H&M GROUP PRIVACY NOTICE

GENERAL

Protecting personal data and your privacy is of greatest concern for the H&M Group. This Privacy Notice intends to establish a clear, concise, and transparent communication on the collection, use, processing, storing etc. of personal data necessary to establish and manage external partner relationships.
This Privacy Notice is applicable to any former, current, and potential business partner, agent, franchisee, supplier, sub-contractor, shareholder, persons on site (to our premises or websites) or other stakeholder with whom we engage with.
The H&M Group comprises the company affiliates of H & M Hennes & Mauritz AB and its brands: H&M, COS, Weekday, Monki, H&M HOME, & Other Stories, Arket and Afound.
The H&M Group and its affiliated companies are throughout this Privacy Notice individually or collectively referred to as “H&M”, “we” or “us”.

Who is responsible for processing of your personal data?

The company responsible for the processing of your personal data is dependent on the purpose for which your personal data is collected and with whom you engage with.

The Swedish company, H & M Hennes & Mauritz GBC AB Registration number: 556070-1715, Mäster Samuelsgatan 46A, 106 38 Stockholm, Sweden, is responsible for most of the processing of personal data within the scope of this Privacy Notice.

Within each specific section of this Privacy Notice, we will clarify how personal data processing responsibilities are distributed among H&M companies.

Under certain circumstances, your personal data is shared with third parties, such as banking and financial institutes, postal services, or electronic communication providers. These third parties operate as independent data controllers and have their own privacy practices. More information can be found under each specific section of this Privacy Notice.

What is the legal ground for processing?

H&M is not allowed to collect, process, use, store etc. personal data without a valid legal ground. Lawfulness may be derived from your consent, by contract, statutory obligations or from our legitimate interest as a business. For each specific process purpose of processing of personal data, we collect from you, we will inform you about which legal ground that will apply, and what rights you are entitled to exercise. Whether the provision of personal data is statutory or required to enter a contract and whether it is an obligation to provide the personal data and possible consequences if you choose not to.

Where do we process your data?

The personal data that we collected from you is generally stored within a country of the European Union or the European Economic Area (“EU/EEA”) but may also, whenever necessary, be transferred to and processed in a country outside of the EU/EEA. Any such transfer of your personal data will be carried out in compliance with applicable laws and without undermining your statutory rights.

From time to time, we may transfer personal data from the EU/EEA to a third country not being approved by European commission as a safe country for such transfer. Whenever applicable H&M will use Standard Contractual Clauses to ensure a similar level of protection as granted within the EU/EEA or other lawful grounds for transfer.

Who has access to your data?

Your personal data is available and accessible only by those who need the data to accomplish the intended processing purpose. To the extent necessary, your personal data may be shared between the companies and brands of within the H&M Group, with suppliers and sub-contractors (processors and sub-processors) carrying out certain tasks on H&M’s behalf and with independent third parties.

In addition, we may also disclose personal data to third parties, if we have reason to believe that using or disclosing such information is necessary or advisable to: (i) conduct investigations of possible breaches of law; (ii) identify, contact, or bring legal action against someone who may be violating an agreement they have with us; (iii) investigate security breaches or cooperate with government authorities pursuant to a legal matter; or (iv) to protect our rights, safety or property, including the prevention of fraud.

WHAT ARE YOUR RIGHTS?

Right to access:
You have the right to request information about the personal data we hold on you at any time. You can contact H&M Group that will provide you with your personal data.

Right to portability: 
Whenever H&M Group process your personal data by automated means based on your consent or based on an agreement you have the right to get a copy of your data transferred to you or to another party. This only includes the personal data you have submitted to us.

Right to rectification:
You have the right to request rectification of your personal data if they are incorrect, including the right to have incomplete personal data completed.

Right to erasure:
You have the right to erase any personal data processed by H&M Group at any time except for the following situations:

  • for exercising the right of freedom of expression and information
  • to comply with a legal obligation
  • for the establishment, exercise, or defence of legal claims

Your right to object to processing based on legitimate interest: 
You have the right to object to processing of your personal data that is based on H&M group’s legitimate interest. H&M group will not continue to process the personal data unless we can demonstrate a legitimate ground for the process which overrides your interest and rights or due to legal claims.
Your right to withdraw your consent
For the processing activities where you have given us your consent, you have the right to withdraw your consent from the processing of your personal data at any time. When you do so we might not be able to provide you with the service based on the consent.

Right to restriction:
You have the right to request that H&M group restricts the process of your personal data under the following circumstances:
*if you object to a processing based on H&M Group’s legitimate interest, H&M Group shall restrict all processing of such data pending the verification of the legitimate interest.
*if you have claim that your personal data is incorrect, H&M Group must restrict all processing of such data pending the verification of the accuracy of the personal data.
*if the processing is unlawful you can oppose the erasure of personal data and instead request the restriction of the use of your personal data instead
*if H&M group no longer needs the personal data but it is required for you to make or defend legal claims.

How can you exercise your rights?
We take data protection very seriously and you can exercise your rights by contacting your point of contact with H&M group. If you do not have a point of contact or do not get a prompt response, you can direct your request to dataprotection.externalpartners@hm.com.

Data Protection Officer:
We have appointed a Data Protection Officer to ensure that we continuously process your personal data in an open, accurate and legal manner. You can contact our Data Protection Officer by email at dataprotection.externalpartners@hm.com and write DPO as a subject.

Right to complain with a supervisory Authority: 
If you consider the H&M group to process your personal data in an incorrect way you can contact us. You also have the right to turn in a complaint to a supervisory authority.

BUSINESS RELATIONS

Why do we use your personal data?
We will process your personal data necessary to fulfil our obligations directly or indirectly deriving from our business contracts, legal requirements, and our business relationships. Therefore, we may collect and use your personal data for the following purposes:

  • To evaluate and source potential business partners, collaborations, and partnerships.
  • To oversee the entire business contract lifecycle, including negotiating, signing, amending, and terminating agreements.
  • To manage existing business relations including communication, procurement, training administration and financial transactions.
  • To enable business collaboration by providing access to H&M Group´s systems.
  • To monitor and evaluate performance if service level is agreed upon.
  • To manage legal requirements related to financial trading.
  • To handle legal issues and disputes.

What types of personal data do we process?
We may process the following categories of personal data depending on relevant purpose:

  • contact details such as name, e-mail address, telephone number
  • work related information
  • username
  • publicly available information related to your profession
  • date of birth
  • personal ID and nationality if you act as a seller on our online store
  • bank account
  • gender
  • photo, audio, video

Who are responsible for processing of your personal data?
The H&M Company that you engage and/or enter into an agreement with is the data controller and thus responsible for the processing activities of your personal data.

What is the legal ground to process your personal data?
When concluding a contract with you H&M will process your personal data necessary to fulfil any obligations derived from that contract. The legal ground for processing is fulfilment of contract.

The processing of your personal data to manage business relations, provide business partners access to our systems and to manage legal requirements for financial trading are based on H&M Group’s legitimate interest as a business.

The processing of your personal data related to financial trading is based on legal obligations.

How long do we save your data?
H&M will process your data no longer than necessary for fulfilling the purpose of procurement and business partnership, for the length of the agreement and time to preclude legal issues.

For legal disputes we will keep the data during the ongoing dispute and for a period after the dispute when the information is still relevant.

We will keep the data for financial trading information in accordance with legal requirements.

MEDIA AND COMMUNICATION

We actively engage and build a relationship with key stakeholders across different platforms. To do this, your personal data may be processed for the following purposes:

  • To create, facilitate and publish digital contents such as articles, interviews, and videos across our channels.
  • To archive media content such as press clips, images and photos, campaigns, press releases, videos, and audio recordings to preserve the company’s history.
  • To manage different types of events, including meetings and press conferences, we will process personal data of the invited persons. Certain events may be recorded and transcribed.
  • To send out financial reporting and other company information to interested stakeholders.
  • To answer information requests and other enquiries.

What types of personal data do we process?
We may process the following categories of personal data:

  • contact details such as name, e-mail address, telephone number
  • date of birth
  • username
  • gender
  • nationality
  • work related information, such as company, country of employment and work role
  • size information
  • photo and images
  • video footage
  • audio recording

Who are responsible for processing your personal data?
The company H&M Hennes & Mauritz GBC AB is responsible for the processing of personal data related to Group level communication and media activities.

For locally hosted events the controller is the H&M Company that you engage with.

What is the legal ground to process your personal data?
We will obtain your consent to send you Group financial information and press releases. For all other purposes referred herein we rely on our legitimate interest as a business organization.

How long do we keep your data?
We save your data if needed to fulfil the purpose for which it was collected to pursue our legitimate interests or until there is no longer any legal requirements or right for us to keep the data.
For the processing of personal data for the purposes based on consent we will keep the data until you withdraw your consent.

SHAREHOLDERS, BOARD MEMBERS AND INVESTOR RELATIONS

Why do we use your personal data?
We will use and process your personal data when you register as an individual shareholder and when you interact with us in relation to your shareholding with us. This includes when we receive your personal data from third parties such as Central Securities Depository (CSD), banks and law firms.

  • To manage your shareholding interest and fulfil your rights as a shareholder.
  • To comply with our obligation as a public listed company by maintaining records and file returns about shareholdings at H&M Group. This may require you to disclose family member information.
  • To contact you with shareholder related information, such as reports, dividend distribution, general meeting details etc.
  • To manage our relationship with you including answering any enquiries you send us.
  • To secure transparency by publishing board members and main shareholders’ details on our site.
  • To enable relevant parties to participate our Annual General Meeting we manage both a registration and transcripts.

What types of personal data do we process?
We may process the following categories of personal data:

  • contact details consisting of name, title, address, telephone number and e-mail address
  • information to confirm your identity and your business, including personal identity number, date of birth and company details
  • records about your past and present shareholding details
  • bank details where dividends, income and capital returns are paid into
  • information, including family members’ data, disclosed to fulfil insider trading prevention requirement
  • photo, video, and audio we publish to secure transparency and where it is recorded during meetings

Who is responsible for processing your personal data?
The company H&M Hennes & Mauritz AB is responsible and the controller for processing your personal data for the purposes regarding Shareholders and the Annual General Meeting.

Who has access to your personal data?
We share your personal data within the H&M Group whenever necessary to fulfil the intended purpose.

We may share personal data with postal and e-mail distribution companies for our annual report, with Central securities depository to manage shareholders and power of attorneys.

What is the legal ground to process your personal data?
When we process your personal data necessary to meet the requirements imposed on us by applicable law, the legal basis for processing your personal data is legal obligation.

If you are a major shareholder, we also process your data by publishing names and shareholdings in annual reports, on our website, etc. This processing of personal data is based on H&M group’s legitimate interest.

The processing of personal data to register for the general annual meeting, to record and transcribe the meeting is based on H&M group’s legitimate interest.

The processing of personal data to register shareholders’ presence at the meeting is based on a legal obligation.

How long do we save your data?

Information that is processed to handle communication with you as well as related matters that you as a shareholder or contact person at companies that are shareholders initiate are saved as long as it is relevant in relation to the communication and the matter concerns.

We will keep your data for registration and for attendance to the annual general meeting and list of legal representatives according to legal requirement.

SECURITY

Why do we use your personal data?
Security measures, including information and physical security, are vital to protect our business partners, customers, colleagues, and business. Therefore, your personal data may be used for the below purposes:

  • To protect our premises, facilities and equipment, and all information contained therein from incidents, accidents, and malicious/criminal attacks.
  • To conduct and document security audits.
  • To investigate a crime or an act of misconduct, such as breach of law, company policies, fraudulent activities etc., for example through a digital forensic investigation. Such investigations are triggered by serious suspicion, whistle blow, grievance reporting or other channels.
  • To ensure H&M’s legal compliance and protect our position in the events of potential crime reporting & investigations.
  • To establish, exercise and/or defend, current and/or future, legal claims.

What type of data do we process?
We will process the following categories:

  • contact information such as name, home address, e-mail address and telephone number
  • information to verify your identity, such as personal ID number
  • date of birth
  • work information such as company name and work role
  • logs such as for key cards
  • employment information such as user ID number
  • IP number
  • video surveillance footage
  • photo
  • relevant information for investigations, including details from incident reports.

Who are responsible for processing your personal data?
The company H&M Hennes & Mauritz GBC AB is responsible for the processing of personal data related to cyberdefence and information security.

Local H&M company is the responsible party for processing activities related to physical security and locally conducted investigations.

Who has access to your personal data?
Data that is forwarded to third parties is only used to perform the service mentioned above. We will share your personal data with security companies, auditors, and legal advisors to handle security issues and administration. We will also share your personal data with video surveillance companies for video footage.

What is the legal ground to process your personal data?
The processing of your personal data is based on our legitimate interest for us to manage incidents and security breaches.

How long do we save your data?
We will keep your data for the time we need to prevent and/or report protentional fraud and other offenses.

Video footage will be saved in compliance with local legislation.

BRAND & CONSUMER PERCEPTION ANALYSIS

Why do we process your personal data?
H&M Group processes your personal data when monitoring social media channels across internet for mentions of our brands, competitors, product, and more. Only with insights about what customers say about us we can improve as a business, brand, and employer. Monitoring and measuring the buzz in social media is a crucial component of customer audience research and for cultivating our customer and public relations.

Personal data may also be collected from Social Media business accounts for analysing on an aggregated level to be able to gather insights and forecast trends. The purpose with these aggregated analyses is to improve product development and enhance business decisions.

What personal data is processed?
Personal data consists of identifying information such as your name, username, device in combination of information relating to the published content (e.g. comments, expressions, opinions, posts, etc.), your profile picture or other images or videos that you post or interact with, your job title or profession, your interests and gender, and your location.

Who is responsible for the processing of personal data?
The company H&M Hennes & Mauritz GBC AB is responsible for processing personal data in the scope of analysing conversations whereas Brandwatch is responsible for collecting (through crawling and indexing), structuring, compiling and storing personal data in the service. Other sites and domain owners such as Social Media platforms are also independent data controllers for the processing of your personal data.

Who has access to your personal data?
We share your personal data within the H&M Group whenever necessary to fulfil the intended purpose. For the same reason, personal data is also shared with suppliers carrying out certain tasks on our behalf, such as independent analysing companies, PR and media agencies.

What is the legal ground to process your personal data?
We process your personal data via Brandwatch to analyse public perception on our brands and consumer needs is based on our legitimate interest as a business.

How long do we save your data?
We do not store your personal data at H&M Group. However, please note that Brandwatch and the original publication platforms will retain your data according to their own rules and rights.

UPDATES TO THIS PRIVACY NOTICE

We may need to update our Privacy Notice. The latest version of the Privacy Notice is always available on our website. We will communicate any material changes to the Privacy Notice, for example the purpose of why we use your personal data, the identity of the controller or your rights.

June 2024

  • Incorporated all H&M Group affiliated entities into this Privacy Notice.
  • Clarified data controllers in each chapter under “Who is responsible for the processing of your personal data?”
  • Reformatted the purposes under “Why do we process your personal data” in all chapter for easy reading.
  • Amendments and clarification in data types under “What type of data do we process” in all chapters.
  • Added performance evaluation as a purpose under “Business Relations” chapter.
  • Added
  • Added legal defence as a purpose under “Security” chapter.
  • Added insider trading disclosure information as a data type under “Shareholders, board members and investor relations” chapter.

SPECIFIC INFORMATION FOR HMGROUP.COM

Links
hmgroup.com may contain links to other websites beyond our control. We cannot be held liable for breaches of integrity or content on these websites – we simply provide the links to make it easier for people visiting our site to find more information within specific areas.

Copyright
The content on this site is copyrighted and belong to H & M Hennes & Mauritz AB.

Colours
We cannot guarantee that the shown on the website exactly reproduce the of the actual garments. This partly depends on the reproduction on your computer.

Changes

This Privacy Notice was last updated: June 2024.

Information about cookies has been moved to a dedicated and separate Cookie Notice.