L'OCCITANE EXTERNAL DATA PRIVACY NOTICE
We at L’Occitane Singapore Pte Ltd (“L’Occitane SG”) respect the privacy and confidentiality of personal data in our possession or under our control. We have implemented policies and practices to safeguard the collection, use, disclosure, storage and other processing of personal data provided to us.
This External Data Protection Notice (“Notice”) explains how we collect, use, disclose, process and retain the personal data you provide to us. Personal data (as defined in the Personal Data Protection Act 2012 of Singapore (“PDPA”)) refers to “data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access.”
Types of Personal Data We Collect and Process
We may collect and process the following types of personal data about you when you engage with us:
- your personal details such as your name, your gender, your address, your location, your date of birth, your mobile number and your email address
- your facial and follicle condition
- your purchases and orders
- your online browsing activities on our website/s
- your interests, preferences, feedback and survey responses
- your payment card details such as the card holder’s name, credit/debit card no. and card expiry date
- our correspondence and communications with L’Occitane
- For job applicants:
- your educational and professional qualifications
- your professional and work experience
- your medical and health information
Our Website is not directed to individuals under the age of eighteen (18), and we request that these individuals do not provide personal information through our Website. We do not knowingly collect information from children under 18 without parental consent.
This list is not exhaustive and, in specific circumstances, we may need to collect additional data for the purposes set out in this Notice. Some of the above personal data is collected directly, for example when you set up a membership account or online account on our websites. We may also collect personal data from our third party partners who have your consent to pass your details to us, or from publicly available sources.
Our Purpose(s) for Processing Personal Data About You
We process the personal data we have collected about you for one or more of the following purposes:
- to process sales transactions (including payment), manage your membership (if you become a member), and provide any other services offered by the company
- to market directly to you, with your consent
- to analyze our services and product offerings to you, and your preferences and needs
- for your participation in promotions, and contests
- for conducting of market research and focus groups
- for product returns and exchanges
- for customer care and membership account management, including communications received from you
- for monitoring of visitors to our offices
- to process job applications, recruitment and selection
- to pass information about you to our agents, associates, subsidiaries or partners to carry out services for us, with your consent
- to carry out our obligations arising from any contracts entered into between you and us.
- to comply with legal obligations and regulatory requirements
Who We Disclose Personal Data About You To
We disclose some of the personal data we have collected about you to the following parties or organisations outside L’Occitane in order to fulfill our services to you:
- Banks, Payment card processing companies
- IT/Technical Support
- Freight/Courier service providers
- Business Process Outsourcing (BPO) service providers
- Recruitment Agencies / Headhunters (for job applicants)
In addition to the above, where required to do so by law, we will disclose personal data about you to the relevant authorities or to law enforcement agencies.
We may also share some of your personal data, after they are anonymised, with third parties for research purposes in order to improve our products and services to you.
How We Manage the Collection, Use, Disclosure and Storage of Your Personal Data
Where we collect personal data directly from you, we will notify you of the purposes for which we are collecting it and obtain your express consent to us collecting, using and disclosing it for those purposes. We will not collect more personal data than is necessary for the stated purpose.
When you voluntarily provide personal data to us for a purpose and it is reasonable that you do so, we may assume that you are deemed to have given us your consent to our collecting, using and disclosing your personal data for that purpose (e.g. when you provide your CV to us when responding to a job advertisement).
Under certain circumstances, we may collect, use and/or disclose personal data about you without your consent (e.g. to comply with our statutory obligations or where personal data is publicly available).
Where you engage us for our services on behalf of another individual, you must obtain consent from that individual in order for us to collect, use or disclose his/her personal data.
Withdrawal of Consent
Where your consent has been obtained, you may withdraw that consent at any time by giving us reasonable advance notice of your withdrawal. We will notify you of the likely consequences of your withdrawal of consent, e.g. without your personal contact information we may not be able to inform you of future updates or that the quality of our service may be impacted.
You may withdraw your consent by sending an email or letter to us, or through the membership withdrawal process (please contact us for more details at DPO.email@example.com).
Cookie, Google Analytics and Other Data Collection Technologies
When you visit our website or use our mobile applications, we collect certain Transaction Information by automated means, using technologies such as cookies, pixel tags, browser analysis tools, server logs and web beacons.
For example, when you visit our website, we place cookies on your computer. Cookies are small text files that websites send to your computer or other Internet-connected device to uniquely identify your browser or to store information or settings in your browser. Cookies allow us to recognize you when you return. They also help us provide a customized experience and enable us to detect certain kinds of fraud. In many cases, you can manage cookie preferences and opt-out of having cookies and other data collection technologies used by adjusting the settings on your browser. All browsers are different, so visit the “help” section of your browser to learn about cookie preferences and other privacy settings that may be available.
We collect many different types of information from cookies and other technologies. For example, we may collect information from the device you use to access our website, your operating system type, browser type, domain, and other system settings, as well as the language your system uses and the country and time zone where your device is located. Our server logs also record the IP address assigned to the device you use to connect to the Internet. An IP address is a unique number that devices use to identify and communicate with each other on the Internet. We may also collect information about the website you were visiting before you came to L’Occitane SG and the website you visit after you leave our site.
In many cases, the information we collect using cookies and other tools is only used in a non-identifiable way, without any reference to personal data. For example, we use information we collect about all website users to optimize our websites and to understand website traffic patterns.
In some cases, we do associate the information we collect using cookies and other technology with your personal data. This Notice applies to the information when we associate it with your personal data.
Another third party vendor used by L’Occitane SG is Google Analytics. For information on how Google Analytics uses data please visit “How Google uses data when you use our partners sites or apps”, located at www.google.com/policies/privacy/partners/.
Tracking of User Activity
If and where we do track your activity, we will document this in our Data Inventory, and disclose such activity in this Data Protection Notice.
You can opt out of these re-marketing services by visiting the web site of the relevant third party vendor(s), where applicable.
If you give us the permission via your mobile device, we may use and store information about your location. We use this information to provide features of our services in order to improve and customize our services.
You can enable or disable location services through your mobile device settings at any time when you use our services.
How do we handle access and correction requests of personal data?
You may write in to us to find out what personal data we hold about you and how we have been using or disclosing your personal data over the past one year. When you make any such request, we may need to verify your identity (e.g. by checking your legal identification document).
We will try to respond to your request as soon as reasonably possible, or within 30 days from our receipt of your request, the period stipulated in the PDPA. If we are unable to do so within the stipulated period, we will let you know and give you an estimate of how much longer we require. We may charge a reasonable fee for processing your request and we will let you know the amount of the fee before you incur it.
You may also ask us to correct an error or omission in the personal data we hold about you. We will correct the personal data as soon as practicable, or within 30 days or any response period prescribed by law, unless we are satisfied on reasonable grounds that a correction should not be made.
How do we ensure accuracy of your personal data?
We take reasonable precautions and make reasonable verification checks to ensure that your personal data is reasonably accurate, complete and up-to-date.
From time to time, we may do a verification exercise for you to update us on any changes to the personal data we hold about you. If we are in an ongoing relationship with you (such as being our Member), it is important that you update us if there are any changes in the personal data we hold about you (such as a change in your home address).
How do we protect your personal data?
Our Information Security Policy governs how we protect personal data. We make reasonable security arrangements to protect personal data about you that is in our possession or under our control to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
All of L’Occitane SG’s employees (including part-timers and interns) will take reasonable and appropriate measures to maintain the confidentiality and integrity of your personal data and will only share your data with authorised persons on a 'need to know' basis.
Relating to credit card payments: the Payment Card Industry Data Security Standard (PCI DSS) is managed by the PCI Security Standards Council (founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International). The PCI DSS is a multifaceted international security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures with a view to achieving ongoing development, enhancement, storage, dissemination and implementation of high security standards for account data protection. For more details please refer to: https://www.pcisecuritystandards.org/
We ensure that the entities that process personal data on our behalf will be bound by contracts that require them to provide sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out and to take reasonable steps to ensure compliance with those measures.
How can you protect your data?
At L’Occitane SG, it is not our practice to ask for your credit card details via email.
Please keep your membership log-in password private; anyone who knows your password may access your account with or without your knowledge.
What do we do when we retain your personal data?
We have a Document Retention Policy that spells out when we must cease to retain personal data and that requires documents and personal data to be destroyed (paper documents) or deleted (electronic documents and data stored in databases) securely. Certain retention periods are based on statutory or regulatory requirements.
We will cease to retain any documents containing personal data about you as soon as it is reasonable to assume that the purpose for which we collected that personal data is no longer being served by retention of it and retention is no longer necessary for legal or business purposes.
What do we do if we do transfer your personal data?
If there is a need for us to transfer personal data about you to a country or territory outside Singapore, we will ensure that the recipient organisation will be obliged to provide a standard of protection to such transferred data that is comparable to the protection it receives under Singapore law.
What happens if we make changes to this Notice? 
If you have any questions about our collection, use, and/or disclosure of personal data about you, feedback regarding this Notice, or any complaint relating to how we collect, use, disclose and store personal data about you, you may contact our Data Protection Officer(s) at DPO.firstname.lastname@example.org.
Any query or complaint should include, at least, the following details:
- Your full name and contact information
- A brief description of your query or complaint