EU general information notice (in force since 25/03/2024)

We are Stella McCartney LTD with registered offices at 3 Olaf Street, London W11 4BE, United Kingdom, and Stella McCartney Italia SRL, with registered offices at Via Morimondo 2/3, 20143 Milano (Italia) and, for the purposes described in this Notice, we are the Main Joint Data Controllers of your Personal Data.

Stella McCartney LTD and Stella McCartney Italia SRL are collectively identified below as (“Stella McCartney” “SMC,” “we” or “us”).

When we collect your Personal Data during your purchasing process on our E-commerce (i.e. when you buy our Services online, or you are interested in a particular product and you place it in your shopping cart), we are Joint Data Controllers of your Online Shopping Data together with Drop Srl, which is the Merchant of Records for the online purchases processing activities on our E-commerce.

We may collect data from Our Pages, Mobile Applications, E-commerce, when you visit one of Our Shops, and/or when you attend one of Our Events. Data collected and the relative purposes of processing depend on how you interact with us and how you manage the settings of your Browser and the Device you are using.

You may find further details on the reasons why we process your Personal Data in the “Why we use your Data” section below.

Data you provide

You can provide us with Personal Data such as your name, phone/mobile number(s), date of birth, sex, e-mail address, postal address, payment and billing information, as well as your preferences (e.g., hobbies, job, interests, size or particular colours of your purchase history). It is the case, for example, when you use our Services, make purchases in Our Shops, participate in one of Our Events or when you ask us questions, make requests, interact with our support services or participate in our surveys. You can also choose to provide us with Information about your location if, for example, you want to search for one of Our Shops in a particular location (e.g., London, Milan, Paris, etc.) or when you order our products.

If you provide us with the data of third parties (e.g., postal addresses or payment data of third parties for a gift), you will be held responsible for having shared such information with us. You must be legally authorized to share it (i.e., authorized by the third party to share their information or for any other legitimate reason). You must fully indemnify us against any complaints, claims or demands for compensation of damages which may arise from the processing of third-party Personal Data in violation of applicable data protection law.

Data collected by the Browser and the Device

When you use Our Pages, we collect information on the Browser and the Device you are using. This information includes your IP Address, the date, time and the requested URL, Unique Identifiers and other information such as the type of your Browser or Device. Information related to your Browser or Device may include your operating system, language, network settings, telephone operator or internet provider, installed third-party applications and plug-in lists.

Some of this information is collected using Cookies, SDK and Other Tracking Technologies that are on your Browser or Device. This helps us, for instance, to avoid malfunctions during the provision of the Services, and allows us to provide you with Content that may be useful to you. You can find the complete list of Cookies and SDK we use here.

Data inferred by your activity

We collect information based on your online and offline interactions with our Services in order to improve them and to identify Content that may be useful to you. This happens, for example, when you are interested in a particular product and you place it in your shopping cart, when you click on an advertising link on Our Pages, or when you participate in Our Events. In such cases, we will attempt to provide you with relevant content.

In other cases, such as when you contact us by email, mail, telephone or otherwise regarding our products or request other information, we will collect and maintain a record of your contact details, communications and our responses. If you contact us by telephone, more information will be provided during the call.

Information about your location

We collect information about your location to allow you to view Our Shops near you, and to provide you with Content that may be useful to you. Your location can be determined by manually entering an address, city or zip code or by checking your IP Address.

Your location is determined - more or less accurately - depending on whether it is collected from the Browser or Device and on the privacy settings you have set on them. We make every possible effort to ensure that Information on your location is not used to infer your Sensitive Data.

You can limit our collection of your position by changing your Browser or Device settings, as set out in the “How to control your Data and manage your choices” section below.

Who can access your Personal Data stored in our CRM

Please note that your Personal Data stored in our CRM, subject to your prior consent as explained below, are worldwide accessible by SMC, acting as the Main Joint Data Controllers of your Personal Data, and by:

• Drop S.r.l., which process your Online Shopping Data acting as Joint Data Controller, in accordance with your jurisdiction, for the online purchases processing activities;
• our Affiliates operating Our Shops, acting as Data Processors of your Personal Data for marketing and profiling activities, which can access worldwide to your Online Shopping Data stored in our CRM.

Data collected by third parties

We may ask third-party business partners (e.g., social media, co-branding companies, etc.) to send or display our advertisements to their users on the basis of certain criteria/interests. These so-called micro-targeting and/or retargeting activities typically do not lead to the direct collection of Personal Data by SMC. Instead, they usually allow us to obtain Aggregated Information on the effectiveness of those advertisements or lead to the registration of new users or new followers. In accordance with European legislation, in carrying out these activities both SMC and our business partners make every possible effort to verify the conformity of the data (including joint controllership agreements) before they are used. You can request more information on our list of active commercial partners and the obligations of the respective parties by writing to privacy@stellamccartney.com.

When you buy our Services in one of our Shops, your Shopping Data are processed by our Affiliates operating our Shops, acting as independent Data Controllers for the related purchases processing activities.

In order to have a better insight and understanding of your needs, we may ask the Affiliates operating our Shops to send us your Shopping Data to enable us to analyse them and send you offers targeted to your interests. The transfer of your Shopping Data from our Shops to SMC is subject to your explicit prior consent.

Data collected from public or publicly accessible sources

We may collect or enrich your Personal Data with information obtained from third parties and public sources accessible within the limits of the law applicable to us. These sources may include data brokers, public registers, online newspapers, lists or public directories. Please note that a preliminary check is always carried out on the possibility to use this information, according to the best practices established by the competent Supervisory Authorities to which we are subject (the UK ICO and the Italian Garante).

We disclose your Data with the following list of persons/entities (“Recipients”):

• Persons authorized by us to perform any of the data-related activities described in this document: our employees and collaborators who have undertaken an obligation of confidentiality and abide by specific rules concerning the processing of your Data;
• Our Data Processors: external subjects to whom we delegate some processing activities. For example, security systems providers, accounting, administrative, legal, tax, financial and debt collection consultants, data hosting platform providers, etc. We have signed agreements with each of our Data Processors to ensure that your Data are processed with appropriate safeguards and only under our instruction.
• Systems administrators: our employees and those of our Data Processors which assist us with the management of our IT systems and therefore can access, modify, suspend and limit the processing of your Data. These subjects have been previously selected, adequately trained and their activities tracked by systems they cannot modify.
• Third parties in relation to your purchases: external payment providers, international carriers.
• Our Affiliates: depending on your jurisdiction, we will share your Data with our Affiliates operating Our Shops to assist you in your preferred language and in cases where we wish to engage in business initiatives at the local level. All the Affiliates have signed a data processing agreement for the processing of your Data. You can request more information on our Affiliates and our data processing agreements by writing to privacy@stellamccartney.com.
• Law enforcement or any other authority whose provisions are binding for us: this is the case when we have to comply with a judicial order or law or defend ourselves in legal proceedings. Where a government, being supranational, federal, state or governmental, prefectural or local government, statutory, administrative or regulatory body, court, agency, including a law enforcement agency, or any other authority in any part of the world (also outside of your jurisdiction) whose regulations, directives, notices, resolutions, orders, decrees, injunctions, warrants, subpoenas, or judgments are binding upon us requires us to disclose your Data, we will not share your Data without your consent, unless we are under a legal obligation to comply with said regulations, etc.

Data collected for the purposes indicated above are processed both manually and via automated processing, namely, through programs or algorithms that analyse Data inferred by your activities, Information about your location, and Data collected by the Browser and the Device.

Your Data may also be subject to Combination and/or Crossing, which provides a deeper understanding of your interactions with us. The Combination and/or Crossing of your information for the purposes we process it for (e.g., customizing the Services) can be enabled or disabled as explained in the “How to control your Data and manage your choices” section below.

SMC is a global brand and Our Shops are available in multiple jurisdictions worldwide. This means that your Data may be stored, accessed, used, processed, and disclosed outside your jurisdiction, including within the European Union, and the United States of America, or any other country where our Affiliates operating Our Shops, service providers, Data Processors and sub-processors are located, or where their server or cloud computing infrastructures may be hosted. We take steps to ensure that the processing of your Data by our Recipients is compliant with the applicable data protection laws, including the UK and the Italian laws to which we are subject. Where required by EU data protection law, transfers of your Data to Recipients outside of the EU will be subject to adequate safeguards (such as the EU standard contractual clauses for data transfers between EU and non-EU countries), and/or other legal basis according to the EU and the UK legislations. For more information on the adequate safeguards we have implemented with regard to Data that is transferred to third countries, please write to: privacy@stellamccartney.com.

Data processed for the purposes indicated above will be kept for the period deemed strictly necessary to fulfil such purposes. Data collected for marketing and customization of Services will be retained for seven years based on our legitimate interest as luxury brand.

Data processed in compliance with the legal obligations to which we are subject will be kept for the period required by law. Data processed to protect our interests, and our users' interests, is kept until the time provided for by applicable law to protect our interests (typically no longer than 10 years).

Once the relevant retention period/criterion has expired, your Data is erased pursuant to the SMC retention policy.

You can request more information on our data retention criteria and policy by writing to: privacy@stellamccartney.com

We take reasonable precautions from the physical, technological and organizational points of view to prevent the loss, misuse, or modification of Data under our control. For example:

• We ensure that your Data is only accessed and used by, transferred or disclosed to Recipients that need to have access to such Data.
• We also limit the amount of Data which is accessible, transferred or disclosed to Recipients to what is strictly necessary to fulfil the purposes or specific tasks performed by the Recipient.
• The computers and servers where your Data is stored are kept in a secure environment, are password-controlled with limited access, and have industry standard firewalls and anti-virus software installed.
• Paper copies of any documents containing your Data (if any) are kept in a secure environment as well. For example, depending on the sensitivity of the information in question, your Data may be stored in a locked filing cabinet that can only be accessed by our employees who require the information, as described above.
• When destroying paper copies of documents containing your Data that is no longer needed, we ensure that such documents are shredded or incinerated.
• When destroying Data recorded and stored in the form of electronic files that are no longer needed, we make sure that a technical method (for example, low level format) ensures that the records cannot be reproduced.
• Laptops, USB keys, mobile phones and other electronic wireless devices used by our employees who have access to your Data are password protected. We encourage employees not to store your Data on such devices unless it is reasonably necessary for them to do so to perform a specific task as outlined in this Notice.
• We train our employees to comply with this Notice and periodically conduct audits and other monitoring activities to ensure ongoing compliance and to determine the effectiveness of our privacy management practices.
• Any data processor that we use is contractually required to maintain and protect your Data using measures that are substantially similar to those set out in this Notice or required under applicable data protection law.
• In cases required by the applicable legislation, if a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Data transmitted, stored or otherwise processed, will be notified to you and to the competent data protection authority as required (for example, unless Data is unintelligible to any person or the breach is unlikely to result in a risk to your rights and freedoms and those of others).

This Notice explains and covers the processing operations that we carry out as Data Controllers and as Main Joint Data Controllers.

The Notice does not cover processing carried out by parties other than SMC and in particular, does not cover:

• the processing carried out by our business partners as autonomous data controllers including those carried out by social media platforms within Our Pages;
• The further processing carried out by our Affiliates as autonomous Data Controllers for the exclusive purpose of finalizing the sales in Our Shops;
• The processing carried out by Drop Srl as an autonomous Data Controller for purposes other than those described in this Notice.

With respect to such hypotheses, we do not assume any responsibility for the processing of your Data not covered by this Notice.

This Notice entered into force on the date indicated at the beginning of this document. We reserve the right to modify or update this Notice, in full or in part, at our discretion or as a consequence of changes in applicable regulations. We will inform you of substantial changes to this Notice via your contact details.

The previous Notice is available here.

The icons illustrated in this Notice are “Data Protection Icons” by Maastricht University European Centre on Privacy and Cybersecurity (ECPC) CC BY 4.0.