DE BEERS PRIVACY POLICY

About this Privacy Policy

We care about your privacy and we think it is important that you always know what information we obtain about you in the context of your use of De Beers' website (available at www.debeers.com , including any purchases or associated activities undertaken by you whilst using the website (the " Services") and what that information is used for.

In the Privacy Policy below, we therefore aim to keep you fully informed as to the type, extent and purpose of the collection, storage, use and processing of your personal data by us.

Personal data (as used in this Privacy Policy) is all information relating to an identified or an identifiable natural person. A person is identified when the identity of a specific person can be deduced from the information itself. A person is identifiable when we can make a connection to a specific person using information available to us.

You generally have the option of not identifying yourself or of using a pseudonym when dealing with us, except where this is impractical (for example when you shop online with us) or where certain laws or a court order provides otherwise.

This Privacy Policy applies to the Website and your use of the Services. Depending on your jurisdiction, this Privacy Policy may apply with or without changes. Where changes apply depending on your jurisdiction, the changes are noted in Schedule 2.

Please read this Privacy Policy carefully to understand our practices regarding your personal data and how we will treat it.

IF YOU DO NOT AGREE WITH OUR POLICIES AND PRACTICES, DO NOT VISIT OUR WEBSITE OR USE THE WEBSITE SERVICES.

Our Privacy Policy applies to any customer or visitor to our website.

Who we are

We are the entity described in Schedule 1 as the entity registered in your country of residence (hereinafter: " De Beers" " we" or " us").

We are the provider of the Website and the Services and the organisation responsible for the personal data collected about you as part of your use of the Website and the Services within the meaning of applicable data protection and privacy laws.

We are an organisation who sell luxury jewellery.

How to contact us

If you have any questions about this Privacy Policy or our use of your personal data, if you need to report a problem, or if you would like to exercise one of your rights under data protection and privacy laws you can contact us using the contact details set out in Schedule 1.

You can get in touch with our dedicated privacy contacts with any queries or complaints regarding your data.

How we get information and what data we collect

When you (i) use the Services, (ii) visit our Website, (iii) sign-up for our newsletter, (iv) book an appointment with us, (v) contact our customer services department or (vi) use our live chat service we may collect the following information from you directly:

· your name;

· your email address and phone number;

· your address;

· your IP address;

· credit or debit card details; and

· cookies referred to in the section on cookies below.

We collect certain information about you when you sign up to our services or use our website.

When you visit the Website our server will record your IP address together with the date, time and duration of your visit. An IP address is an assigned number, similar to a telephone number, which allows your computer to communicate over the Internet. It enables us to identify which organisations have visited the Website.

IF YOU DO NOT WANT US TO COLLECT ANY OF THE INFORMATION DESCRIBED IN THIS PRIVACY POLICY, DO NOT USE OUR WEBSITE OR THE WEBSITE SERVICES.

Use of our customer service web chat function

We provide a customer service web chat function as part of the Services. You should be aware that personal data that you voluntarily include and transmit online via this chat function will also be processed in accordance with this privacy policy. Please bear this in mind when providing us with information about yourself via the chat function.

You choose what personal data you share with us when you use our chat function, and we will process that personal data in accordance with this policy.

Why we collect, process and use your information

We collect, process and use your personal data for the following purposes:

To provide you with the Services

· to maintain updated customer accounts

· to provide you with a personalised online shopping experience

· to fulfil any enquiries you raise

· to process your online orders

· to communicate with you about your orders, and

· to book in-store appointments

We use your data to provide you with the Services.

For business administrative purposes

· to facilitate our internal business administration, including maintaining proper business records

· to administer databases (including our contacts database)

· to establish and manage good relationships with you or the organisation with which you are associated

· to investigate or respond to any incidents, complaints or grievances

· to compile statistical data on the use of the Services to report on the cross section of people who use the Services, and

· as part of our efforts to keep the Website and our physical and digital assets safe and secure.

We use your data for business administrative purposes.

For marketing and promotion purposes

· to update you on our latest products and services which we think you may be interested in.

We use your data to provide you with details of new products and services.

How long we keep your information for

We retain your personal data until you ask us to delete it or it is no longer necessary for the purposes described above.

Your rights

You have various rights in relation to the data which we hold about you as described below. You can find out more about your rights by contacting the data protection authority in your jurisdiction (where applicable). Some of the rights described below are not legal rights in all jurisdictions, and we may not be legally required to comply with requests that you make in respect of these. We will comply with requests where we are required by law to do so, and where reasonable and practicable, we will also endeavour to meet other requests you make in respect of these rights. If we are unable to do so, then we will communicate this to you.

To get in touch with us about any of your rights under applicable data protection laws, please use the contact details set out in Schedule 1. We will seek to deal with your request without undue delay, and in any event within any time limits provided for in applicable data protection law (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.

Right to object

This right enables you to object to us processing your personal data where we do so for one of the following reasons:

· because it is in our legitimate interests to do so (for further information please see the section on the grounds for processing below);

· to enable us to perform a task in the public interest or exercise official authority;

· to send you direct marketing materials; or

· for scientific, historical, research, or statistical purposes.

Right to withdraw consent

If we obtain your consent to process your personal data for any activities, you may withdraw this consent at any time and we will cease to use your data for that purpose unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition. You can withdraw your consent by updating your preferences in your account or by contacting our customer services department.

Right to access a copy of your data

You may ask us for a copy of the information we hold about you at any time, and request us to modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this unless permitted by law. If you request further copies of this information from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.

Right to erasure

You have the right to request that we "erase" your personal data in certain circumstances. Normally, this right exists where:

· The data are no longer necessary;

· You have withdrawn your consent to us using your data, and there is no other valid reason for us to continue;

· The data has been processed unlawfully;

· It is necessary for the data to be erased in order for us to comply with our obligations under law; or

· You object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.

We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so. When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.

Right to restrict processing

You have the right to request that we restrict our processing of your personal data in certain circumstances, for example if you dispute the accuracy of the personal data that we hold about you or you object to our processing of your personal data for our legitimate interests. If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.

Right to rectification

You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.

Right of data portability

If you wish, you have the right to transfer your personal data between service providers. In effect, this means that you are able to transfer the details we hold on you to another third party. To allow you to do so, we will provide you with your data in a commonly used machine-readable format so that you can transfer the data. Alternatively, we may directly transfer the data for you.

Right to complain

You also have the right to complain to your data protection authority (where applicable).

You have a number of rights regarding your data.

Sharing your information

In general, your data is processed exclusively by us and we do not pass on any personal data to third parties unless in the context of our Website and Services. Where we do share your personal data, we do so with the following categories of recipients:

Service providers

We may share your personal data with third party service providers who perform functions on our behalf (including logistics companies, website providers, email communications service providers, payment and tax calculation services providers, technical support functions and IT consultants carrying out testing and development work on our business technology systems). We will only share your data with these third party service providers where we have appropriate data processing agreements (or similar protections) in place (or your consent where required) and they will not be able to use your data for their own purposes (e.g. for their own marketing purposes).

Related Entities

We may disclose your personal data to our affiliated companies and to our franchisees.

Regulatory bodies

We may disclose your personal data:

· to data protection regulatory authorities;

· in response to an enquiry from a government agency; and

· to other regulatory authorities with jurisdiction over our activities.

Professional advisors and Auditors

We may disclose your personal data to professional advisors (such as legal advisors and accountants) or auditors for the purpose of providing professional services to us.

Replacement providers

In the event that we sell or buy any business assets, we may disclose your personal data to the prospective seller or buyer of such business or assets. If De Beers or substantially all of its assets are acquired by a third party, personal data held by us about our clients will be one of the transferred assets.

Otherwise, your data will only be disclosed in special exceptional cases, where we are obligated or entitled to do so by statute or upon binding order from a public authority.

We may share your data with certain third parties (e.g. to help us provide the Services and the Website).

Changes to this Privacy Policy

We will review this Privacy Policy periodically, and reserve the right to modify and update it at any time. You acknowledge that we may make changes to this Privacy Policy. Where those changes are not material, it is your responsibility to check back to this page from time to time to review the Privacy Policy. Changes to this Privacy Policy will come into effect immediately upon such changes being uploaded to our Website. Where changes are material, we will notify you of those changes and obtain your consent if required. This Privacy Policy was last revised on 17/04/2020

We may make changes to this Privacy Policy from time to time.

Cookies

We use cookies (access data files) on our Website which save certain personal information in order to provide a specialised service that is customised and personalised, as well as for analytics and tracking purposes. Cookies are small pieces of data (text files) that are sent by the website server to the user's browser or app and saved on the user's computer and other devices. With respect to its operation, our cookies distinguish between the users' computer or mobile phones but do not differentiate the individual users.

You have a right to choose whether the cookies are installed or not. You may choose to refuse all cookies, confirm each time a cookie is saved, or permit all cookies by going to [Tools]>[Internet Option]>[Security]>[Custom Setting], or by using the Settings or Options function on mobile devices. If you reject cookies or delete our cookies, you may still use our Website, but you may have reduced functionality.

We use the following cookies on the Website:

Name

Type of Cookie

Purpose

Cookie Duration

Frontend

Strictly necessary

This cookie is set by website content management system to remember the following:

Any items in your shopping bag;

An indicator if you are currently logged in;

A link to information about your shopping bag and viewing history;

The store view or language you have selected; and

An encrypted list of products added to your Wishlist.

30 days

ga

Analytical/performance

Google Analytics – this allows us to understand how visitors interact with our website and to improve our service

2 years

_gaclientName

Analytical/performance

Google Analytics – this allows us to understand how visitors interact with our website and to improve our service

2 years

_gaclientName_gid

Analytical/performance

Google Analytics – this allows us to understand how visitors interact with our website and to improve our service

24 hours

_uetsid

Analytical/performance

Bing Advertising – this allows us to understand how visitors via Bing interact with our website

30 minutes

mp_%random%_mixpanel

Analytical/performance

Tracks site navigation, responsiveness, and other metrics to help us improve visitors’ experience on our sites.

10 months

_55

Functional

This allows us to measure our visitor frequency and whether visitors have created an account on the website

6 months

_zlcmid

Functional

These are managed by ZopIM, who provide the technology behind our LiveChat service. The __zlcmid cookie allows you to continue your conversation with us as you view different pages on our site, or if you come back to the site at a later date.

1 year

_zlcprivacy

Functional

This cookie is set if you choose to disable the live chat and the _zlcmid cookie is deleted.

9 months

We also use third party cookies on our Website. These third party cookies help us learn more about our customers so that we can provide a more personalised service. We use the following third parties cookies on the Website; to find out how these companies process your personal data, please review the relevant privacy notice.

Third Party Name

Purpose

Link to Third Party's Privacy Notice

Bing

Bing allows us to build lists of users who have searched for certain terms and clicked on results using their search engines, so that we can target our advertising more effectively.

http://choice.microsoft.com/en-us/opt-out

https://privacy.microsoft.com/en-US/

Facebook Custom Audiences

We use custom audience pixels to record information about the way visitors use our Website. This pixel records information about a user’s browser session, which it sends to Facebook, along with an anonymised version of the Facebook ID and the URL viewed. This allows us to target our Facebook ads to audiences of people who have visited our Website.

http://www.facebook.com/about/privacy/

Google (AdWords Remarketing)

This cookie helps us to advertise De Beers across the internet, in particular on the Google Display network. Remarketing will display ads to you based on which product pages you have visited on the De Beers website by placing a cookie on your web browser. This cookie does not in any way identify you or give access to your computer or mobile device. The cookie is used to indicate to other websites that ‘this person visited a particular page, so show them ads relating to that page.’and allows us to tailor our marketing to better suit your needs and display ads that are relevant to you.

http://www.google.com/analytics/learn/privacy.html

Google / Doubleclick

We use Google DoubleClick cookies to inform, optimise and serve ads based on a visitor’s previous visit to our Website and report how ad impressions, other uses of ad services and interactions with these ad impressions and ad services are related to visits to our Website.

http://www.google.com/analytics/learn/privacy.html

Google Analytics

These cookies are used to collect information about how visitors use our Website. We use the information to compile reports and to help us improve the Website.

http://www.google.com/analytics/learn/privacy.html

IP Label

For monitoring and improving the performance of our website.

https://www.ip-label.co.uk/legal-information/

Campaign Monitor

We also send emails using Campaign Monitor, which uses tracking technology. We use this information primarily to understand what subjects are interesting to our readers, by monitoring whether our emails are opened and what links are clicked on by our readers. We then use this information to improve the emails that we send to you.

https://www.campaignmonitor.com/policies/#privacy-policy

Content Square

Content Square is a solution which aggregates usage and frequency data to improve user experience. Statistics created are anonymous.

https://www.contentsquare.com/privacy-and-security/

Fresh Relevance

For personalised experiences and service messaging

https://www.freshrelevance.com/cookies-policy

Salesforce

We use Salesforce to send emails. We use this information primarily to understand what subjects are interesting to our readers, by monitoring whether our emails are opened and what links are clicked on by our readers. We then use this information to improve the emails that we send to you.

https://www.salesforce.com/company/privacy/full_privacy/

We use cookie technology on the Website.

Security

We care about protecting your personal data. That’s why we put in place appropriate security measures which are designed to prevent any misuse of the data that you provide to us, including:

· HTTPS or FTPS being used for all data in motion; and

· Organisational controls on who within De Beers can access your personal data.

Unfortunately, there is always risk involved in sending information through any channel over the internet. You send information over the internet entirely at your own risk. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted over the internet and we do not warrant the security of any information, including personal data, which you transmit to us over the internet.

If you suspect any misuse, loss, or unauthorised access to your personal data please let us know immediately using the contact details set out in this Privacy Policy. We will investigate the matter and update you as soon as possible on next steps.

We take security seriously and put in place measures to protect your information

Where your information is transferred and stored

In general, your data will be stored in the United Kingdom ( UK) and replicated elsewhere depending on your geographic location.

A number of our service providers are also located elsewhere in the world. For example, in the United States of America, Singapore, Russia, the United Arab Emirates, South Africa, Canada, Slovakia, Kazakhstan and Kuwait.

In the event that we transfer your personal data to, or store your personal data in, a country or territory which does not maintain adequate data protection standards, we will take all reasonable steps to ensure that any such transfers are undertaken in accordance with applicable data protection and privacy laws (including, where required, obtaining your consent to such transfers) and that your data is treated securely and in accordance with this Privacy Policy.

However, please note that where personal data is stored in another country, it may be accessible to law enforcement agencies in accordance with domestic laws.

We store your data in the UK and elsewhere depending on your geographic location but our service providers may be located elsewhere in the world.

Grounds for processing your information

Where you give us your consent to process your personal data

We are allowed to use your personal data where you have specifically consented. In order for your consent to be valid:

· It has to be given freely, without us putting you under any type of pressure;

· You have to know what you are consenting to – so we'll make sure we give you enough information;

· You should only be asked to consent to one thing at a time – we therefore avoid "bundling" consents together so that you don't know exactly what you're agreeing to; and

· You need to take positive and affirmative action in giving us your consent – for example, we could provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.

We currently seek your consent to use your personal data for marketing and advertisement purposes.

Before giving your consent you should make sure that you read any accompanying information provided by us so that you understand exactly what you are consenting to.

You have the right to withdraw your consent at any time, and details can be found in the "Right to withdraw consent" paragraph in the section on your rights above.

Where processing your information is within our legitimate interests

We are allowed to use your personal data where it is in our interests to do so, and those interests aren't outweighed by any potential prejudice to you.

We believe that our use of your personal data is within a number of our legitimate interests, including but not limited to:

· To provide you with the Services;

· To ensure that our systems run smoothly;

· To protect against improper use or unauthorized use of our Website;

· To protect against fraud; and

· To market our Website and Services.

We don't think that any of the activities set out above will prejudice you in any way. However, you do have the right to object to us processing your personal data on this basis. We have set out details regarding how you can go about doing this in the section on your rights above.

Where processing your personal data is necessary for us to carry out our obligations under our contract with you

We are allowed to use your personal data when it is necessary to do so for the performance of our contract with you.

For example, we need to collect and store your email address in order to provide you with our newsletter if you have requested it.

Where processing is necessary for us to carry out our legal obligations

As well as our obligations to you under any contract, we also have other legal obligations that we need to comply with, and we are allowed to use your personal data when we need to comply with those other legal obligations.

We rely on certain grounds to collect, use and share data about you.

Schedule 1: De Beers Controller Entities and Regulatory Authorities

Your country of residence

De Beers Controller Entity

Contact Details for De Beers Controller Entity

Regulatory authority and contact details (if applicable)

Australia

De Beers Jewellers Ltd

Email : clientservices@debeers.com

Post : 45 Old Bond Street, London, W1S 4QT

Office of the Australian Privacy Commissioner

Phone : 1300 363 992

Email : enquiries@oaic.gov.au

Post : GPO Box 5218, Sydney NSW 2001, Australia

India

De Beers Jewellers Ltd

Email : clientservices@debeers.com

Post : 45 Old Bond Street, London, W1S 4QT

Not applicable.

Japan

De Beers Jewellers Ltd

Email : clientservices@debeers.com

Post : 45 Old Bond Street, London, W1S 4QT

Personal Information Protection Committee (PPC)

Phone: 03-6457-9849

Post: Kasumigaseki Common Gate West Tower 32nd Floor, 3-2-1, Kasumigaseki, Chiyoda-ku, Tokyo, 100-0013, Japan

Monaco

De Beers Jewellers Ltd

Email : clientservices@debeers.com

Post : 45 Old Bond Street, London, W1S 4QT

Data Protection Authority of Monaco (Commission de Contrôle des Informations Nominatives - CCINN)

Phone: (+377) 97 70 22 44

Fax: (+377) 97 70 22 45

Email: ccin@ccin.mc

Post : “Suffren” building, Block B, 4th floor, 7, rue Suffren Reymond, 98000 - Monaco

Norway

De Beers Jewellers Ltd

Email : clientservices@debeers.com

Post : 45 Old Bond Street, London, W1S 4QT

Details of the relevant supervisory authority can be found at the following website: https://edpb.europa.eu/about-edpb/board/members_en

Switzerland

De Beers Jewellers Ltd

Email : clientservices@debeers.com

Post : 45 Old Bond Street, London, W1S 4QT

Federal Data Protection and Information Commissioner

Phone: +41 (0)58 462 43 95

Email: info@edoeb.admin.ch

Post: Office of the Federal Data Protection and Information Commissioner FDPIC Feldeggweg 1 CH - 3003 Berne

Malaysia

De Beers Jewellers Ltd

Email : clientservices@debeers.com

Post : 45 Old Bond Street, London, W1S 4QT

Saudi Arabia

De Beers Jewellers Ltd

Email : clientservices@debeers.com

Post : 45 Old Bond Street, London, W1S 4QT

South Korea

De Beers Jewellers Ltd

Email : clientservices@debeers.com

Post : 45 Old Bond Street, London, W1S 4QT

UK

De Beers Jewellers Ltd

Email : clientservices@debeers.com

Post : 45 Old Bond Street, London, W1S 4QT

Information Commissioner's Office

Phone: 0303 123 1113

Email: casework@ico.org.uk

Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

EU

De Beers Jewellers Ltd

Email : clientservices@debeers.com

Post : 45 Old Bond Street, London, W1S 4QT

Details of the relevant supervisory authority can be found at the following website: https://edpb.europa.eu/about-edpb/board/members_en


Schedule 2 - Addenda to the De Beers Privacy Policy

Index

Addenda

Date of last revision

A.

Addendum for Andorra

17/04/2020

B.

Addendum for Australia

17/04/2020

C.

Addendum for India

17/04/2020

D.

Addendum for Japan

17/04/2020

E.

Addendum for Monaco

17/04/2020

F.

Addendum for Malaysia

17/04/2020

G.

Addendum for Norway

17/04/2020

H.

Addendum for Saudi Arabia

17/04/2020

I.

Addendum for South Korea

17/04/2020

J.

Addendum for Switzerland

17/04/2020

K.

Addendum for the United Kingdom

17/04/2020

L.

Addendum for the European Union

17/04/2020

Note on Addenda

The above Privacy Policy shall be replaced, deleted or varied (as applicable) by the country-specific provisions contained below. For example, if you are a consumer in Andorra, the above Privacy Policy shall apply with the changes described in Andorra Addendum below.


A. Addendum for Andorra

No changes required.


B. Addendum for Australia

1.The Privacy Policy applies with the following changes:

1.1 The definition of personal data in the " About this Privacy Policy " section includes opinions.

1.2 The word "use" is replaced with "handling" in the " How to contact us " section.

1.3 The following sentence is added to the end of the " How long we keep your information for " section:

" Laws and regulations may set a minimum period of time for which we must retain your personal data ."

1.4 The " Your rights " section is changed as follows:

1.4.1 The word " always " is replaced with "usually" in the paragraph the " Right to access a copy of your data".

1.4.2 The "Right to restrict processing" paragraph is replaced with the following:

" You have the right to request that we restrict our processing of your personal data in certain circumstances, for example if you dispute the accuracy of the personal data that we hold about you or you object to our processing of your personal data for our legitimate interests. If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impracticable or unlawful. We will, of course, where lawful to do so, notify you before lifting any restriction on processing your personal data ."

1.4.3 The "Right to rectification" paragraph is replaced with the following:

" You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impracticable or unlawful. You may also request that we notify the third parties that we have disclosed the inaccurate or incomplete personal data to and any correction made to the personal data. Where we think that it is reasonable for us not to comply with your request, we will usually explain our reasons for this decision ."

1.5 The “ Security " section is replaced with the following:

Security

We care about protecting your personal data. That’s why we put in place appropriate security measures which are designed to protect your personal data from misuse, interference and loss, and from unauthorised access, modification or disclosure, including:

  • HTTPS or FTPS being used for all data in motion; and
  • Organisational controls on who within De Beers can access your personal data.

Unfortunately, there is always risk involved in sending information through any channel over the internet. You send information over the internet entirely at your own risk. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted over the internet and we do not warrant the security of any information, including personal data, which you transmit to us over the internet.

If you suspect any misuse, loss, or unauthorised access to your personal data please let us know immediately using the contact details set out in this Privacy Policy. We will investigate the matter and update you as soon as possible on next steps.

We take security seriously and put in place appropriate measures to protect your information

1.6 The " Grounds for processing your information " section is deleted.


C. Addendum for India

1. The Privacy Policy applies with the following changes:

1.1 The second paragraph of the " Who we are " section is replaced with the following:

" We are the provider of the Website and the Services and the organisation responsible for collecting and retaining personal data about you as part of your use of the Website and the Services within the meaning of applicable data protection and privacy laws ."

1.2 The following words are added to the beginning of the second paragraph of the " How we get information and what data we collect " section:

" Your credit or debit card details are considered to be sensitive personal information under Indian law ."

1.3 The " Your rights " section is changed as follows:

1.3.1 The exception to your right to withdraw your consent (set out in the "Right to withdraw" paragraph), on the ground that an alternative legal basis may be used, does not apply to credit and debit card details. You may withdraw your consent to the processing of this data at any time.

1.3.2 The last sentence of the paragraph on "Right to access a copy of your data" (namely "Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.") is deleted.

1.3.3 The last sentence of the paragraph on "Right to rectification" (namely "Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.") is deleted.

1.3.4 The paragraph on the "Right to complain" is deleted.

1.4 The following new sentence is inserted after the first sentence in the “ Sharing your information ” section:

Whenever we share your sensitive personal data with third parties, we will take all reasonable steps to ensure that the third party maintains at least the same level of protection for the information as we do ourselves.”

1.5 The " Grounds for processing your information " section is changed as follows:

1.5.1 The following sentence is added to the end of the last paragraph on "Where you give us your consent to process your personal data":

" If you withdraw consent, we have the right to terminate your right and ability to access or use the Services ."

1.5.2 The paragraphs on "Where processing your information is within our legitimate interests", "Where processing your personal data is necessary for us to carry out our obligations under our contract with you" and "Where processing is necessary for us to carry out our legal obligations" do not apply to sensitive personal data such as your credit or debit card details.


D. Addendum for Japan

1. The Privacy Policy applies with the following changes:

1.1 The " Why we collect, process and use your information " section is changed as follows:

1.1.1 The "For marketing and promotion purposes" paragraph is replaced with the following

paragraph:

For marketing and promotion purposes

· to update you on our latest products and services which we think you may be interested in; and

· to send you our newsletters (should you choose to request it).

1.1.2 The following additional paragraph is added to the end of the section:

For other related legal compliance matters

to comply with our legal obligations under applicable laws (including those laws outside Japan), including without limitation, legal obligations relating to know-your-client requirements and tax requirements.

We use your data to the extent necessary to comply with our legal obligations around the world.

1.2 The " Your rights " section is changed as follows:

1.2.1 the first bullet under the "Right to object" paragraph (stating "because it is in our legitimate interests to do so (for further information please see the section on our legal bases for processing below)" ) is deleted;

1.2.2 the last bullet under the "Right to erasure" paragraph (stating "You object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing". ) is deleted; and

1.2.3 the words " or you object to our processing of your personal data for our legitimate interests " are deleted from the "Right to restrict processing" paragraph.

1.3 The following additional paragraph is added to after the second paragraph of the " Where your information is transferred and stored " section:

The data will be stored on servers which may be owned by our affiliate companies or our third party IT services providers. For further details regarding our sharing of data with third parties please see the section above headed “Sharing your Information”.

1.4 The words “take all reasonable steps to” in the " Where your information is transferred and stored " section are deleted.

1.5 The " Grounds for processing your information " section is deleted.


E. Addendum for Monaco

No changes required.


F. Addendum for Malaysia

1. The Privacy Policy applies with the following changes:

1.1 The following sentence is added to the end of the " About this Privacy Policy " section:

" In the event of any discrepancy or inconsistency between the English version and Malay version of this Privacy Policy, the English version shall prevail ."

1.2 The " How to contact us " section is replaced with the following:

How to contact us

If you have any questions about this Privacy Policy or our use of your personal data, if you need to report a problem or complaint, or to limit the processing of your personal data, or if you would like to exercise one of your rights under data protection and privacy laws you can contact us using the contact details set out in Schedule 1.

You can get in touch with our dedicated privacy contacts with any queries or complaints regarding your data.

1.3 The following sentence is added to the end of the " Why we collect, process and use your information " section:

" Provision of your personal data to provide you with the Services and for business administrative purposes are [mandatory in order for us to carry out our obligations towards you] . If you do not provide us with this information we may not be able to provide the Services to you. However provision of personal data for marketing and promotional purposes is optional and you may exercise your rights by contacting us using the contact details set out in Schedule 1 ."

1.4 The " Grounds for processing your information " section is replaced with the following:

Consent to process your information and exceptions

The PDPA requires your consent for any processing of your personal data, except where an exception applies. We have described the requirements of your consent and the exceptions below.

Where you give us your consent to process your personal data

We are allowed to use your personal data where you have specifically consented. In order for your consent to be valid:

  • It has to be given freely, without us putting you under any type of pressure;
  • You have to know what you are consenting to – so we'll make sure we give you enough information;
  • Your consent must be capable of being recorded and maintained meaning that you need to take positive and affirmative action in giving us your consent – for example, we could provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.

We currently seek your consent to use your personal data for marketing and advertisement purposes.

Before giving your consent you should make sure that you read any accompanying information provided by us so that you understand exactly what you are consenting to.

You have the right to withdraw your consent at any time, and details can be found in the "Right to withdraw consent" paragraph in the section on your rights above.

Exception to the consent requirement - Where processing your personal data is necessary for us to carry out our obligations under our contract with you

We are allowed to use your personal data when it is necessary to do so for the performance of our contract with you.

For example, we need to collect and store your email address in order to provide you with our newsletter if you have requested it.

Exception to the consent requirement - Where processing is necessary for us to carry out our legal obligations

As well as our obligations to you under any contract, we also have other legal obligations that we need to comply with, and we are allowed to use your personal data when we need to comply with those other legal obligations.

We rely on consent or these exceptions to collect, use and share data about you.


G. Addendum for Norway

No changes required.


H. Addendum for Saudi Arabia

No changes required.


I. Addendum for South Korea

1. The Privacy Policy applies with the following changes:

1.1 The " How long we keep your information for " section is replaced with the following:

How long we keep your information for

We retain your personal data until you ask us to delete it or it is no longer necessary for the purposes described above.

1.2 The "Service providers" and "Related Entities" paragraphs of the " Sharing your information " section is replaced with the following:

Sharing your information

Service providers

We may share your personal data with the following third party service providers who perform functions on our behalf:

  • FeBex/DHL/Sungfun - logistics companies;
  • Salesforce ] - website providers;
  • Salesforce - email communications service providers;
  • Avalara - payment and tax calculation services providers;
  • Everis UK LTD - technical support functions and IT consultants carrying out testing and development work on our business technology systems

We will only share your data with these third party service providers where we have appropriate data processing agreements (or similar protections) in place and they will not be able to use your data for their own purposes (e.g. for their own marketing purposes).

Related Entities

We may disclose your personal data to our affiliated companies and to our franchisees on the following basis:

  • DeBeers Group, Anglo American PLC – We share Sales data, address details, name, contact details data for the purpose of marketing activity and understanding.

1.3 The paragraphs on “ Where processing your information is within our legitimate interests”, “Where processing your personal data is necessary for us to carry out our obligations under our contract with you " and “ Where processing is necessary for us to carry out our legal obligations” in the Grounds for processing your information " section are deleted.


J. Addendum for Switzerland

1. The Privacy Policy applies with the following changes:

1.1 The meaning of “Personal data” in the “ About this Privacy Policy section includes information relating to identified or identifiable legal persons (such as corporate entities) and the Privacy Policy also applies to the personal data of these persons.

1.2 The " Where your information is transferred and stored " section is replaced with the following:

Where your information is transferred and stored

In general, your data will be stored in the United Kingdom (UK) and replicated elsewhere depending on your geographic location.

A number of our service providers are also located elsewhere in the world. For example, in the United States of America, Singapore, Russia, the United Arab Emirates, South Africa, Canada, Slovakia, Kazakhstan and Kuwait.

In the event that we transfer your personal data to, or store your personal data in, a country or territory which does not maintain adequate data protection standards, we will ensure adequate data protection by way of using appropriate agreements (in particular on the basis of the standard contract clauses of the European Commission) or binding corporate rules. We may also rely on the statutory exceptions of consent, performance of contracts, the establishment, exercise or enforcement of legal claims, overriding public interests, published personal data or transfer personal data because it is necessary to protect the integrity of the persons concerned. You can obtain a copy of the mentioned contractual guarantees at any time using the contact details provided above. However, we reserve the right to redact copies for data protection reasons or reasons of secrecy as well as the right to produces excerpts only.

However, please note that where personal data is stored in another country, it may be accessible to law enforcement agencies in accordance with domestic laws.

We store your data in the UK and elsewhere depending on your geographic location but our service providers may be located elsewhere in the world.


K. Addendum for United Kingdom

No changes required.


L. Addendum for European Union

No changes required.