5.HOW DO WE PROCESS YOUR PERSONAL DATA?
5.1 What modalities do we use to Process your Personal Data?
The Processing of your Personal Data is carried out, electronically and manually, only within the limits necessary to pursue the purposes outlined above.
We undertake to protect your Personal Data. All Personal Data provided by you is kept on secure servers, adopting adequate security measures to protect Personal Data from non-authorized access, to maintain the accuracy of Personal Data and guarantee the proper use of information.
5.2 We disclose your Personal Data to other Affiliates of the Group
EssilorLuxottica is a global organization with offices and operations throughout the world and most of your Personal Data relating to is stored and Processed within a range of global applications that is used globally by the Affiliates of EssilorLuxottica.
We may disclose your Personal Data to certain Affiliates of the EssilorLuxottica Group, based on your preferences and interests about these Affiliates their brands, for the purposes set out in this Privacy Notice, in each case in or outside your country, as permitted and required by applicable law and/or in other circumstances with your consent.
We may also disclose your Personal Data for our internal business purposes.
5.3 Is your Personal Data sold, shared or disclosed?
a) Vendors and/or Service Providers
We may disclose your Personal Data with our vendors and/or service providers entrusted with Processing activities that provide services or assistance and advice to us, with special – but not exclusive – reference to technology, accounting, administrative, legal, insurance, IT, marketing, customer service, Data Subjects’ requests management, data analysis matters.
Each vendor and/or service provider will act as a Data Processor, on behalf of and in accordance with the instructions received from us, by virtue of a specific agreement in place per applicable legislation, which sets out its obligations and guarantees the implementation of appropriate technical and organizational measures to respect the applicable legislation and the protection of your rights.
We require that any such vendor and/or service provider is subject to strict control and implements appropriate guarantees of security and confidentiality of your Personal Data.
b) Sale or merger of business
We may also disclose your Personal Data:
- in the event that we sell any business or assets, or in anticipation of these events, in which case we may disclose your Personal Data to the prospective purchaser of such business or assets; or
- if we sell, buy, merge with, are acquired by, or partner with other companies or businesses, or sell some or all of our assets. In such transactions, your Personal Data may be among the transferred assets.
We may disclose all of the information we collect in connection with a substantial corporate transaction, such as the sale of a website, a merger, consolidation, asset sale, or in the unlikely event of bankruptcy.
c) Legal process
We may disclose your Personal Data to any authority, court, administrative body, or other authorized third party (including, without limitation, counsel), where the disclosure of Personal Data is required by law, regulation or court order or where such disclosure is necessary for the protection and defense of our rights.
d) Other instance
We may ask if you would like to disclose your information with other third parties who are not described elsewhere in this Privacy Notice. We may, from time to time, contact you on behalf of external business partners about a particular offering that may be of interest for you. In those cases, without your consent, your Personal Data would not be transferred to the third party.
The abovementioned Recipients will Process your Personal Data as Data Controllers, Data Processors or persons in charge of Processing, depending on the circumstances.
More information on the categories of Data Processors is available on request, that can be forwarded to us at the contact details set out in section 9 below.
e) Sale and sharing (applicable to residents of certain US states)
We use cookies and tracking technologies to display advertisements about our products to you on nonaffiliated websites, applications, and online services and to advance our commercial and economic interests. When we engage in those activities, we sell Personal Data (i.e., information from cookies including unique personal identifiers) to advertising networks, data analytics providers, and social media networks.
5.4 Is your Personal Data transferred across the border?
Given the presence of EssilorLuxottica in many countries around the world and to provide you with personalized service worldwide, some of your Personal Data may be collected, accessible or stored outside your country of residence.
As a result of the above, your Personal Data may be accessed and/or transferred to countries which do not have equivalent data protection laws to those required within the European Economic Area (EEA).
In such cases, EssilorLuxottica ensures that, at all times, appropriate safeguards are implemented to ensure that your Personal Data is Processed in accordance with applicable legislation. In this respect, where your Personal Data is Processed by another EssilorLuxottica entity, the safeguards are based on the commitments taken on the basis of (ii) a dedicated transfer agreement binding upon the EssilorLuxottica entity involved in the Processing and (ii) a set of common rules applicable through the EssilorLuxottica Group Data Protection Policy.
Where your Data is Processed by EssilorLuxottica entities or third parties located outside the European Economic Area, EssilorLuxottica ensures that specific contractual protection is implemented to ensure that this requirement is addressed in accordance with the applicable legislation.
For further information regarding the appropriate or suitable safeguards and the means by which to obtain a copy of them, you can contact us with the modalities as per this Privacy Notice.
5.5 For how long do we retain your Personal Data?
We retain all or part of your Personal Data for the time strictly necessary for the reason:
(a) to meet applicable statutory requirements for data retention,
(b) to meet and comply with our legal and/or contractual obligations,
(c) for as long as necessary to carry out each of the purposes mentioned in this Privacy Notice, including for the purposes of satisfying any legal, accounting, reporting requirements.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we Process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In particular, we hereby specify that your Personal Data will be retained for a period of 10 years for our contractual and legal purposes (e.g., including such as invoicing and accounting purposes), save for the circumstances in which applicable laws may provide for different retention requirements.
In any case, please note that, as general rule, within EssilorLuxottica, retention and archiving of Personal Data will not exceed 10 (ten) years overall calculated as of the first record and/or consent renewal and/or any other relevant interaction, exception made for further legal hold obligations.
In some circumstances we may anonymize your Personal Data so that it can no longer be associated with you, in which case we may use such information without further notice to you, such as for statistical analysis, monitoring and/or enhancing our medical devices, R&D purposes, training AI models, etc.
For any additional information on the retention of your Personal Data, you can contact us at the email address set out in section 9 of this Privacy Notice.
5.6 We keep your Data safe, updated and accurate
EssilorLuxottica has a responsibility for the security and accuracy of the Personal Data that it Processes about you and also for keeping Data up to date. EssilorLuxottica has taken steps to eliminate duplicate copies of Data and to facilitate updating of Data that may change over time.
5.7 Children’s Personal Data and other sensitive Personal Data
EssilorLuxottica does not collect, sell, or share Personal Data of consumer under 16 years of age. We do not use sensitive Personal Data for purposes other than those allowed by applicable legislation.
6. HOW DO WE PROTECT YOUR PERSONAL DATA?
EssilorLuxottica regards the protection of Personal Data as an essential priority.
In this respect, EssilorLuxottica has implemented appropriate measures and safeguards to protect the Personal Data it Processes.
This is reflected in EssilorLuxottica’s procedures described in the EssilorLuxottica Group Data Protection program, guidelines and policies and in the actual technical, organizational and security measures implemented throughout the Group.
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only Process your Personal Data on our instructions, and they are subject to a duty of confidentiality. These measures range from technical security measures that protect IT systems to the physical security measures employed at EssilorLuxottica sites. EssilorLuxottica also requires its staff to participate in information security trainings. Details of these measures may be obtained from the Group Information Security Department by sending us the relevant requests to the contact details set out in section 9 below
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7. YOUR RIGHTS
You can exercise any of the following rights, subject to verification of your identity where necessary:
a) Right of Information and Access
You may request the confirmation of the existence of your Personal Data and to be informed of its content and source and obtain a copy of those Personal Data which our databases currently contain.
b) Right to Rectification
You may request to rectify what Personal Data our databases currently contain. We may not accommodate a request to change Personal Data if we believe the change would violate any law or legal requirement or cause the information to be incorrect.
c) Right to Restriction of the Processing
When applicable, you may restrict the Processing of your Personal Data. When such restrictions are not possible, we will advise them accordingly. You can then choose to exercise any other applicable rights under this Privacy Notice, including withdrawing your consent to the processing of your Personal Data.
d) Right to Object to the Processing
When applicable, you have the right to object to the Processing of your Personal Data on grounds relating to your particular situation, if the Processing is based on our legitimate interest. In addition, you have the right to object at any time to Processing where Personal Data are Processed for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing, and to object to any automated decision-making.
When such objections are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Notice, to include withdrawing your consent to the Processing of your Personal Data.
e) Right to Erasure
If you wish to have your Personal Data deleted, then you may submit a request. Upon receipt of such a request for erasure, we will confirm receipt and confirm once your Personal Data have been deleted.
f) Right to Data Portability
Upon request and when possible and where applicable by local laws, we can provide to you with copies of your Personal Data. When such a request cannot be honoured, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Notice, including withdrawing your consent. Where applicable, we will ensure such changes are shared with any trusted third parties.
g) Right to Withdraw Your Consent
Where Processing is based on consent, you may withdraw your consent at any time to the Processing of your Personal Data. Upon receipt of such a withdrawal of consent, we will confirm receipt and proceed to stop Processing your Personal Data.
h) Right to Lodge a Complaint with the Relevant Data Protection Supervisory Authority
If you are not satisfied with the way we Process your Personal Data and/or responds to a request to exercise the rights you have exercised, you can lodge a complaint with the relevant data protection competent supervisory authority.
We do not Process Personal Data for the purpose of profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.
Additional US State Rights
Depending on which US state in which you reside or are located, you may have certain additional rights regarding your Personal Data. We will verify your identity either to a “reasonable degree of certainty” or “reasonably high degree of certainty” depending on the sensitivity of the Personal Data, the risk of harm to you by unauthorized disclosure, deletion, or correction, and as required by applicable law. To do so, we will ask you to verify data points based on information we have in our records concerning you. If you are submitting a request on behalf of an individual, please submit the request through one of the designated methods listed below
a) Right of Information and Access
In addiction of the point A. of this paragraph, you may request the access to the categories of Personal Data, the categories of sources from which we collected Personal Data, the business or commercial purpose for collecting, selling, or sharing Personal Data (if applicable), the categories of third parties to whom we disclose Personal Data (if applicable), and the specific pieces of Personal Data we collected about you.
b) Right to Opt Out of Sale or Sharing (Targeted Advertising)
You have the right to opt out of the sale or sharing of your Personal Data. You may submit a request to opt out of a sale or sharing by clicking here. If you have enabled privacy controls on your browser (such as a plugin), we will also treat that as a valid request to opt out. Please see the Universal Opt-Out Mechanism section for more information.
c) Right to Limit Our Use or Disclosure
If we use or disclose sensitive Personal Data for purposes other than those allowed by applicable law, then you may submit a request to limit our use of disclosure of your sensitive Personal Data.
d) Right Not to Receive Discriminatory Treatment
You have the right not to receive discriminatory treatment by the business for the exercise of your privacy rights.
