SAINT-LOUIS PRIVACY POLICY
Data protection and privacy policy
Effective Date: December 2018, 28th
1. General Statement
We take your privacy very seriously and we are committed to protecting it. We believe that you should easily know what personal data we collect and use, as well as to understand your rights in respect of your personal data.
Our privacy policy (“Privacy Policy”) explains our policies and practices regarding how we collect, use, and disclose the personal data that we collect through our Digital Platforms, our stores or during our events.
We recommend that you read this Privacy Policy carefully as it provides important information about your personal data.
Our Privacy Policy is designed so that you can easily reach the section you are interested in.
You can print the complete text of our Privacy Policy by clicking here. You may also ask for a copy of our Privacy Policy in any of our stores.
Do not hesitate to contact us should you have any questions or remarks about our Privacy Policy (See section “How to contact us?” below).
2. Who we are?
“Saint-Louis”, "we" "us" and “our” refer to the company “Compagnie des cristalleries de Saint-Louis » as the controller of your personal data, except otherwise stated in this Privacy Policy.
Compagnie des cristalleries de Saint-Louis is a French company (“Société par actions simplifiée”) with a capital of 3,892,000 euros, having its registered office at Coëtlosquet, 57620 Saint-Louis-Lès-Bitche (France), registered with the Sarreguemines Trade and Companies Registry under number 353 438 708.
Compagnie des cristalleries de Saint-Louis is a company of Hermès group. For further details on Hermès group, please visit http://finance.hermes.com.
You can find our contact details in section “How to contact us?” below.
3. What personal data do we collect and how is it collected?
Personal data is information relating to an identified or identifiable natural person. For example, it may include an individual’s name, address and gender.
We may collect personal data either directly from you (for example when you purchase a product in a store) or indirectly (for example from your electronic devices that interact with our websites, electronic forms or mobile applications (“Digital Platforms”)).
3.1. Information you provide directly to us
You may provide us with information:
- When you create an account online or in our stores;
- When you subscribe to our newsletter;
- When you use our Digital Platforms;
- When you purchase products or services on our Digital Platforms or in our stores;
- When you visit our stores;
- When you participate in one of our events;
Depending on what you provide us with, such information may include:
- Your identity (including your first name, last name, gender, image);
- Your contact details (including your postal address(es), email address(es), phone number(s));
- Your personal status (including your title);
- Your purchases and repairs (including purchase history, order details);
- Your preferences (including your size);
- Certain payment information (including billing information, payment type or method, charge or credit card number);
- Other information you may provide by filling forms or by contacting us (including your feedbacks, or other communications with us).
We will inform you when your information is required in order to process your request, to respond to your queries or to provide you with our products and services. If you do not provide this information, then it may delay or prevent us from processing your request, responding to your query and providing products or services to you.
We hope to ensure that the personal data we possess are accurate at all times and therefore we encourage you to update your information in case any changes have occurred. We also may ask you to update your information from time to time.
We recommend that you only provide the data requested or necessary for your query, with the exception of any sensitive information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health, sex life or sexual orientation.
We remind you that we do not provide our services or products directly to, nor collect personal data of, persons below the age of 18. Therefore, we ask you not to provide us with personal data of persons under 18 years of age.
3.2. Information indirectly collected
We may collect information when you use our Digital Platforms, such as your IP address or other browsing information (including browser, operating system, device model), through cookies or similar technologies placed on your device. Some cookies are required for the proper functioning of our Digital Platforms and other are used for analytics purposes which help us to provide you with more personalized and customized services and a better digital experience. For more information about cookies and to know how you can edit your preferences, please read our cookies policy.
We may also collect information about you from third parties, such as a spouse who contacts us on your behalf or from your friends who provide us with your information in order to invite you to events you may be interested in.
If you provide personal data to us about someone else, you must ensure that you are entitled to disclose that information to us and that, without us taking any further steps required by data protection laws, we may collect, use and disclose such information for the purposes described in our Privacy Policy. For example, you should ensure the individual concerned is aware of the various matters detailed in our Privacy Policy. The individual must also provide the consents set out in this Privacy Policy in respect of how we will deal with their personal information.
4. Why do we collect your personal data and how do we use it?
We collect and use your personal data based on one or many of the following legal basis:
- we have obtained your prior consent (for example, when you subscribe to our newsletter). Please note that for this specific legal basis, you have the right to withdraw your consent at any time (see below “What rights do you have on your personal data?”);
- the processing is necessary in connection with any contract between Saint-Louis and you (for example, when you make a purchase);
- we have a legitimate interest in carrying out the processing and that legitimate interest is not overridden by your interests, fundamental rights, or freedoms (for example, to prevent payment fraud);
- we have to process your personal data to comply with applicable laws and regulations.
Depending on the context, we may use your personal data in order to:
- provide you with the products or services you requested;
- conduct checks to identify you and verify your identity;
- send you Promotional Communications - with your prior consent (see section “Promotional Communications”);
- provide you after-sale services;
- respond to your queries, requests and suggestions;
- manage the events you registered and/or participated in;
- detect any fraudulent or illegal activity, including to secure your transactions by detecting and preventing fraud against you and Saint-Louis;
- protect you, employees and other individuals in our stores as well as our property;
- manage the stock of certain types of rare products to allow a fair allocation of the products we sell;
- monitor and improve our Digital Platforms;
- conduct statistical analysis;
- improve our products and services;
- fulfil our legal obligations corresponding to preventing and combating fraud and money-laundering;
- provide information to regulatory bodies when legally required.
5. Marketing Communications (newsletter, invitations, etc.)
With your express prior consent (usually obtained by ticking a specific box in a form), you may receive information concerning offers, services, products or events sent by Saint-Louis and/or by other Hermès group companies (“Marketing Communications”). In such a case, you also accept that your contact information is shared with other Hermès group companies for this purpose. Please visit http://finance.hermes.com for details about companies of Hermès group.
6. How long do we keep your personal data?
Your personal data are processed for the period necessary for the purposes for which they have been collected, to comply with legal and regulatory obligations and for the duration of any period necessary to establish, exercise or defend any legal rights.
In order to determine the most appropriate retention periods for your personal data, we have specifically considered the amount, nature and sensitivity of your personal data, the reasons for which we collected your personal data, the service you deserve and expect from us together with the applicable legal requirements. For example:
- With regard to our prospects (potential customers):your data is stored for three years from your last action and then deleted or archived to comply with legal retention obligations;- With regard to our customers: your data is stored for the duration of our commercial relationship and for up to ten years and then deleted or archived to comply with legal retention obligations;
- With regard to the cookies used on Digital Platforms: they are stored for up to 13 months from the moment they were installed on your device.
7. How do we disclose and transfer your personal data?
We may disclose your personal data only to the parties indicated below and for the following reasons:
- We disclose your personal data to Saint-Louis employees that need to have access to your personal data and are authorized to process them in order to achieve the aforementioned purposes and who are committed to confidentiality.
- We may disclose your personal data to Hermès group companies, in charge of customer relationship, retail, e-commerce, communication, internal audit and IT management for the purposes set out in our Privacy Policy and to provide you with a consistent level of service across all Hermès group companies. This may include providing you with the products and services that you have requested, improving the services provided and – with your consent – sending you Marketing Communications concerning offers, services, products or events (for such purpose, you may withdraw your consent at any time – see section “What rights do you have on your personal data?” below).
For the specific purpose of combating payment fraud, your personal data are communicated to Hermès Sellier in order to process your order and to fight against online payment methods fraud attempts. As part of our legitimate interest to fight against fraud with payment methods, Hermès Sellier, acting as data controller, can transmit your financial information to an external service provider with a fraud detection tool in order to authenticate a payment. Such service provider is committed to confidentiality.
The Hermès group companies are located worldwide. As a result, personal data may be transferred outside the country where you are located. This includes transfers to countries outside the European Union (“EU”) and to countries that do not have laws that provide adequate protection for personal data according to the European Commission.
To ensure lawful transfers of data, the Hermès group has implemented Binding Corporate Rules (“BCRs”) designed to allow Hermès group companies to transfer personal data from the European Economic Area (“EEA”) to other Hermès group companies located outside of the EEA in compliance with the European data protection law. These BCRs have been approved by the European data protection authorities. For more information on Hermès group’s BCRs, please click here.
For countries where BCRs are not fully recognized as adequate mechanism, transfers are made on the basis of appropriate contractual clauses approved by the data protection authorities. To obtain a copy of the relevant adequate safeguards, you can send us your request (see below “How to contact us?”).
Please visit http://finance.hermes.com for more details about companies of Hermès group.
- We may also disclose personal data to third-party providers acting on behalf of Saint-Louis and approved by Saint-Louis. All such processing is based on our prior instructions set out in a binding contract that is compliant with the requirements of applicable law. Such disclosures are made for different purposes including:
- - IT development and support;
- - Hosting and carrying out marketing and business studies and marketing campaigns;
- - Verifying your information, authenticating payments and processing orders and payments, to third parties that provide credit reporting, payment or order fulfilment services;
- - Delivery services
- - Data quality management services (standardization, deduplication…)...
These providers are committed to confidentiality and are not permitted to use your personal data for any other purposes. We also require them to use appropriate security measures to protect your personal data.
Part of those service providers are located outside of your country, notably outside the EU. We have taken steps to ensure all personal data is provided with adequate protection and that all transfers of personal data, including outside the EU are done lawfully. Where we transfer personal data outside of the EU to a country not determined by the European Commission as providing an adequate level of protection for personal data, the transfers will be under an agreement which covers the EU requirements for the transfer of personal data outside the EU, such as the European Commission approved standard contractual clauses, or under other appropriate safeguards, as the EU/US Privacy Shield for transfers to the United States of America.
To obtain a copy of the relevant adequate safeguards, you can send us your request using the details in Section “How to contact us?” below.
- We may be required by the binding requirements of an applicable law, or for the purposes of responding to legal proceedings or other lawful requests to disclose your personal data to authorities or third parties.
- We may also disclose or otherwise process your personal data, in accordance with applicable law, to defend our legitimate interests (for example, in civil or criminal legal proceedings). For example, we may disclose such personal data as necessary to identify, contact or bring legal action against a person or entity who may be violating our Terms and Conditions of Sale and Use, or who may be causing injury to, or interfering with, other users of our Digital Platforms.
- In the event that Saint-Louis or Hermès group companies, or all or part of its or their assets, are acquired by a third party, your personal data may be included in the transferred assets.
8. How do we protect your personal data?
All your personal data is strictly confidential and will only be accessible, on a need-to-know basis, to duly authorized personnel of Saint-Louis and other entities of the Hermès Group and third providers acting on our behalf with appropriate technical and organizational security safeguards.
Saint-Louis has implemented security measures to protect your personal data against unauthorized access and use. We follow appropriate security procedures in the storage and disclosure of your personal data so as to prevent unauthorized access by third parties and to prevent your data being accidentally lost. We limit those who access your personal data to those who have a genuine business need to access it. Those who do access your data are subject to a duty of confidentiality towards Saint-Louis.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We also require those parties to whom we transfer your personal data to comply with the same. However, unfortunately, the transmission of information via the internet is not completely secure. So, we cannot ensure the security of your personal data transmitted by you to us via the internet. Any such transmission is at your own risk and you acknowledge and agree that we shall not be responsible for any unauthorized use, distribution, damage or destruction of Your Information, except to the extent we are required to accept such responsibility under the law. Once we have received your personal data, we will use the security measures abovementioned.
9. What rights do you have on your personal data?
In accordance with the applicable data protection laws, you can, at any time, request access, rectification, erasure and portability of your personal data or restrict and object to the processing of your personal data. A summary of these rights is provided below:
- Your right of access: the right to be provided with a copy of your personal data.
- Your right to rectification: the right to require us to correct any mistakes in your data or to complete your information.
- Your right to be forgotten: the right to require us to delete your personal data — in certain situations
- Your right to restriction of processing: the right to require us to restrict processing of your personal data — in certain circumstances, for example if you contest the accuracy of the data.
- Your right to data portability: the right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party — in certain situations
- Your right to object to processing: the right to object:
— at any time to your personal data being processed for direct marketing;
— in certain other situations to our continued processing of your personal information, eg processing carried out for the purpose of our legitimate interests.
You may at any time decide to withdraw your consent to the processing of your personal data. If your consent is withdrawn, it does not prevent us from processing your personal data based on other legal bases if any, such as fulfilling your orders and storing your order data as required by applicable law.
If you no longer wish to receive our marketing/promotional information, we remind you that you may withdraw your consent to direct marketing at any time directly from the unsubscribe link included in each electronic promotional message we send to you. If you do so, we will promptly update our databases, and will take all reasonable steps to meet your request at the earliest possible opportunity, but we may continue to contact you to the extent necessary for the purposes of any products or services you have requested.
You also have the right to lodge a complaint with your local data protection authority in case of alleged infringement of the data protection rules applicable to you.
To exercise any of those rights, please contact us using the contact information below (see “How to contact us”).
Please note that upon exercising any of the rights listed above, you will be requested to let us know what right you want to exercise and provide information (copy of an identity card, passport or other legally recognized identity) for identification purposes in order to process your request and protect you against fraudulent requests from third parties.
[For California Residents] What are your rights under California Civil Code Sections 1798.83-1798.84?:
California Civil Code sections 1798.83-1798.84 give California residents the right to ask us for a notice describing what categories of personal customer information we share with third parties or corporate affiliates for their direct marketing purposes. That notice will identify the categories of information shared and will include a list of the third parties and affiliates with which it was shared, along with their names and address. If you are California resident and would like a copy of this notice, please submit a written request to: contact-gdpr@saint-louis.com.
[For Nevada Residents] What are your rights under Nevada Revised Statutes Chapter 603A?:
If you are a Nevada resident, in addition to the rights set forth above, you have the right to request that we do not make any sale of your covered information that we may have collected from you (or may collect from you in the future). We do not sell your covered information, as those terms are defined in N.R.S. 603A. Nonetheless, if you wish to make such a request, submit it to our designated email address below in the “How to Contact Us” section. Please allow up to 60 days for a response.
Opting out of these sales will not cease marketing communications from Saint-Louis and Hermes group; To opt out of marketing communications, see “Marketing Communications” above.
10. How to contact us?
In issues relating to your account, to withdraw your consent, to ask general questions or to lodge a complaint, please contact our Customer Service:
- By email: contact-GDPR@saint-louis.com
- By phone: +33 (0)3 87 06 40 04
- By mail: rue Coëtlosquet, 57620 Saint-Louis-Lès-Bitche (France)
In issues specifically related to Marketing Communications, we remind you that you can, at any time, directly unsubscribe through the “unsubscribe” link in any electronic promotional messages we send to you.
If you have any questions or concerns about our Privacy Policy or data processing, you may contact our group Data Protection Officer at: privacy@hermes.com.
11. Changes to our Privacy Policy
Our Privacy Policy reflects our current practices, and is subject to change and update from time to time. When we post changes to our Privacy Policy we will modify the "Effective Date" at the top of this document to indicate when such changes have come into effect.
If we change our Privacy Policy in a material way, we will inform you through a notice advising of such change at the beginning of this Privacy Policy and on the “saint-louis.com” website homepage.
12.California Consumer Act Privacy Notice
This California Consumer Act Privacy Notice (“CCPA Notice”) applies to California “Consumers” as defined by the California Consumer Privacy Act (“CCPA”). For the purpose of this CCPA Notice, “Personal Information” (“PI”) as defined by the CCPA includes personal data as used in the Privacy Policy.
This CCPA Notice is in addition to the provisions of the Saint-Louis Privacy Policy. In case of contradiction, discrepancy or inconsistency between the Privacy Policy and the CCPA Notice, the CCPA Notice shall prevail for Californian Consumers. We may collect, use and disclose your PI as required or permitted by applicable law, or as directed by you, in accordance with our Privacy Policy.
We collect the following categories of PI from Consumers: identifiers, personal records, account details, consumer characteristics, professional information, and internet usage information. We draw inferences from PI provided to us by consumers, and use PI provided by Consumers to provide requested products and services; advertise and offer new products and services; and improve our products and services.
We share PI provided by Consumers with
(i) our Saint-Louis employees that need to have access to your personal data and are authorized to process them in order to achieve the aforementioned purposes and who are committed to confidentiality
(ii) our departments in charge of customer relationship, retail, e-commerce, communication, internal audit, legal, security, and IT management for the purposes set out in this CCPA Notice and our Privacy Policy and to provide you with a consistent level of service across all Hermès group companies.
(iii) our service providers who assist us in providing, offering and improving products and services and other purposes (IT development and support; hosting and carrying out marketing and business studies and marketing campaigns; verifying your information, authenticating payments and processing orders and payments, to third parties that provide credit reporting, payment or order fulfilment services; delivery services...).
We also use PI provided by Consumers, along with PI from publicly available data bases and from service providers to prevent fraudulent and illegal activity. We provide such PI to service providers who assist us in preventing fraudulent and illegal activity and in subpoenas and other legal process, who use this PI for such purposes.
We do not knowingly “sell” PI that we collect from you, in accordance with the definition of “sell” in the CCPA, and will treat PI we collect from you as subject to a do not sell request. There is not yet a consensus as to whether third party cookies and tracking devices associated with our websites and mobile apps may constitute a “sale” of your PI as defined by the CCPA. You can exercise control over browser-based cookies by adjusting the settings on your browser. We also list cookies and provide access to their privacy information and, if available, opt-out programs in the Cookie Policy. Further, you can learn more about your choices regarding certain kinds of online interest-based advertising here. We do not represent that these third-party tools, programs or statements are complete or accurate.
Some browsers have signals that may be characterized as do not track signals, but we do not understand them to operate in that manner or to indicate a do not sell request by you, so we currently do not recognize these as a do not sell request. We understand that various parties are developing do not sell signals and we may recognize certain such signals if we conclude such a program is appropriate.
Consumers have the right to exercise their privacy rights under the CCPA in their individual capacity or via an authorized agent who meets the agency requirements of the CCPA. We will not discriminate against you in a manner prohibited by the CCPA as a result of your exercising your rights under the CCPA.
Any request you submit to us is subject to a verification process, including without limitation, verification of residency in the State of California (“Verifiable Consumer Request”). We will not fulfill your CCPA request unless you have provided sufficient information to reasonably verify you are the Consumer about whom we collected PI. This verification process includes asking a Consumer to provide two (2) unique data points for disclosure of general categories of PI that we collect. With respect to requests for your specific pieces of PI, as required by the CCPA we will apply heightened verification standards by asking a Consumer to provide three (3) unique data points. To make a Verifiable Consumer Request according to your rights to know or to request deletion of your PI set forth below, you may send us an email at contact-GDPR@saint-louis.com or by calling us at +33 (0)3 87 06 40 04. You may also obtain information on how to make, and may submit, a request by asking a store manager at any of our California retail locations.
Some PI we maintain about Consumers is not sufficiently associated with a Consumer for us to be able to verify that it is a particular Consumer’s PI (e.g., clickstream data tied only to a pseudonymous browser ID). As required by the CCPA, we do not include that PI in our response to Verifiable Consumer Requests. If we cannot comply with a request, we will explain the reasons in our response.
We will make commercially reasonable efforts to identify Consumer PI that we collect, process, store, disclose and otherwise use and to respond to your CCPA rights requests. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded or overly burdensome. In addition, we have right not to honor a request to the extent that doing so would infringe upon ours or the rights of any other person of party’s rights or conflict with applicable law.
You have the right to send us a request, no more than twice in any twelve-month period, for any of the following for the period that is twelve months prior to the request date:
• The categories of PI we have collected about you.
• The categories of sources from which we collected your PI.
• The business or commercial purposes for our collecting your PI.
• The categories of third parties to whom we have shared your PI.
• The specific pieces of PI we have collected about you.
• A list of the categories of PI disclosed for a business purpose in the prior 12 months, or that no disclosure occurred.
• A list of the categories of PI sold about you in the prior 12 months, or that no sale occurred. If we sold your PI, we will explain:
- - The categories of your PI we have sold.
- - The categories of third parties to which we sold PI, by categories of PI sold for each third party.
You have the right to make or obtain a transportable copy, no more than twice in a twelve-month period, of your PI that we have collected in the period that is 12 months prior to the request date and are maintaining.
Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.
Except to the extent we have a basis for retention under CCPA, you may request that we delete your PI that we have collected directly from you and are maintaining. Note also that we are not required to delete your PI that we did not collect directly from you.
You may alternatively exercise more limited control marketing communications by exercising the rights set forth in the “Marketing Communications” Section of our Privacy Policy (Section 5).