Privacy Policy & Personal Information Collection Statement Page 1 of 4 PRIVACY POLICY & PERSONAL INFORMATION COLLECTION STATEMENT (“PICS”)

1. Our Commitment to Privacy :

1 Introduction

Giordano International Limited (“Giordano Myanmar Group”, “we” or “us”) takes the protection of your

personal data seriously. This Privacy Notice sets out information about Giordano’s privacy

practices and your rights. We may amend this Privacy Notice at any time and for any reason. The updated version

will be available by following the “Privacy Notice” link on our website homepage. You

should check the Privacy Notice regularly for changes.

2 Data protection laws

Giordano is based in Hong Kong and is subject to the Personal Data (Privacy) Ordinance

(“PDPO”). Giordano processes all personal data in accordance with the PDPO (See our

Privacy Policy at our official website). In addition, when:

Giordano processes personal data of individuals who are located in the European

Union (“EU”); and

that processing relates to offering goods or services to individuals who are located in

the EU or monitoring individuals who are located in the EU, then Giordano is also subject to the General Data Protection Regulation 2016/679

(“GDPR”). Therefore, if you are located in the EU, Giordano will also process your personal

data in accordance with the GDPR and you may have additional rights under the GDPR. In this Privacy Notice, the terms personal data, controller, processor, data subject,

consent, recipient, third party, processing and profiling have the meanings given to them in the GDPR.

3 Controller contact details

The controller for the processing of personal data under this Privacy Notice is:

Giordano International Limited

5th Floor, Tin On Industrial Building 777-779 Cheung Sha Wan Road Kowloon Hong Kong The controller’s representative in the EU for the purposes of the GDPR is:

Kennedys

31 Rue de Lisbonne 75008 Paris France Phone: +33 1 84 79 37 80

4 Data Protection Officer contact details

If you have any questions about this Privacy Notice or about our personal data processing

practices, or if you wish to exercise any of your rights as a data subject, you may contact

Giordano’s Data Protection Officer at dataprotection@giordano.com or as follows:

Mark Loynd

Executive Director, Group Counsel & Group Human Resources Director Giordano International Limited 5th Floor, Tin On Industrial Building 777-779 Cheung Sha Wan Road Kowloon Hong Kong

Privacy Notice Page 2 of 9 Fax: +852 2370 8864 Email: dataprotection@giordano.com

5 Supervisory authority contact details

If you have a complaint about our personal data processing practices, you should first

contact Giordano’s Data Protection Officer. If you are not satisfied with our response, you have the right to lodge your complaint with

a data protection authority. If you are outside the EU, you can lodge your complaint with your local data protection

authority or the Hong Kong Privacy Commissioner for Personal Data:

Privacy Commissioner for Personal Data

Room 1303, 13/F, Sunlight Tower 248 Queen's Road East Wanchai Hong Kong Fax: 2877 7026 Email: complaints@pcpd.org.hkWebsite: https://www.pcpd.org.hk/If you are in the EU, you can lodge your complaint with your country’s supervisory

authority. A list of supervisory authorities is available here.

6 Specific situations in which we may process your personal data

Giordano collects and processes personal data in a number of different situations.

6.1 Purchasing products from our physical stores

We process certain personal data about customers who purchase products from our

physical stores.

Types of personal data we collect When you purchase a product from our physical stores and pay by credit or debit card,

we will collect your card details required through our payment terminal to process

your payment. At the time of your purchase, we may also invite you to join a loyalty scheme. See

section 6.4 below for details about loyalty scheme membership.

Purposes of processing We may use your card details to process your payment.

Legal basis for processing under the GDPR Using your card details to process your payment is necessary for our legitimate

interests as a retailer. See section 7 below for more details about Giordano’s

legitimate interests.

Recipients or categories of recipients We may disclose your card details to our bank, your bank and your card association

for authorisation.

Transfers If our bank or your bank is located overseas, the credit card authorisation process

may involve your card details being transferred overseas. Your card details are kept

secure in accordance with the Payment Card Industry Data Security Standard.

Retention period We may retain your transaction details for as long as we require them for legal and

commercial reasons. Generally, we retain transaction details for a period of seven

Privacy Notice Page 3 of 9 years after your transaction. Once Giordano has no legal or commercial reasons to

retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data If you pay for a purchase by cash, we will not collect any personal data from you.

6.2 Creating a Giordano Online Store profile

Before you make a purchase from the Giordano Online Store, you will first need to create a

profile. Note that we also have online stores on third-party platforms and that you may

need to create a separate profile with those platforms – you should check their privacy

policies online for details about how they process your personal data.

Types of personal data we collect To create a profile, you will be required to provide either your email address or

mobile phone number. You can optionally add a photo, a nickname and your date of

birth (to receive birthday discounts).

Purposes of processing We may use the personal data in your profile to provide you with discounts on

purchases. If you consent to receive communications when you register, we may send you

promotional offers, information about new products, and invitations to special events

by email or SMS.

Legal basis for processing under the GDPR Using your personal data to provide you with discounts is necessary for our legitimate

interests as a retailer. See section 7 below for more details about Giordano’s

legitimate interests. Using your personal data to send you promotional messages is based on your consent.

You may withdraw your consent by unsubscribing from promotional emails and/or

SMS messages at any time on your profile page.

Recipients or categories of recipients We may disclose your personal data to third parties who provide administrative,

storage, telecommunications, information technology and other services to us in

support of our business. However, we will ensure that all such service providers are

subject to obligations not to use or disclose that data.

Transfers We may transfer your personal data overseas. Giordano’s information systems are

hosted on central servers located in Hong Kong, mainland China and Dubai. Any

personal data that we store on our systems will be transferred to one of those

locations. See section 8 below for information about the safeguards Giordano adopts

when transferring personal data overseas.

Retention period We may retain your profile details for as long as we require them for legal and

commercial reasons. If you unsubscribe from promotional messages, we may retain

your email address on a “no marketing” list to ensure we do not inadvertently send

you promotional messages in the future.

Requirement to provide personal data It is mandatory to provide your email address or mobile phone number to create a

profile before making a purchase from our online stores. Providing any other personal

data is optional.

6.3 Purchasing products from our online stores

Privacy Notice Page 4 of 9 We will process certain personal data about customers who purchase products from our

online stores.

Types of personal data we collect When you purchase a product from our online stores, we may collect your name,

mobile phone number, e-mail address, and (unless you choose to pick up your order

from a physical store) delivery address. Payment is via PayPal – PayPal’s privacy

policy is available at https://www.paypal.com. We have no access to any personal

data you provide to PayPal.

Purposes of processing We may use your contact details to contact you about your order and your delivery

address to deliver your order.

Legal basis for processing under the GDPR The processing described above is necessary for our legitimate interests as a retailer.

See section 7 below for more details about Giordano’s legitimate interests.

Recipients or categories of recipients We may disclose your delivery details to our delivery provider to arrange delivery.

We may disclose your payment details to your card issuer or to a payment processor

for verification. We may also disclose your personal data to third parties who provide administrative,

storage, telecommunications, information technology and other services to us in

support of our business. However, we will ensure that all such service providers are

subject to obligations not to use or disclose that data.

Transfers We may transfer your personal data overseas. Giordano’s information systems are

hosted on central servers located in Hong Kong, mainland China and Dubai. Any

personal data that we store on our systems will be transferred to one of those

locations. If our bank or your bank is located overseas, the credit card authorisation process

may involve your card details being transferred overseas. Your card details are kept

secure in accordance with the Payment Card Industry Data Security Standard. See section 8 below for information about the safeguards Giordano adopts when

transferring personal data overseas.

Retention period We may retain your order details for as long as we require them for legal and

commercial reasons. Once Giordano has no legal or commercial reasons to retain

personal data, it will be securely deleted or destroyed.

Requirement to provide personal data It is mandatory to provide your name and contact details. We cannot process your

order without these details. If you choose to pick up your order at one of our physical

stores, you do not need to provide a delivery address.

6.4 Loyalty scheme membership

We will process certain personal data about customers who join one of Giordano’s loyalty

schemes (“loyalty schemes”). Loyalty schemes vary by country and/or region and include

World Without Strangers, BSX, Giordano Junior and Giordano Ladies Privilege Card.

Types of personal data we collect When you make a purchase over a certain amount from a Giordano retail store, we

may invite you to join a loyalty scheme. The information we collect when you join

differs depending on the loyalty scheme:

Privacy Notice Page 5 of 9

World Without Strangers – phone number* and day and month of birth*;

BSX- surname and name*, day and month of birth*, phone number*, gender and

email address;

Giordano Junior – name*, day and month of birth*, age range*, phone number*,

gender and email address;

Giordano Ladies Privilege Card surname and name*, phone number*, ID

card/passport number, day and month of birth, email address, mailing address,

and country. (*required)

Purposes of processing We may use your personal data to enrol you in the loyalty scheme, provide you with

member discounts and other entitlements, (for World Without Strangers) track your

accumulated points, communicate with you about loyalty scheme member discounts

and other entitlements and notify you of any changes to the loyalty scheme rules.

Legal basis for processing under the GDPR By joining the loyalty scheme, you consent to us processing your personal data for

the above purposes. You can withdraw your consent at any time by contacting us at wws@giordanogroup.com, but you will then cease to be a member of the loyalty

scheme and forfeit any accrued points or privileges.

Recipients or categories of recipients We may disclose your personal data to third parties who provide administrative,

storage, telecommunications, information technology and other services to us in

support of our business. However, we will ensure that all such service providers are

subject to obligations not to use or disclose that data.

Transfers We may transfer your personal data overseas. Giordano’s information systems are

hosted on central servers located in Hong Kong, mainland China and Dubai. Any

personal data that we store on our systems will be transferred to one of those

locations. See section 8 below for information about the safeguards Giordano adopts

when transferring personal data overseas.

Retention period We will store your personal data for as long as you are a loyalty scheme member.

Once Giordano has no legal or commercial reasons to retain personal data, it will be

securely deleted or destroyed.

Requirement to provide personal data It is entirely optional to join a loyalty scheme. If you decide to join, it is mandatory

to provide your data as required.

6.5 Subscribing to Giordano promotional eNews

We will process certain personal data about customers who sign up to receive promotional

eNews from Giordano.

Types of personal data we collect You may sign up to receive promotional eNews from Giordano by entering your email

address in the eNEWS SUBSCRIPTION box on the Giordano website.

Purposes of processing If you provide us with your email address, you consent to us using your email address

to send you promotional offers, information about new products, and invitations to

special events.

Privacy Notice Page 6 of 9

Legal basis for processing under the GDPR By entering your email address in the eNEWS SUBSCRIPTION box on the Giordano

website, you consent to us processing your personal data for the above purposes. You

can withdraw your consent at any time by unsubscribing using the link in our emails.

Recipients or categories of recipients We may disclose your personal data to third parties who provide administrative,

storage, telecommunications, information technology and other services to us in

support of our business. However, we will ensure that all such service providers are

subject to obligations not to use or disclose that data.

Transfers We may transfer your personal data overseas. Giordano’s information systems are

hosted on central servers located in Hong Kong, mainland China and Dubai. Any

personal data that we store on our systems will be transferred to one of those

locations. See section 8 below for information about the safeguards Giordano adopts

when transferring personal data overseas.

Retention period We will store your personal data for as long as you consent to receive promotional

eNews from Giordano. If you unsubscribe, we may retain your email address on a “no

marketing” list to ensure we do not inadvertently send you marketing

communications in future.

Requirement to provide personal data It is entirely optional to subscribe to promotional eNews.

6.6 Service Providers

Giordano will collect certain personal data about individuals who are, or who are

associated with, Giordano service providers.

Types of personal data we collect To engage you or your organisation as a service provider, we will need to collect

personal data about you, including your name, position, address, contact details,

business details, qualifications and experience.

Purposes of processing We may process your personal data for the purpose of allowing you or your

organisation to provide, and for receiving, your services and for other purposes

related to that purpose (for example, to pay you for your services).

Legal basis for processing under the GDPR If you are an individual service provider, you will have a contract with Giordano for

the provision of services. The processing described above is necessary for taking

steps to enter into that contract, or for the performance of that contract. If you are an individual associated with a service provider, the processing described

above is necessary for the purposes of Giordano’s legitimate interests in operating its

business. See section 7 below for more details about Giordano’s legitimate interests.

Recipients or categories of recipients We may disclose your personal data to third parties who provide administrative,

storage, telecommunications, information technology and other services to us in

support of our business. However, we will ensure that all such service providers are

subject to obligations not to use or disclose that data. In exceptional circumstances, we may be required or permitted by law to disclose

personal data, for example to law enforcement authorities or to prevent a serious

threat to public safety.

Privacy Notice Page 7 of 9

Transfers We may transfer your personal data overseas. Giordano’s information systems are

hosted on servers located in Hong Kong, mainland China and Dubai. Any personal

data that we store on our systems will be transferred to one of those locations. See

section 8 below for information about the safeguards Giordano adopts when

transferring personal data overseas.

Retention period Giordano will only retain personal data for as long as it has a legitimate purpose to

do so. Giordano will need to retain personal data for commercial and legal purposes.

How long it will need to retain personal data for these purposes will depend on the

specific personal data. Giordano will generally retain your personal data for at least

six years after you last provided services to us. Once Giordano has no legal or

commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data It is optional to provide most of the above personal data. However, in many cases, if

you do not provide that data, it may affect our ability to assess your suitability to

provide services to us, or your ability to provide services to us.

6.7 Contacting us with a query

Giordano will collect certain personal data about you if you contact us with a query, in

store, by mail, email, fax or through our website.

Types of personal data we collect We may collect your name and contact details, and any other personal data in your

correspondence to us.

Purposes of processing We may use your personal data to respond to your query.

Legal basis for processing The processing described above is necessary for the purposes of Giordano’s

legitimate interests serving its customers. See section 7 below for more details about

Giordano’s legitimate interests.

Recipients or categories of recipients We may disclose your personal data to third parties who provide administrative,

storage, telecommunications, information technology and other services to us in

support of our business. However, we will ensure that all such service providers are

subject to obligations not to use or disclose that data. Otherwise, we will not

disclose your personal data outside Giordano, unless that is necessary to respond to

your query.

Transfers We may transfer your personal data overseas. Giordano’s information systems are

hosted on central servers located in Hong Kong, mainland China and Dubai. Any

personal data that we store on our systems will be transferred to one of those

locations. See section 8 below for information about the safeguards Giordano adopts

when transferring personal data overseas.

Retention period Giordano will only retain personal data for as long as it has a legitimate purpose to

do so. Giordano will need to retain personal data for commercial and legal purposes.

How long it will need to retain personal data for these purposes will depend on the

specific personal data.

Privacy Notice Page 8 of 9 Giordano may retain your personal data for as long as it takes to respond to your

query. After we have responded to your query, we may retain your personal data for

follow up or record-keeping purposes. Once Giordano has no legal or commercial reasons to retain personal data, it will be

securely deleted or destroyed.

Requirement to provide personal data You may choose what personal data you provide when you send us a query.

7 Legitimate interests

As noted in section 6 above, in some situations, Giordano may process your personal data

on the basis of its “legitimate interests”. Giordano Group is a global fashion retailer. As such, Giordano has a legitimate interest in:

advertising, offering and selling its products in physical and online stores;

developing and growing its business and understanding the needs of its customers; and

employing and managing its employees and contractors. Giordano will only rely on those legitimate interests to process personal data where:

the processing is necessary for the purposes of those legitimate interests; and

those legitimate interests are not overridden by the data subject’s interests or

fundamental rights and freedoms.

8 Transfers

As noted in section 6 above, Giordano may transfer your personal data to other countries

and/or regions. The information systems of Giordano are hosted on central servers located in Hong Kong,

mainland China and Dubai. Any personal data that we store on our systems will be

transferred to one of those locations. For the purposes of the GDPR, the European Commission issues adequacy decisions on the

data privacy laws of non-EU countries and/or regions. A list of current adequacy decisions

is available here: https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-

protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.

The majority of countries and/or regions to which Giordano may transfer personal data are

not covered by an European Commission adequacy decision. However, many of them do

have local data privacy laws which are similar to the GDPR. Giordano will require that any overseas third party to which it discloses your personal data

to: (a) only use that personal data for the purposes for which it was disclosed; (b) use all

technical and organisational measures which are reasonable in the circumstances to secure

that personal data; (c) delete that personal data when it is no longer required; and (d)

treat that personal data in accordance with this Privacy Notice and their local data privacy

law.

9 Automated decision-making including profiling

Giordano does not engage in any automated decision-making or profiling.

10 Website tracking and cookies

When you visit our website, we may maintain log files recording the following information:

the Internet Protocol (IP) address;

the date and time of visit;

the webpage accessed and documents downloaded; and

Privacy Notice Page 9 of 9

the type of browser being used. The log files provide us with statistical information on how people use the site and what

content people are viewing. They do not contain any personal data and they are not used

to identify any individual. We use cookies to collect the above information. For more information about our use of

cookies, please refer to our Cookie Policy.

11 Your rights

If you are located outside the European Union and the United Kingdom

The PDPO provides you with the right to seek access to any personal data we hold about

you, and to request correction of that data if it is incorrect. To make a request pursuant to

these rights, contact Giordano’s Data Protection Officer (see section 3 above).

If you are located in the European Union or the United Kingdom

If you are located in the EU or the UK, you have additional rights in relation to your

personal data as follows:

Access: You have the right to obtain access to and a copy of any personal data we

hold about you. You also have the right to find out whether your personal data has

been transferred outside the EU and any safeguards relating to this transfer.

Rectification: If you consider that any personal data we hold about you is incorrect

or incomplete, you have the right to ask us to correct or complete that personal data.

Erasure: In certain circumstances, you have the right to ask us to erase any personal

data we hold about you.

Restriction of processing: In certain circumstances, you have the right to ask us not

to process your personal data for certain purposes.

Objection to processing: In certain circumstances, you have the right to object to us

processing your personal data for certain purposes.

Data portability: In certain circumstances, you have the right to request a copy of

your personal data in a structured, commonly used and machine-readable format.

Withdrawing consent: If we are processing your personal data based on your consent,

you have the right to withdraw that consent at any time. For more information about these rights, visit https://ico.org.uk/for-the-public/. To make a request pursuant to these rights, contact Giordano’s Data Protection Officer

(see section 4 above). [Ref.: PN(EN)-201810]

You have successfully subscribed!
This email has been registered