Privacy Notice

1. APPLICATION
2. LEGAL BASES
3. PURPOSE
4. WITHDRAWAL OF CONSENT, ACCESS & CORRECTION
5. CHILDREN
6. THIRD PARTY DISCLOSURE & TRANSFER
7. SECURITY & PROTECTION
8. RETENTION OF PERSONAL DATA
9. GOVERNING LAW
10. CONTACT US

SHISEIDO (THAILAND) CO., LTD. (“Shiseido”; collectively, "us", “we” or "our") is committed to protecting your privacy and ensuring that your Personal Data is protected. For the purposes of this Privacy Notice, "Personal Data" means any personally identifiable data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which we have or are likely to have access (or any materially similar or analogous concept or definition under applicable law). This may include photos, facial images and video / voice recordings.

1. APPLICATION

This Privacy Notice explains the types of Personal Data we collect and how we use, disclose, transfer, process and protect that information.

We collect Personal Data through, but not limited to, the following means:

i) Data you provide to us, such as:

(a) When you use or interact with our websites, platforms, virtual environments, product and service offerings and/or applications (both web and mobile versions) (collectively, our "Platforms");

(b) When you shop on, browse, access, or interact with us via our Platforms;

(c) When you shop in-store at our physical stores. In addition, your image may be recorded on CCTV during those visits;

(d) When you connect with us through social media, participate in our surveys, promotions, campaigns and other activities, or attend our marketing events;

(e) When you subscribe to our newsletter or other marketing communication;

(f) When you agree and consent to be our member and/or create an account with us, whether through physical or electronic means, or any other joint membership that we have with our partners;

(g) When you voluntarily share with us any content (suggestions, testimonials, surveys or any other feedback) about your experience in using our products or services. This also includes your posts on our Platforms (such as photos, videos, personal stories, or other similar media or content); and

(h) When you contact us via our customer service or via any other channel (online chat, email, text message, telephone help line for any reason, compliments, feedback or a request, etc.).

ii) Automatically collected data

Subject to the set-up of your internet browser, the following categories of Personal Data may be collected automatically when you navigate through our Platforms, due to various tracking technologies such as browser cookies. Such information may include (but are not limited to):

(a) Technical information: your IP address, the browser (type and version) you use, the name of your access provider, your operating system and interface or data related to your device and language preferences;

(b) Connection data: logs (identifiers, date and time of connection to your account and/or to our Platforms);

(c) Personal Data relating to your use of our Platforms: pages viewed, the website from which you are visiting us, your navigation actions, searched products, date, time and duration of your visit;

(d) Location-related information, which can be derived from information such as your device's IP address or your device's GPS signal; and

(e) Information collected in and through cookies, local storage, pixels and similar technologies.

iii) Data we receive and collect from other sources

(a) Third parties and advertising partners: We may obtain Personal Data from third parties and sources, such as our advertising partners. This may be the case when you accept our cookies on the Platforms, which will help us understand your activities, how you use our Platforms, the purchases you make, the advertisements you watch, among others. Such information are necessary for us to optimize our media campaigns and ensure we are not delivering to you ads that do not fit your preferences and profile.

(b) Social media partners: Subject to your consent to the use of cookies or similar technologies, we might receive your Personal Data from social media platforms (such as Facebook and Instagram, when you voluntarily provide to them your Personal Data in accordance with their policies), when you link your account with us to your social media account, or when you use your social media account to access any of our Platforms (e.g. to create an account with us on our Platforms, to participate in one of our promotional campaigns or to make a purchase without having to create an account on our Platforms) or when using social media plug-ins (e.g. “like” and “share” buttons). We will manage such Personal Data in accordance with this Privacy Notice. For the avoidance of doubt, the mere use of our Platforms does not generally involve Personal Data processing activities or Personal Data transfers or disclosures by or to social media platforms. However, depending on your cookies choices or confidentiality set-up, social media platforms may independently collect and otherwise process Personal Data about or related to you in order to provide personalized advertising, including ads from Shiseido. For more information about the scope and purposes for which your Personal Data is processed by these social media platforms, please refer to their privacy notices.

If you provide Personal Data of a third party to us, you must (i) verify the accuracy and completeness of the provided Personal Data; (ii) inform such third party about this Privacy Notice; and (iii) obtain the necessary consent (if required) from that third party to transfer their Personal Data to us, and for us to collect, use, disclose, transfer or process that Personal Data in accordance with this Privacy Notice and all applicable law.

We may update this Privacy Notice from time to time by posting updated versions on our Platforms, and/or by sending an e-mail to you.

Please check back regularly for updated information on how we handle your Personal Data.

2.LEGAL BASES

We collect, use, disclose, transfer and process your Personal Data on the following legal bases (as exceptions to the requirement of consent): (1) a contractual basis, for our initiation or fulfilment of a contract with you; (2) a legal obligation; (3) the legitimate interest of ourselves and third parties, to be balanced with your own interest and fundamental rights and freedoms in relation to the protection of your Personal Data; (4) vital interest, for preventing or suppressing a danger to a person’s life, body or health; and (5) public interest, for the performance of a task carried out in the public interest or for the exercise of official actions.

We also collect, use, disclose, transfer and process your Personal Data on the legal basis of consent, where consent is required. In such a case, we will request and obtain your consent separately for certain activities pertaining to the collection, use, disclosure, transfer, and processing of your Personal Data.

The types of Personal Data we collect include, but are not limited to, your: (a) first name and family name; (b) home address; (c) age and date of birth; (d) email address; (e) mobile number; (f) gender and, only if appropriate, your (g) user name and password; (h) billing and delivery address; (i) personal identification number; (j) skin and/or health information (such as your physical characteristics, skincare concerns and/or skincare regimes, skin type, skin conditions and medications for the same); (k) racial or ethnic origin; (l) biometric data; (m) billing and financial information (e.g. credit and debit card information); (n) purchase history; (o) product preferences and communication channel preferences; (p) communications data (such as your correspondence or feedback history with us); (q) technical information about your interaction with our Platforms (such as the type and configuration of your device or browser, your IP address, time zone, language settings, date and time of your visit, the URL of the website from which you have been referred and your browsing history); and (r) other information as may be reasonably required for us to fulfil the purposes set out in Section 3 below, in accordance with all applicable law.

3. PURPOSE

We collect, use, disclose, transfer and process your Personal Data, for the following purposes:

1. providing you with our products and services;

2. providing you with information on products and campaigns from us, Shiseido Group and our third party business partners via emails, phone messages, postal mails and social networking services, including back-in stock notifications (where we have your consent or are permitted to do so under applicable law);

3. including you in our databases and collaterals for our sales and marketing opportunities and campaigns;

4. tailoring ads on our Platforms, social media platforms and elsewhere to your interest, use patterns and history with us;

5. allowing you to purchase products and services offered for sale, including establishing an account for checkout purposes;

6. ensuring the quality of products and services we provide to you;

7. facilitating your transactions with us;

8. administering your accounts with us;

9. sending you product samples and/or products;

10. keeping you informed of updates, changes, and developments relating to us and our services;

11. notifying you about important changes to this Privacy Notice, and to our other policies or services;

12. providing you with personalized consultations (whether conducted in-person or remotely), and managing any related appointments;

13. responding to queries or feedback from you;

14. managing your comments and reviews on our products and services;

15. maintaining and operating the Platforms, and ensuring network and information security;

16. managing our administrative and business operations;

17. prevention and detection of fraud and any unlawful use of our Platforms;

18. ensuring business and disaster recovery (such as the creation of back-ups);

19. engaging third party business partners and data processors (whether located locally or overseas) for the purposes stated in this section;

20. performing customer profiling, market analysis, market surveys, and research to improve our product and service offerings to you;

21. for document and data retention or storage, record keeping, statistical analysis, internal reporting and research purposes;

22. preventing, detecting and investigating crime and analysing and managing commercial risks, or any complaints you make;

23. protecting and enforcing Shiseido's (including its affiliates and personnel) contractual and legal rights and obligations;

24. safeguarding the interests of Shiseido in the event of any claim, litigation or suits;

25. the legitimate interests of Shiseido or any other person, in accordance with applicable law;

26. complying with applicable legal requirements, relevant industry standards and our policies or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority;

27. processing payment or credit transactions;

28. any other purposes for which you have provided the information; and

29. any other purposes which are reasonably related to the above or for the performance of our obligations in the course of or in connection with the provision of our product and services offerings to you.

Where you do not provide Personal Data which are required for our legal compliance, or under the terms of a contract we have with you, we may not be able to comply with our legal obligations or perform the contract we have or are trying to enter with you (e.g., to provide you with our products or services).

4. WITHDRAWAL OF CONSENT, ACCESS, CORRECTION, ETC.

Where you have provided consent, if you wish to withdraw your consent to receive information on new products and campaigns, or any other services, you may do so by:
1. unsubscribing from our Platforms;
2. clicking the “Unsubscribe" link in the email(s) we send to you;
3. contacting our Data Protection Officer at the email address below; or
4. writing to us at the address below.
You may also withdraw your consent and request us to stop collecting, using, disclosing and/or processing your Personal Data for any or all of the purposes listed above in Section 3 by: (a) contacting our Data Protection Officer at the email address below; or (b) writing to us at the address below. Please note that if you choose to withdraw your consent to our use, disclosure, transfer and/or processing of your Personal Data, we may not be able to provide you with some or all of our services for the purposes you have consented to or you may not be able to use our Platforms. Please note that withdrawing consent does not affect our right to continue to collect, use and disclose Personal Data where such collection, use and disclosure without consent is permitted or required under applicable laws.

You agree to only submit Personal Data which is accurate and not misleading and to keep it up to date. We may verify the Personal Data provided by you as part of our user verification processes or as required under applicable law.

You also have the following rights under the applicable law in relation to your Personal Data:
1. Request access. You have the right to access or obtain a copy of your Personal Data and check whether we are processing your Personal Data lawfully.

2. Request to rectify. You can ask us to rectify the Personal Data in our possession to be updated, accurate and complete.

3. Request to port. You have the right to obtain Personal Data in electronic format and request us to send or transfer such data to another data controller.

4. Right to object. You have the right to object to the processing of your Personal Data in certain circumstances, including where we are processing your Personal Data for direct marketing purposes.

5. Request to restrict. You have the right to request that we suspend the use of your Personal Data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to retain the data even if we no longer require it as you need the data to establish, exercise or defend legal claims; or (d) if you have objected to our use of your data but we need to retain the date to verify whether we have overriding legitimate grounds to use it.

6. Request to delete. You have the right to ask us to delete, destroy or anonymize your Personal Data.

7. Lodge a complaint. You have the right to make a complaint at any time to the competent data protection authority for data protection issues.

If you would like to exercise your rights regarding your Personal Data, please contact our Data Protection Officer at the email address below.

Please note that we may in accordance with applicable law, charge you a reasonable fee to process your access request. If so, we will inform you of the fee before processing your request. We will get back to you within the earlier of 30 days or the period stipulated under applicable law.

5. CHILDREN

Our Platforms are directed toward and designed for use by persons aged 10 or older. We do not intend to collect Personal Data from children under 10 years of age. We are not able to verify whether a Platform user is under 10 years of age and therefore, we recommend parents or guardians to be involved in the online activities of their children in order to consent to or prevent their children's Personal Data from being collected, used, disclosed and/or processed by us. In the event where we become aware that we have accidentally collected Personal Data from a child under the age of 10, we will remove that Personal Data from our records as soon as feasibly possible.

6. THIRD PARTY DISCLOSURE & TRANSFER

We do not disclose or transfer your Personal Data to third parties unless we have clearly asked for and obtained your consent to do so (except where permitted and authorised by law).

The Personal Data which you provide to us may be stored, processed, transferred between, and accessed from servers located in the United States (“USA”) and other countries. Some of these countries have laws and regulations which may not guarantee the same level of protection of Personal Data as Thailand. However, we will take reasonable steps to ensure that your Personal Data is provided a standard of protection and the appropriate safeguards are in place as required under applicable data privacy law and handled in accordance with this Privacy Notice, regardless where your Personal Data is stored or accessed from. We will request your consent where consent to cross-border transfer is required by law.

6.1 Disclosure to affiliated companies in the Shiseido Group
The Shiseido Group comprises a number of affiliated companies and legal entities located both within and outside Thailand. For additional information regarding our affiliated companies and legal entities, please see https://corp.shiseido.com/en/company/structure. We may disclose, where appropriate and to the extent necessary, your Personal Data to such affiliated companies and legal entities (including those in Japan and USA) for the purposes of corporate reporting, market research and analysis, supporting any actual or contemplated merger, reorganisation, restructuring, acquisition or similar corporate transaction or proceeding involving all or a portion of our business, customer relationship management and other related purposes, or for other purposes stated in Section 3 above. Please note that we provide our affiliated companies and legal entities with only the Personal Data they need for such purposes, and we require that they protect such Personal Data in accordance with the applicable laws and regulations and this Privacy Notice, and not use it for any other purpose.

6.2 Disclosure to third party business partners
We rely on third party business partners located both within and outside Thailand, to perform a variety of services on our behalf. In so doing, Shiseido may let them, where you have consented, to use your Personal Data for the marketing and promotion of our products, services or events that may be of interest to you, for market research and analysis, for customer relationship management, for the fulfilment of your orders for products and services purchased via the Platforms, or for other purposes stated in Section 3 above. Please note that we provide our third party business partners with only the Personal Data they need to perform their services and we require that they protect such Personal Data in accordance with the applicable laws and regulations and this Privacy Notice, and not use it for any other purpose.

Some of our third party business partners may act as a data controller in the course of delivering specific services to you. Your use of their services may be subject to conditions as may be agreed between you and them. Upon your acceptance of their services, the collection, use, disclosure, transfer and processing of your Personal Data in respect of their services will be subject to their applicable privacy notices. You must direct to them any queries or complaints relating to your use of their services.

Our Platforms may also contain links to third party websites, applications or services that are outside our control (even though they may display our logo or our trademarks). To the fullest extent permitted under applicable laws, we are not responsible for these websites’, applications’ or services’: (a) privacy practices and data policies; (b) use of cookies; (c) content or security; or (d) other acts and omissions. We would encourage you to review the privacy notices applicable to the third party websites, applications and services you use to determine how they will handle any Personal Data they collect from you.

6.3 Disclosure to third party data processors
We may use third party service providers (e.g., cloud service provider), located both within and outside Thailand, to help us maintain and operate the Platforms, to act on our behalf for the purposes stated in Section 3 above, as we may deem necessary to facilitate your dealings with us, and/or for other reasons related to the operation of the Platforms and Shiseido’s business (e.g. to manage the cloud servers), and they may receive your Personal Data for these purposes. We only provide them the Personal Data they need to provide these services on our behalf. We require these companies to protect the Personal Data in accordance with the applicable laws and regulations and this Privacy Notice, and to not use the information for any other purpose.

6.4 Other disclosure
We may use and disclose your Personal Data to perform your instructions and, as relevant, (a) comply with legislative and regulatory requirements; (b) protect, enforce and/or defend the rights and/or properties of Shiseido, and its customers and employees; and/or (c) take emergency measures for the purpose of securing the safety of customers, Shiseido, or the general public. This may result in us needing to share your Personal Data with any persons, government agencies, statutory authorities and/or industry regulators for the purpose of complying with applicable laws or regulations, and to anyone to whom Shiseido has transferred or may transfer its rights and duties (e.g. to prospective and actual investors and other relevant third parties in the event of a potential or completed sale or other corporate transaction related to Shiseido and/or any of its affiliates).

6.5 Digital and social media partners
In order to share content on or through social media, our Platforms may use functionalities, links or icons owned by our digital and social media partners. It may consist, for example, of the like or sharing buttons on social networks such as Facebook or Instagram. Such functionalities allow you to view content or share content, preferences and opinion on or in relation with our products and services. We are also using online tools such as Google, Facebook or Instagram (Google Analytics, Facebook Custom Audience or Conversion API) in order for us to optimize our ad targeting campaigns and ensure the delivery of advertising content that suits you best. The providers of these tools, functionalities, links or icons can directly identify you when you use it, or even if you do not use it but (i) you have an account to such social network or platform, or (ii) you are already known and identified by such providers. As soon as you view content or share content, preferences and opinion, our partners may connect your activities on our Platforms to other information they already own on you in their capacity as data controllers.

We may also use the lookalike functionalities (for example from Facebook) to build audiences similar to your profile in order to allow us or other brands of the Shiseido Group to target prospects that match your profile.

The above data processing is governed by our partners’ own privacy notices in their capacity as data controller. We strongly suggest that you visit and check the privacy notices of such online tools and to change your advertising or cookies preferences on those websites or platforms should you wish to opt out of advertising content.

7. SECURITY & PROTECTION

We maintain strict procedures, standards, and security arrangements to protect Personal Data in our possession or under our control. Upon receipt of your Personal Data, whether through physical or electronic means of collection, we will make the necessary security arrangements to protect such Personal Data as are reasonable and appropriate in the circumstances. Such arrangements may comprise administrative measures, physical measures, technical measures, or a combination of such measures.

When disclosing or transferring your Personal Data over the internet, we take all reasonable care to prevent unauthorised access to your Personal Data. However, no data transmission over the internet can be guaranteed as fully secure and you acknowledge that you submit information over the internet at your own risk.

Please note that any information you choose to share in public areas such as our Platforms' community features, or other social areas, is by definition considered as public and can be seen by anyone accessing the related platform.

8. RETENTION OF PERSONAL DATA

We may retain your Personal Data for as long as is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable law. After this period of time, we will destroy or anonymise any documents containing your Personal Data in a safe and secure manner.

9. GOVERNING LAW

This Privacy Notice is governed by Thai law.

10. CONTACT US

If you would like to access or correct any Personal Data which you have provided to us, submit a complaint in relation to your Personal Data, or have any queries about your Personal Data, please contact our Data Protection Officer by contacting us at datacontroller@shiseido.co.th or Data Protection Officer at dpo@shiseido.co.th. Alternatively, you may write to us at:

Attention: Data Protection Officer
SHISEIDO (THAILAND) CO., LTD.
No. 8 T One Building 23rd -24th Floor,
Soi Sukhumvit 40 Sukhumvit Road
Khwaeng Phra Khanong
Khet Khlong Toei
Bangkok 10110 THAILAND

Please note that to process your request, we may ask you for proof of identity.


Date: 1 December 2023