We understand that your privacy and the security of your personal information is extremely important. This notice sets out what we do with your personal information, what we do to keep it secure, from where and how we collect it, as well as your rights in relation to the personal information we hold about you.
This policy applies if you interact with us through our stores, over the phone, online, via email, through our mobile applications or otherwise by using any of our websites or interacting with us on social media.
If you don’t want to read all the detail, here are the things we think you’d really want to know:
- Your personal information is, where appropriate, shared within the Sainsbury’s Group.
- You have a number of rights over your personal information. How you can exercise these rights is set out in this notice.
- We do send direct marketing, if we’re allowed to. And we do this to encourage you to buy our products and services by sending you offers and ideas that we feel will be of benefit to you. If you want us to stop then here’s how.
- We also use your information to display more relevant online advertising and marketing relating to our products and services on websites across the Sainsbury’s Group, on other websites and online media channels.
- Our websites and apps are not intended for children and we do not knowingly collect children’s data.
When we say ‘we’ or ‘us’ in this policy, we are referring to the companies that make up the Sainsbury’s Group.
The companies that currently make up the Sainsbury's Group are:
- Sainsbury’s Supermarkets Ltd (registered office: 33 Holborn, London, EC1N 2HT)
- Sainsbury’s Bank Plc (registered office: 33 Holborn, London, EC1N 2HT)
- Argos Limited (registered office: 489–499 Avebury Boulevard, Milton Keynes MK9 2NW)
- Habitat Retail Limited (registered office: 489–499 Avebury Boulevard, Milton Keynes MK9 2NW)
- Argos Financial Services (which includes Home Retail Group Card Services Limited, ARG Personal Loans Limited and Home Retail Group Insurance Services Limited) (registered office: 489–499 Avebury Boulevard, Milton Keynes MK9 2NW)
- Argos Distributors (Ireland) Ltd (registered office: Argos Distributors (Ireland) Ltd, Ballybin Road Ashbourne, Co. Meath);
- Nectar Loyalty Limited (registered office: 33 Holborn, London, EC1N 2HT); and
- Argos Business Solutions Limited (registered office: 489–499 Avebury Boulevard, Milton Keynes MK9 2NW).
- Information that you provide to us such as your name, address, date of birth, telephone number, email address, bank account and payment card details and any feedback you give to us, including by phone, email, post, or when you communicate with us via social media;
- Information about the services that we provide to you (including for example, the things we have provided to you, when and where, what you paid, the way you use our products and services, and so on);
- Information required to make decisions about your applications for products and services we offer (for example, insurance, loans or credit cards);
- Your account login details for our websites and apps, including your user name and chosen password;
- Information about whether or not you want to receive marketing communications from us;
- Information about any device you have used to access our services (such as your device’s make and model, browser or IP address) and also how you use our services. For example, we try to identify which of our apps you use and when and how you use them. If you use our websites, we try to identify when and how you use those websites too;
- Your contact details and details of the emails and other electronic communications you receive from us, and how you interact with them. For example whether the communication has been opened, if you have clicked on any links within that communication and the device you used. We do this because we want to make sure that our communications are useful for you, so if you don’t open them or don’t click on any links in them, we know we need to improve our Services;
- Information from other sources such as specialist companies that provide customer information. For example credit reference agencies such as Experian, the Royal Mail, fraud prevention agencies, claims databases, marketing and research companies, social media providers, pay TV providers and the DVLA, as well as information that is publicly available; and
- Information captured by our CCTV, automatic number plate recognition (ANPR) and body worn recording devices (together ‘CCTV’) if you visit any of our premises.
Whenever we process your personal information we have to have something called a “legal basis” for what we do. The different legal bases we rely on are:
- Consent: You have told us you are happy for us to process your personal information for a specific purpose (s);
- Legitimate interests: The processing is necessary for us to conduct our business, but not where our interests are overridden by your interests or rights.
- Performance of a contract: We must process your personal information in order to be able to provide you with one of our products or services;
- Vital interests: The processing of your personal information is necessary to protect you or someone else’s life;
- Legal obligation: We are required to process your personal information by law.
We may use your information in the following ways:
- To provide our products and services: We need to use your personal information to make our products and services available to you. If you then decide to order any of our products or services, or enter one of our competitions then we’re delighted, thank you. After that, we need to provide them to you, process your payment and sometimes award you Nectar points. We need to use your details to do all this.
- To improve your shopping experience: We try to understand our customers so we can provide you with a great shopping experience, personalised offers, shopping ideas and online advertising. Understanding how you use our Apps, how you interact with the Sainsbury’s Group, where and when you shop, the products and services you buy and how you use and browse our websites helps us to do this.
- For safety and security: We use your personal information to help provide safe and secure environments for our customers to shop in, our colleagues to work in and for our businesses to be conducted. To enable this we use CCTV, ANPR technology, body worn recording devices, monitor online behaviour and carry out checks to help us ensure that our customers are genuine to prevent fraud and to help customers use our services appropriately.
- Analytics and profiling: We use your personal information for statistical analysis and to help us understand more about our customers. That includes understanding the products and services you buy, how you shop across the whole Sainsbury's Group and by creating profiles about you. This helps us to serve you better and to find ways to improve our services, stores, apps and websites. These profiles help us to send you offers that are more relevant to you.
- Contacting you: We use your personal information to contact you. This may be in relation to a service update, an issue you have raised with us, to conduct market research or to ask for your feedback.
- Marketing and advertising: We use your personal information to provide relevant marketing communications (including by email, phone, SMS, post or online advertising), relating to our products and services, and those of our suppliers and the Sainsbury’s Group. As part of this, online advertising may be displayed on websites across the Sainsbury’s Group and on other organisations’ websites and online media channels. We may also use information about how you shop with us to measure the effectiveness of these campaigns.
- Financial Services: If you interact with Sainsbury’s Bank or Argos Financial Services, your personal information is also used for Sainsbury's Bank's credit and capital management purposes and other purposes set out in the financial services section of this notice.
We use CCTV across all sites in the Sainsbury’s Group for the protection of our colleagues, customers and business. This includes investigating accidents, incidents, criminal activities and breaches of our policies. CCTV is also in operation in our petrol stations and car parks for these purposes. Some car parks are run by third parties, so please check the local notice.
Some of our colleagues also wear body worn devices to protect themselves and our customers in high risk situations such as when there is a threat of violence. These devices record audio and video.
Occasionally we share CCTV with public or regulatory authorities or in response to requests from individuals seeking to protect their rights, the rights of others or helping to prevent crime and nuisance. We will only share CCTV if we consider a request to be appropriate.
The Sainsbury's Group - we will share your personal information in certain circumstances with the other companies within the Sainsbury's Group so that we can provide you with a high quality, personalised and tailored service (including relevant marketing) across our Group. That includes sharing information with the companies which operate Sainsbury's stores and online shopping, Sainsbury's Bank, Argos, Argos Financial Services, Habitat, the Nectar loyalty scheme and our clothing brand, Tu.
Our service providers - we work with different companies so that they can help us provide the products and services you require from us or we think you might be interested in. These third parties include:
- Advertising companies, who help us place Sainsbury’s Group adverts online and on other media;
- Social media providers – such as Facebook, Instagram and Twitter;
- Market research partners, who help us analyse customer behaviour;
- Companies that deploy our email campaigns because they need to know your email address to carry out these services;
- Companies that provide insights and analytics services so we can stock the right products, send the relevant marketing campaigns and understand our business and customers better;
- Scheme providers – such as Visa and MasterCard – if you hold a credit card or travel money card with us, in order to manage your account and for your payments to be processed;
- Our agents, advisers or others involved in running accounts and services for you and your business or collecting what you or your business owe Group companies.
- Credit reference agencies, if you are a Sainsbury’s Bank customer (please see the “Banking and Financial Services” section for further information);
- Third party vendors who help us manage and maintain the Sainsbury’s Group IT infrastructure;
- Logistics and delivery providers who enable us to deliver products you order on our websites;
- Where relevant, our professional advisors, such as lawyers and consultants;
- Security and fraud prevention companies to ensure the safety and security of our customers, colleagues and business;
- Companies which run our contact centres because they need your personal information to identify and contact you;
- Companies who assess faults and repair products on our behalf;
- Companies who administer competitions for us so they run smoothly;
- Companies that enable us to collect your reviews and comments, both online and offline; and
- Companies that help us with our community and social goals, such as our Active Kids scheme.
If you use the services provided by another company to interact with us, such as a virtual assistant or a social media platform, please be aware that your data is also subject to the privacy policies of these companies.
Other organisations and individuals - we may share your personal information in certain scenarios. For example:
- If we're discussing selling or transferring part or all of a Sainsbury's Group business, we may share information about you to prospective purchasers and their advisers - but only so they can evaluate the relevant business; or
- If we are reorganised or sold to another organisation, we may transfer information we hold about you to them so they can continue to provide the Services to you.
- If we are required to by law, under any code of practice by which we are bound or where we are asked to do so by a public or regulatory authority;
- If we need to do so in order to exercise or protect our legal rights, users, systems and services; or
- In response to requests from individuals (or their representatives) seeking to protect their rights or the rights of others. We will only share your personal information in response to requests which do not override your privacy interests. For example, we will not share your personal information with individuals who are merely curious about you, but we will share your personal information to e.g. insurers, solicitors, employers etc. which have a legitimate interest in your personal information.
Credit Reference Agencies
When do we share data with Credit Reference Agencies?
When you apply for a credit product from the Sainsbury’s Group (e.g. a Sainsbury’s Bank loan, or credit card, or an Argos store card), we may perform credit reporting and identity checks on you with one or more of the main credit reference agencies – Experian, Equifax and TransUnion (the “Credit Reference Agencies”). We also run checks with the Credit Reference Agencies periodically to help us manage our relationship with you which may include for purposes of credit limit adjustments and card reissue.
Why do we share data with the Credit Reference Agencies?
The Credit Reference Agencies provide us with information about you which helps us to understand your credit-worthiness – how easily you will find it to repay credit to us. This may include information about your financial history, salary, current financial situation, and shared credit. These activities are essential in helping promote responsible lending, prevent people and businesses from getting into more debt than they can afford, and reduce the amount of unrecoverable debt and insolvencies.
We share your personal information to check the accuracy of the information you provide us, trace and recover debts; and to help prevent fraud, money laundering and criminal activity. We also periodically share information with the Credit Reference Agencies about how you are using your Sainsbury’s or Argos credit product so that they can keep the records they hold about you accurate and up-to-date. This information reveals how you pay back your loans and credit card debts. If you fail to pay back your loan or credit card in full or on time, we will inform the Credit Reference Agencies who will record this as an outstanding debt. This can be viewed by other organisations.
Joint Accounts and Credit Reference Agencies
If you make an application for one of our credit products with another person (e.g. a spouse or partner) (a “joint application”), we will search for information about both of you with the Credit References Agencies, and both us and the Credit References Agencies will link your records together.
Your records will stay linked with the Credit References Agencies until either you or the other account holder requests that the files are no longer linked. If one account holder’s credit score is negatively affected (e.g. by skipping payments or making payments late) while these records are linked, this will have a negative impact on the other account holder’s credit score and ability to obtain further credit with us and/or other organisations.
It is important that both account holders understand the implications of being linked in this way before you make an application. Read the paragraph Joint Accounts/Additional Card Holders below for more information about how we use this personal information.
Contacting the Credit Reference Agencies
The three main Credit Reference Agencies are TransUnion, Equifax and Experian.
Each of the Credit Reference Agencies have signed up to a joint policy (“CRAIN”) which explains how these agencies use and shares personal data they receive about you and/or your business that is part of or derived from or used in credit activity.
You can find out more about how these Credit Reference Agencies collect, use and share personal information they hold about you, and what your rights are in relation to that information at the websites below:
Sainsbury’s Bank and Argos Financial Services have systems and controls in place that protect our customers and our businesses against fraud and other kinds of financial crime. This includes collecting device (e.g. location of device and IP address) and behavioural information (e.g. how you interact with our website) when you logon and transact with our websites and mobile apps.
If false or inaccurate information about you (or a joint applicant) is provided to us as part of an application and fraud is identified, we pass details of these inaccuracies to fraud prevention agencies.
These agencies help financial institutions like banks (including Sainsbury’s Bank), insurance providers and investment companies fight financial crime. Our financial services companies may access and use the information held by the fraud prevention agencies to prevent fraud, ID theft and money laundering, for example, when:
- we are deciding whether to provide credit (e.g. a loan, credit card, store card) during an application for a Sainsbury’s Bank or Argos financial product;
- we manage credit and credit related accounts for our customers;
- we are trying to recover debt;
- we are checking details on proposals and claims for all types of insurance; and
- we have been made aware of potentially fraudulent activities affecting our customers’ accounts.
Find out more information about how these agencies collect, use and share personal information they hold about you, and what your rights are in relation to that information at the websites below:
Sharing your information with Law Enforcement Agencies or public bodies
Law enforcement agencies (e.g. the police) may also ask us for access to information about our customers’ for the prevention and detection of crime. We will only provide personal information to these agencies where:
- you have told us you are happy for us to do so;
- there is a threat to your life or the life of another customer/individual; ;
- the law enforcement agency or public body has been given authority by a Court to ask for this information.; or
- legislation(s) mandates the sharing of the information (e.g. the Inland Revenue Department under the Tax Administration Act 1994)
Anti-money laundering requirements
The financial services companies within our Group (Sainsbury’s Bank plc and Argos Financial Services) are obliged to collect certain information from you to satisfy our obligations under money laundering regulations. If you take out one of our financial products, we will ask you to provide us with copies of documents which confirm your identity, including:
- Driving licence; and
- Utility bills.
This enables us to protect both our business and our customers from fraudsters. We have a legal obligation to obtain and hold this information about you. We cannot open a financial services product without obtaining copies of these documents for our records.
Joint Account Holders
The Sainsbury’s Group offer a number of financial products which you can enter into with another person, including loans and savings products.
When you apply for one of these products with another person (the “joint account holder”), we will:
- search, link and/or record information held by credit reference agencies about you both;
- link joint applicants and/or any individual identified as your spouse or partner, in our own records;
- take both your personal information and the joint account holder’s personal information into account in future applications by either or both of you; and
- continue this linking until the account is closed, or it is changed to a sole account and one of you notifies us that you are no longer linked.
Additional Card Holders
The Sainsbury's Group offers a variety of insurance products to our customers, from Sainsbury’s Bank Travel Insurance to furniture and jewellery warranty cover to protect products purchased in Argos. We work with a number of insurance partners (or ‘underwriters’) to help us provide these products to our customers, as the Sainsbury’s Group is not regulated to provide these products by itself. These are known as branded insurance products.
When you buy a Sainsbury’s or Argos branded insurance product, these products will be underwritten by one of our insurance partners. These partners collect all the information about you that they need in order to provide you with the product – they are the ‘data controller’ of that information (i.e. they decide how the information is used) and you can ask them about how they use your information by contacting them using the details provided in your terms and conditions or on their website.
These partners pass certain necessary information about our customers back to us once they’ve bought an insurance product. This information helps us understand what products our customers have and how we can provide the best possible service for those customers across our Group.
When you apply for a Sainsbury’s Bank or Argos credit product (e.g. credit card, loan, store card), we will decide whether we can lend to you by automatically comparing the information you provide to us against our lending criteria. This criteria includes:
- credit score, credit history, employment status, existing credit products or previous applications and also an assessment of affordability.
Your information will be compared against this criteria and we will make a decision automatically, using a computer, about whether to offer you credit, and on what rate.
You do have the right to ask us to look at this manually, if you think we may have missed some relevant information during the decision-making process and would like this to be taken into account. Please contact us using the following details if you would like to discuss an application which has been completed using automated decision-making:
We would like to tell you (and joint account holders) about the great offers, ideas, products and services of the Sainsbury’s Group from time to time that we think you might be interested in. Where we have consent or it is in our legitimate interests to do so, we may do this through the post, by email, text message, phone, through online advertising or by any other electronic means.
We won't send you marketing messages if you tell us not to, but if you receive a service from us we will still need to send you occasional service-related messages and may still send you surveys (you can always opt out of these via the survey email itself). If you wish to amend your marketing preferences, you can do so by logging into any of your Sainsbury’s Group accounts and following the directions, or by logging into our Customer Preference Centre .
Please note that it can take a little while for all marketing to stop once you either withdraw your consent or tell us you’d like to opt out of marketing. This is because some marketing may have been identified as relevant to your interests and may already be in transit, it cannot therefore be immediately stopped.
You have a number of rights under data protection legislation which, in certain circumstances, you may be able to exercise in relation to the personal information we process about you
- the right to access a copy of the personal information we hold about you;
- the right to correction of inaccurate personal information we hold about you;
- the right to restrict our use of your personal information;
- the right to be forgotten;
- the right of data portability; and
- the right to object to our use of your personal information.
Where we rely on consent as the legal basis on which we process your personal information, you may also withdraw that consent at any time.
If you are seeking to exercise any of these rights, please contact us using the details in the “Contact Us” section below. Please note that we will need to verify your identity before we can fulfil any of your rights under data protection law. This helps us to protect the personal information belonging to our customer against fraudulent requests.
We use automated decision making, including profiling, in certain circumstances, such as when it is in our legitimate interests to do so, or where we have a right to do so because it is necessary for us to enter into, and perform, a contract with you. We use profiling to enable us to give you the best service across the Sainsbury’s Group, including specific marketing which we believe you will be interested in.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects for you or affects you in any other significant way.
If you are seeking to exercise this right, please contact us using the details in the “Contact Us” section below.
We take protecting your personal information seriously and are continuously developing our security systems and processes. Some of the controls we have in place are:
- We limit physical access to our buildings and user access to our systems to only those that we believe are entitled to be there;
- We use technology controls for our information systems, such as firewalls, user verification, strong data encryption, and separation of roles, systems & data;
- Systems are proactively monitored through a “detect and respond” information security function;
- We utilize industry “good practice” standards to support the maintenance of a robust information security management system; and
- We enforce a “need to know” policy, for access to any data or systems.
If you would like to exercise one of your rights as set out in the “Your rights” or “Automated decision making and profiling” sections above, or you have a question or a complaint about this policy, or the way your personal information is processed, please contact us by one of the following means:
If your enquiry relates to Sainsbury’s Supermarkets, Argos, Habitat or Tu:
By email: firstname.lastname@example.org
By post: Data Protection Officer at Privacy Team, Sainsbury's Supermarkets Ltd, 17th Floor, Arndale House, Manchester, M4 3AL
Or if your enquiry relates to Sainsbury’s Bank or Argos Financial Services:
By email: email@example.com; or
By post: Data Protection Officer, Sainsbury’s Bank, 3 Lochside Avenue, Edinburgh Park, Edinburgh EH12 9DJ
You also have the right to lodge a complaint with the UK regulator, the Information Commissioner's Office. Go to ico.org.uk/concerns to find out more.