacting us using the Contact us section of the website, in the first instance, and we will investigate the matter and update you as soon as possible on next steps.

7) Your rights

You have various rights in relation to the data which we hold about you. We have set these out below.

Right to object

This right enables you to object to us processing your personal data where we do so for one of the following reasons:

  •  because it is in our legitimate interests to do so (for further information please see section 10 below);
  •  to enable us to perform a task in the public interest or exercise official authority; or
  •  for scientific, historical, research, or statistical purposes

Right to withdraw consent

Where we have obtained your consent to process your personal data for certain activities, you may withdraw this consent at any time and we will cease to use your data for that purpose unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.

Data Subject Access Requests

You may ask us for a copy of the information we hold about you at any time, and request us to modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this unless permitted by law. If you request further copies of this information from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.

Right to erasure

You have the right to request that we erase your personal data in certain circumstances. Normally, this right exists where:

  •  The data are no longer necessary;
  •  You have withdrawn your consent to us using your data, and there is no other valid reason for us to continue;
  •  The data has been processed unlawfully;
  •  It is necessary for the data to be erased in order for us to comply with our obligations under law; or
  •  You object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
  •  We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so.
  •  When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.

Right to restrict processing

You have the right to request that we restrict our processing of your personal data in certain circumstances, for example if you dispute the accuracy of the personal data that we hold about you or you object to our processing of your personal data for our legitimate interests. If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.

Right to rectification

You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.

Right of data portability

If you wish, you have the right to transfer your personal data between service providers. In effect, this means that you are able to transfer the details we hold on you to another third party. To allow you to do so, we will provide you with your data in a commonly used machine-readable format so that you can transfer the data. Alternatively, we may directly transfer the data for you.

Right to complain

You also have the right to lodge a complaint with your local supervisory authority which is the Privacy Commission (Commissie voor de bescherming van de persoonlijke levenssfeer / Commission de la protection de la vie privée). You can contact them in the following ways:

Phone: +32 (0)2 274 48 00

Website: www.privacycommission.be

E-mail: commission@privacycommission.be

Address: Drukpersstraat 35, 1000 Brussel
Rue de la Presse 35, 1000 Bruxelles

If you would like to exercise any of these rights, or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your personal data), please contact us using the Contact us form on the website. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

8) Who is responsible for processing your personal data?

BAT BELUX is responsible for processing personal data.

If you have any comments or suggestions concerning this Privacy Notice please contact us. We take privacy seriously and will get back to you as soon as possible.

9) How do we store and transfer your data internationally?

Your personal data may be transferred outside of the European Economic Area to the types of entities described in section 4 above.

We want to make sure that your personal data is stored and transferred in a way which is secure. We will therefore only transfer data outside of the European Economic Area or EEA (i.e. the Member States of the European Union, together with Norway, Iceland and Liechtenstein) where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data, for example:

By way of an intra-group agreement between BAT entities, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws;

By way of a data transfer agreement with a third party, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws; or

By transferring your data to an entity which has signed up to the EU-U.S. Privacy Shield Framework for the transfer of personal data from entities in the EU to entities in the United States of America or any equivalent agreement in respect of other jurisdictions; or

By transferring your data to a country where there has been a finding of adequacy by the European Commission in respect of that country's levels of data protection via its legislation; or

Where it is necessary for the conclusion or performance of a contract between ourselves and a third party and the transfer is in your interests for the purposes of that contract (for example, if we need to transfer your data to a benefits provider based outside the EEA); or

Where you have consented to the data transfer.

Where we transfer your personal data outside the EEA and where the country or territory in question does not maintain adequate data protection standards, we will take all reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy

10) Legal bases for us processing your data

There are a number of different ways that we are lawfully able to process your personal data. We have set these out below.

Where using your data is in our legitimate interests

We are allowed to use your personal data where it is in our interests to do so, and those interests aren't outweighed by any potential prejudice to you.

We believe that our use of your personal data is within a number of our legitimate interests, including but not limited to:

To help us understand our website visitors better and provide more relevant information and services to them;

To ensure that our website runs smoothly;

To help us keep our systems secure and prevent unauthorized access or cyber-attacks; and

We don't think that any of the activities set out in this Privacy Notice will prejudice you in any way. However, you do have the right to object to us processing your personal data on this basis. We have set out details regarding how you can go about doing this in section 7 above.

Where you give us your consent to use your personal data

We are allowed to use your data where you have specifically consented. In order for your consent to be valid:

It has to be given freely, without us putting you under any type of pressure;

You have to know what you are consenting to - so we'll make sure we give you enough information;

You should only be asked to consent to one thing at a time - we therefore avoid "bundling" consents together so that you don't know exactly what you're agreeing to; and

You need to take positive and affirmative action in giving us your consent - we're likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.

When you register on our website, we ask you for specific consents to allow us to use your data in certain ways. If we require your consent for anything else in the future we will provide you with sufficient information so that you can decide whether or not you wish to consent.

You have the right to withdraw your consent at any time. We have set out details regarding how you can go about this in section 7 above

Where using your personal data is necessary for us to carry out our obligations under our contract with you

We are allowed to use your personal data when it is necessary to do so for the performance of our contract with you.

Where processing is necessary for us to carry out our legal obligations

As well as our obligations to you under any contract, we also have other legal obligations that we need to comply with and we are allowed to use your personal data when we need to in order to comply with those other legal obligations.