Who are we?

We are a member of Philip Morris International. Our details (name, address, etc.) will have been given to you separately at the time of (or to confirm) the collection of information about you, for example, in a notice on a card, an app or a website, or in an e-mail or sms, containing a link to this notice.

  • PMI: Philip Morris International, a leading international tobacco group. It is made up of a number of companies or “affiliates”.
  • PMI affiliates: Each member of the Philip Morris International group of companies is a “PMI affiliate”. “We” (or “us” or “our”) refers to the PMI affiliate that first collected information about you.
  • PMI product: means a product of ours or of another PMI affiliate.

How do we collect information about you?

We may collect information about you in various ways.

  • You may provide us with information directly (e.g. when you visit our premises and demonstrate your identity; fill in a form; or make a call to us).
  • We may collect information automatically (e.g. when you use a PMI app or website; CCTV at building entrances, exits and loading bays).
  • We may acquire information from third parties (e.g. business colleagues, your employer).

In this notice, we refer to all the methods by which you are in contact with us as “PMI touchpoints”. PMI touchpoints include both physical (for example, retail outlets and events), and digital (for example, apps and websites).

We may collect information that you provide directly. Typically this will happen when you:

  • sign up to be a member of our databases (for example if you register to receive e-mail alerts)
  • submit content to a digital PMI touchpoint;
  • contact us through a touchpoint, by e-mail, or telephone; or
  • participate in PMI surveys.

We may collect information about you automatically. Typically this will happen when you:

  • communicate with us (for example, by telephone or through a touchpoint); or
  • use PMI touchpoints (e.g. through tracking mechanisms in an app or a website).

We may also collect information about you automatically through the use of cookies and similar tracking technologies on digital PMI touchpoints. The specific cookies and technologies used will depend on the PMI touchpoint in question. To learn about the cookies (including Google analytics cookies) and similar technologies used on a touchpoint, including how you can accept or refuse cookies, please see the cookie notice made available on or through that touchpoint.

Where permitted by law, we may acquire information about you from third parties. This may include information shared between PMI affiliates.

We may also collect information in other contexts made apparent to you at the time.

What information about you do we collect?

We may collect various types of information about you:

  • information necessary to provide you with e-mail alerts
  • information about your visits to our premises, outlets and events
  • information you give us in calls you make to switchboards or call centres
  • information you give us when you submit content to a digital PMI touchpoint
  • information about your preferences and interests
  • information necessary to verify your identity and age

Information that we collect from you directly will be apparent from the context in which you provide it. For example:

  • you may provide us with information necessary to provide you with e-mail alerts and information necessary to coordinate your visits with you, and to communicate with you during your visits;
  • if you submit content to a digital PMI touchpoint, you may provide your name, username, contact, image, location, interests and preferences, and e-mail address;
  • you may provide information on your preferences and interests so that we can enhance your experiences when you visit us;
  • we may collect information that enables us to verify your identity and age, for example a copy of an identity document or your facial image.

 

Information that we collect automatically will generally concern:

  • details of your visit or call (such as time and duration);
  • security information when you visit our offices (e.g. through video (CCTV) recording and building access logs);
  • your use of digital PMI touchpoints (such as the pages you visit, the page from which you came, and the page to which you went when you left, search terms entered, or links clicked within the touchpoint); and
  • your device (such as your IP address or unique device identifier, location data, details of any cookies that we may have stored on your device).

 

Information that we collect from third parties will generally consist of information provided by your colleagues or your employer, for example regarding your planned visits to our premises.

The purposes for which we use information about you, with corresponding methods of collection and legal basis for use, are:

Purpose
 Legal Basis for Processing

Deliver PMI touchpoints, press releases and mail alerts

  • enabling you to use PMI touchpoints (for example, allowing you to remain logged in to sections of a touchpoint that are reserved for authorized users only, administering your language preference)
  • customize your experience of PMI touchpoints (for example, to personalize your visit, such as with greetings or suggestions that might interest you)
  • administering your accounts and troubleshooting

 

This will typically be a combination of information that you provide to us (for example, your name and contact and social media details); and information that we collect automatically (for example, using technology to monitor use of PMI touchpoints).

We use it on the grounds that we have a legitimate business interest to operate PMI touchpoints, and to customize your experiences, in these ways that is not overridden by your interests, rights and freedoms to protect information about you.

To identify you, and for the purposes of security

  • when you visit our premises, we use information about you to identify you and to support us in keeping our premises secure

This will typically be a combination of information that you provide to us (for example, your name and contact, and other details to identify you); and information that we collect automatically (for example, using CCTV technology to monitor movements in some areas of our premises).

We use it because we have a legitimate interest in identifying you and in maintaining security in our premises that is not overridden by your interests, rights and freedoms to protect information about you.

 

Business administration

  • general organizational management and business record keeping
  • visitor administration and record keeping
  • administering and running events
  • correspondence in relation to our relationship with you, including to deal with your inquiries and requests
  • managing your appointments with us
  • IT systems development, implementation, operation and maintenance
  • maintaining the security of systems, devices and buildings
  • the operation of contact databases and collaboration tools
  • operating a safe work environment
  • maintaining the security and safety of PMI affiliates’ staff, customers, suppliers, visitors and the property of each

 

We will generally either receive the information from you directly.

We use it because we have a legitimate business interest to run our business, manage our relationship with you and maintaining the security and integrity of our buildings and IT systems that is not overridden by your interests, rights and freedoms to restrict use of information about you.

 

Security and systems monitoring

  • authentication and access controls and logs, where applicable
  • monitoring of PMI systems, devices, internet and e-mail to which you are granted access
  • monitoring of access to PMI premises, deliveries to PMI affiliates, and security-related processes at our premises

This information is collected automatically through various means such as automated systems and device monitoring, and CCTV recording and audio recording at our premises.

We use it because we have a legitimate business interest in ensuring the confidentiality, integrity and security of our physical and digital infrastructure and premises that is not overridden by your interests, rights and freedoms to protect information about you.

Business analytics and improvements

  • for business analytics and improvements (including for our premises, PMI products, outlets that sell PMI products, events, digital PMI touchpoints and the information that we (or our affiliates) provide to our customers)

This will typically be a combination of information that you provide to us; information that we collect automatically; and (where permitted by law) information that we acquire from third parties.

We use it on the grounds that we have a legitimate business interest to analyze and to improve our business performance, our products, PMI touchpoints, outlets and events, and to invite others to get involved in promoting PMI products, that is not overridden by interests, rights and freedoms to protect information about you.

Business analytics and improvements

  • allowing us or our business partners to inform you of potential opportunities to get involved in promoting PMI products
  • for business analytics and improvements (including for PMI products, systems, processes, offices, outlets that sell PMI products, training, events, digital PMI touchpoints and the information that we (or our affiliates) provide to you, your employer or our customers)

This will typically be a combination of information that you provide to us; information that we collect automatically; and (where permitted by law) information that we acquire from third parties.

We use it on the grounds that we have a legitimate business interest to analyze and to improve our business performance, our products, systems, processes, offices, outlets, training, events, PMI touchpoints and the information we provide and to invite others to get involved in promoting PMI products, that is not overridden by interests, rights and freedoms to protect information about you.

 

Where we do not base our use of information about you on one of the above legal bases, or where law requires it, we will ask for your consent before we process the information (these cases will be clear from the context).

In some instances, we may use information about you in ways that are not described above. Where this is the case, we will provide a supplemental privacy notice that explains such use. You should read any supplemental notice in conjunction with this notice.

Who do we share your information with, and for what purposes?

We may share information about you with:

  • PMI affiliates;
  • third parties who provide PMI affiliates or you with products or services; and
  • other third parties, where required or permitted by law.

We share information about you with others only in accordance with applicable laws. Thus, where law requires your consent, we will first ask for it.

Sharing data with other PMI affiliates

  • Information about you will be shared with Philip Morris Products S.A. (based in Neuchâtel, Switzerland), which is the place of central administration of personal data processing for PMI affiliates. Philip Morris Products S.A. processes the information about you for all the purposes described in this notice.
  • Information about you may be shared with any other PMI affiliate that may be involved in managing the premises you visit or the event you attend (for example, if various affiliates are managing different aspects of your visit or the event you are attending) in order to enhance your experience.

Details of PMI affiliates and the countries in which they are established are available.

Country-specific additional points

According to which country you are in, we want you to be aware of some further points.

If you are in Japan, find out more…

If you are in Japan, note that we share information about you, for the purposes described in this notice, with other PMI affiliates on the basis of “joint use” under Japanese data protection laws. When we do this, Philip Morris Japan Limited (PMJ) continues to manage your personal information responsibly, and we require those with whom we share the data to do the same. Further, if they are located outside Japan, we take reasonable measures in accordance with the relevant laws and regulations.

Sharing data with third parties

  • To the extent permitted by applicable law, we may share information about you with third parties who provide PMI affiliates or you with products or services (such as advisers, retailers, information services providers and identity verification providers).
  • We may share information about you with other third parties, where required or permitted by law, for example: regulatory authorities; government departments; in response to a request from law enforcement authorities or other government officials; when we consider disclosure to be necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity; and in the context of organisational restructuring.

Where might information about you be sent?

As with any multinational organisation, PMI affiliates transfer information globally. Accordingly, information about you may be transferred globally (for example, if you are in  the European Economic Area ("EEA"), your information may be transferred outside the EEA; if you are in Australia, you information may be transferred outside Australia).

When using information as described in this notice, information about you may be transferred either within or outside the country or territory where it was collected, including to a country or territory that may not have equivalent data protection standards.

For example, PMI affiliates within the EEA may transfer personal information to PMI affiliates outside the EEA. In all cases, the transfer will be:

  • on the basis of a European Commission adequacy decision;
  • subject to appropriate safeguards, for example the EU Model Contracts; or
  • necessary to discharge obligations under a contract between you and us (or the implementation of pre-contractual measures taken at your request) or for the conclusion or performance of a contract concluded in your interest between us and a third party, such as in relation to travel arrangements.

In all cases, appropriate security measures for the protection of personal information will be applied in those countries or territories, in accordance with applicable data protection laws.

Our service providers are located in many countries throughout the world, including in particular the EEA, Switzerland, the USA, Canada, India, the Philippines, Indonesia, and Australia.

How do we protect information about you?

We implement appropriate technical and organisational measures to protect personal information that we hold from unauthorised disclosure, use, alteration or destruction. Where appropriate, we use encryption and other technologies that can assist in securing the information you provide. We also require our service providers to comply with strict data privacy and security requirements.

How long will information about you be kept?

We will retain information about you for the period necessary to fulfil the purposes for which the information was collected. After that, we will delete it. The period will vary depending on the purposes for which the information was collected. Note that in some circumstances, you have the right to request us to delete the information. Also, we are sometimes legally obliged to retain the information, for example, for tax and accounting purposes.

Typically, we retain data based on the criteria described in the table below:

Type
 Explanation/typical retention criteria
  • database records

If you have signed up to receive e-mail alerts (and similar) or to use a PMI digital touchpoint, most of the information in your profile is kept for the duration of the period you continue to receive the alerts, use the digital touchpoint, or respond to our communications. However, some elements of your profile, such as your history of use of the PMI digital touchpoint, naturally go out of date after a period of time, so we delete them automatically after defined periods as appropriate for the purpose for which we collected them.

  • visitor records

If you visit our buildings, visitor records are retained typically for a period of three years.

  •  CCTV
 If you visit our buildings, CCTV records retained typically for a period of only a few days, up to a few weeks, depending on the specific purpose for the recording.
  •  system audit logs
 System audit logs are retained typically for a period of only a few months.
  •  business analytics
 Business analytics data is typically collected automatically when you use PMI touchpoints and anonymised/aggregated shortly afterwards.

What rights and options do you have?

You may have some or all of the following rights in respect of information about you that we hold:

  • request us to give you access to it;
  • request us to rectify it, update it, or erase it;
  • request us to restrict our using it, in certain circumstances;
  • object to our using it, in certain circumstances;
  • withdraw your consent to our using it;
  • data portability, in certain circumstances;
  • opt out from our using it for direct marketing; and
  • lodge a complaint with the supervisory authority in your country (if there is one).

We offer you easy ways to exercise these rights, such as “unsubscribe” links, or giving you a contact address, in messages you receive.

Some mobile applications we offer might also send you push messages, for instance about new products or services. You can disable these messages through the settings in your phone or the application.

The rights you have depend on the laws of your country. If you are in the European Economic Area, you will have the rights set out in the table below. If you are elsewhere, you can contact us (see the paragraph “who should you contact with questions?” at the end of this notice) to find out more.

Right in respect of the information about you that we hold
Further detail (note: certain legal limits to all these rights apply)
  • to request us to give you access to it

This is confirmation of:

  • whether or not we process information about you;
  • our name and contact details;
  • the purpose of the processing;
  • the categories of information concerned;
  • the categories of persons with whom we share the information and, where any person is outside the EEA and does not benefit from a European Commission adequacy decision, the appropriate safeguards for protecting the information;
  • (if we have it) the source of the information, if we did not collect it from you;
  • (to the extent we do any, which will have been brought to your attention) the existence of automated decision-making, including profiling, that produces legal effects concerning you, or significantly affects you in a similar way, and information about the logic involved, as well as the significance and the envisaged consequences of such processing for you; and
  • the criteria for determining the period for which we will store the information.

On your request we will provide you with a copy of the information about you that we use (provided this does not affect the rights and freedoms of others).

  • to request us to rectify or update it

This applies if the information we hold is inaccurate or incomplete.

  • to request us to erase it

This applies if:

  • the information we hold is no longer necessary in relation to the purposes for which we use it;
  • we use the information on the basis of your consent and you withdraw your consent (in this case, we will remember not to contact you again, unless you tell us you want us to delete all information about you in which case we will respect your wishes);
  • we use the information on the basis of legitimate interest and we find that, following your objection, we do not have an overriding interest in continuing to use it;
  • the information was unlawfully obtained or used; or

to comply with a legal obligation.

  • to request us to restrict our processing of it

This right applies, temporarily while we look into your case, if you:

  • contest the accuracy of the information we use; or
  • have objected to our using the information on the basis of legitimate interest

    (if you make use of your right in these cases, we will tell you before we use the information again).

    This right applies also if:

  • our use is unlawful and you oppose the erasure of the data; or
  • we no longer need the data, but you require it to establish a legal case.
  • to object to our processing it

You have two rights here:

  • if we use information about you for direct marketing: you can “opt out” (without the need to justify it) and we will comply with your request; and
  • if we use the information about you on the basis of legitimate interest for purposes other than direct marketing, you can object to our using it for those purposes, giving an explanation of your particular situation, and we will consider your objection.

 

  • to withdraw your consent to our using it

This applies if the legal basis on which we use the information about you is consent. These cases will be clear from the context.

  • to data portability

If:

  • you have provided data to us; and
  • we use that data, by automated means, and on the basis either of your consent, or on the basis of discharging our contractual obligations to you,

then you have the right to receive the data back from us in a commonly used format, and the right to require us to transmit the data to someone else if it is technically feasible for us to do so.

  • to lodge a complaint with the supervisory authority in your country

Each European Economic Area country must provide for one or more public authorities for this purpose.

You can find their contact details here:

http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

For other countries please consult the website of your country’s authority.

Country-specific additional points

According to which country you are in, you may have some additional rights.

If you are in France, you have the right to give us instructions regarding information we hold about you in the event of your death (specifically, whether we should store or delete it, and whether others should have the right to see it). You may:

  1. issue general instructions to a digital service provider registered with the French data protection supervisory authority (called “CNIL”) (these instructions apply to all use of information about you); or
  2. give us specific instructions that apply only to our use of information about you.

Your instructions may require us to transfer information about you to a third party (but where the information contains information about others, our obligation to respect also their privacy rights might mean that we can’t follow your instructions to the letter). You may appoint a third party to be responsible for ensuring your instructions are followed. If you do not appoint a third party in that way, your successors will (unless you specify otherwise in your instructions) be entitled to exercise your rights over information about you after your death:

  • in order to administer your estate (in which case your successors will be able to access information about you to identify and obtain information that could be useful to administer your estate, including any digital goods or data that could be considered a family memory that is transferable to your successors); and
  • to ensure that parties using information about you take into account your death (such as closing your account, and restricting the use of, or updating, information about you).

You may amend or revoke your instructions at any time. For further information on the processing of information about you in the event of your death, see Article 40-1 of the law 78-17 dated 6 January 1978. When you die, by default, you will stop using your account and we will delete information about you in accordance with our retention policies (see the paragraph “How long will information about you be kept?” for details).

If you are in Australia, the following additional information applies to you:

  1. if you do not provide your personal information to us, we may not be able to (as applicable) provide you with the information or services that you request; and
  2. our Privacy Policy (available at https://www.pmiprivacy.com/en-au/privacy-policy) explains: (i) how you may access and correct the personal information that we hold about you; (ii) how you can lodge a complaint regarding our handling of your personal information; and (iii) how we will handle any complaint.

 

If you are in Taiwan, the following additional information applies to you:

If you do not provide your personal information to us, we may not be able to (as applicable) provide you with the information, products or services that you request.

If you are in Switzerland, find out more…

If you are in Switzerland,  information about you may be transferred outside of Switzerland, including to a country or territory that may not have equivalent data protection standards. In such cases, the transfer will be subject to appropriate safeguards such as the Standard Contractual Clauses in accordance with the new Data Protection Act and guidance from the Federal Data Protection and Information Commissioner.

If you are in Colombia, find out more…

The data controller is Coltabaco S.A.S. located in Carrera 52 No. 4-96, Medellín, Colombia, phone number: +57 4 356 90 00, email: proteccion.datos@pmi.com. We are an affiliate of Philip Morris International. For all activities that involve the processing of personal data we will abide by the provisions of Law 1581 of 2012, Decree 1377 of 2017 and other regulations that modify or add them. Where required, we will always obtain your consent for the processing of personal data in advance, including any international transfers, unless a legal exception applies. You have the right to access, update and rectify your personal data free of charge by contacting us using the contact details set out above, or by getting in touch with the data processor. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or where processing is prohibited or has not been authorized. Your data will be subject to automated processing. You may: (i) optionally answer the questions about sensitive data or the data of children and adolescents; (ii) request to be informed by us, upon request, regarding the use we have given to your personal data; (iii) ask us for proof of your consent; (iv) withdraw your consent, provided there is no conflicting legal or contractual duty to remain in a database; (v) revoke your consent and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights and guarantees. The Privacy team is responsible for all requests, complaints and claims relating to the processing of personal data. If you wish to contact the Privacy team, you can find the contact information above. This notice is effective for Colombia on 14 February 2024.

Who should you contact with questions?

If you have any questions, or wish to exercise any of your rights, you can find contact details for the relevant PMI affiliate, and if applicable data protection officer, here. Contact details will also be given in any communications that a PMI affiliate sends you.

If your country has a data protection authority, you have a right to contact it with any questions or concerns. If the relevant PMI affiliate cannot resolve your questions or concerns, you also have the right to seek judicial remedy before a national court. 

Changes to this notice

We may update this notice (and any supplemental privacy notice), from time to time. Where the law requires it, we will notify you of the changes; further, where the law requires it, we will also obtain your consent to the changes.

Last modified 14 February 2024. You can find previous versions of this notice here.