PRIVACY NOTICE

Data privacy is very important for H&M, and we want to be open and transparent about our processing of your personal data. 

We therefore have a policy that establishes how your personal data will be processed and protected.

Who controls your personal data?
The Swedish company, H & M Hennes & Mauritz GBC AB (“H&M”), controls the personal data you submit to us and is responsible for your personal data under applicable data protection law. 

H & M Hennes & Mauritz GBC AB
Mäster Samuelsgatan 46
106 38 Stockholm
Sweden

Companies register: Bolagsverket/Swedish Companies Registration Office
Company registration number: 556070-1715
Authorised representative: Karl-Johan Persson
VAT registration number: VAT NO. SE556070171501

Where do we store your data?
The data that we collect from you is stored within the European Economic Area (“EEA”), but may also be transferred to and processed in a country outside of the EEA. Any such transfer of your personal data will be carried out in compliance with applicable laws.

For transfers outside the EEA, H&M will use Standard Contractual Clauses and Privacy Shield as safeguards for countries without an adequacy decision from the European Commission.

Who has access to your data?
Your data may be shared within the H&M group (for details on the companies within the H&M group, please refer to our annual report which may be found at about.hm.com). The local H&M company will only act as  the personal data processor and processes the personal data on behalf of the Swedish company.

We never pass on, sell or swap your data for marketing purposes to third parties outside the H&M group. Data that is forwarded to third parties, is only used to provide you with our services. You will find what categories of third parties under every specific process below.

What is the legal basis for processing personal data?
For every specific processing of personal data that we have collected from you, we will inform you whether the provision of personal data is statutory or required to enter a contract and whether it is an obligation to provide the personal data and possible consequences if you choose not to.

What are your rights? 
Right to access: 
You have the right to request information about the personal data we hold about you at any time. Contact H&M to receive your personal data via email.

Right to portability: 
Whenever H&M processes your personal data by automated means based on your consent or based on an agreement you have the right to get a copy of your data in a structured, commonly used and machine-readable format transferred to you or to another party. This only includes the personal data you have submitted to us.

Right to rectification: 
You have the right to request rectification of your personal data if it is incorrect, including the right to have incomplete personal data completed. 

If you have a H&M account or Club membership, you can edit your personal data under your account and membership pages

Right to erasure:
You have the right to erase any personal data processed by H&M at any time, except for the following situations:

*you have an ongoing matter with Customer Service
*you have an open order which has not yet been shipped or partially shipped
*you have an unsettled debt with H&M, regardless of the payment method
*you are suspected of misuse of or have misused our services within the past four years
*your debt has been sold to a third party within the last three years or one year for deceased customers
*your credit application has been rejected within the last three months
*you have made any purchase, whereby we will keep your personal data in connection with your transaction in accordance with bookkeeping rules

Your right to object to processing based on legitimate interests: 
You have the right to object to the processing of your personal data that is based on H&M:s's legitimate interests. H&M will not continue to process your personal data unless we can demonstrate a legitimate basis for the process which overrides your interests and rights or due to legal claims

Your right to object to direct marketing:
You have the right to object to direct marketing, including profiling analyses conducted for direct marketing purposes.

You can opt out of direct marketing by the following means:
* following the instructions in each marketing mails
* editing the settings of your H&M account

Right to restriction:
You have the right to request that H&M restricts the processing of your personal data under the following circumstances:

*if you object to the processing based on H&M:s's legitimate interests, H&M shall restrict all processing of such data pending the verification of the legitimate interests.
*if you claim that your personal data is incorrect, H&M must restrict all processing of such data pending the verification of the accuracy of the personal data.
*if the processing is unlawful, you can oppose the erasure of personal data and instead request the restriction of the use of your personal data.
*if H&M no longer needs the personal data but is required to keep it to defend legal claims.

How can you exercise your rights?
We take data protection very seriously and therefore we have dedicated customer service personnel who handle your requests in relation to your rights stated above. You can always reach them at dataprotection.ca@hm.com.

Data Protection Officer:
We have appointed a Data Protection Officer to ensure that we continuously process your personal data in an open, accurate and legal manner. You can contact our Data Protection Officer at dataprotection.ca@hm.com and write DPO as subject matter.

Right to complain to a Supervisory Authority: 
If you believe H&M has processed your personal data incorrectly, you can contact us. You also have the right to submit a complaint to a supervisory authority.

Updates to our Privacy Notice:
We may need to update our Privacy Notice. The latest version of the Privacy Notice is always available on our website. We will communicate any material changes to the Privacy Notice, for example the purpose of why we use your personal data, the identity of the Controller or your rights.

Please read our full  Privacy Notice.