1. DEFINITIONS

    1. In this Privacy Notice, the below terms shall have the following meanings:

      1. "Personal Data" means any information relating to an identified or identifiable natural person;

      2. "Data Subject" means any identified or identifiable natural person to whom Personal Data relates;

      3. "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

      4. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

      5. "DP Act" shall mean Chapter 586 of the Laws of Malta (the Data Protection Act) and the subsidiary legislation thereunder, as may be amended from time to time;

      6. "Applicable Laws" shall mean the GDPR and the DP Act;

      7. "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of your Personal Data;

      8. "Processor" means the natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller; and

      9. "Consent" means any freely given, specific, informed and unambiguous indication of your wishes by which you (by a statement or by a clear affirmative action) signify agreement to the Processing of your Personal Data.

    2. As used herein, each term defined in the terms and conditions found here: https://hudsonmax.net/terms.html shall have the meaning assigned to it in the terms and conditions, unless expressly provided herein to the contrary.

  2. INTRODUCTION

    Hudson Malta Sales Ltd (C 32438) ("Hudson", the "Company", "We", "Us" or "Our") is a company forming part of the Hudson Group, which is an international sport and fashion retailer and distributor. Hudson operates the Programme, whereby members earn points when making qualifying purchases at Participating Outlets. Members may also acquire benefits from Programme Partners with which Hudson may partner from time to time. Further information about the Programme can be found in the T&Cs linked in section 1.2 of this Privacy Notice. In order to operate the Programme and manage your membership therein, We are required to Process your Personal Data. This Privacy Notice applies with respect to the Processing of Your Personal Data by the Company pursuant or in relation to its operation of the Programme and its management of your membership therein, and provides information regarding the manner in which the Company Processes your Personal Data, in accordance with the Applicable Laws.

  3. WHO WE ARE

    The Controller of Your Personal Data is Hudson Malta Sales Ltd, a limited liability company having registration number C 32438 and its registered address at Hudson House, Burmarrad Road, Burmarrad, San Pawl il-Bahar SPB 9060, Malta.

    Should you wish to contact Us for any reason with respect to Our Processing of Your Personal Data, you may do so using the below details.

    HUDSON MALTA SALES LTD

    Email Address: hudsonmax@hudson.com.mt

    Telephone Number: +356 2345 9001

  4. PERSONAL DATA WE COLLECT ABOUT YOU

    1. In the context of your membership in the Programme, We may Process the following Personal Data pertaining to you:

      1. Identity Data:your first and last name, email address, date of birth, location, gender, phone number, device type, and your photo identity document; and

      2. Transaction Information:the amount you have spent on purchases at the Participating Outlets, items purchased as well as the date and time of such purchases.

    2. We collect your first and last name, email address, gender, and phone number directly from you, as provided by you to representatives at the Participating Outlets when you sign up for the Hudson Membership Card, or as provided by you directly on the App, as the case may be. In the event that you have signed up for membership in the Programme through the App, we will also collect your device type and location through the App. We will collect your Transaction Information through the point-of-sale (POS) systems installed at the Participating Outlets when you make a purchase at such outlets. When you attempt to redeem coupons at the Participating Outlets, We will request visibility of a valid photo identity document from you in order to verify your identity as the member to whom the coupons belong. We shall not retain this document or any copies thereof.

  5. PURPOSES AND LAWFUL BASES FOR PROCESSING OF YOUR PERSONAL DATA

    1. We shall Process the Personal Data set out under section 4 above on the lawful basis of Our legitimate interests to:

      1. operate the Programme and manage your membership therein efficiently and successfully;

      2. provide you with information, products, or services that you request from Us;

      3. communication with you about your membership in the Programme and the transactions carried out under your membership;

      4. contact you via email, SMS, push notifications on your device (if you have signed up for membership in the Programme through Our App) or phone calls with marketing and promotional communications in relation to Our products, services, events, offers, sales, discounts, new collections, promotions, quizzes, giveaways, and company news, where such communications relate to Our products and services which are similar to those you have procured from Us in the past; and

      5. analyse your shopping habits at the Participating Outlets in order to send you appropriate marketing and promotional communications (as referred to under (iv) directly above).

    2. We shall not Process your Personal Data other than for the purposes set out above, unless We are required to do so in accordance with any applicable laws.

    3. Should You wish not to receive any marketing and promotional communications from Us as referred to in section 4.1(iv) above, You may opt out of receiving such communications by:

      1. unticking the "Keep me updated on HudsonMAX news, offers and promotions" box found in the 'Profile' section of the App;

      2. using the 'Unsubscribe' link found in Our promotional newsletters; or

      3. sending an email to [email protected] .

  6. AUTOMATED DECISION-MAKING AND PROFILING

    1. We do not use your Personal Data in order to carry out any automated decision-making or profiling. In the event that We decide to carry out any such automated decision-making or profiling in the future, We shall inform you prior to making any such use of Your Personal Data.

  7. DATA RECIPIENTS

    1. In the course of Our business, We work with third parties, typically Our service providers or subcontractors, who may also be Our Processors.

    2. In particular, We may share Your Personal Data with the Participating Outlets and the Programme Partners in order to manage Your membership in the Programme and Your benefits as derived therefrom, in accordance with the T&Cs. We may also share Your Personal Data with Our service provider Think Ltd, which provides us with services relating to the App.

    3. There are also times when we may be required to disclose Your Personal Data to third parties, such as when abiding by a court order, and We shall only do so in accordance with the law, particularly Applicable Laws.

    4. We require all third parties with whom We share Personal Data to respect the security of such Personal Data and to treat it in accordance with relevant law, including the Applicable Laws.

    5. We do not allow Our Processors to use Your Personal Data for their own purposes and only permit them to Process Your Personal Data for specified purposes and in accordance with Our instructions.

  8. INTERNATIONAL TRANSFERS OF PERSONAL DATA

    1. We do not generally transfer Your Personal Data to persons or entities outside the EU and the European Economic Area (the "EEA"). In the event that any such transfer of Your Personal Data to countries which are outside the EU/EEA, We shall ensure that a lawful basis for this exists and that appropriate safeguards are implemented for the protection of Your Personal Data, in accordance with the Applicable Laws.

  9. RETENTION OF PERSONAL DATA

    1. We retain Your Personal Data only for as long as We have a valid reason to do so. To determine the appropriate retention period for Personal Data, We consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of Your Personal Data, the purposes for which We Process Your Personal Data and whether We can achieve those purposes through other means, and the applicable legal requirements.

    2. Our standard practice is to determine whether there are any specific laws permitting or obliging us to keep certain Personal Data for a certain period of time, in which case We will typically keep the Personal Data for the maximum period indicated by any such law. We would also determine whether there are any laws and/or contract that may be invoked against Us by you and/or third parties and, if so, what the prescriptive periods for such actions are. These periods are usually of two or five years. In such cases, We will keep any relevant Personal Data that We may need to defend Ourselves against any claims, challenges or other such actions by you and/or third parties for such time as is necessary.

    3. Without prejudice to sections 9.1 and 9.2 above, We generally retain the Personal Data listed in section 4 of this Privacy Notice until the time of termination, withdrawal or cancellation of your membership in the Programme (as the case may be), for the purposes set out under section 5 of this Privacy Notice, following which time We shall dispose of all such Personal Data pertaining to you.

  10. YOUR RIGHTS

    In terms of the Applicable Laws, as a Data Subject and for as long as We retain Your Personal Data, you have the following rights in relation to such Personal Data:

    1. Access - You have the right to request access to Your Personal Data and information related to the Processing thereof, as well as obtain a copy thereof;

    2. Rectification - You have the right to request the rectification of any inaccuracies or any missing Personal Data of yours;

    3. Erasure - You have the right to request the erasure of your Personal Data;

    4. Restriction - You have the right to request the restriction of the Processing of your Personal Data in cases explicitly provided for by law, including if you believe that We are unlawfully Processing your Personal Data or that the Personal Data that We hold about you is inaccurate;

    5. Portability - You have the right to request that We provide You with Personal Data which We hold about you in a structured, commonly used and machine-readable format (except where such Personal Data was provided to Us in handwritten format, in which case, upon your request, such Personal Data will be provided to you in such handwritten format). Where technically feasible, you may also request that We transmit such Personal Data to a third-party Controller indicated by you;

    6. Objection - You have the right to object to the Processing of your Personal Data where We are relying on Our legitimate interests (or those of a third party) for such Processing;

    7. Automated decision-making and profiling - You have the right to object to a decision taken solely on the basis of automated Processing, including profiling, which has an impact on you or significantly affects you;

    8. Withdrawal of Consent - if you have provided Consent for the Processing of your Personal Data, you have the right to withdraw that Consent at any time, which will not affect the lawfulness of the Processing carried out prior to such withdrawal; and

    9. Information about the source - where the Personal Data We hold about you was not provided to Us directly by you, you also have the right to receive any available information as to the source of such Personal Data.

    Any of the above requests should be addressed in writing to [email protected] .

    You will not have to pay to exercise any of the above-listed rights. However, We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.

    Please note that none of above-listed rights are absolute and such rights must generally be weighed against Our own legal obligations and legitimate interests. If We are permitted, and if a decision is taken to override your Data Subject request, We shall inform you accordingly.

  11. COMPLAINTS

    We strive to be receptive to your concerns and would appreciate it if you would contact Us in the first instance should you have any complaints or believe that We have breached any privacy rules.

    Nonetheless, should you feel wronged by Our data protection practices, you may file a complaint with the data protection supervisory authority of your country of residence. In Malta, this would be the Office for the Information and Data Protection Commissioner, the contact details of which are as follows:

    OFFICE OF THE INFORMATION AND DATA PROTECTION COMMISSIONER [MALTA]

    Email: idpc.info@idpc.org.mt

    Phone: +356 2328 7100

    Address: Floor 2, Airways House, Triq il-Kbira, Tas-Sliema SLM 1549, Malta

  12. SECURITY OF PERSONAL DATA

    We have implemented appropriate security measures to the Personal Data that We hold, in order to prevent it from being accidentally lost, altered or disclosed in an unauthorised manner. These include IT security measures, such as authentication measures, encryption, appropriate data backup measures, and anti-malware and anti-virus software, as well as physical security measures, such as the installation of fire and intruder alarms at Our premises.

    We also carry out periodical reviews of Our data security measures and regularly perform vulnerability scans and penetration testing on our IT systems, in order to ensure that Our IT security is constantly up to standard.

    In addition, We limit access to your Personal Data to those employees and third parties who have business need to access such data. These persons are only allowed to Process your Personal Data on Our instructions and are subject to a duty of confidentiality.

    We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of such a breach where We are legally required to do so.

  13. YOUR OBLIGATIONS

    You acknowledge that, when providing your Personal Data to the Company, you are required to provide your actual, accurate and complete data. Furthermore, you must inform Us of any changes to the Personal Data We hold about you, so as to ensure that it is kept up-to-date and accurate.

  14. GOVERNING LAW

    This Privacy Notice is governed by and construed in accordance with the laws of Malta and relevant EU legislation.