Social Media Privacy Policy
1. INTRODUCTION
BAT is committed to protecting your privacy. We will therefore ensure that all the data you provide when visiting BAT’s social media pages or participating in competitions organized by us through our social media pages (such as Instagram, Facebook, or YouTube) (“Competition”) is used only for the purposes specified in this Privacy Notice.
This Privacy Notice informs you of how we collect and use your personal data and informs you of your privacy rights. It applies to all visitors to BAT’s social media pages or those participating in Competitions we organize through those pages.
For the purposes of this Privacy Notice, the legal entity responsible for processing your personal data is British American Tobacco ΕΛΛΑΣ A.E., a member of the British American Tobacco Group (collectively referred to as “BAT”, “we”, “us” or “our”).
If you wish to contact us, please refer to the “Contact” section at the end of this Privacy Notice or email us at: dpo@bat.com.
Please note that we may update this Privacy Notice at any time without prior notice. For this reason, please check this page regularly. If you have trouble locating future versions of this Privacy Notice, please contact us using the above contact details.
2. INFORMATION WE COLLECT ABOUT YOU
Depending on the circumstances and in accordance with applicable laws and conditions, we may collect the following information. You can find out why we collect your data in the following sections.
- If you visit BAT’s social media pages and like our posts, tag us in a hashtag, mention us, or tag us in a post, we may collect your username and other related information (content, time, and date of the post).
- If you send us a direct message, we collect your username (i.e., your social media account name) and any other information included in your message.
- If you are required to provide personal data to enter a Competition (e.g., a selfie photo or written post), we will collect the content of your entry.
- If you win a Competition on BAT’s social media pages, we may collect the following personal data:
a) Full name
b) Contact information: mailing address (including city and country), email address, phone number
c) Information necessary for the competition/draw: date of birth, documents to verify age (e.g., a copy of your passport or driver’s license, if required)
d) Social media username or other identifier (e.g., Instagram). We may process your username to announce winners on our glo_greece Instagram account and/or tag winners in Instagram posts or stories. In case you win, we may ask a third-party company to process your data on our behalf.
3. HOW WE COLLECT YOUR PERSONAL INFORMATION
Most of the data we hold is what you provide directly when you interact with BAT’s social media pages, email us, send a direct message, or enter our Competitions. We may use third-party partners to assist in running Competitions, for example by collecting your data on our behalf, verifying your age, or sending prizes to your address. These companies receive only the data necessary for the services they provide under our instructions, as outlined below.
We may also collect data indirectly, for example, when you interact with content on our accounts. This includes the time you sent a message, posted a comment, or liked a post.
We may collect information about your visit, including Uniform Resource Locators (URL) clickstream data (including date and time), and gather general demographic data for aggregate use.
4. HOW WE LEGALLY USE YOUR PERSONAL INFORMATION
We are allowed to process your personal data in certain cases under the law. These cases are explained below, depending on the type of data:
1. Where the use of your data is necessary for us to enter into a contract with you
• to participate in competitions, for example, to send personal messages and transmit personal data to our partners responsible for sending the contest prizes;
2. When we have a legitimate interest in using your data
We may process your personal data when we have a "legitimate interest" that is not detrimental to you, that is, when our use does not override your rights, such as:
• Contacting you through BAT social media pages
• Legal claim establishment, exercise, or defense
• Internal business purposes
We believe that none of the actions mentioned in this Privacy Notice will in any way be detrimental to you. However, you have the right to object to the processing of your data and, in the section below entitled Your Rights, there are details regarding the relevant procedure to be followed.
3. When it is necessary to use your data in order to comply with our legal obligations
• Where we have legal obligations that we need to comply with, we may use your personal data in order to comply with them (for example, to verify your age, as required by law).
4. In cases where you have given us your consent to make use of your personal data.
• We may make use of your data where you have given us your explicit permission to do so, under certain circumstances. For example, where we ask to use your name and image in the material we publish.
• Your consent is also required for us to process your social media account username by posting the names of the winners of the contests we organize on our glo_greece Instagram account and/or tagging the winners' Instagram accounts in an Instagram post or story.
You may withdraw consent at any time. Details on how to do this are provided in the “Your Rights” section below.
5. SHARING YOUR PERSONAL DATA WITH THIRD PARTIES
We may share your personal information with the following third parties, for the reasons given:
• Other BAT Group entities: Your personal data may be shared with other members of the BAT group, for example, in the country where you declared that you reside, if circumstances require it (for example, if you wish to connect to BAT's local e-commerce websites, or if it is necessary for us to send you the prizes you have won in a contest, or even if it is necessary to process a complaint made by you or a third party, or for legal reasons concerning your personal data).
• Regulatory authorities: We may share your data with the authorities where we believe we are required by law or other regulations (for example, following a request in connection with an envisaged initiation of legal proceedings or to prevent fraud or to enforce or protect the rights and property of BAT or its subsidiaries).
• Organizations that support our business: We may share your personal information with other companies (such as third-party service providers) that provide services on our behalf (for example, who ensure that contestants are over 18 years of age or who send prizes to winners, companies that manage our social media, advertising and communication companies). We will only share data with these companies if we have entered into a relevant contract with them (usually called a "data processing agreement" or a similar name) setting out how your personal data will be used, which will be legally consistent with our instructions.
• Professional consultants and auditors: We may share your personal data with professional advisors (such as legal advisors and accountants) or auditors for the purpose of providing professional services to us.
• In case of acquisition: If a BAT entity is merged with or acquired in the future by another business or company, we may share your personal data with the buyer or prospective buyer of the business or company (and its agents and advisers).
6. HOW WE PROTECT YOUR PERSONAL INFORMATION
We care about protecting your personal information. For this reason, we take appropriate measures, designed to prevent unauthorized access to and unlawful use of your personal data.
For this purpose, we have taken a number of appropriate technical and organizational measures, including encryption and disaster recovery plans. We update and test our security technology on an ongoing basis and allow limited access to your personal data only to the extent necessary.
7. WHERE WE STORE YOUR PERSONAL INFORMATION
When using your personal data, we process it using various technical systems, networks and facilities, some of which may be located outside Greece. When we transfer someone's personal data outside the European Union, we do so in ways permitted by data protection law, such as on contractual terms between us and the recipient organisation, or we only transfer your data to countries that have been pre-authorised, from a legal point of view, to receive personal data transferred from the European Union because their legislation is as strict as that of the European Union.
8. HOW LONG WE RETAIN YOUR PERSONAL INFORMATION
We retain your data for as long as is strictly necessary and only if there is an ongoing legitimate business need (for example, in order to comply with applicable legal requirements, such as to verify your age, to comply with strict age restriction legislation, or to establish a legal basis, or to raise and/or defend legal claims arising from the contract).
When the processing of your data is carried out with your consent, your personal data is retained until you withdraw this consent. You can withdraw your consent at any time.
In the event that we do not have a legitimate interest, of a professional nature, in retaining your personal data, we will either permanently erase or anonymise it or, if this is not possible (because, for example, your personal data has been stored in security files, which we must keep for a year or more, if required by law), we will securely store your personal data and block it from further processing until it can be deleted. For more information regarding our data retention policy and practices, please contact us at the details in the "Contact" section at the end of this document.
9. YOUR RIGHTS
You have the following rights regarding your personal data:
• Right to object to processing: If you exercise this right, you have the option to object to our processing of your personal data. If you object, then we will stop using your data unless we prove that there are compelling legitimate reasons (overriding your own interests) or if the use of your data is necessary to establish the legal basis, raise or defend legal claims.
• Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities, you have the right to withdraw that consent at any time. If you withdraw your consent, we will stop using your data, unless we believe that there is another legitimate reason that justifies us continuing to process your data for this purpose, in which case we will inform you about it. However, it is important to be aware that withdrawing your consent does not affect the lawfulness of any processing we carried out prior to the withdrawal.
• Right of access: You have the right to ask us at any time to confirm that we are processing your personal data or to obtain a copy of the personal information we keep about you. We will respond to your request within one month. This period may be extended by two months, if necessary, taking into account the complexity and number of requests made. We may ask for evidence of your identification in order to confirm your request. If you ask us for more copies of your personal information, we may charge you reasonable administrative costs. Where permitted by law, we have the right to refuse to comply with your request. In this case, we will inform you of our reasons for refusal.
• Right to erasure: In some cases, you have the right to request the erasure of your personal data. We have a limited right to refuse to comply with your request and, if we do so, we will inform you of the reasons.
• Right to restriction of processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, for example, if you dispute the accuracy of the personal data that we hold about you, or if you object to its processing because of your legitimate interest. If we have shared your personal data with third parties, we will inform them of its limited processing, unless this is impossible or involves disproportionate efforts. Of course, we will inform you before we remove any restrictions on the processing of your personal data.
• Right to rectification: You have the right to request the correction of inaccurate or untrue personal data about you that we retain. If we have shared your personal data with third parties, we will inform them of its correction, unless this is impossible or involves disproportionate efforts. You can also request the details of the third parties with whom we have shared your inaccurate or incomplete personal data. In cases where we deem it reasonable not to comply with your request, we will explain the reasons.
• Right to data portability: If you wish, you have the right to transfer your personal data to service providers. Essentially, this means that you have the ability to transmit to third parties the data about you that we retain. In order to do this, we will provide your data in a format compatible with commonly used software, so that you can transfer it to third parties. Alternatively, we may transfer your data directly to third parties on your behalf, if this is possible.
• Right to lodge a complaint with the Supervisory Authority: You have the right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr) through its dedicated online portal (https://eservices.dpa.gr/). For more information you may consult the Hellenic Data Protection Authority’s site.
10. CONTACT
If you have any questions regarding this Privacy Notice, including your rights in relation to your personal data, you may send us a personal message on BAT's social media account or website (if applicable) or an email at dpo@bat.com.