The H&M Group manifests its commitment to privacy and data protection by embracing the following principles.
- H&M uses personal data lawfully, fairly, correctly and in a transparent manner.
- H&M collects no more personal data than necessary, and only for a legitimate purpose.
- H&M retains no more data than necessary or for a longer period than needed.
- H&M protects personal data with appropriate security measures.
Why do we process your data?
Under each specific section of this Privacy Notice you will be informed of the purpose for each relevant processing of information.
Who is responsible for processing of your personal data?
The Swedish company, H & M Hennes & Mauritz GBC AB is primary responsible for the processing of personal data within the scope of this Privacy Notice.
Under each specific section of this Privacy Notice you will be informed when instead H & M Hennes & Mauritz AB is responsible for processing your personal data, the allocation of responsibilities and the modalities for the execution of rights.
Identity of H&M Group controllers
H & M Hennes & Mauritz GBC AB
Registration number: 556070-1715
Address: Mäster Samuelsgatan 46A
ZIP: 106 38 Stockholm
H & M Hennes & Mauritz AB
Registration number: 556042-7220
Contact info as above.
The named H&M Group controllers above are throughout this Privacy Notice individually or collectively referred to as “H&M”, “we” or “us”.
Under certain circumstances the responsibility for data protection and your privacy is shared with third parties, such as banking and financial institutes, postal services, or electronic communication providers. More information can be found under each specific section of this Privacy Notice.
Where do we process your data?
The personal data that we collected from you is generally stored within a country of the European Union or the European Economic Area (“EU/EEA”) but may also, whenever necessary, be transferred to and processed in a country outside of the EU/EEA. Any such transfer of your personal data will be carried out in compliance with applicable laws and without undermining your statutory rights.
From time to time, we may transfer personal data from the EU/EEA to a third country not being approved by European commission as a safe country for such transfer (adequacy decision). Whenever applicable H&M will use Standard Contractual Clauses to ensure a similar level of protection as granted within the EU/EEA or other lawful grounds for transfer.
Who has access to your data?
Your personal data is available and accessible only by those who need the data to accomplish the intended processing purpose. To the extent necessary, your personal data may be shared between the companies and brands of within the H&M Group, with suppliers and sub-contractors (processors and sub-processors) carrying out certain tasks on H&M’s behalf and with independent third parties.
In addition, we may also disclose personal data to third parties, if we have reason to believe that using or disclosing such information is necessary or advisable to: (i) conduct investigations of possible breaches of law; (ii) identify, contact, or bring legal action against someone who may be violating an agreement they have with us; (iii) investigate security breaches or cooperate with government authorities pursuant to a legal matter; or (iv) to protect our rights, safety or property, including the prevention of fraud.
We reserve the right to transfer any personal data we have about you in the event that we merge with or are acquired by a third party, undergo another business transaction such as a reorganization, or should any such transaction be proposed.
What is the legal ground for processing?
H&M is not allowed to collect, process, use, store etc. personal data without a valid legal ground. Lawfulness may be derived from your consent, by contract, statutory obligations or from our legitimate interest as a business. For each specific process purpose of processing of personal data, we collect from you, we will inform you about which legal ground that will apply, and what rights you are entitled to exercise. whether the provision of personal data is statutory or required to enter a contract and whether it is an obligation to provide the personal data and possible consequences if you choose not to.