Last Updated: June 2020
We are committed to safeguarding your privacy rights and ensuring that your personal data is protected.
1. Who is responsible for what happens with your data?
Superdrug Stores plc ("Superdrug" or “we”) are responsible for processing your personal data on our Site. Superdrug is a member of the A.S. Watson group of companies (“ASW Group”), which is part of the multinational conglomerate CK Hutchison Holdings Limited (“CK Hutchison”).
2. How do I contact the Data Protection Officer?
If you have a question in relation to how we process your personal data you can contact our Data Protection Officer via email email@example.com or via post at Group Information Security, 17 Nijborg , 3927 DA Renswoude, The Netherlands.
3. What is Personal Data?
Personal Data means information that can directly or indirectly identify you ("Personal Data"). This typically includes information such as your name, address, email address, and telephone number, but can also include other information such as IP address, shopping habits, information about your health and information about your lifestyle or preferences such as your hobbies and interests. Information about your health are called “special categories of Personal Data” that require special protection because of their sensitivity.
4. What happens when you provide us with your Personal Data or when we otherwise receive your Personal Data?
We collect your Personal Data directly in a number of ways, for example when you provide us with your information to register as a customer for our Site, subscribe to our newsletter, receive information or mailings, buy a product or service from us, complete a survey, complete a health diagnostic test, make a comment or enquiry or contact our Customer Team.
We may also receive your Personal Data from other sources, including information from commercially available sources, such as public databases and data aggregators, and information from third parties. If you do not want us to receive your Personal Data from other sources, please communicate your preferences directly with the relevant sources.
Please refer to the table in Section 6.1 for details of the various types of Personal Data we may collect, the relevant purposes and the legal basis for such processing.
5. What happens if our customer is a child?
You must be at least 16 years of age to register an account and to place an order on the Site. We therefore will not use the Personal Data of any person under the age of 16 which is obtained via the Site for marketing purposes.
6. For which purposes do we process your Personal Data?
6.1 We process the following categories of Personal Data for the following purposes:
|What Personal Data may we collect?||What is the purpose of the processing?||How long do we store your Personal Data?||What is the legal basis for the processing?|
|Browsing on our Sites||Information about the type of browser you use when visiting our Sites, your IP and device address, hyperlinks that you have clicked, websites you visited before arriving at our Site and information collected by cookies or similar tracking devices. Your user name, profile picture, gender, networks and any other information you choose to share when using Third Party Sites (such as when you use the "Like" functionality on Facebook).|
See Section 6.2. below for more information about cookies.
Please check the Cookie Consent Tool to learn about the storage periods for each cookie.
Your consent when you click “agree and proceed” in our Cookie Consent Tool on our Site. In some cases, and always when permitted by law, we will infer from your actions that you agree to Cookies. Please note that we need to process certain basic surfing data in order to provide core Site functionalities such as secure log-in or remember how far you are through an order.
You can always revisit your cookie preferences via our Cookie Consent Tool or by changing your browser settings.
|Purchase/Agreeing to a Service|
Name, title, postal address, billing address, email address, home telephone, mobile number, passwords, prescription order history, payment history, payment information (i.e. bank or credit card details), age, date of birth, gender, NHS number, information on the handling of your request (including information relating to prescription or pharmacy medicines and other medicinal products that you order), and other Personal Data you voluntarily provide to us.
|We process Personal Data to provide you with products or services that you request from us, including sending you products you have purchased.||As long as you keep shopping with us. If after three years, you have no transactions, we delete or anonymise your Personal Data, except where we are required by law as a healthcare provider to retain certain electronic patient records. These patient records will include some Personal Data and your prescription / treatment history. We are required to retain these records for a minimum of 10 years after your death.||We need this information to process your order or any other service you request from us (performance of a contract). For processing of information about health (your consent).|
|Customer Service||Name, title, postal address, billing address, email address, home telephone, mobile number, passwords, prescription order history, payment history, payment information (i.e. bank or credit card details), age, date of birth, gender, NHS number, information on the handling of your query, posts and other content you submit to our Site, and further information submitted by you in relation to a purchase or service request or other query (including special category Personal Data).||We process your Personal Data whenever you contact us and when we respond to your enquries and comments.||General enquiries and comments relating to service issues etc. three years from last communication with you. Communications relating to your health, personal injuries, accidents and other health and safety issues may need to be kept for a longer period in case of legal claims or settlements.||To process your enquiries, comments or complaints at your request (performance of a contract or quasi-contract).|
|Suggesting products and services which may interest you||Name, title, postal address, email address, mobile number, order history, payment history, age, date of birth, gender, actions you take on our website or when viewing our emails, answers you provide in surveys, your shopping habits and preferences.||To suggest tailored products or services that we think may be of interest to you based on your shopping history and behaviour, your preferences, and our market segmentation strategies. We may do this by sending you - via post, email, newsletter, SMS, push notifications or phone - details of products, services, special offers, promotions and other information. We may also contact you to offer the opportunity to take part in customer research surveys, promotions, prize draws or competitions.||As long as you keep shopping with us. If after three years, you have no transactions, we delete or anonymise your Personal Data, unless we are required by the law to store it for a longer period. |
If you have signed up to any of our newsletters, we will retain your Personal Data until you unsubscribe.
You may authorise us to do so if you become a Health & Beautycard member by accepting our Terms & Conditions (performance of a contract).
If you are not a Health & Beautycard member, you will authorise us by signing up to our newsletters or creating an online account.
You can always opt-out of our marketing by updating your Account Details in your profile (if you have one), by calling our Customer Team or via the unsubscribe button in any our marketing communications.
|Online Shopping||Name, title, postal address, billing address, email address, home telephone or mobile number, gender, NHS number, information about products you order, (including health products or medicines), prescription order history, details about your purchase, payment information, payment history, age, date of birth.||To process your online purchase and deliver the product(s) to you as ordered. Your payment related Personal Data may be transferred to payment providers to process your payments.||As long as you keep shopping with us. If after three years, you have no transactions, we delete or anonymise your Personal Data, except where we are required by law as a healthcare provider to retain certain electronic patient records. These patient records will include some Personal Data and your prescription / treatment history. We are required to retain these records for a minimum of 10 years after your death.||We need this information to provide you with your online order (performance of a contract). For processing of information about health data (your consent).|
|Fraud prevention and other administrative services, such as registration||Name, title, postal address, email address, home telephone or mobile number, information about health or diagnostic data, NHS number, payment information (i.e. bank details), payment history, age.||To carry out administrative services, including processing any application you submit to us for providing the services, preventing or detecting fraud or other crimes, verifying your identity and credit/payment status, or processing payment instructions. Your payment related Personal Data may be transferred to payment providers to process your payments or the police for fraud prevention purposes.||As long as you keep shopping with us. If after three years, you have no transactions, we delete or anonymise your Personal Data, unless we are required by law as a healthcare provider to retain certain electronic patient records. These patient records will include some Personal Data and your prescription / treatment history. We are required to retain these records for a minimum of 10 years after your death.|
For the prevention and detection of fraud to ensure that your identity and transactions are secured (balancing of interest with our interest being to prevent fraud and protect our customers).
We perform other administrative services to provide you with the respective underlying services (performance of a contract).
When you visit our Site you may access services which are provided on third party websites (for example, the Superdrug Online Doctor and Superdrug Online Opticians). In this instance these third parties will be responsible for your Personal Data and will act as Data Controller in respect of your Personal Data.
6.2 Cookies and Similar Technologies
We may also tailor our Site and our products to your interests and needs, by collecting information about your device and linking this to your Personal Data so as to ensure that our Site present the best web experience for you.
Where we use Google Analytics, we have set up the service to anonymise your IP address as soon as data is received by the Analytics Collection Network https://support.google.com/analytics/answer/2763052?hl=en, before any storage or processing takes place. To opt out of being tracked by Google Analytics across all websites please visit http://tools.google.com/dlpage/gaoptout.
You can view more information on the Cookies we use and adjust your preferences via the Cookie Consent Tool on our Site. Please note, however, that without cookies you may not be able to use all of the features of our Site or online services.
7. Who do we share your Personal Data with?
7.1 Our Service Providers
You understand that in order to provide our services to you we may need to share your Personal Data (including special category Personal Data relating to your health) with your doctor and non-medical staff working at or with us as well as with pharmacies (including but not limited to pharmacies operated by us) or hospitals working with us to deliver medical services to you.
We share your Personal Data with with the following data processors (i.e. service providers that help us to perform the above tasks):
- relevant companies of the ASW Group and subsidiaries of CK Hutchison for the purposes of Customer Relationship Management and analytics, in particular with A.S. Watson (Health & Beauty UK) Limited.
- relevant companies of the ASW Group and trusted third parties which directly support our promotional activities, Site administration and Superdrug’s Health & Beautycard programme, in particular A.S. Watson (Health & Beauty Continental Europe) B.V. for IT management (hosting, maintenance and test).
- trusted third parties to help us process and analyse your Personal Data for us, to support us when suggesting products & services which may interest you in line with Section 6.1 above.
- if you order a product or service from us, trusted third parties to allow payment and delivery of the products and services you have ordered. Unless you provided consent, any such trusted third parties are not authorised by us to use your Personal Data in any other way and will be required by us to implement adequate technical and organisational measures to protect your Personal Data.
7.2 Other Recipients
We share your Personal Data with the following third parties that process your Personal Data for their own purposes (i.e. these third parties are not processors; they rather use your Personal Data because they have their own interest or because you had consented):
- law enforcement or other agencies if we are required to do so by law, or by a warrant, subpoena or court order to disclose your Personal Data.
Please note that we never share your Personal Data with social media platforms. When we engage in audience building or customer matching activities with social media platforms like Facebook or Google, your Personal Data is always anonymised before the transfer. If there are any changes in the future and we have to share your Personal Data with a social media platform, we will ask for your consent.
7.3 Sharing your Site Usage Information
With your consent, we will share Site usage information with trusted third parties (e.g. advertisers, advertising agencies, advertising networks, data exchanges, etc.) in order to offer you tailored content which may be of interest to you based on your prior activity on our Site. These trusted third parties may set and access their own Cookies, web beacons and similar tracking technologies on your device in order to help us deliver customised content and advertising to you when you visit our relevant Sites. Please see Section 6.2 for more information about Cookies and how to opt out.
You can also visit the website www.youronlinechoices.com to choose which companies can deliver customised advertisements.
Please note that even if you opt out, you may still receive advertisements from us that are not customised based on your Site usage information.
8. To which countries do we transfer your Personal Data?
Many of our trusted third parties and ASW Group companies and CK Hutchison companies are based in countries that provide an adequate level of data protection, such as the European Economic Area.
We also transfer your data to Ukraine (where our web development team sits), USA and India (where some of our suppliers have back office services), and Canada (where some of our suppliers that provide us with data analytics and personalisation services are located).
When we need to transfer your Personal Data to a trusted third party or ASW Group or CK Hutchison company based in a country where data protection laws are considered not to offer the same level of protection, we ensure adequate data protection safeguards by relying on other legitimate means, such as the Privacy Shield certification and/or Standard Contractual Clauses.
More details on the transfer mechanism can be obtained from our Data Protection Officer (see contact details in Section 2).
9. How long do we process your Personal Data?
We will store your Personal Data only until the aforementioned purposes for which we have collected or received your Personal Data are fulfilled and once our statutory obligations to preserve records have expired as further described in Section 6.1.
10. What are your rights?
If certain requirements are fulfilled, you have the right to:
- Obtain from us confirmation as to whether or not we process Personal Data from you and, where that is the case, access to your Personal Data;
- Rectification of inaccurate Personal Data;
- Erasure of Personal Data, subject to our legal obligations to retain certain special category Personal Data relating to your health;
- Objection to the processing of Personal Data;
- Restriction of processing of Personal Data; and
- Portability of Personal Data - receive the Personal Data you have provided to us in a structured, commonly used and machine-readable form and transmit it to another data controller.
You can learn more about these rights here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/. To exercise your rights, please contact the Data Protection Officer (see Section 2 for contact details) or get in touch with our Customer Team on the details set out below.
Note that you do not need to contact our Data Protection Officer to exercise your rights to stop receiving marketing communications from us. You can opt out of receiving such communications by going to your Account Details, directly from the communications we send you or by contacting our Customer Team by phone – 01706 300 210 or by sending an email to firstname.lastname@example.org.
11. Can you withdraw your consent to the processing of Personal Data?
Where your consent is the legal basis for the processing of your Personal Data, you can withdraw your consent for:
- Marketing communications: by logging into your account details using the unsubscribe link in any of our marketing communications.
- Other purposes: by sending us an email to email@example.com or by contacting our Customer Team as detailed in Section 10.
Please note that withdrawing your consent will not affect the lawfulness of the processing before the withdrawal.
12. Can you complain with the Data Protection Authorities?
If you think that the processing of Personal Data by us violates data protection laws, you can lodge a complaint with the Information Commissioner (www.ico.org.uk).
a id="13">13. How do we protect your Personal Data?
We maintain appropriate technical and organisational measures to protect the Personal Data you provide to us against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to your Personal Data.