We understand that your privacy and the security of your personal information is extremely important. This notice sets out what we do with your personal information, what we do to keep it secure, from where and how we collect it, as well as your rights in relation to the personal information we hold about you.
This policy applies if you interact with us through our stores, over the phone, online, through our mobile applications or otherwise by using any of our websites or interacting with us on social media (our “Services”).
If you don’t want to read all the detail, here are the things we think you’d really want to know:
- The Sainsbury’s Group is currently made up of Sainsbury’s Supermarkets, Sainsbury’s Bank, Argos, Tu Clothing, Habitat, Argos Financial Services, Nectar and Insight 2 Communication.
- Your personal information is, where appropriate, shared within the Sainsbury’s Group.
- We do use a number of third parties to process your personal information on our behalf and some of them are based outside of the European Economic Area.
- You have a number of rights over your personal information. How you can exercise these rights is set out in this notice.
- We do send direct marketing, if we’re allowed to. And we do this to encourage you to buy our products and services by sending you offers and ideas that we feel will be of benefit to you. If you want us to stop then here's how.
- We also display online advertising relating to our products and services on websites across the Sainsbury’s Group, on other websites and online media channels.
Who are we?
When we say ‘we’ or ‘us’ in this policy, we’re referring to the separate and distinct legal entities that make up the Sainsbury’s Group from time to time. Which of the Sainsbury’s Group Companies controls your personal information depends on the circumstances in which you are dealing with us. For example, if you are dealing with one of our supermarkets, then it will be Sainsbury’s Supermarkets Ltd, or if it is to do with your bank account with us then it will be Sainsbury’s Bank plc. If you would like more information about which Sainsbury’s Group Company you are dealing with, check the terms and conditions of the product or service you are using, or contact us by one of the means set out in the “Contact Us” section below.
The companies which make up the Sainsbury's Group currently are:
- Sainsbury’s Supermarkets Ltd (this is the company that sells our Tu Clothing range) (registered office: 33 Holborn, London, EC1N 2HT)
- Sainsbury’s Bank Plc (registered office: 33 Holborn, London, EC1N 2HT)
- Argos Limited (registered office: 489–499 Avebury Boulevard, Milton Keynes MK9 2NW)
- Habitat Retail Limited (registered office: 489–499 Avebury Boulevard, Milton Keynes MK9 2NW)
- Argos financial services (which includes Home Retail Group Card Services Limited, ARG Personal Loans Limited and Home Retail Group Insurance Services Limited) (registered office: 489–499 Avebury Boulevard, Milton Keynes MK9 2NW);
- Nectar Loyalty Limited (registered office: 6th Floor 80 Strand, London, WC2R 0NN);
- Insight 2 Communication LLP (registered office: 6th Floor 80 Strand, London, WC2R 0NN); and
- Argos Business Solutions Limited (registered office: 489–499 Avebury Boulevard, Milton Keynes MK9 2NW).
We may add further companies to the Sainsbury's Group in the future. When we do so, we will update this notice.
What sorts of personal information do we hold?
- Information that you provide to us such as your name, address, date of birth, telephone number, email address, bank account and payment card details and any feedback you give to us, including by phone, email, post, or when you communicate with us via social media;
- Information about the services that we provide to you (including for example, the things we have provided to you, when and where, what you paid, the way you use our products and services, and so on);
- Information required to make decisions about your application for products and services offered by Sainsbury’s Bank or Argos Financial Services (for example, insurance, loans or credit cards) such as your employment details, financial position, information taken from identification documents such as your passport or driving licence, your insurance, criminal and medical history, and details about additional insured parties and cardholders or joint policyholders;
- Your account login details for our services, including your user name and chosen password;
- Information about whether or not you want to receive marketing communications from us; ;
- Information about any device you have used to access our Services (such as your device’s make and model, browser or IP address) and also how you use our Services. For example, we try to identify which of our apps you use and when and how you use them. If you use our websites, we try to identify when and how you use those websites too;
- Your contact details and details of the emails and other electronic communications you receive from us, including whether that communication has been opened and if you have clicked on any links within that communication. We want to make sure that our communications are useful for you, so if you don’t open them or don’t click on any links in them, we know we need to improve our Services; and
- Information from other sources such as specialist companies that provide customer information (like credit reference agencies such as Experian, fraud prevention agencies, claims databases, marketing and research companies), social media providers and the DVLA, as well as information that is publicly available.
Our legal basis for processing your personal information
Whenever we process your personal information we have to have something called a “legal basis” for what we do. The different legal bases we rely on are:
- Consent: You have told us you are happy for us to process your personal information for a specific purpose;
- Legitimate interests: The processing is necessary for us to conduct our business, but not where our interests are overridden by your interests or rights.
- Performance of a contract: We must process your personal information in order to be able to provide you with one of our products or services;
- Insurance: Where we process your information as part of offering you an insurance product from Sainsbury’s Bank;
- Prevention of fraud: Where we are required to process your data in order to protect us and our customers from fraud or money laundering;
- Vital interests: The processing of your personal information is necessary to protect you or someone else’s life;
- Public information: Where we process personal information which you have already made public;
- Legal claims: The processing of your personal information is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; and
- Legal obligation: We are required to process your personal information by law.
How do we use your personal information?
There are a number of ways in which we use your personal information, depending on how you interact with us. If you do not provide your information to us, then we will be unable to interact with you in that way – for example, if you do not provide your name, address and account details when purchasing one of our products online, we will not be able to sell you that product as we would be unable to process your payment or deliver the product to you.
We may use your information in the following ways:
To provide our products and services - we need to use your personal information to make our products and services available to you. If you then decide to order any of our products or services then we’re delighted, thank you. After that, we need to provide them to you, process your payment and sometimes award you Nectar points. And we need to use your details to do all this.
To personalise your shopping experience - we try to understand our customers so we can provide you with a great shopping experience, relevant marketing, personalised offers, shopping ideas and online advertising. Understanding how you use our Apps, how you interact with the Sainsbury’s Group, where you shop, the products and services you buy and how you use and browse our websites helps us to do this.
For safety and security - we use your personal information to help provide safe and secure environments for our colleagues to work in, our customers to shop in and for our businesses to be conducted. To enable this we use CCTV, ANPR technology, body worn recording devices, monitor online behaviour and carry out checks to help us ensure that our customers are genuine to prevent fraud and to help customers use our services appropriately.
Analytics and profiling - we use your personal information for statistical analysis and to help us understand more about our customers. That includes understanding the products and services you buy, the manner in which you consume them, how you shop across the whole Sainsbury's Group and by creating profiles about you. This helps us to serve you better and to find ways to improve our services, stores, apps and websites. These profiles help us to send you offers that are more relevant to you.
Contacting you - we use your personal information to contact you: either to conduct market research or to contact you about products and services from us and other companies. We may also contact you in relation to any questions you have raised with us or to discuss the status of your account with us.
Financial Services - if you interact with Sainsbury’s Bank or Argos financial services, your personal information is also used for Sainsbury's Bank's credit and capital management purposes and other purposes set out in the financial services section of this notice.
Cookies and similar technologies
Who might we share your personal information with?
The Sainsbury's Group - we will share your personal information in certain circumstances with the other companies within the Sainsbury's Group so that we can provide you with a high quality, personalised and tailored service (including relevant marketing) across our Group. That includes sharing information with the companies which operate Sainsbury's stores and online shopping, Sainsbury's Bank, Argos, Argos Financial Services, Habitat, the Nectar loyalty scheme and our clothing brand, Tu.
Our service providers - we work with partners, suppliers, insurers, aggregators and agencies so that they can help us provide the products and services you require from us. These third parties process your personal information on our behalf and are required to meet our high standards of security before doing so. We only share information that allows them to provide their services to us or to facilitate them providing their services to you. These third parties include:
- Advertising companies, who help us place Sainsbury’s Group adverts online;
- Scheme providers – such as Visa and MasterCard – if you hold a credit card or travel money card with us, in order to manage your account and so your payments are processed;
- Our agents, advisers or others involved in running accounts and services for you and your business or collecting what you or your business owe Group companies.
- Credit reference agencies, if you are a Sainsbury’s Bank customer (please see the “Banking and financial services” section for further information);
- Market research partners, who help us to analyse customer behaviour;
- Social media providers – such as Facebook, Instagram and Twitter – where we interact with you on social media;
- Third party vendors who help us to manage and maintain the Group IT infrastructure;
- Logistics and delivery providers who enable us to deliver products you order on our websites;
- Providers of temporary staff, who need access to certain personal information to carry out their role within the business;
- Where relevant, our professional advisors, such as lawyers and consultants;
- Companies that deploy our email campaigns for us because they need to know your email address to carry out these services;
- Companies that provide insights and analytics services for us so we can stock the right products, send the right marketing campaigns and understand our business and customers better;
- Security and fraud prevention companies to ensure the safety and security of our customers, colleagues and business;
- Companies which run our contact centres because they need your personal information to identify and contact you;
- Companies who assess faults and repair products on our behalf;
- Companies administer competitions for us so they run smoothly;
- Companies that enable us to collect your reviews and comments, both online and offline; and
- Companies that help us with our community and social goals, such as our Active Kids scheme).
Other organisations and individuals - we may share your personal information in certain scenarios. For example:
- If we're discussing selling or transferring part or all of a Sainsbury's Group business, we may share information about you to prospective purchasers and their advisers - but only so they can evaluate the relevant business; or
- If we are reorganised or sold to another organisation, we may transfer information we hold about you to them so they can continue to provide the Services to you.
- If we are required to by law, under any code of practice by which we are bound or where we are asked to do so by a public or regulatory authority such as the police or the Department for Work and Pensions;
- If we need to do so in order to exercise or protect our legal rights, users, systems and services; or
In response to requests from individuals (or their representatives) seeking to protect their rights or the rights of others. We will only share your personal information in response to requests which do not override your privacy interests. For example, we will not share your personal information with individuals who are merely curious about you, but we will share your personal information to e.g. insurers, solicitors, employers etc. which have a legitimate interest in your personal information.
Banking and financial services information
When you apply to us to open an account, we will:
- Check our own records for information on:
- The accounts or other products you hold with us;
- And, if you have one, your spouse/(personal) partner’s personal accounts (a personal partner will be someone with whom you have a relationship that creates a joint financial unit in a similar way to a married couple. You will normally, but not necessarily, be living at the same address. It is not intended to include temporary arrangements such as students or flat sharers); and
- If you are a director or partner in a small business, we may also check on your business accounts (a small business is defined as an organisation, which might be sole trader, partnership or a limited company that has three or less partners or directors).
- Search at credit reference agencies for information on:
- Your personal accounts;
- And, if you have ever done the following, we will check the personal accounts of your financial associates (e.g. joint account holders and those that are financially dependent or linked to you) as well:
- If you are making a joint application now;
- If you have previously made a joint application (or applications);
- If you have joint account(s);
- If you are financially linked (credit reference agencies may link together the records of people that are part of a financial unit. They may do this when people are known to be linked, such as being married or have jointly applied for credit or have joint accounts. They may also link people together if they, themselves, state that they are financially linked);
- If there is insufficient information to enable us to assist you, we may also check other members of your family;
- If you are a director or partner in a small business we may also check on your business accounts; and
- We will also search at fraud prevention agencies for information on you and other members of your household and your business (if you have one).
What we do with the information you supply to us as part of the application:
- Information that is supplied to us will be sent to the credit reference agencies;
If you tell us that you have a spouse or (personal) partner, we will:
Search, link and/or record information at credit reference agencies about you both;
- Link joint applicants and/or any individual identified as your spouse or partner, in our own records;
- Take both your personal information and your personal partner’s personal information (if you have one) into account in future applications by either or both of you; and
- Continue this linking until the account closes, or is changed to a sole account and one of you notifies us that you are no longer linked,
so you must be sure that they are aware you are disclosing personal information about them to us for this purpose.
If you give us false or inaccurate information and we suspect fraud, we will record this and may also pass this information to financial and other organisations involved in fraud prevention to protect us, them and our respective customers from theft and fraud.
With the information that we obtain we will:
Assess this application for credit;
- Verify your identity and the identity of your spouse/partner;
- Undertake checks for the prevention and detection of fraud and/or money laundering;
- Manage your personal account with us; and
Undertake periodic statistical analysis or testing to ensure the accuracy of existing and future Services, any or all of these processes may be automated.
We may use scoring methods to assess this application and to verify your identity.
- If you are applying for one of our insurance products, we will share your details with our chosen group of insurers for them to process your application and, if appropriate, offer you an insurance product. The insurers may hold your information for a reasonable period for record keeping purposes, and may be required to share your information either where required by law, with regulators or statutory bodies or with third parties where you have been notified or it is obvious that they will do so.
What we do when you have an account:
- Where you borrow or may borrow from us, we will give details of your personal account including names and parties to the account and how you manage it/them to credit reference agencies;
- If you borrow and do not repay in full and on time, we will tell credit reference agencies;
- We may make periodic searches of our records, credit reference and fraud prevention agencies to manage your account with us, to take decisions regarding your identity and also credit, including whether to make credit available or to continue or extend existing credit, or to close your account if it is dormant or you are no longer resident in the UK;
- If you have borrowed from us and do not make payments that you owe us, we will trace your whereabouts to recover payment (where appropriate, this may be carried out by third party debt collection and recovery agencies on behalf of the Sainsbury’s Group, or by a third party debt purchaser) – this may result in us sending notices to an address that our tracing agents tell us you have moved to;
- If you hold one of our insurance products and wish to make an insurance claim, we may pass your information to the relevant insurance company which has underwritten your product, who will process your claim. Such information may also be put on a register of claims by that insurance company and shared with other insurers to prevent fraudulent claims.
- We will contact you shortly before the maturity of any fixed term or fixed rate products. This ensures that you are aware of the options available and helps you make an informed decision about your maturity instructions; and
- In order to comply with money laundering regulations, there are times when we need to confirm (or reconfirm) the name and address of our customers.
If you apply for any of our credit-based products (e.g. insurance, loan, mortgage or credit card), we will perform searches with credit reference agencies. We may give details of your account and how you conduct it to credit reference agencies. If you borrow and do not repay in full and on time, we may inform credit reference agencies who will record the outstanding debt.
The information below provides further details about how credit reference agencies, us and other lenders use your information.
- Q: What is a credit reference agency?
- A: Credit reference agencies (“CRAs”) collect and maintain information on consumers’ and businesses’ credit behaviour, on behalf of lenders in the UK (e.g. Experian).
- Q: What is CRAIN?
- A: The UK’s three Credit Reference Agencies (i.e. Experian, Equifax & Call Credit) have made changes to their Fair Processing Notices and created the Credit Reference Agency Information Notice (“CRAIN”). CRAIN will ensure that the financial industry delivers standardised, clear and consistent information to consumers to explain how CRAs use and share personal information, the type of information they hold, where it comes from and the legalities of handling personal information.
- Q: What is a fraud prevention agency?
- A: Fraud Prevention Agencies (“FPAs”) collect, maintain and share information on known and suspected fraudulent activity (e.g. Cifas). Some CRAs also act as FPAs.
- Q: Why do you use them when I have applied to your organisation?
- A: Although you have applied to us and we will check our own records, we will also contact CRAs to get information on your credit behaviour with other organisations. This will help us make the best possible assessment of your overall situation before we make a decision.
- Q: Where do they get the information?
- A: The information is usually publicly available, and comes from the following sources:
- The Electoral Register at Local Authorities;
- County Court Judgments from Registry Trust;
- Bankruptcy information from the Insolvency Service;
- Fraud information from fraud prevention agencies; and
- Credit information comes from information on applications to banks, building societies, credit card companies etc and also from the conduct of those accounts.
- Q: How will I know if my information is to be sent to a CRA or FPA?
- A: When you apply for a product, where relevant, we will notify you if your information may be sent to a CRA or FPA.
- Q: Why is my personal information used in this way?
- A: We and other organisations want to make the best possible decisions we can, in order to make sure that you will be able to repay us. Some organisations may also use the information to check your identity. In this way we can ensure that we all make responsible decisions. At the same time we also want to make decisions quickly and easily and, by using up to date information, provided electronically, we are able to make the most reliable and fair decisions possible.
- Q: Who controls what credit reference agencies are allowed to do with my personal information?
- A: All organisations that collect and process personal information are regulated by the Data Protection Act 1998 or (from 25 May 2018) the General Data Protection Regulation (2016/679) and the Data Protection Act 2018, overseen by the Information Commissioner’s Office. All credit reference agencies are in regular dialogue with the Commissioner. Use of the Electoral Register is controlled under the Representation of the People Act 2000.
- Q: Can anyone look at my personal information held at credit reference agencies?
• A: No, access to your information is very strictly controlled and only those that are entitled to do so may see it. Usually that will only be with your agreement or (very occasionally) if there is a legal requirement.
- Q: What do Credit Reference Agencies do and how do they use personal information?
- A: When credit reference agencies receive a search from us they will:
- Place a search “footprint” on your credit file whether or not this application proceeds. If the search was for a credit application, the record of that search (but not the name of the organisation that carried it out) may be seen by other organisations when you apply for credit in the future. This may affect your ability to obtain credit elsewhere in the near future;
- Link together the records of you and anyone that you have advised is your financial associate including previous and subsequent names of parties to the account. Links between financial associates will remain on your and their files until such time as you or your partner successfully files for a disassociation with the credit reference agencies;
- Supply to us:
- Credit information such as previous applications for financial products and the conduct of the accounts in your name and of your financial associate(s) (if there is a link between you);
- Public information such as County Court Judgments (CCJs) and bankruptcies;
- Electoral Register information; and
- Fraud prevention information;
- When information is supplied by us, to them, about you:
- the details that are supplied on your personal account(s) including previous and subsequent names of parties to the account and how you manage it/them;
- that you have not satisfied a debt to us, or do not repay it in full or on time; and
- keep your records on file for a period of time (as defined by law) after your account is closed, whether settled by you or defaulted.
- Credit reference agencies will NOT use your personal information:
- to create a blacklist; or
- to make a decision.
- Credit reference agencies may supply the information which we, other organisations and fraud prevention agencies provide to the credit reference agencies about you and your financial associates to other organisations, where it will be used by them to:
- Verify your identity if you or your financial associate applies for other facilities including all types of insurance applications and claims;
- Make decisions on credit, credit related services and on motor, household, life and other insurance proposals and insurance claims, about you, your partner, other members of your household or your business;
- Credit reference agencies may also use this information to:
- Trace your whereabouts and help us (and other creditors) to recover payments if you do not make payments you owe;
- Conduct checks for the prevention and detection of crime including fraud and/or money laundering;
If you would like to find out more, you can contact the 3 agencies currently operating in the UK; the information they hold may not be the same so it is worth contacting them all.
- CallCredit, Consumer Services Team, PO Box 491, Leeds, LS3 1WZ or call 0870 0601414 or log on to www.callcredit.co.uk(Opens New Window)
- Equifax Ltd., Customer Service Centre, PO Box 10036, Leicester, LE3 4FS or call 0800 014 2955 or log on to www.equifax.co.uk(Opens New Window)
- Experian Ltd., Consumer Help Service, PO Box 8000, Nottingham NG80 7WF or call 0344 481 8000 or log on to experian.co.uk(Opens New Window).
If you have been refused credit you can get advice from your local Trading Standards Department, Citizens Advice Bureau and/or the agencies’ web sites. The Information Commissioner also produces a useful leaflet entitled ‘Credit Explained’. You can obtain a free copy on the Information Commissioner’s website or by telephoning 0870 600 8100.
Fraud Prevention Agencies (or “FPAs”)
We have systems that protect our customers and ourselves against fraud and other crime. Personal information can be used to prevent crime and trace those responsible. If false or inaccurate information is provided and fraud is identified, details will be passed to FPAs.
Law enforcement agencies may access and use this information. We and other organisations may also access and use this information to prevent fraud and money laundering, for example, when:
- Checking details on applications for credit and credit related or other facilities
- Managing credit and credit related accounts or facilities;
- Recovering debt;
- Checking details on proposals and claims for all types of insurance; and
- Checking details of job applicants and employees.
Please contact us on if you want to receive details of the relevant fraud prevention agencies. We and other organisations may access and use from other countries the information recorded by fraud prevention agencies.
International transfers of personal information
Keeping you informed about our products and services
We would like to tell you about the great offers, ideas, products and services of the Sainsbury’s Group from time to time that we think you might be interested in. Where we have your consent or it is in our legitimate interests to do so, we may do this through the post, by email, text message or by any other electronic means.
We won't send you marketing messages if you tell us not to, but if you receive a service from us we will still need to send you occasional service-related messages. If you wish to amend your marketing preferences, you can do so by logging into any of your Sainsbury’s Group accounts and following the directions, or by logging into our Customer Preference Centre.
Please note that it can take up a little while for all marketing to stop once you either withdraw your consent or tell us you’d like to opt out of marketing. This is because some marketing may already be in transit.
You have a number of rights under data protection legislation which, in certain circumstances, you may be able to exercise in relation to the personal information we process about you.
- the right to access a copy of the personal information we hold about you;
- the right to correction of inaccurate personal information we hold about you;
- the right to restrict our use of your personal information;
- the right to be forgotten;
- the right of data portability; and
- the right to object to our use of your personal information.
Where we rely on consent as the legal basis on which we process your personal information, you may also withdraw that consent at any time.
If you are seeking to exercise any of these rights, please contact us using the details in the “Contact Us” section below. Please note that we will need to verify your identity before we can fulfil any of your rights under data protection law. This helps us to protect the personal information belonging to our customer against fraudulent requests.
Automated decision making and profiling
We use automated decision making, including profiling, in certain circumstances, such as when it is in our legitimate interests to do so, or where we have a right to do so because it is necessary for us to enter into, and perform, a contract with you. We use profiling to enable us to give you the best service across the Sainsbury’s Group, including specific marketing which we believe you will be interested in.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects for you or affects you in any other significant way.
If you are seeking to exercise this right, please contact us using the details in the “Contact Us” section below.
How long will we keep your personal information for?
We take protecting your personal information seriously and are continuously developing our security systems and processes. Some of the controls we have in place are:
- We limit physical access to our buildings and user access to our systems to only those that we believe are entitled to be there;
- We use technology controls for our information systems, such as firewalls, user verification, strong data encryption, and separation of roles, systems & data;
- Systems are proactively monitored through a “detect and respond” information security function;
- We utilize industry “good practice” standards to support the maintenance of a robust information security management system; and
- We enforce a “need to know” policy, for access to any data or systems.
If you would like to exercise one of your rights as set out in the “Your rights” or “Automated decision making and profiling” sections above, or you have a question or a complaint about this policy, or the way your personal information is processed, please contact us by one of the following means:
If your enquiry relates to Sainsbury’s Supermarkets, Argos, Habitat or Tu:
By email: email@example.com
By post: Data Protection Officer, 33 Holborn, London, EC1N 2HT
Or if your enquiry relates to Sainsbury’s Bank or Argos financial services:
By email: Privacy.Bank@sainsburysbank.co.uk
By post: Data Protection Officer, Sainsbury’s Bank, 3 Lochside Avenue, Edinburgh Park, Edinburgh EH12 9DJ
You also have the right to lodge a complaint with the UK regulator, the Information Commissioner. Go to ico.org.uk/concerns to find out more.