GIORDANO PRIVACY NOTICE
Introduction
Giordano International Limited (“Giordano”, “we” or “us”) takes the protection of your personal data seriously. This Privacy Notice sets out information about Giordano’s privacy practices and your rights.
We may amend this Privacy Notice at any time and for any reason. The updated version will be available by following the “Privacy Notice” link on our website homepage. You should check the Privacy Notice regularly for changes.
Data protection laws
Giordano is based in Hong Kong and is subject to the Personal Data (Privacy) Ordinance (“PDPO”). Giordano processes all personal data in accordance with the PDPO (see our Privacy Policy on our official website).
In addition, when:
- Giordano processes personal data of individuals who are located in the European Union (“EU”); and
- that processing relates to offering goods or services to individuals who are located in the EU or monitoring individuals who are located in the EU,
then Giordano is also subject to the General Data Protection Regulation 2016/679 (“GDPR”). Therefore, if you are located in the EU, Giordano will also process your personal data in accordance with the GDPR and you may have additional rights under the GDPR.
In this Privacy Notice, the terms personal data, controller, processor, data subject, consent, recipient, third party, processing and profiling have the meanings given to them in the GDPR.
Controller contact details
The controller for the processing of personal data under this Privacy Notice is:
Giordano International Limited
5th Floor, Tin On Industrial Building
777-779 Cheung Sha Wan Road
Kowloon
Hong Kong
The controller’s representative in the EU for the purposes of the GDPR is:
Kennedys
31 Rue de Lisbonne
75008 Paris
France
Phone: +33 1 84 79 37 80
Data Protection Officer contact details
If you have any questions about this Privacy Notice or about our personal data processing practices, or if you wish to exercise any of your rights as a data subject, you may contact Giordano’s Data Protection Officer at dataprotection@giordano.com or as follows:
Mark Loynd
Executive Director, Group Counsel & Group Human Resources Director
Giordano International Limited
5th Floor, Tin On Industrial Building
777-779 Cheung Sha Wan Road
Kowloon
Hong Kong
Fax: +852 2370 8864
Email: dataprotection@giordano.com
Supervisory authority contact details
If you have a complaint about our personal data processing practices, you should first contact Giordano’s Data Protection Officer.
If you are not satisfied with our response, you have the right to lodge your complaint with a data protection authority.
If you are outside the EU, you can lodge your complaint with your local data protection authority or the Hong Kong Privacy Commissioner for Personal Data:
Privacy Commissioner for Personal Data
Room 1303, 13/F, Sunlight Tower
248 Queen's Road East
Wanchai
Hong Kong
Fax: 2877 7026
Website: https://www.pcpd.org.hk/
If you are in the EU, you can lodge your complaint with your country’s supervisory authority. A list of supervisory authorities is available here.
Specific situations in which we may process your personal data
Giordano collects and processes personal data in a number of different situations.
1. Purchasing products from our physical stores
We process certain personal data about customers who purchase products from our physical stores.
- Types of personal data we collect
When you purchase a product from our physical stores and pay by credit or debit card, we will collect your card details required through our payment terminal to process your payment.
At the time of your purchase, we may also invite you to join a loyalty scheme. See section 6.4 below for details about loyalty scheme membership.
- Purposes of processing
We may use your card details to process your payment.
- Legal basis for processing under the GDPR
Using your card details to process your payment is necessary for our legitimate interests as a retailer. See section 7 below for more details about Giordano’s legitimate interests.
- Recipients or categories of recipients
We may disclose your card details to our bank, your bank and your card association for authorisation.
- Transfers
If our bank or your bank is located overseas, the credit card authorisation process may involve your card details being transferred overseas. Your card details are kept secure in accordance with the Payment Card Industry Data Security Standard.
- Retention period
We may retain your transaction details for as long as we require them for legal and commercial reasons. Generally, we retain transaction details for a period of seven years after your transaction. Once Giordano has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.
- Requirement to provide personal data
If you pay for a purchase by cash, we will not collect any personal data from you.
2. Creating a Giordano Online Store profile
Before you make a purchase from the Giordano Online Store, you will first need to create a profile. Note that we also have online stores on third-party platforms and that you may need to create a separate profile with those platforms – you should check their privacy policies online for details about how they process your personal data.
- Types of personal data we collect
To create a profile, you will be required to provide either your email address or mobile phone number. You can optionally add a photo, a nickname and your date of birth (to receive birthday discounts).
- Purposes of processing
We may use the personal data in your profile to provide you with discounts on purchases.
If you consent to receive communications when you register, we may send you promotional offers, information about new products, and invitations to special events by email or SMS.
- Legal basis for processing under the GDPR
Using your personal data to provide you with discounts is necessary for our legitimate interests as a retailer. See section 7 below for more details about Giordano’s legitimate interests.
Using your personal data to send you promotional messages is based on your consent. You may withdraw your consent by unsubscribing from promotional emails and/or SMS messages at any time on your profile page.
- Recipients or categories of recipients
We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such service providers are subject to obligations not to use or disclose that data.
- Transfers
We may transfer your personal data overseas. Giordano’s information systems are hosted on central servers located in Hong Kong, mainland China and Dubai. Any personal data that we store on our systems will be transferred to one of those locations. See section 8 below for information about the safeguards Giordano adopts when transferring personal data overseas.
- Retention period
We may retain your profile details for as long as we require them for legal and commercial reasons. If you unsubscribe from promotional messages, we may retain your email address on a “no marketing” list to ensure we do not inadvertently send you promotional messages in the future.
- Requirement to provide personal data
It is mandatory to provide your email address or mobile phone number to create a profile before making a purchase from our online stores. Providing any other personal data is optional.
3. Purchasing products from our online stores
We will process certain personal data about customers who purchase products from our online stores.
- Types of personal data we collect
When you purchase a product from our online stores, we may collect your name, mobile phone number, e-mail address, and (unless you choose to pick up your order from a physical store) delivery address. Payment is via PayPal – PayPal’s privacy policy is available at https://www.paypal.com. We have no access to any personal data you provide to PayPal.
- Purposes of processing
We may use your contact details to contact you about your order and your delivery address to deliver your order.
- Legal basis for processing under the GDPR
The processing described above is necessary for our legitimate interests as a retailer. See section 7 below for more details about Giordano’s legitimate interests.
- Recipients or categories of recipients
We may disclose your delivery details to our delivery provider to arrange delivery. We may disclose your payment details to your card issuer or to a payment processor for verification.
We may also disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such service providers are subject to obligations not to use or disclose that data.
- Transfers
We may transfer your personal data overseas. Giordano’s information systems are hosted on central servers located in Hong Kong, mainland China and Dubai. Any personal data that we store on our systems will be transferred to one of those locations.
If our bank or your bank is located overseas, the credit card authorisation process may involve your card details being transferred overseas. Your card details are kept secure in accordance with the Payment Card Industry Data Security Standard.
See section 8 below for information about the safeguards Giordano adopts when transferring personal data overseas.
- Retention period
We may retain your order details for as long as we require them for legal and commercial reasons. Once Giordano has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.
- Requirement to provide personal data
It is mandatory to provide your name and contact details. We cannot process your order without these details. If you choose to pick up your order at one of our physical stores, you do not need to provide a delivery address.
4. Loyalty scheme membership
We will process certain personal data about customers who join one of Giordano’s loyalty schemes (“loyalty schemes”). Loyalty schemes vary by country and/or region and include World Without Strangers, BSX, Giordano Junior and Giordano Ladies Privilege Card.
- Types of personal data we collect
When you make a purchase over a certain amount from a Giordano retail store, we may invite you to join a loyalty scheme. The information we collect when you join differs depending on the loyalty scheme:
1. World Without Strangers – phone number* and day and month of birth*;
2. BSX – surname and name*, day and month of birth*, phone number*, gender and email address;
3. Giordano Junior – name*, day and month of birth*, age range*, phone number*, gender and email address;
4. Giordano Ladies Privilege Card – surname and name*, phone number*, ID card/passport number, day and month of birth, email address, mailing address, and country.
(*required)
- Purposes of processing
We may use your personal data to enrol you in the loyalty scheme, provide you with member discounts and other entitlements, (for World Without Strangers) track your accumulated points, communicate with you about loyalty scheme member discounts and other entitlements and notify you of any changes to the loyalty scheme rules.
- Legal basis for processing under the GDPR
By joining the loyalty scheme, you consent to us processing your personal data for the above purposes. You can withdraw your consent at any time by contacting us at wws@giordanogroup.com, but you will then cease to be a member of the loyalty scheme and forfeit any accrued points or privileges.
- Recipients or categories of recipients
We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such service providers are subject to obligations not to use or disclose that data.
- Transfers
We may transfer your personal data overseas. Giordano’s information systems are hosted on central servers located in Hong Kong, mainland China and Dubai. Any personal data that we store on our systems will be transferred to one of those locations. See section 8 below for information about the safeguards Giordano adopts when transferring personal data overseas.
- Retention period
We will store your personal data for as long as you are a loyalty scheme member. Once Giordano has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.
- Requirement to provide personal data
It is entirely optional to join a loyalty scheme. If you decide to join, it is mandatory to provide your data as required.
5. Subscribing to Giordano promotional eNews
We will process certain personal data about customers who sign up to receive promotional eNews from Giordano.
- Types of personal data we collect
You may sign up to receive promotional eNews from Giordano by entering your email address in the eNEWS SUBSCRIPTION box on the Giordano website.
- Purposes of processing
If you provide us with your email address, you consent to us using your email address to send you promotional offers, information about new products, and invitations to special events.
- Legal basis for processing under the GDPR
By entering your email address in the eNEWS SUBSCRIPTION box on the Giordano website, you consent to us processing your personal data for the above purposes. You can withdraw your consent at any time by unsubscribing using the link in our emails.
- Recipients or categories of recipients
We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such service providers are subject to obligations not to use or disclose that data.
- Transfers
We may transfer your personal data overseas. Giordano’s information systems are hosted on central servers located in Hong Kong, mainland China and Dubai. Any personal data that we store on our systems will be transferred to one of those locations. See section 8 below for information about the safeguards Giordano adopts when transferring personal data overseas.
- Retention period
We will store your personal data for as long as you consent to receive promotional eNews from Giordano. If you unsubscribe, we may retain your email address on a “no marketing” list to ensure we do not inadvertently send you marketing communications in future.
- Requirement to provide personal data
It is entirely optional to subscribe to promotional eNews.
6. Service Providers
Giordano will collect certain personal data about individuals who are, or who are associated with, Giordano service providers.
- Types of personal data we collect
To engage you or your organisation as a service provider, we will need to collect personal data about you, including your name, position, address, contact details, business details, qualifications and experience.
- Purposes of processing
We may process your personal data for the purpose of allowing you or your organisation to provide, and for receiving, your services and for other purposes related to that purpose (for example, to pay you for your services).
- Legal basis for processing under the GDPR
If you are an individual service provider, you will have a contract with Giordano for the provision of services. The processing described above is necessary for taking steps to enter into that contract, or for the performance of that contract.
If you are an individual associated with a service provider, the processing described above is necessary for the purposes of Giordano’s legitimate interests in operating its business. See section 7 below for more details about Giordano’s legitimate interests.
- Recipients or categories of recipients
We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such service providers are subject to obligations not to use or disclose that data.
In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.
- Transfers
We may transfer your personal data overseas. Giordano’s information systems are hosted on servers located in Hong Kong, mainland China and Dubai. Any personal data that we store on our systems will be transferred to one of those locations. See section 8 below for information about the safeguards Giordano adopts when transferring personal data overseas.
- Retention period
Giordano will only retain personal data for as long as it has a legitimate purpose to do so. Giordano will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data. Giordano will generally retain your personal data for at least six years after you last provided services to us. Once Giordano has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.
- Requirement to provide personal data
It is optional to provide most of the above personal data. However, in many cases, if you do not provide that data, it may affect our ability to assess your suitability to provide services to us, or your ability to provide services to us.
7. Contacting us with a query
Giordano will collect certain personal data about you if you contact us with a query, in store, by mail, email, fax or through our website.
- Types of personal data we collect
We may collect your name and contact details, and any other personal data in your correspondence to us.
- Purposes of processing
We may use your personal data to respond to your query.
- Legal basis for processing
The processing described above is necessary for the purposes of Giordano’s legitimate interests in serving its customers. See section 7 below for more details about Giordano’s legitimate interests.
- Recipients or categories of recipients
We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such service providers are subject to obligations not to use or disclose that data. Otherwise, we will not disclose your personal data outside Giordano, unless that is necessary to respond to your query.
- Transfers
We may transfer your personal data overseas. Giordano’s information systems are hosted on central servers located in Hong Kong, mainland China and Dubai. Any personal data that we store on our systems will be transferred to one of those locations. See section 8 below for information about the safeguards Giordano adopts when transferring personal data overseas.
- Retention period
Giordano will only retain personal data for as long as it has a legitimate purpose to do so. Giordano will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.
Giordano may retain your personal data for as long as it takes to respond to your query. After we have responded to your query, we may retain your personal data for follow up or record-keeping purposes.
Once Giordano has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.
- Requirement to provide personal data
You may choose what personal data you provide when you send us a query.
Legitimate interests
As noted in section 6 above, in some situations, Giordano may process your personal data on the basis of its “legitimate interests”.
Giordano Group is a global fashion retailer. As such, Giordano has a legitimate interest in:
- advertising, offering and selling its products in physical and online stores;
- developing and growing its business and understanding the needs of its customers; and
- employing and managing its employees and contractors.
Giordano will only rely on those legitimate interests to process personal data where:
- the processing is necessary for the purposes of those legitimate interests; and
- those legitimate interests are not overridden by the data subject’s interests or fundamental rights and freedoms.
Transfers
As noted in section 6 above, Giordano may transfer your personal data to other countries and/or regions.
The information systems of Giordano are hosted on central servers located in Hong Kong, mainland China and Dubai. Any personal data that we store on our systems will be transferred to one of those locations.
For the purposes of the GDPR, the European Commission issues adequacy decisions on the data privacy laws of non-EU countries and/or regions. A list of current adequacy decisions is available here: https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.
The majority of countries and/or regions to which Giordano may transfer personal data are not covered by a European Commission adequacy decision. However, many of them do have local data privacy laws which are similar to the GDPR.
Giordano will require that any overseas third party to which it discloses your personal data: (a) only use that personal data for the purposes for which it was disclosed; (b) use all technical and organisational measures which are reasonable in the circumstances to secure that personal data; (c) delete that personal data when it is no longer required; and (d) treat that personal data in accordance with this Privacy Notice and their local data privacy law.
Automated decision-making including profiling
Giordano does not engage in any automated decision-making or profiling.
Website tracking and cookies
When you visit our website, we may maintain log files recording the following information:
- the Internet Protocol (IP) address;
- the date and time of visit;
- the webpage accessed and documents downloaded; and
- the type of browser being used.
The log files provide us with statistical information on how people use the site and what content people are viewing. They do not contain any personal data and they are not used to identify any individual.
We use cookies to collect the above information. For more information about our use of cookies, please refer to our Cookie Policy.
Your rights
If you are located outside the European Union and the United Kingdom
The PDPO provides you with the right to seek access to any personal data we hold about you, and to request correction of that data if it is incorrect. To make a request pursuant to these rights, contact Giordano’s Data Protection Officer (see section 3 above).
If you are located in the European Union or the United Kingdom
If you are located in the EU or the UK, you have additional rights in relation to your personal data as follows:
- Access: You have the right to obtain access to and a copy of any personal data we hold about you. You also have the right to find out whether your personal data has been transferred outside the EU and any safeguards relating to this transfer.
- Rectification: If you consider that any personal data we hold about you is incorrect or incomplete, you have the right to ask us to correct or complete that personal data.
- Erasure: In certain circumstances, you have the right to ask us to erase any personal data we hold about you.
- Restriction of processing: In certain circumstances, you have the right to ask us not to process your personal data for certain purposes.
- Objection to processing: In certain circumstances, you have the right to object to us processing your personal data for certain purposes.
- Data portability: In certain circumstances, you have the right to request a copy of your personal data in a structured, commonly used and machine-readable format.
- Withdrawing consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time.
For more information about these rights, visit https://ico.org.uk/for-the-public/.
To make a request pursuant to these rights, contact Giordano’s Data Protection Officer (see section 4 above).
[Ref.: PN(EN)-201810]