Privacy Policy
1. PURPOSE.
This Privacy Policy has the purpose of regulating the activities of Ikano Retail Mexico, S. de R.L. de C.V. and, if applicable, its subsidiaries or affiliate companies (jointly, “IKEA México”) regarding the treatment of personal information and data in Mexico.
IKEA México acknowledges that all the activities implying the treatment of personal data such as collection, treatment, storage, consultation and use, are subject to different legal requirements in different jurisdictions, thus, this Privacy Policy has the purpose of establishing requirements in order to protect the rights of the holders of personal data in Mexico that are collected and treated by IKEA México.
IKEA México commits to fulfill with the provisions of privacy, protection of personal data and the information security requirements in Mexico. This Privacy Policy (the “Policy”) is designed to get IKEA México’s personnel acquainted with the type of personal data with which we work in IKEA México and the need for measures to maintain the confidentiality of such information.
IKEA México acknowledges that the lack of protection of personal data can result in serious consequences for IKEA México and/or for the holders of personal data, such as legal sanctions (for instance, fines and penalties) set forth by the government agencies; identity theft of the Personal Data Holders, and the damage to the brand image and reputation of IKEA México (due to adverse publicity). In order to avoid harmful consequences, compliance with this Policy is mandatory.
This policy sets forth the minimum requirements regarding the treatment or personal data according to the applicable laws in Mexico.
2. SCOPE OF APPLICATION
This Privacy Policy will be applied to the treatment of all personal data held by IKEA México, including the personal data received from the clients, employees, agents, suppliers, consultants, and others, which are processed through electronic means, in written form or by telephone in a personal data system related to the commercial operations of IKEA México.
This policy is also applicable to the Persons in Charge or Third Parties with which IKEA México has contractual relations.
In case of conflict between the provisions of this Privacy Policy and those of the applicable laws, the Policy shall be interpreted according to the applicable laws.
When it is considered necessary to guarantee the appropriate treatment of the personal data held by IKEA México, this Policy can be complemented with additional guidelines of IKEA México, work practices, good practices manuals and other documents.
3. DEFINITIONS
a) Affiliate. – Refers to a company or other entity which, directly or indirectly is controlled by IKEA México.
b) Agents.- Refers to consultants, contractors, suppliers, service providers and their respective representatives which, when applicable, treat personal data on behalf of IKEA México.
c) Applicable Laws.- Refers to all the regulatory framework applicable to the treatment of personal data of IKEA México.
d) Non-compliance.- Refers to a conduct against this Privacy Policy or the applicable legal provisions, including but not limited to: undue or unauthorized access to personal data collected by IKEA México; illegal treatment of personal data; take ownership of, in whole or in part, information contained in the personal data bases of IKEA México; use the information contained in the personal data bases of IKEA México; as well as any other unauthorized conduct related to the treatment of personal data under the responsibility of IKEA México.
e) Person Responsible of Personal Data.- Refers to any person that (on his/her own or jointly) determines the purposes and ways for which the personal data are or will be object of treatment. IKEA México or an affiliate of IKEA México will be responsible of the data, although there can be more than one person responsible of data.
f) Person in Charge of Personal Data.- Refers to any person that treats personal data on behalf of the Person Responsible for the treatment, without being an employee of the person responsible.
g) Holder of Personal Data.- Refers to the person holding the personal data that will be treated.
h) Employee.- Refers to all employees, whether full-time or temporary, of IKEA México.
i) Functional area.- Refers to any functional group of businesses or a service of IKEA México, including but not limited to, Accounting, Marketing, Sales, among others.
j) Person.- Means an individual person or a legal entity.
k) Personal data.- Means any information or personal data that identifies or allows the identification of a person. This information can include names, addresses, emails, telephone numbers, and other personal information.
l) Personal Data System.- Means a set of personal data, whether elaborated by (i) the equipment that operate automatically, such as in a data base, system, or electronic file, or (ii) is kept in a manual, structured, file, whether by reference to specific individuals or according to criteria regarding individuals, in such way that the specific information regarding an individual in particular is easy to access and said person is identifiable.
m) Sensitive Personal Data.- Any information or personal data that reveals sensitive information of an individual, including but not limited to information regarding: the medical or health condition; race or ethnic origin; political opinions or membership in political parties or similar movements; religious or philosophical beliefs; membership in an organization or union; sexual orientation of an individual; banking information and any information obtained from an individual affecting his/her most private sphere.
n) Third parties.- Refers to any person different than the Person Responsible for Data or the Person in Charge.
4. IMPLEMENTATION
It is the responsibility of all employees and agents of IKEA México to carry out the treatment of personal data in accordance to this Policy and to the applicable laws in Mexico.
It is the responsibility of the head of every functional area and of each Affiliate to ensure the implementation and compliance with the provisions of the Federal Law for the Protection of Personal Data Held by Private Entities (“LFPDPPP”) and other applicable regulations.
5. GENERAL PRINCIPLES FOR THE TREATMENT OF PERSONAL DATA.
This Privacy Policy and the treatment of personal data collected by IKEA México will be regulated by the following general principles:
a) Legality. – All of IKEA México’s Areas must treat Personal Data in accordance with this Privacy Policy and the relevant Mexican and international legislation.
b) Consent. - All of IKEA México’s Areas must make sure to obtain the consent of the Data Holders, whether implicit or express, as the case may be, before obtaining Personal Data from the individuals.
c) Information. – Before obtaining any Personal Data, the Area that in the context of any business process obtains such data must give the Holder of Personal Data the information regarding the existence and main characteristics of the treatment that the Personal Data will be subject to. This, by making available the Privacy Notice. The Area that obtains the data is responsible of incorporating in its business processes the availability and appropriate delivery of Privacy Notices and make sure to obtain the consent of holders, in those cases where obtaining it is necessary. The fact that the Privacy Notices are delivered in the context of specific processes must be recorded in the operation manuals or specific process flows so that each Area can implement it. In the applicable cases, each Area is responsible of obtaining the corresponding signature of the Personal Data Holder and keep the duly signed document in the files or electronic records.
d) Quality. – Each Area of IKEA México must implement measures so that the Personal Data managed by each Area are exact, complete, correct, appropriate and are updated, regarding the purpose for which they are treated. Said activities will be regulated by the following:
i. Data updates. – Each Area must make periodic updates of the Personal Data under their custody. The criteria to determine the periodicity of the updates will be determined by each Area, depending on their needs. However, it must be assured that the periodicity adopted allows maintaining the veracity of data and avoid that the lack of accuracy affects a Personal Data Holder.
ii. Preservation and suppression or Personal Data.- Personal Data shall be preserved only for the terms necessary to comply with the purposes that justified the treatment. In any case, the Personal Data will be eliminated in the terms provided by the applicable policies or which are created regarding the preservation of data, or as determined by the Person Responsible of Privacy. Each Area shall be responsible to eliminate or block the Personal Data that it manages and to notify the Person Responsible of Privacy when the process has finished.
iii. Information regarding non-compliance of contractual obligations. – In the case of records related to suppliers or individual clients, the Areas which are in charge of managing the records of debts shall eliminate the information regarding the non-compliance of contractual obligations, once a term of 72 months has elapsed since the date when the non-compliance arose. No Area should provide third parties information related to default payments or credit Behavior.
e) Purpose. –Personal Data can only be treated to fulfill the purpose or purposes set forth in the corresponding Privacy Notices that have been used to collect the information of the Personal Data Holder. The purposes of the personal data treatment shall be regulated by the following:
i. Treatment for different purposes. – In case that an Area needs to treat Personal Data previously obtained by IKEA México, for a different purpose than the one informed to the Personal Data holder when his/her data was collected, the Area that wishes to carry out the treatment must obtain prior authorization and present a new Privacy Notice where the purposes for which the personal data will be treated are clearly indicated.
ii. Treatment for marketing, advertising or commercial prospection purposes. – In case that any area intends to use Personal Data for any of the purposes referred in this section (including the submission of commercial messages, carry out surveys, among others) must use the formats, forms, and procedures defined by the Person Responsible of Privacy. Also, the Marketing Area must make sure that all the marketing emails include the option allowing the message recipient to “Unsubscribe” from the email list.
f) Loyalty. – The Data Holders’ interests shall, at all times, be privileged when treating Personal Data.
i. Every Area of IKEA México, in any activity or initiative developed, must assume that every individual has the right to enjoy a reasonable expectation of privacy; this implies that every person delivering Personal Data to IKEA México has the right to expect that their data are treated in the terms that IKEA México informed such individual in the Privacy Notice.
ii. No Area can obtain or receive Personal Data bases or services related where there is a suspicion that they have an illegal origin or that the Data Holders did not give their consent for IKEA México to receive their data. Any transfer of data bases must be authorized by the Person Responsible of Privacy and the Legal Department.
g) Proportionality. – Only Personal Data that are necessary, appropriate and relevant regarding the purposes for which they were obtained can be subject to treatment. Every Area is responsible of identifying which is the minimum amount of Personal Data required to obtain and use for its operation, as well as eliminate those that are not necessary.
h) Responsibility. - IKEA México shall take measures to guarantee due treatment of the Personal Data. The measures that IKEA México will adopt include conducting internal and external audits, training of employees and entering into confidentiality agreements with third parties with which information transfers are made.
6. DATA SYSTEMS INVENTORY.
It is necessary that every functional area is aware of which personal data are being treated. At least, the following documentation must exist: List of Personal Data subject to treatment, systems used to treat personal data, type of personal data used, purposes of personal data treatment, recipients of such data, and, where applicable, the names of the Persons in Charge of the data.
7. DATA TREATMENT CARRIED OUT BY A PERSON IN CHARGE.
IKEA México is responsible of the personal information under its control, even when it subcontracts or commissions the treatment to a Person in Charge of the data. Therefore, IKEA México will carry out efforts to participate only with Persons in Charge and Agents who understand the relevance of the treatment of personal data and sensitive data, and who are capable of complying with this Policy and the laws applicable in Mexico.
All the treatment made by the Agents and Persons in Charge will be conducted according to this Privacy Policy. IKEA México should document in writing its legal relationship with the Agents and Persons in Charge of data, which will be contained in a written agreement where the obligations in charge of every party are described.
8. CROSS-BORDER TRANSFERS OF PERSONAL DATA.
IKEA México will only transfer Personal Data to Third Parties when there is a just case for it, whether provided by the law, i.e. for the administration of justice, anti-money laundering measures, protection of employees’ interests, external consultants, clients and suppliers protect the security or integrity of databases, websites or property of IKEA México, such as security measures to avoid legal liabilities, or in case of a sale, merger, dissolution, or acquisition or its assets or corporate reorganization, or because the transfer is necessary for the existence, maintenance or compliance of the legal relationship between IKEA México and the Personal Data Holder.
The Person Responsible for Privacy will keep an updated list of suppliers that can be used by IKEA México. Any transfer that is not in agreement to this Privacy Policy or the LFPDPPP is strictly prohibited and restricted, except when the Person Responsible for Privacy authorizes it. In any case, the recipient of the Personal Data transfer must prove to have the minimum infrastructure and security of Personal Data required to offer a protection standard similar to that offered by IKEA México.
9. RIGHTS OF THE INTERESTED PERSON
When required by the applicable laws, and at the request of an interested party, the personal data holders will be informed about the personal data held by IKEA México. Personal data holders can request the update of their personal data (if they are incorrect or incomplete) as well as oppose in any moment to the treatment of their personal data with purposes of direct marketing.
10. NON-COMPLIANCE OF DATA
All the employees and agents must report the suspicions of and breaches to the Compliance area of IKEA México, as applicable, according to the Information Technologies security policies applicable, regardless of the way in which the suspicion arises. Potential infractions include both unauthorized internal and external access and/or obtaining personal data.
11. ENFORCEABILITY, SANCTIONS
This Policy is mandatory for all employees of IKEA México.
The Person Responsible of Privacy and the Compliance Area are entitled to make investigations regarding the compliance of the Privacy Policy, in their areas of competence. Lack of compliance of any employee to this Privacy Policy will be considered as material harm to the employer or disclosure of secrets, unjustified disobedience, lack of adoption of preventive measures, as applicable, according to the Federal Labor Law and, therefore, as grounds for justified dismissal.
Regardless of the sanctions that IKEA México imposes, non-compliance of the Privacy Policy may result in the commission of crimes according to the legislation in force in Mexico.
