Global Privacy Notice for Vendor Personnel

What does this Privacy Notice apply to?

Avon Cosmetics (M) Sdn. Bhd., as part of Natura &Co Group of Companies, its affiliates and subsidiaries (“Natura &Co”, “we”, “us”, “our”), is fully committed to the responsible collection, use, and care of the Personal Data of individuals, including our Vendors’ personnel. This Global Privacy Notice for Vendor Personnel (“Privacy Notice”) provides you with information on how we collect, use, and share Personal Data of individuals associated with our Vendors’ businesses.

If you are in a jurisdiction that recognizes the concept of a Data Controller or similar, the Data Controller is the Natura &Co entity (including Group of Companies) which has a business relationship with the applicable Vendor. If you have a query about how your Personal Data is being used, you can contact the Data Controller through the Data Protection Officer (DPO) team here.

Key Definitions

Capitalised terms not otherwise defined in this Notice have the following meanings:

  • Personal Data means any information relating to an identified or identifiable living individual.
  • Sensitive Personal Data means any information relating to an individual’s racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, criminal records/history or processing of genetic data or biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation. Depending on the country in which you are based, sensitive personal data may also refer to personal information that, once leaked or illegally used, may cause harm to natural persons, including but not limited to information on specially designated status, financial accounts, individual location tracking, as well as the personal information of minors or information on social security, driver’s license, state identification, and passport numbers, precise geolocation, combination of email address, debit card, or credit card with security or access code, password, or other credentials allowing access to financial account.
  • Processing means the use of personal data including collection, recording, organization, structuring, adaptation or alteration, analysis, retrieval, consultation, providing or blocking access to (including remote access), disclosure, dissemination, aligning, copying, transfer, storage, deletion, hosting, combination, destruction, disposal, or other use or handling of personal data.
  • Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In our company, the ultimate data controller is Natura &Co, our holding company.
  • Third Party means any natural person or legal entity, public authority, agency or any other body other than Data Subject, Data Controller, any vendor, supplier or service provider who solely or jointly process personal data on behalf of the Data Controller and acts on the Data Controller’s instructions.
  • Data Subject means the identified or identifiable living individual to whom the Personal Data relates.
  • Natura &Co Group of Companies: the full listing can be found here.       

Personal Data we collect and process

We may collect the following Personal Data:

  • information that you or other Vendor Personnel provide to us during the course of Vendor’s relationship with us, such as name, address, telephone number and e-mail address; banking information; tax identification number, professional details and qualifications and other information provided when communicating with us; information required for due diligence purposes, such as: financial background information, business references, criminal, regulatory and enforcement action history, professional suspensions and reputational information; relationships with government officials and business relationships with organisations located in a country which is subject to trade sanctions. This information may be collected from other parties, such as from external providers of due diligence services, anticorruption watchlist services and social responsibility databases.
  • information relating to your use of our systems, such as IP address, location of access, operating system and relevant settings, using cookies and other similar technologies.

We may use Personal Data for the following purposes:

Where permitted by the applicable law depending on the country in which you are based, by providing us with Personal Data you, on behalf of yourself and other Vendor Personnel whose Personal Data you provide, consent to the Processing of Personal Data for the purposes described in this Notice. Personal Data is also processed under other lawful bases that might vary depending on the country in which you are based. The most commonly used lawful bases are either to fulfil our contractual obligations with Vendors, to comply with Natura &Co's legal obligations under any applicable laws, or as otherwise processed to meet our legitimate business interests (where applicable and depending on the country in which you are based). Where applicable, we may rely on the legitimate interest in managing its business relationships appropriately including analysing which of its relationships are most successful and determining our future strategy, monitoring its business processes, complying with its obligations, maintaining its reputation, defending its legal interests, and keeping its records accurate and up to date.

How long we store your Personal Data

We store your Personal Data processed for the purposes stated in this Notice and for the duration of our business relationship with you. Once our business relationship with you has ended and your data is no longer required for these purposes, we will delete your data, unless your data is required also for other purposes set out in this Privacy Notice, and/or is necessary to fulfil applicable legal or regulatory obligations. We also may store your data for dealing with any complaints regarding our products and services. Our retention periods are determined as per the legal requirements of the country in which you are based.

How we share and disclose your Personal Data

As a global Company, we may disclose your Personal Data to:

  • Natura &Co Group of Companies;
  • Natura &Co’s external legal advisors, auditors, due diligence providers and other third-party service providers who provide services to Natura &Co, such as information technology services, data hosting services and e-mail delivery services;

  • third parties as required by applicable laws, pursuant to a valid request of a government authority, valid legal process or in connection with dispute resolution proceedings. Law enforcement and other government authorities. To do so, the authority requires an appropriate judicial order or warrant, for which they need to demonstrate that the disclosure of the requested or intercepted information is required. We reserve the right to challenge these requests.
  • to an acquiring party, service providers or other third parties in connection with any proposed or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of Natura &Co’s business, assets or stock (including in connection with any bankruptcy or similar proceedings);
  • as Natura &Co believes necessary or appropriate for the other purposes listed in section 3 above.

We may share or transfer your Personal Data in the course of any direct or indirect reorganization process including, but not limited to, mergers, acquisitions, divestitures, bankruptcies, and sales of all or part of our assets. Your Personal Data may be shared following the completion of such transaction and/or during the assessment processing pending transfer (subject to confidentiality requirements). If transferred, your Personal Data will remain subject to this Privacy Notice or a policy that, at a minimum, protects your privacy to an equal degree as this Privacy Notice unless you otherwise consent.

This sharing will be for the purposes set out in this Privacy Notice (including the engagement of third-party service providers, who may act as controllers of your Personal Data).

International Data Transfers: We may transfer your Personal Data to our affiliates and subsidiaries or to other third parties, in accordance with applicable local law, depending on the country in which you are based. We may also transfer your Personal Data from your country or jurisdiction to other countries or jurisdictions in accordance with legal requirements.

  • For international data transfers subject to EEA, UK and Swiss law: we primarily use European Union Commission Standard Contractual Clauses.
  • For transfers between other jurisdictions, we may rely on other legal mechanisms for international transfers, as appropriate under the relevant law.

We have also concluded and executed an Intra-Group Agreement to ensure safe and lawful transfers of personal data take place among entities within the Natura &Co Group of Companies and also among different countries around the world, where such transfers are necessary in the course of business.

We carry out Transfers Impact Assessments to implement supplementary measures to ensure your personal data is processed under the standards that apply to your territory.

Your Sensitive Personal Data will not be used for any additional purposes that are incompatible with the purposes listed above unless we provide you with notice of those additional purposes.

We do not sell your Personal Data or your Sensitive Personal Data, nor do we share it with third parties for cross-context behavioural advertising.

How we protect your Personal Data

We implement comprehensive technical, physical and organizational measures to ensure a level of security appropriate to the risk to the personal data we process and to ensure compliance with applicable legal requirements. These measures are aimed at safeguarding the ongoing integrity and confidentiality of personal data. We evaluate and improve these measures on an ongoing basis.

Your rights in relation to the processing of your Personal Data

Depending on the country in which you are based, you may have some or all of the following rights:

  • To obtain the rectification of any inaccurate personal data and, having regard to the purposes of the processing, the completion of incomplete personal data (right to rectification) (please let us know if and to what extent your data stored by us has changed, so that we can rectify or update the respective data);
  • If there are legitimate reasons, to request the deletion of the personal data (right to erasure);
  • To request the restriction of the processing of the personal data, if the legal requirements are met (right to restriction of processing);
  • To withdraw your consent at any time, if the data processing is based on consent, provided that such withdrawal does not affect the lawfulness of the previous processing of your data (consent withdrawal);
  • To receive the personal data provided by you in a structured, commonly used and machine-readable format and to transfer this personal data to another controller or, if technically feasible, to have it transferred by us (right to data portability); and
  • Not to be subject to a decision based solely on automated processing which produces legal effects concerning you or significantly affects you in a similar way, if the legal requirements are not met (not to be subject to automated processing).
  • To object, where applicable law provides, to the processing of your data (right to object):
      • which is being processed for the purposes of our legitimate interests (where applicable and depending on the country in which you are based) unless such interests outweigh your individual rights; and/or
      • for direct marketing purposes, without any special reason.

In order to exercise your rights, including the withdrawal of your consent, please contact us here. You may also designate an authorized agent to make a request on your behalf. In order to protect your data from unauthorized access or alteration by third parties, all requests regarding your personal information will be subject to verification of the identity of the requesting individual. We endeavour to respond to a verifiable request within required time frames.

A Data Subject who feels that we are not adhering to this Notice or applicable data protection laws with respect to his or her Personal Data may contact us to register a complaint; submit requests for exercising rights; or address any other issue arising under this Notice. Complaints by any person may also be referred to the DPO team by email here.

Without prejudice to any other remedies, you also have the right to lodge a complaint with a supervisory authority at any time.

Implied Consent

By submitting orders and/or keeping active in your commercial contractual relationship with us, and unless you tell us differently, you renew/grant consent to process your personal data as described in the notice.

Changes we make

We may update this Notice periodically and will revise the date at the bottom of this Notice to reflect the date when such update occurred. If we make any material changes in the way we collect, use, and/or share the personal information that you have provided, we will endeavour to provide you with notice before such changes take effect, such as by posting prominent notice on our Company website.

Continued use of the website constitutes acceptance of the new Privacy Notice. We encourage you to periodically review this page for the latest information on our privacy practices. Where required to do so by the applicable law depending on the country in which you are based, we may seek your prior consent to any material changes we make to this Privacy Notice.

Effective Date: 22 December 2022

Updated: 20 September, 2023