BRITISH AMERICAN TOBACCO MAURITIUS PLC 

PRIVACY NOTICE 

 

At BRITISH AMERICAN TOBACCO MAURITIUS PLC (“BAT” or “us”) we take data privacy and the treatment of your personal information very seriously. BAT’s address is P.O. Box 101, Nicolay Road, Port Louis, Mauritius. Under Mauritian law, BAT is required to comply with the Data Protection Act, 2017. 

 

When you interact with us, we act as the data controller of your personal data, and we are required to provide you with this privacy notice, which informs you about how we process your personal data (hereinafter “the Notice”).  

 

1.  Who is responsible for my personal data at BAT? 

As stated above, BAT is the data controller of your personal data. You may reach us through the address details provided above. 

 

2.  What personal data do we hold about you and where does it come from?   

At BAT, we need some information about you, such as your name, contact details (mobile phone number and email address), national ID card details (including your photo as it appears on your national ID) and your current location, so we can work with you to manage the contract and relationship for the goods or services you supply to us, or we supply to you.   

 

In addition, as part of managing the business relationship, we may be required to conduct ‘know your customer’ or similar compliance screenings on you or your company, gift and entertainment statements/recordings, and creditworthiness checks, as per the compliance regulations that we need to observe. In doing so we will use the personal data listed below. We obtain this information either directly from you, from your employer, or from the company you are a shareholder or director of, as applicable. In the context of conducting compliance screenings, we will also check the personal data provided to us against public information.  

 

3.  What are your rights under data protection law? 

Subject to certain exceptions, by law, you have several rights in relation to how your personal data is used. If you want to exercise your rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal data. Except in rare cases, we will make sure to respond to you within one month from the later of (i) the date that we have confirmed your identity, or (ii) the date we received your request.  

 

  • Right of access (also known as Subject Access Requests) 

You may ask us for a copy of the personal data we hold about you. If we provide you with a copy, we will not charge you. If you request further copies of this information from us, we may charge you a reasonable administrative cost.  We will only decline your request in very limited circumstances as permitted by law, and we will always explain to you the reasons why we are not fulfilling your request.  

 

  • Right to rectify the data we hold about you 

You have the right to ask us to rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them, unless this is impossible or involves disproportionate effort. 

 

  • Right to object 

You can object to us using your personal data if we are using it for the purpose of our legitimate interests.  If we agree that your objection is justified, we will permanently stop using your personal data for those purposes. Otherwise we will explain why we need to continue using your information (for example, explaining that we need to use your personal data in connection with a legal claim). 

 

  • Right to erasure (also known as Right to be forgotten) 

In certain cases, you have the right to ask us to delete your personal data.  Normally, you can do this where: 

  • It’s no longer necessary for us to use your personal data; 
  • We were relying on your consent to use your personal data and you have withdrawn your consent. Note that this is not applicable to data already collected and processed; 
  • Your personal data has been used unlawfully; 
  • Your personal data needs to be erased in order for us to comply with our obligations under law; or 
  • You object to the processing and we don’t have a compelling reason to continue using it. 

In these cases, we will take all reasonably practicable steps to erase the relevant data.  We will only decline to comply with your request to erase your personal data in limited circumstances, and we will always tell you our reason for doing so. 

  • Right to restrict our use of your personal data  

You can ask us to suspend our use of your personal data in certain circumstances, for example during the time it takes us to respond to your request to correct the information we hold about you. If we have shared your information with third parties, we will notify them about the restricted use of your personal data unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on our use of your personal data. 

 

  • Rights relating to automated decisions 

In certain circumstances, if applicable, you may contest a decision made about you based on automated processing. We do not generally make decisions based solely on automated processing of your personal data, but when we do so, we will let you know. 

 

  • Right to withdraw consent (where applicable) 

Where we have asked your permission to use your personal data for certain activities, you may withdraw your permission at any time by emailing or calling us at the contact details set out below and we will stop using your information for that purpose. 

 

  • Right to complain 

You have the right to lodge a complaint with your local data protection supervisory authority, which is the Data Protection Commissioner. 

 

4.  Who do we share your personal data with? 

At BAT, we do not share, rent or trade your personal data with third parties for marketing or promotional purposes. When necessary, we may share data about you with recipients that include (but are not limited to): 

  • any of our BAT group companies; 
  • Tax, audit, or other authorities, when we believe we are legally required to do so, where the relevant authority has asked us to assist (for example, because of a request by a tax authority or in connection with any expected litigation), or in order to help prevent fraud or to protect the rights of BAT; or protect the personal safety of BAT employees, third party agents or members of the public; 
  • Third party service providers such as external consultants and professional advisers (including but not limited to law firms, auditors and accountants), technical support functions, and IT consultants carrying out testing and development work on our business technology systems; 
  • Third parties for the purposes of background screening checks, credit worthiness checks, order fulfilment, delivery, customer support services and storage services; 
  • Third party outsourced IT providers, including but not limited to email/text messaging providers; Cloud IT service providers, business suite solution providers; data analytics agencies; IT strategic implementation partners; hosting service providers; and 
  • If it is proposed that BAT is to merge with or be acquired by another business in the future, we may share your personal data with potential purchasers, where this is necessary, or the new owners of the business or company. 

 

5.  Do we transfer your personal data to other countries when we share it? 

Sometimes when we share your personal data with the third parties described in section 4 above, it may be transferred to countries where BAT has a presence. 

 

We will do our best to ensure that your personal data is stored and transferred in a way which is secure. 

When we transfer your personal data outside the Mauritius jurisdiction, we take appropriate steps to protect that information, which include: 

  • maintaining an intra-group agreement between BAT companies which includes clauses the Data Protection Act has determined offer adequate protection for your personal data (known as the “Standard Contractual Clauses”); 
  • entering into agreements with third parties which include the Standard Contractual Clauses; 
  • transferring to organizations within countries that the Data Commissioner has judged offer adequate protection for your personal data. 

 

6.  How do we ensure your personal data is safe with us? 

We care about protecting your personal data. We are committed to taking all reasonable and appropriate steps to protect the personal data that we hold from misuse, loss, or unauthorized access. We do this by having in place a range of appropriate technical and organizational measures, including encryption measures and disaster recovery plans. 

 

If you suspect any misuse or loss of or unauthorized access to your personal data, please let us know immediately by contacting us using the details provided at the end of this notice. 

 

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will apply our normal procedures and comply with legal requirements to protect your personal data, we cannot guarantee the security of your information transmitted from you to us. 

 

7.  How do we legally use your data and how long do we keep it for? 

Please see below for how we can lawfully use your personal data in the context of the relationship that you have with us. 

 

Why do we hold your personal data? To contact you in order to manage the contract and business relationship with either you, your employer or the company of which you are a director, direct or indirect shareholder or representative. 

What type of personal data? 

  • Name, contact information (e.g. email address, telephone number, region you are from), job title 

How legally can we use your personal data? In order to perform our obligations under contract or take steps prior to entering into a contract. 

How long do we keep it for? 6 years after the expiry of the business relationship or contract entered into by BAT. 

 

Why do we hold your personal data? To comply with all statutory and regulatory requirements within the jurisdictions within which we operate (including those relating to bribery and corruption, money laundering and sanctions) when engaging with third parties. 

What type of personal data? 

  • Name, contact information 
  • In the case of sole traders: financial information, such as creditworthiness, bank account details, specimen signature; and 
  • In the case of certain key individuals (and only where permitted by law): KYC (know your customer) records, such as passport details, identity documentation, social security number, date and place of birth, nationality, relationships with public officials, or allegations of criminal conduct. 
  • In the case of gift and entertainment statements as per compliance regulations, we might also process the name and surname of your spouse/close family. 

How legally can we use your personal data? We rely on legitimate interest that assists us in compliance with legal obligations. 

How long do we keep it for? 12 years from the date BAT ceases its relationship with you/that organization that you are employed by. 6 years from the date on which the recording in respect of the gift and entertainment is registered within BAT. 

 

What type of personal data? 

  • Personal data relating to criminal allegations, proceedings or convictions, 
  • political opinions, and whether you are listed on a sanctions list. 

How legally can we use your personal data? To comply with regulatory requirements relating to unlawful acts to which we are subject (including but not limited to POCAMLA, as well as to amend and supplement regulatory act). 

How long do we keep it for? 6 years from the date BAT ceases its relationship with you/that organization that you are employed by. 

 

Why do we hold your personal data? If you contact us and we need to respond to any query that you have asked us. 

What type of personal data? 

  • Name and contact information 
  • Any information that you provide to us in submitting your query through our contact form or to us directly 

How legally can we use your personal data? It is in our legitimate interests to respond to your query and in order to ensure that you have the most up to date information about the BAT business and that any concerns you have relating to BAT are resolved. 

How long do we keep it for? 1 year after the point at which it is no longer necessary for the purposes for which we obtained it. 
 

Please note that we may need to keep your data longer than the periods stated above. This could be because of the following reasons: 

  • to potentially establish, bring or defend legal proceedings or to comply with a legal or regulatory requirement; 
  • to be able to deal with external or internal audits. 

 

When it is no longer necessary to retain your personal data, we will delete the personal data that we hold about you from our systems. After that time, we would only retain aggregate data (from which you cannot be identified) for analytical purposes.  

We may amend this Privacy Notice from time to time, so please check back regularly or contact us to make sure you have the latest version.