PRIVACY POLICY

FOR THE PHYSICAL AND DIGITAL WORLDS
Effective Date

Table of Contents

1. WHAT IS COVERED BY THIS PRIVACY POLICY AND DO OTHER POLICIES APPLY TO YOU?

This privacy policy covers situations where we, Kering Foundation, access, collect, store process, use, disclose or transfer your personal information in paper or electronic form. It also covers situations where approved partners or other members of Kering use your personal information on our behalf.

In some cases, other policies apply to you. It may be the case when you use certain products or services, and in this event:

  • You will be notified of these other policies while using the services they apply to.
  • Such policies will supersede this privacy policy unless they expressly refer to it.

This privacy policy does not cover products or services you might use as provided by other companies acting on their own account.

2. WHO COLLECTS & USES YOUR PERSONAL INFORMATION?

We, Kering Foundation, act as the “data controller”, which means that we determine “why” and “how” your personal information is collected and used. We are a French Corporate Foundation governed by Law No. 87-571 of July 23, 1987 as amended, and published in the Journal Officiel de la République Française legal gazette dated August 23, 2008, located in 40 RUE DE SEVRES 75007 PARIS FONDATION D'ENTREPRISE.

To be able to deliver our services to you, we need to share your personal information with approved partners or other members of Kering who generally act as our “data processors”. All are bound by an obligation to implement appropriate security measures to protect personal data in their possession, and are bound by a strict confidentiality agreement and specific contractual terms on “how” and “when” they are allowed to use your personal information on our behalf.

Please be aware that certain approved partners, such as social medias, could also determine “why” and “how” your personal information is used. They have their own privacy and cookies policies, so remember that the personal information you give them will be subject to their rules and not ours.

3. WHY DO WE COLLECT YOUR PERSONAL INFORMATION?

Kering Foundation will collect, hold, use and disclose your personal information for the purposes described in this section. The processing of your personal information will comply with your privacy legislation and rely on the legal bases set out in this section.

If you would like more information on the purposes and legal bases, you can contact us at privacy@kering.com (or see How can you contact us?).

  • To enable you to receive relevant information about our activity.

You will receive information and updates about us either at your request (with your prior consent where required by law) or when we are authorised by law to send you such information and updates directly. Such communication can be global or local, and may include updates about our activity, invitations to events, offers, surveys, etc.

  • To send you non-marketing communications.

Communications may be sent upon your request, and/or may be important for your safety and the security of your personal information.

You may still receive such communications even when you opt-out from certain communications. The information communicated may be necessary for the correct performance of our contract with you or be mandatory to comply with some of our legal obligations.

  • To conduct our business securely and protect our activities.

To comply with some of our legal obligations, we will implement fraud prevention and detection measures. Such measures will allow us to adequately perform our contract with you and/or protect our legitimate interests in defending ourselves against fraud.

  • To assess and better understand our activity.

To manage our activities and comply with our legal obligations, we may need to access and use some of your personal information for finance, management or legal purposes.

In certain limited circumstances, such activity may be based on our legitimate interest when related to business analytics & market research activities.

  • To optimise and manage our website and other means of communication.

We may take certain measures involving the use of your personal information to administer, optimise and improve our means of digital or physical communications such as our website.

The use of your personal information will allow us to perform our contractual obligations or improve our services in accordance with our legitimate interest. Of course, when we use cookies or other online advertising technologies, your prior consent will always be required.

4. WHAT PERSONAL INFORMATION DO WE COLLECT?

When you interact with us or our approved partners, you may provide us with the following categories of personal information (that may include sensitive information in accordance with applicable legislation).

  • A. Identifiers & personal information

This set of personal information enables us to identify you, provide you with assistance and, in some cases, to contact you, including by sending you information, on the ground of the legal bases set out in this privacy policy.

  • B. User-generated content

This set of personal information enables you to provide us with personal information relating to you or to third parties. In certain circumstances it enables us to contact you.

  • C. Technical, electronic & localisation information

This set of personal information enables better delivery of the service you expect from us.

It could include personal information related to your interactions with us and conduct our activity securely, assess and better understand our activity, and optimise and manage our website and other means of communication.

  • D. Additional information for Californian residents

    • Characteristics of classes protected under federal or California law
    • Categories of information collected over the past 12 months

Please note that the categories mentioned in this section What personal information do we collect? also represent the categories of personal information that we have collected over the past 12 months.

5. WHEN DO WE COLLECT YOUR PERSONAL INFORMATION?

When you interact with us, either online or in person, you may share with us your personal information when:

  • A. You interact with us or seek advice and share personal information through our websites, our social media pages, at events or through our services;
  • B. You use your device to browse activity across different websites;
  • C. Your information is shared with us by our approved partners, with your prior consent where required.

6. HOW DO WE COLLECT YOUR PERSONAL INFORMATION?

We mainly obtain information directly from you and process them by automated means when you interact with us. When you interact with us, either online or in person, we collect your personal information through:

  • A. Our team when you share personal information with us;
  • B. Our website, by completing surveys, registration processes or forms. We may also use cookies or other online advertising technologies for this purpose;
  • C. From third-party sources such as social media.

7. WHO ARE OUR THIRD-PARTY SOURCES?

We mainly obtain information directly from you. From time to time, we may also obtain information on you from third-party sources.

We will only gather such information when the third parties either have obtained your consent or are otherwise legally allowed to share such information. In certain limited circumstances, some third parties may be required to disclose your personal information to us.

For more information on our sharing of information with these third-party sources, please refer to the section With whom do we share your personal information?

8. SHOULD YOU ALWAYS SHARE YOUR PERSONAL INFORMATION WITH US?

You may not always be required to provide us with the personal information that we are asking you for: any personal information that is required is clearly marked as mandatory.

When you do not wish to share certain personal information with us, you may simply not provide it to us, or opt-out of the processing of your personal information when this option is offered to you.

However, if you choose not to provide certain personal information, you may not be able to benefit from some of our services for which the provision of such personal information is necessary.

We may ask you to provide us with personal information to meet certain legal requirements. In such cases, we will notify you in due time and advise you as to whether your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).

9. FOR HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION?

Our general approach is to retain your personal information only for as long as it is needed.

  • A. When you interact with the personal information you have shared with us (including personal information shared by mail, chat or text message or when our interaction is transcribed) for 5 years from the last interaction you initiated with us.
  • B. When we use cookies or other online advertising technologies, your consent shall only be valid for a maximum period of 13 months.

We may retain personal information for a shorter or longer time, for instance, where we are obliged to do so in accordance with relevant legal, tax and accounting requirements.

Additional information for South Korean residents:

We may retain certain personal information in accordance with the following legal requirements:

  • Records on contracts and withdrawal of subscriptions: 5 years (as required under the Act on Consumer Protection in Electronic Commerce Transactions)
  • Records on consumer complaints and processing of disputes: 3 years (as required under the Act on Consumer Protection in Electronic Commerce Transactions)
  • Records of log-ins: 3 months (as required under the Protection of Communications Secrets Act)

10. HOW DO WE PROTECT YOUR PERSONAL INFORMATION?

We, Kering Foundation, are strongly committed to keeping your personal information safe.

To do so, we design our services with your safety in mind. Within our group, we have dedicated teams managing and ensuring the security and privacy of your personal information. We have adopted specific technical and organisational security measures to protect personal information against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access.

For example, whenever personal information is passed between your device and our servers, we ensure that it is encrypted using Secure Sockets Layer (“SSL”) and/or other security methods. We implement Hyper Text Transfer Protocol over Secure Socket Layer (“HTTPS”) in order to protect your connection to our website. All your personal information is stored on secured servers.

We have also established a specialised personal information security management system. For example, we strictly control the scope of authorisation of our employees who have access to the personal information that we collect and process. We regularly review our information collection, storage and processing practices, including physical security measures, to guard against any unauthorised access and use.

We conduct security and privacy protection training courses and tests on a regular basis to enhance our employees’ awareness of the importance of protecting personal information. We take commercially reasonable steps to make sure that our business partners and third-party service providers are able to protect your personal information. Our employees and those of our business partners and third-party service providers who have access to your personal information are subject to enforceable contractual obligations of confidentiality and specific contractual privacy provisions.

In the event of a security incident resulting in any breach of personal information, as qualified by law, we have an emergency response plan in place to prevent the expansion of such security incidents. In addition, we will report such personal information breach to the relevant supervisory authority as required by applicable law, and inform you via an appropriate channel as and where required by applicable law.

However, you should be aware that no service can be completely secure, and you play a key role in keeping your personal information safe. For the best possible protection of your personal information outside the limits of our control, your devices should be protected (e.g. by updated antivirus software) and your internet service providers should take appropriate measures for the security of personal information transmission over the network (e.g. with firewalls and anti-spam filtering). You accept the inherent security implications of interacting over the Internet and will not hold us or our partners responsible for any security incident or breach of personal information unless it is due to our negligence.

If you have any concerns that your personal information has been put at risk, please contact us as soon as possible.

11. WHERE DO WE STORE YOUR PERSONAL INFORMATION?

We operate globally and may transfer your personal information to other companies within Kering or to approved partners in locations around the world. We want you to have the best service and customer experience, whether online or in person all over the world. For this purpose, we may have to share your personal information outside the country where you have first shared it with us. When we do so, it will always be for the purposes described in this privacy policy and where we are satisfied with the levels of protection and security implemented in compliance with applicable privacy legislation. This sharing of your personal information is necessary to enable us to perform the contracts we have with you or take steps at your request, prior to entering into a contract, in order to offer you a global customer experience.

In most cases, the personal information we collect from you will be stored in servers located in the European Union or Switzerland. However, this may vary depending on the country in which the information is collected or applicable legislation. For more information about the location where your personal information is stored, you can contact us at privacy@kering.com (or see How can you contact us?).

We want to ensure that your personal information is always safely used and available to you, wherever you want to access it and for whatever reason you wish to use it.

When we share, use or transfer personal information in particular from the European Union, we use standard contractual clauses approved by the European Commission, or put in place other measures under applicable privacy legislation, to ensure that such transfer provides adequate safeguards. You can contact us at privacy@kering.com (or see How can you contact us?) for more information about these safeguards including how to obtain copies of this information.

12. DO WE SELL YOUR PERSONAL INFORMATION?

We do not sell your personal information and have not done so in the past 12 months.

We may allow selected third parties (such as approved advertising partners) to collect your personal information via automated technologies on our websites (see “Do we use cookies or other online advertising technologies?“) in an effort to provide you with content and advertisements that may be of interest to you and on the legal bases set out in this privacy policy.

However, to the extent our transfers of your personal information to certain third-parties may be interpreted as a “sale” under California privacy law, if you are a Californian resident you have the right to opt out of that sale.

If you are a Californian resident, you also have the right to opt out of such disclosure of your information for online interest-based advertising purposes.

Californian residents’ rights are further described in the section: “Information for Californian residents” under the provision attached to the following question: “What are my rights regarding my personal information?

13. WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

We may share and disclose your personal information for business purposes with the categories of recipients listed below. We may also receive personal information about you from some of them as our third-party sources. If you would like more information about the sharing of your personal information, including the list of recipients, please contact our privacy team and Data Protection Officer at privacy@kering.com (or see How can you contact us?).

  • A. Approved partners acting as service providers

    To use your personal information, we rely on approved partners. All approved partners are bound by an obligation to implement appropriate security measures to protect personal data in their possession, and bound by a strict confidentiality agreement and specific contractual provisions on “how” and “when” they are allowed to collect and use your personal information. Your personal information may be accessible to the following authorised personnel on a need-to-know basis:

    • Kering and other affiliates of our group
    • Communication providers and social networks
    • IT service providers
    • Audit, law firms and similar corporate professional service providers, data analysis providers

  • B. Approved partners acting also on their own account

    To use some of your personal information (see “Why do we collect your personal information”), we rely on approved partners. Certain approved partners may be able to determine “why” and “how” your personal information is used.

    • Certain social medias such as Facebook & Instagram pages, in accordance with Facebook Page Insights Data Policy and Twitter in accordance with Twitter Data Policy

  • C. Actual or potential buyers as part of a business transfer

    We may disclose your personal information to an actual or a potential buyer (and its agents and advisers) in relation to any actual or proposed divestiture, merger, acquisition, joint venture, bankruptcy, dissolution, reorganisation, or any other similar transaction or proceeding in compliance with applicable laws and regulations. Where this is required, we will take steps to minimise any data that is shared.

  • D. Law enforcement body, regulatory body, government agency, court, lawyers to comply with laws and defend our rights and interests

    We may disclose your personal information to any competent law enforcement body, regulatory body, government agency, court or other third party where we believe disclosure is (i) required as a matter of applicable law or regulation, (ii) necessary to exercise, establish or defend our legal rights, or (iii) necessary to protect your interests or those of any other person, and on the legal basis set out in this privacy policy. Where this is required, we will take steps to minimise any data that is shared.

  • E. At your request or for our legitimate interest or compliance with laws and regulations

    We may disclose your personal information to any other person: with your consent; where we have an overriding legitimate interest (on balance with your interests) to do so; or where we have a legal or regulatory obligation to do so.

14. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL INFORMATION?

Subject to your applicable privacy legislation, you may be entitled to one or more of the following rights and exercise them on your own or via a legal representative acting on your behalf. We, Kering Foundation, are committed to protecting your rights and allowing you to exercise them. You will never be discriminated against when you exercise your right in good faith under any applicable privacy law.

If you need any further information regarding your rights, how to exercise any of your rights, or if you have any complaints or questions regarding our privacy practices, please contact our privacy team and Data Protection Officer at privacy@kering.com.

  • A. Right of access, rectification and erasure

Under certain circumstances you may have the right to request access to and obtain a copy of any of your personal information that we may hold. Such right of access also includes the right to receive information in particular about the purposes of the processing, the categories of personal information concerned, the categories of recipients to whom your information may be disclosed, and the envisaged period for the retention of your information.

You may also request correction of any inaccurate personal information relating to you and to request the deletion of your personal information. You can see and update most of this personal information yourself online, or by contacting our customer services, or by emailing our privacy team at privacy@kering.com.

Specifically, subject to your applicable privacy legislation, your right of access may include:

  • the right to request whether and how your personal information is processed and whether it has been shared with a third party in the preceding 12 months, in particular if you are an Aruban resident

  • the right to obtain confirmation that we process personal information about you, to request information about the public and private entities with whom we have shared your personal information, and to request information about the possibility of denying consent and the consequences of such denial, in particular if you are a Brazilian resident.

  • if we cannot satisfy your request for correction, the right to request that a statement of correction be attached to your information noting that a correction has been sought but not made, in particular if you are a resident of New Zealand.

  • the right to be informed of any disclosure of inaccurate personal information about you, in particular if you are a resident of Qatar

Where processing of your personal information is based on your consent, you have the right to withdraw it at any time. For example, if you no longer wish to receive electronic communications, you can use the ‘unsubscribe’ link provided in our emails or contact us directly and we will stop sending you communications. Please note that the withdrawal of your consent will not affect the lawfulness of processing based on your consent as carried out before such withdrawal.

  • C. Right to personal information portability

Under certain conditions, you may have the right to receive personal information you have provided to us within a structured, commonly used and machine-readable format, and also to require us to transmit it to another data controller where this is technically feasible.

  • D. Right to restriction of processing

Subject to privacy legislation applicable to you, you may have the right to restrict our processing of your personal information in particular where:

    • you contest the accuracy of the personal information (until we have taken sufficient steps to correct or verify its accuracy);
    • the processing is unlawful, but you do not want us to erase the personal information;
    • we no longer need your personal information for the purposes of the processing, but you require such personal information to establish, exercise or defend legal claims; or
    • you have objected to processing that has been justified on legitimate interest grounds, pending verification as to whether we have compelling legitimate grounds to continue processing.

Where personal information is subject to restriction in this way, we will only process it with your consent or to establish, exercise or defend legal claims, in accordance with local legislation.

Specifically, subject to your applicable privacy legislation, your right to restriction of processing may include:

    • the right to request the anonymization, blocking or deletion of any unnecessary or excessive personal information or personal information processed unlawfully, in particular if you are a Brazilian resident.
    • the right to request us to stop transferring your personal information to a third party, in particular if
      you are a Vietnamese resident.

  • E. Right to object to processing

Where we rely on legitimate interest to process personal information, you may have the right to object to that processing. In this case, we must stop using your personal information for that purpose unless we can either demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms or where we need to process the personal information in order to establish, exercise or defend legal claims. Where we rely on legitimate interest as a justification for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.

If you are a resident of the United States or Guam, please also see Specific information on text and instant messages for residents of the United States or Guam residents.

  • F. Deceased person rights to privacy

To exercise rights on behalf of a deceased individual, you may be required to provide us with proof that you are an immediate family member or executor of the deceased person. Subject to applicable privacy laws, we may not be able to support your request. Please be informed that under certain laws (for example in France), you can define directives relating to the storage, erasure and communication of your personal information after your death.

  • G. Specific information for Californian residents

Your rights
If you are a Californian resident, subject to certain conditions and limitations, you may have the following rights with respect to personal information about you:

  • A. Right of access - You may be entitled to request that we disclose to you personal information we have collected about you, in the preceding 12 months, the categories of sources from which the information was collected, the purposes of collecting the information, the categories of third parties we have shared the information with, and the categories of personal information that have been shared with third parties for a business purpose.

  • B. Right of data portability – In some instances, you may have the right to receive the information about you in a portable and readily usable format.

  • C. Right to have personal data erased – Subject to certain conditions, you may be entitled to request that we delete personal information about you. We will not delete personal information about you when the information is required to fulfill a legal obligation, is necessary to exercise or defend legal claims, or where we are required or permitted to retain the information by law.

If you chose to exercise any of these rights, we will not discriminate against you on the basis of choosing to exercise your privacy rights. We may, however, charge a different rate or provide a different level of service to the extent permitted by law.

Sale of your personal information

As set out in the section Do we sell your personal information?, we do not sell your personal information nor have we done so in the past twelve months. We may allow selected third parties (such as approved advertising partners) to collect your personal information via automated technologies on our websites in an effort to provide you with content and advertisements that may be of interest to you and on the legal bases set out in this privacy policy.

However, to the extent our transfers of your personal information to certain third-parties may be interpreted as a “sale” under California privacy law, you have the right to opt out of that sale of your personal information. Please note that we will still share your information in ways that are not a “sale,” such as with our service providers, for our own online advertising purposes.

For information about how to manage cookies and opt out of online interest-based advertising, please review your browser or see our section “Do we use cookies or other online advertising technologies?“. Your opt-out of interest-based advertising on your browser will be specific to the web browser or device you use at the time you exercise your opt-out rights; if you use multiple web browsers or devices, you will need to opt-out from each browser and device. Opting-out of the use of your information for interest-based advertising purposes does not mean you will stop seeing ads, including interest-based ads.

If you are a Californian resident you also have the right to submit a Shine the Light Request: you may have the right to request that we provide you with a list of certain categories of personal information we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year, as well as the identity of those third parties.

Verification of your request

Before providing you with the above rights, we must be able to verify your identity. In order to verify your identity, you will need submit information about yourself, including, to the extent applicable, providing your account login credentials or other account information, answers to security questions, your name, government identification number we already have on file, date of birth, contact information, or other personal identifying information. We will match this information against information we have previously collected about you to verify your identity and your request. To the extent you maintain an account with us, we will require you to login to that account as part of submitting your request. If we are unable to verify your identity as part of your request, we will not be able to satisfy your request. We are not obligated to collect additional information in order to enable you to verify your identity. For deletion requests, you will be required to submit a verifiable request for deletion and then to confirm separately that you want personal information about you deleted.

How to make your request

You may make one request per calendar year. In your request, please attest to the fact that you are a Californian resident and provide a current California address for your response. You may request this information in writing by contacting us at privacy@kering.com or calling our toll-free number + 1 646 889 1945.

When can you expect to hear from us

We will confirm receipt of your request within 10 business days and provide information about how we will process the request, including the verification process and expected response time. Please allow up to forty-five (45) days for a response, from the day the request is received. We may require an additional forty-five (45) calendar day extension.

*Additional Information: to the extent permitted by applicable law, we may charge a reasonable fee to comply with your request. This statement is available in alternative formats upon request. Please contact privacy@kering.com.

  • H. Right to lodge a complaint

You also have the right to lodge a complaint with your local supervisory authority if you consider that the processing of your personal information infringes applicable law.

If you are a resident of a Member State of the European Economic Area, you may refer to the list of data protection authorities in the European Economic Area available here.

Under applicable legislation, you may have the right to bring complaints relating to the processing of your personal information before civil courts, in particular if you are a Chilean resident.

  • I. Modalities of response to your requests, additional information or assistance

If you need any further information regarding your rights or how to exercise any of your rights, or if you have any complaints or questions regarding our privacy practices, please contact our privacy team and Data Protection Officer at privacy@kering.com (or see How can you contact us?).

To help protect your privacy and maintain security, we will take steps and may require you to provide certain information to verify your identity before granting you access to your personal information or complying with your request.

Where permissible under applicable law, we reserve the right to charge a fee for instance if your request is manifestly unfounded or excessive, to cover the administrative costs incurred by your request. We will endeavour to respond to your request as soon as possible and in any case within the applicable timeframe.

15. CAN THE PRIVACY POLICY CHANGE?

We may occasionally make changes to this privacy policy, for example to comply with new requirements imposed by applicable laws or technical requirements. We will post the updated privacy policy on our website. We therefore encourage you to review this page every so often.

We may also notify you in case of material changes and, where required by applicable law, we will seek your consent to those changes.

If we wish to process your personal information for a new purpose not described in this privacy policy, where necessary we will inform you and where required we will seek your consent.

16. DO WE USE COOKIES OR OTHER ONLINE ADVERTISING TECHNOLOGIES?

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic data. We also share information on your use of our site with our social media, advertising and analytics partners. You can read more about any of our purposes or the vendors that we use by clicking on ‘Cookie Settings.’ This preference centre is accessible at any time through the ‘Cookie Settings’ button located on every page.

When you visit any website, it may store or retrieve information using your browser, mostly in the form of cookies. This information might be personal information about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalised web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies.

At any time you have the option to accept or decline the use of cookies using the on/off settings of the preference centre, by clicking on the "Cookie Settings" link in the footer below.

17. HOW CAN YOU CONTACT US?

If you have any questions regarding our privacy practices or how we handle your information, please contact our privacy team and Data Protection Officer by sending an email to privacy@kering.com.