We only process your personal data to the extent necessary to provide our content and services and only if you are a registered user of our website. Your personal data will only be processed with your consent. An exception applies in cases where prior consent is not possible on factual grounds and/or the processing of your personal data is permitted by law (e.g. for the purpose of concluding or processing a contract with you).
1.2 If you have any questions about data protection and the processing of your personal data, you can contact the controller at the following email address: email@example.com
2. Personal data processed
2.1 We primarily process personal data that you provide to us when registering and using this website (e.g. entering promotions, stating your preferences, etc.) or that you disclose to us by email, post or other means.
2.2 We also process personal data that we receive about you from third parties. This includes personal data that we receive from our platform providers (e.g. hosting providers) and their affiliated third parties. It also includes personal data that you provide to us on other platforms (e.g. winston.ch or camel.ch) that we operate. In addition, it includes personal data that we receive from third parties performing services for us, such as payment service providers, courier services, sales outlets, age verification service providers, technical service providers, market research providers, etc.
2.3 The following categories of personal data may be processed by us:
- Contact information (e.g. email address, home address)
- User account information (e.g. account age, account number)
- Commercial information (e.g. purchasing tendencies)
- Personal identification (e.g. date of birth, first name)
- Browsing information (e.g. website history, browsing time)
- Government identifiers (e.g. national identity card details, passport scan)
- Education and skills (e.g. language)
- Employment information (e.g. grievances and complaints)
- Sensory and electronic information (e.g. visual information such as profile pictures)
- Biometric data (e.g. facial recognition), see Section 2.4
2.4 If you wish to carry out age verification by means of a governmental identification document, please note that you will need to take photos of one of your official identification documents (identity card, passport, driver’s license) and scan your face to collect your biometric data. This age verification is carried out on behalf of JTI by an external IT service provider, Veriff OÜ, a private limited company, registered with the Estonian commercial register (registry code: 12932944). Your data collected in this process will primarily be used for age verification. Additionally, Veriff OÜ will become data controller of your personal data shared through the age verification process to the extent necessary for retaining proof of evidence with compliance of requirements applicable to Veriff OÜ, developing, testing, improving and altering the functionality of the age-verification service, for machine learning purposes (data annotation for testing and training), for fraud prevention and detection purposes, and for producing anonymised or anonymised and aggregated statistical reports and research. For the avoidance of doubt, it is clearly stated that Veriff OÜ will not use your personal data to contact you for any marketing purposes. You explicitly consent to this data processing. Veriff OÜ’s Privacy Notice is available on https://www.veriff.com/privacy-notice.
3. Processing purposes
3.1 We use and process your personal data primarily to contact you, to offer you our services and to promote customer loyalty to and interaction on nordicspirit.ch. In detail, your personal data is used for the following purposes:
- to comply with legal obligations, such as verifying your age, so as to ensure that our offers and products are only available to adults
- to be able to fulfil our contractual obligations to you as a purchaser of our products (i.e. order processing, etc.)
- to provide sales and service assistance, such as handling your inquiries, complaints, general customer services, etc.
- to market our products (Nordic Spirit and others) and other offers by email, push messages, social media, direct mailings (e.g. post) etc.
- to analyse your interests, preferences, etc. (profiling) so as to be able to offer you a personalised experience (e.g. on the website, newsletters, etc.)
- to be able to offer and manage our customer loyalty programme
- to conduct market research and organise and conduct opinion polls and invite you to take part in them
- to develop and implement marketing strategies and campaigns
- to analyse our business strategies, improve our products and develop and launch new products
- to identify you across the different platforms we operate (e.g. winston.ch, camel.ch) so as to merge your personal data in order to better fulfil the above purposes
4. Recipients of personal data and transfer abroad
4.1 JTI ensures that only those employees of JTI who need to process your personal data in order to fulfil the purposes for which it was collected have access to it.
4.2 We may appoint third parties to provide us with the technical and/or organisational services we need to carry out our business activities. In this context, these third parties may process your personal data. Third parties appointed are, in particular, the following categories of data recipients:
- Companies within the JTI Group
- Service providers who help us provide you with our products and offers, carry out our business activities and/or comply with our legal obligations (e.g. hosting providers, age verification services, email delivery providers, market research service providers, etc.)
- Business partners and suppliers who support us in fulfilling our contractual obligations (e.g. sellers of our products, advertising agencies, courier services, etc.)
4.3 The third parties that process your personal data are contractually obliged to process you it solely on our behalf and in accordance with our instructions. We also oblige the third parties to comply with technical and organisational measures that ensure your personal data is protected in accordance with the applicable data protection regulations.
- the FDPIC or the Federal Council has certified that the country provides adequate protection; and/or
- standard data protection clauses approved, issued or recognised by the FDPIC in advance have been agreed; and/or
- disclosure is directly related to the conclusion or processing of a contract between us and you or between us and one of our service providers in your interest.
4.5 Your personal data is currently processed in the following countries:
- EU and EEA countries
5. Marketing communication
5.1 We will only contact you electronically or by post for marketing purposes. You can change the way we contact you at any time in your user profile and allow or prohibit individual marketing communications. Please note that not all marketing communication media may be visible in your user profile. If a medium is not visible in your user profile, please let us know you wish to unsubscribe by sending an email to firstname.lastname@example.org.
5.2 Please note that it may take up to 30 days to register or unsubscribe from individual marketing communications. This is because your personal data may already be included in an upcoming mailshot and cannot be removed from it individually.
6. Links and online services from third parties
7. Retention period of personal data
7.1 Your personal data is stored for as long as you are a registered and active user of nordicspirit.ch.
7.2 You can delete your customer account at any time. Once you have asked for your customer account to be deleted, your personal data will be completely anonymised within 28 days. This means we are unable to draw any conclusion about you as a person. Data we are required to retain due to legal obligations is not deleted. In particular, this includes data in connection with an order. This data is anonymised once the statutory retention period has expired.
7.3 If you do not log into your customer account for two years, we will delete it and anonymise your personal data. This does not apply to data we are required to retain due to legal obligations (see previous paragraph). Before deletion takes place, we will notify you by email.
8. Data security
8.1 We take technical and organisational measures to ensure that your personal data is protected against unauthorised and/or unlawful loss, alteration, disclosure or access – and contractually oblige all of our recipients of your personal data to do likewise. Please note that it is unfortunately not possible to guarantee complete security when transferring personal data and information in general over the internet or by other electronic means.
9.1 You may exercise any rights to which you are entitled under the Federal Act on Data Protection at any time. In particular, you have the right to obtain information about your stored personal data, rectify or supplement it, object to it being processing or request it be deleted at any time.
9.2 You can request or amend the deletion of your personal data, object to its use for marketing communication purposes and make certain rectifications to it yourself at any time in your user profile. For all further inquiries or exercise of rights, you can contact us at any time at the following email address: email@example.com
9.3 To the extent that Veriff OÜ processes data as Controller (see Section 2.4), contact information for further inquiries or to exercise your rights can be found in Veriff ÖU’s Privacy Notice (available on https://www.veriff.com/privacy-notice).
9.4 Please note that the rights mentioned in Section 9.1 may be restricted or excluded in individual cases, e.g. if there are doubts about your identity or this is necessary to protect other people, protect legitimate interests or comply with legal obligations. Please also note that we reserve the right to request a copy of your passport or other identification document in cases of doubt.
Dagmersellen, August 2023