H&M Group Privacy Notice External Partners

Principles
The H&M Group manifests its commitment to privacy and data protection by embracing the following principles.

• H&M uses personal data lawfully, fairly, correctly and in a transparent manner.
• H&M collects no more personal data than necessary, and only for a legitimate purpose.
• H&M retains no more data than necessary or for a longer period than needed.
• H&M protects personal data with appropriate security measures.

Why do we process your data?
Under each specific section of this Privacy Notice you will be informed of the purpose for each relevant processing of information.

Who is responsible for processing of your personal data?
The Swedish company, H & M Hennes & Mauritz GBC AB is primary responsible for the processing of personal data within the scope of this Privacy Notice.

Under each specific section of this Privacy Notice you will be informed when instead H & M Hennes & Mauritz AB is responsible for processing your personal data, the allocation of responsibilities and the modalities for the execution of rights.

Identity of H&M Group controllers
H & M Hennes & Mauritz GBC AB
Registration number: 556070-1715
Address: Mäster Samuelsgatan 46
ZIP: 106 38 Stockholm
Sweden

H & M Hennes & Mauritz AB
Registration number: 556042-7220
Contact info as above.

The named H&M Group controllers above are throughout this Privacy Notice individually or collectively referred to as “H&M”, “we” or “us”.

Under certain circumstances the responsibility for data protection and your privacy is shared with third parties, such as banking and financial institutes, postal services, or electronic communication providers. More information can be found under each specific section of this Privacy Notice.

Where do we process your data?
The personal data that we collected from you is generally stored within a country of the European Union or the European Economic Area (“EU/EEA”) but may also, whenever necessary, be transferred to and processed in a country outside of the EU/EEA. Any such transfer of your personal data will be carried out in compliance with applicable laws and without undermining your statutory rights.

From time to time, we may transfer personal data from the EU/EEA to a third country not being approved by European commission as a safe country for such transfer (adequacy decision). Whenever applicable H&M will use Standard Contractual Clauses to ensure a similar level of protection as granted within the EU/EEA or other lawful grounds for transfer.

Who has access to your data?
Your personal data is available and accessible only by those who need the data to accomplish the intended processing purpose. To the extent necessary, your personal data may be shared between the companies and brands of within the H&M Group, with suppliers and sub-contractors (processors and sub-processors) carrying out certain tasks on H&M’s behalf and with independent third parties.

In addition, we may also disclose personal data to third parties, if we have reason to believe that using or disclosing such information is necessary or advisable to: (i) conduct investigations of possible breaches of law; (ii) identify, contact, or bring legal action against someone who may be violating an agreement they have with us; (iii) investigate security breaches or cooperate with government authorities pursuant to a legal matter; or (iv) to protect our rights, safety or property, including the prevention of fraud.

We reserve the right to transfer any personal data we have about you in the event that we merge with or are acquired by a third party, undergo another business transaction such as a reorganization, or should any such transaction be proposed.

What is the legal ground for processing?
H&M is not allowed to collect, process, use, store etc. personal data without a valid legal ground. Lawfulness may be derived from your consent, by contract, statutory obligations or from our legitimate interest as a business. For each specific process purpose of processing of personal data, we collect from you, we will inform you about which legal ground that will apply, and what rights you are entitled to exercise. whether the provision of personal data is statutory or required to enter a contract and whether it is an obligation to provide the personal data and possible consequences if you choose not to.

Right to access:
You have the right to request information about the personal data we hold on you at any time. You can contact H&M group that will provide you with your personal data via e-mail.

Right to portability:
Whenever H&M group process your personal data by automated means based on your consent or based on an agreement you have the right to get a copy of your data transferred to you or to another party. This only includes the personal data you have submitted to us.

Right to rectification:
You have the right to request rectification of your personal data if they are incorrect, including the right to have incomplete personal data completed.

Right to erasure:
You have the right to erase any personal data processed by H&M Group at any time except for the following situations

• for exercising the right of freedom of expression and information
• to comply with a legal obligation
• for the establishment, exercise, or defence of legal claims

Your right to object to processing based on legitimate interest:
You have the right to object to processing of your personal data that is based on H&M group’s legitimate interest. H&M group will not continue to process the personal data unless we can demonstrate a legitimate ground for the process which overrides your interest and rights or due to legal claims.

Your right to object to direct marketing:
You have the right to object to direct marketing, including profiling analysis made for direct marketing purposes. You can opt out from direct marketing by following the instruction in each marketing mail.

Right to restriction:
You have the right to request that H&M group restricts the process of your personal data under the following circumstances:
*if you object to a processing based on H&M Group’s legitimate interest, H&M Group shall restrict all processing of such data pending the verification of the legitimate interest.
*if you have claim that your personal data is incorrect, H&M Group must restrict all processing of such data pending the verification of the accuracy of the personal data.
*if the processing is unlawful you can oppose the erasure of personal data and instead request the restriction of the use of your personal data instead
*if H&M group no longer needs the personal data but it is required for you to make or defend legal claims.

How can you exercise your rights?
We take data protection very seriously and you can exercise your rights by contacting your point of contact with H&M group. If you do not have a point of contact or do not get a prompt response, you can direct your request to dataprotection.externalpartner@hm.com

Data Protection Officer:
We have appointed a Data Protection Officer to ensure that we continuously process your personal data in an open, accurate and legal manner. You can contact our Data Protection Officer by email at dataprotection.externalpartner@hm.com and write DPO as a subject.

Right to complain with a supervisory Authority:
If you consider the H&M group to process your personal data in an incorrect way you can contact us. You also have the right to turn in a complaint to a supervisory authority.

Updates to our Privacy Notice:
We may need to update our Privacy Notice. The latest version of the Privacy Notice is always available on our website. We will communicate any material changes to the Privacy Notice, for example the purpose of why we use your personal data, the identity of the controller or your rights.

Why do we use your personal data?
We will use and process your personal data necessary to evaluate potential business partners, collaborations and partnerships as well as manage existing business relations including communication, procurement, contract signing and financial transactions.

We will also process your personal data in order to achieve the purpose of the contract,
provide business partners with access to H&M Group’s systems, manage legal requirements for financial trading information.

In case of legal issues and disputes your personal data will be processed.

What types of personal data do we process?
We may process the following categories of personal data depending on relevant purpose:

• contact details such as name, e-mail address, telephone number
• work related information
• username
• publicly available social media information
• date of birth
• social security ID
• bank account
• nationality
• gender
• photo, audio, video

Who has access to your personal data?
We share your personal data within the H&M Group whenever necessary to fulfil the intended purpose. For the same reason, personal data is also shared with suppliers carrying out certain tasks on our behalf, such as order fulfilment and payment processing. We share your personal data with external advisors, IT service providers and other external service providers. Your personal data that is forwarded to third parties is only used for the purposes mentioned above.
H&M is always fully responsible for its suppliers.

We may from time to time also share personal data with independent third parties, such as electronic communication providers, banks, and postal services. Please be aware that many of these recipients have an independent right or obligation to process your personal data in their own rights.

What is the legal ground to process your personal data?
When concluding a contract with you H&M will process your personal data necessary to fulfil any obligations derived from that contract. The legal ground for processing is fulfilment of contract.

The processing of your personal data to manage business relations, provide business partners access to our systems and to manage legal requirements for financial trading are based on H&M group’s legitimate interest as a business.

The processing of your personal data for financial trading information is based on legal obligations.

How long do we save your data?
H&M will process your data no longer than necessary for fulfilling the purpose of procurement and business partnership, for the length of the agreement and time to preclude legal issues.

For legal disputes we will keep the data during the ongoing dispute and for a period of time after the dispute when the information is still relevant.

We will keep the data for financial trading information for 5 years in accordance with legal requirements.

When we create media content such as articles, interviews, videos, and pods for all our channels we will process your personal data if you appear in such content. We also use personal data to prepare, facilitate, follow up on interviews and media coverage.

When we archive media material such as press clips, images and photos, campaigns, press releases, videos, and audio recordings to preserve the company’s history your personal data will be processed if you appear in the material.

To manage different types of events, including meetings and press conferences, we will process personal data of the invited persons. Certain events may be recorded and transcribed.

We will process your personal data to send out financial reporting and other company information to recipients based on legitimate interest or if you have signed up to receive such information.

We will process your personal data to manage use of press samples.

If you contact us for information requests, we will process the personal data necessary to assist you with your request.

What types of personal data do we process?
We may process the following categories of personal data:

• contact details such as name, e-mail address, telephone number
• date of birth
• username
• gender
• nationality
• work related information, such as company, country of employment and work role
• size information
• photo and images
• video footage
• audio recording

What is the legal ground to process your personal data?
The processing of your personal data for the following purposes are based on H&M group’s legitimate interest:

• managing content, including produce, administrate, archive, and distribute media content
• manage press conferences and meetings
• to analyze media coverage, including social media
• manage press samples
• to manage requests
• to manage events, invitations, and participation

The processing of your personal data for teleconference participation is based on your consent if you. If you have signed up to receive company information the processing of your personal data is based on your consent.

How long do we keep your data?
We save your data if needed to fulfil the purpose for which it was collected to pursue our legitimate interests or until there is no longer any legal requirements or right for us to keep the data.
For the processing of personal data for the purposes based on consent we will keep the data until you withdraw your consent.

Your right to object to processing based on legitimate interest
You have the right to object to the processing of your personal data that is based on H&M’s legitimate interest. H&M group will not continue to process the personal data unless we can demonstrate a legitimate ground for the process which overrides your interest and rights or due to legal claims.

Your right to withdraw your consent
You have the right to withdraw your consent from the processing of your personal data at any time. When you do so we might not be able to provide you with the service based on the consent.

Why do we use your personal data?
We will use and process your personal data when you register as a shareholder and when you interact with us in relation to your shareholding with us. This includes when we receive your personal data from third parties such as Euroclear Sweden AB (publ), banks and law firms.

We may also process your personal data to handle communication that you as a shareholder or contact person at a company that is a shareholder initiates, respond to inquiries and, handle comments.

If you are a major shareholder, we may also process your personal data by publishing names and shareholdings in annual reports and on our website.

To manage H&M group’s Annual General Meeting we will process personal data, including managing registration of participants record and transcript of the Annual General Meeting.

We will also use personal data to manage power of attorneys and corporate registration certificates for attendance to the Annual General Meeting.

Who is responsible for processing your personal data?
The company H&M Hennes & Mauritz AB is responsible and the controller for processing your personal data for the purposes regarding Shareholders and the Annual General Meeting.

What types of personal data do we process?
We may process the following categories of personal data:

• contact details consisting of name, title, address, telephone number and e-mail address
• date of birth
• identification documentation such as social security number
• company and organization number (if it is possible to connect to you as a person)
• shareholder records (including shares held, share purchases, share disposals, dividend entitlements and payments, votes, proxy appointments, shareholder options, exercise conditions and exercise dates)
• photo, video, and audio

Who has access to your personal data?
We share your personal data within the H&M Group whenever necessary to fulfil the intended purpose.

We may share personal data with postal and e-mail distribution companies for our annual report, with Central securities depository to manage shareholders and power of attorneys.

What is the legal ground to process your personal data?
When we process your personal data necessary to meet the requirements imposed on us by applicable law, the legal basis for processing your personal data is legal obligation.

If you are a major shareholder, we also process your data by publishing names and shareholdings in annual reports, on our website, etc. This processing of personal data is based on H&M group’s legitimate interest.

The processing of personal data to register for the general annual meeting, to record and transcribe the meeting is based on H&M group’s legitimate interest.

The processing of personal data to register shareholders’ presence at the meeting is based on a legal obligation.

How long do we save your data?
Information that is processed to handle communication with you as well as related matters that you as a shareholder or contact person at companies that are shareholders initiate are saved as long as it is relevant in relation to the communication and the matter concerns.

We will keep your data for registration and for attendance to the annual general meeting and list of legal representatives for 12 months.

Why do we use your personal data?
We will process personal data to manage, register and resolve IT and information security incidents. We will also use personal data to handle incidents and accidents. We will also process your data to investigate a breach or non-compliance with regulations or H&M group’s policies and requirements.

We will use your personal data for camera monitoring in our facilities for security reasons and for follow up on incidents and accidents.

In order to be compliant with payment card industry regulations your personal data will be processed through visitor logs and audit reports for audit reasons.
We will also process your personal data related to your key card and the use of it, including follow ups on incidents and accidents.

In the event of investigation of non-compliance with our policies and in whistleblowing related matters we process personal data.

What type of data do we process?
We will process the following categories:

• contact information such as name, home address, e-mail address and telephone number
• date of birth
• work information such as company name and work role
• logs such as for key cards
• employment information such as user ID number
• IP number
• video surveillance footage
• photo
• other necessary information for investigations, and any other information provided to us in an incident report

Who has access to your personal data?
Data that is forwarded to third parties is only used to perform the service mentioned above. We will share your personal data with security companies, auditors, and legal advisors to handle security issues and administration. We will also share your personal data with video surveillance companies for video footage.

What is the legal ground to process your personal data?
The processing of your personal data is based on our legitimate interest in order for us to manage incidents and security breaches.

How long do we save your data?
We will keep your data for the time we need to prevent and/or report protentional fraud and other offenses.

Video footage will be saved in compliance with local legislation but maximum 30 days.

Why do we process your personal data?
H&M Group processes your personal data when monitoring social media channels across internet for mentions of our brands, competitors, product, and more. Only with insights about what customers say about us we can improve as a business, brand, and employer. Monitoring and measuring the buzz in social media is a crucial component of customer audience research and for cultivating our customer and public relations.

Personal data may also be collected from Social Media business accounts for analysing on an aggregated level to be able to gather insights and forecast trends. The purpose with these aggregated analyses is to improve product development and enhance business decisions.

How is personal data processed?
Personal data is collected from social media platforms and structured in databases provided by third-party suppliers. If you want to learn more about how our third-party service providers process your personal data, please visit following websites.

Brandwatch

Visenze

What personal data is processed?
Personal data consists of identifying information such as your name, username, device in combination of information relating to the published content (e.g. comments, expressions, opinions, posts, etc.), your profile picture or other images or videos that you post or interact with, your job title or profession, your interests and gender, and your location.

Who is responsible for the processing of personal data?
H&M is responsible for processing personal data in the scope of tracking, analysing and responding to conversations whereas Brandwatch is responsible for collecting (through crawling and indexing), structuring, compiling and storing personal data in the service.

Who has access to your personal data?
We share your personal data within the H&M Group whenever necessary to fulfil the intended purpose. For the same reason, personal data is also shared with suppliers carrying out certain tasks on our behalf, such as independent analysing companies, PR and media agencies.

Any social media service provider making the personal data publicly available on their platform is responsible for their own part of the processing as a controller.

What is the legal ground to process your personal data?
H&M’s data processing activities taken place within the context of social media listening and analysis is based on our legitimate interest as a business.

Exercise of rights
You should turn to Brandwatch to exercise your rights to request access, update, restriction, rectification and erasure of such personal data Brandwatch holds about you.

You may also exercise your rights against the social media service provider who made the personal data publicly available.

The right to object

You have the right to object to the processing of your personal data that is based on H&M’s legitimate interest. H&M will not continue to process the personal data unless we can demonstrate a legitimate ground for the process which overrides your interest and rights or due to legal claims.

You have the right to object to H&M’s processing by contacting dataprotection.externalpartner@hm.com.

You may also exercise your rights against the social media service provider who made the personal data publicly available.

Why do we use cookies?
The H&M Group uses cookies and other tracking technologies to give you the full functionality of the website, to customize your user experience, perform analytics and deliver personalized advertising on our websites, apps and newsletters across internet and via social media platforms.

Who is responsible for cookies?
H & M Hennes & Mauritz GBC AB and the named publisher, listed in the cookie subgroup below, are both responsible for setting cookies on your device when you access any of our official websites and for the access and collection of data from the same device.

What is a cookie?
A “cookie” is a small text file that is downloaded onto your device such as computer or smartphone when you access our websites.

We use cookies and other similar technologies in order to make our website work efficiently and secure and to improve personalized user experience.

When referring to cookies we include:

• first- and third party cookies
• tracking pixels and plug-ins, including technologies those from third party publishers
• other tracing technologies

All cookies have a publisher which tells you who the cookie belongs to. The publisher is the owner of the domain specified in the cookie. Whenever you visit our website, we place cookies onto your device for different reasons. Such cookies are called “first-party” cookies, whereas cookies set by a third-party company, such as a social media platforms or ad network/ad tech providers, are called “third party” cookies.

Below you will find more detailed information about our cookies and the reason for using them.

How to withdraw your cookie consent?
You can at any time disable your non-essential cookie by withdrawing your consent. You manage your cookie consents in Cookie Settings at the bottom of this website.

In addition to your consent withdrawal, you can easily stop your browser from accepting cookies by configuring your browser’s cookie settings.

All commercial web browsers are featured with cookie management functionality.

Please check your web browser to find out more how to delete or disable cookies etc.

If you choose to disable cookies, you may face limitation on functionality and a deteriorated user experience.

What types of cookies do we use and why?

 

Links
hmgroup.com may contain links to other websites beyond our control. We cannot be held liable for breaches of integrity or content on these websites – we simply provide the links to make it easier for people visiting our site to find more information within specific areas.

Copyright
The content on this site is copyrighted and belong to H & M Hennes & Mauritz AB.

Colours
We cannot guarantee that the shown on the website exactly reproduce the of the actual garments. This partly depends on the reproduction on your computer.

This Privacy Notice was last updated:
09/02/2022

Effectuated Changes to previous version
Editorial changes, including clarifying information on Social media measurement.