Privacy Notice

 

At BAT, we collect a variety of information about people we interact with as part of our business and may use it in lots of different ways. We are committed to ensuring that your personal information is protected and never misused.

In this Privacy Notice, "BAT", "us", "we" or "our" means the BAT group company or companies who are responsible for personal information collected about you in the United Kingdom. 

We have designed this Privacy Notice to help you find the information about our privacy practices quickly and simply.  This part of our Privacy Notice explains what control you have over your personal information, who we share it with, and how we keep your personal information safe including where we transfer it out of the EEA. 

Which BAT company is primarily responsible for your personal information, what we collect about you, why we collect it, how we use it legally and how long we keep it will depend on the context of your relationship with BAT. Please choose from the options below, selecting the one(s) that best fits your connection to BAT. If you are not sure which one applies to you and need help, please contact us using the contact details below.

If you are an online consumer and want to know how your information is being processed, then please contact us and we will direct you to the correct website and privacy notice.

We may amend this Privacy Notice from time to time, so please check back regularly.

1. What are your rights under data protection law?

Subject to certain exceptions, by law you have several rights in relation to how your information is used. If you want to exercise your rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will make sure to respond to you within one month from the later of (i) the date that we have confirmed your identity, or (ii) the date we received your request.

Right of access (also known as Subject Access Requests)

You may ask us for a copy of the information we hold about you. If we provide you with a copy, we will not charge you. If you request further copies of this information from us, we may charge you a reasonable administrative cost.  We will only refuse your request in very limited circumstances as permitted by law, and we will always explain to you the reasons why we are not fulfilling your request.

Right to correct the data we hold about you

You have the right to ask us to correct any inaccurate or incomplete personal information that we hold about you. If we have shared this personal information with third parties, we will notify them, unless this is impossible or involves disproportionate effort.

Right to object

You can object to us using your information if we are using it for the purpose of our legitimate interests.

If we agree that your objection is justified, we will permanently stop using your information for those purposes. Otherwise we will explain why we need to continue using your information (for example, explaining that we need to use your information in connection with a legal claim).

Right to withdraw consent

Where we have asked your permission to use your personal information for certain activities, you may withdraw your permission at any time by emailing or calling us at the contact details set out below and we will stop using your information for that purpose.

Right to erasure

In certain cases, you have the right to ask us to "erase" your personal information.  Normally, you can do this where:

  • it’s no longer necessary for us to use your information;
  • we were relying on your consent to use your information and you have withdrawn your consent;
  • your information has been used unlawfully;
  • your information needs to be erased in order for us to comply with our obligations under law; or
  • you object to the processing and we don’t have a compelling reason to continue using it.

In these cases, we will take all reasonably practicable steps to erase the relevant data.  We will only refuse to comply with your request to erase your information in limited circumstances, and we will always tell you our reason for doing so.

Right to restrict our use of your personal information

You can ask us to suspend our use of your personal information in certain circumstances. For example, during the time it takes us to respond to your request to correct the information we hold about you. If we have shared your information with third parties, we will notify them about the restricted use of your personal information unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on our use of your personal information.

Right to move your data

You have the right to ask us to transfer certain personal information we hold about you to another third party service provider.  Alternatively, you may ask us to transfer the information directly to you.

Rights relating to automated decisions

In certain circumstances, you may contest a decision made about you based on automated processing. We do not generally make decisions based solely on automated processing of your personal data, but when we do so, we will let you know.

Right to complain

You have the right to lodge a complaint with your local data protection supervisory authority, which is the Information Commissioner's Office in the UK.

2. Who do we share your information with?

At BAT, we do not share, rent or trade your information with third parties for marketing or promotional purposes. When necessary we may share information about you with the following recipients:

  • any of our BAT group companies;
  • tax, audit, or other authorities, when we believe we are legally required to do so, where the relevant authority has asked us to assist (for example, because of a request by a tax authority or in connection with any expected litigation), or in order to help prevent fraud, to protect the rights of BAT, or to protect the personal safety of BAT employees, third party agents or members of the public;
  • third party service providers such as external consultants and professional advisers (including law firms, auditors and accountants), technical support functions, and IT consultants carrying out testing and development work on our business technology systems;
  • third parties for the purposes of background screening checks, credit worthiness checks, order fulfilment, delivery, customer support services and storage services;
  • third party outsourced IT providers, including but not limited to email/text messaging providers; Cloud IT service providers, business suite solution providers; data analytics agencies; IT strategic implementation partners; hosting service providers;
  • if it is proposed that a BAT Group entity or business is to merge with or be acquired by another business in the future, we may share your personal information with potential purchasers, where this is necessary, or the new owners of the business or company.

3. Do we transfer your personal information to other countries when we share it?

Sometimes when we share your personal information with the third parties described in section 2 above, it may be transferred to countries within the European Economic Area (EEA) or to countries outside of the EEA.

We will do our best to ensure that your personal information is stored and transferred in a way which is secure.

When we transfer your personal information outside the EEA, we take appropriate steps to protect that information, which include:

  • maintaining an intra-group agreement between BAT companies which includes clauses the European Commission has determined offer adequate protection for your information (known as the “Standard Contractual Clauses” and available on the European Commission website);
  • entering into agreements with third parties which include the Standard Contractual Clauses;
  • transferring to third parties in the United States participating in the EU-U.S. Privacy Shield Framework (these are rules the receiving organization has to follow to ensure that your personal information is used in a way that is considered acceptable by the European Commission); or
  • transferring to organizations within countries that the European Commission has judged to offer adequate protection for your information.

4. How do we use your personal information and how do we legally do this?

We need to process your personal information for a variety of reasons or ‘purposes’.  These purposes for which we use your information are summarized below. In addition, when we process (or ‘use’) your personal information we need a legal basis to do this. The general legal bases that allow us to use your information are set out below. To find out which specific legal grounds we rely on for the processing of your personal information in the context of each particular purpose, please choose from the options in this Privacy Notice selecting the one(s) that best fits your connection to BAT.  If you need any assistance, please contact us using the contact details below. 

  • Performance of a contract
    We need to process your personal information to perform a contract with you or take steps at your request prior to entering into a contract.
  • Legal obligation
    We have a legal obligation to ensure that we comply with all statutory and regulatory requirements within the jurisdictions within which we operate (including those relating to bribery and corruption, money laundering and sanctions) when engaging with third parties. These obligations may require us to collect, store and sometimes share your personal information with other organizations such as the police, tax authorities or other public authorities or governmental enforcement agencies (including those outside the UK).
  • Legitimate interests
    We have a legitimate interest in using your information in the following ways:
      • Risk analysis and management;
      • Prevention and detection of criminal activity;
      • Credit worthiness checks;
      • Corporate restructuring;
      • Activities related to information security and building security, including the use of CCTV (e.g. if you visit our premises);
      • Client/customer and vendor relationship management and business to business communication;
      • Internal and external audits;
      • Group communications;
      • Establishing and defending legal claims.

The law allows our use of your personal information for these interests only insofar as such interests are not outweighed by a greater need to protect your privacy.  

  • Consent
    We may ask your permission to use your personal information in certain circumstances. Where you give your permission, you are entitled to withdraw it at any time and we shall make this clear at the time of collection.

5. How do we ensure your information is safe with us?

We care about protecting your information. That's why we put in place appropriate measures that are designed to prevent unauthorized access to, and misuse of, your personal information.  We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorized access. We do this by having in place a range of appropriate technical and organizational measures, including encryption measures and disaster recovery plans.

If you suspect any misuse or loss of or unauthorized access to your personal information, please let us know immediately by contacting us using the details provided at the end of this notice.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will apply our normal procedures and comply with legal requirements to protect your information, we cannot guarantee the security of your information transmitted from you to us.

6. Contact us

To exercise any of your rights or if you have any questions or complaints about this Privacy Notice, please email us at Data_Privacy@bat.com.

A BAT staff member

If you are a current or former employee, contractor or another staff member of BAT (such as a trainee or secondee) then please note that this Privacy Notice does not apply to you. Please click here to access the BAT Employee Privacy Notice or contact Data_Privacy@bat.com for more information.

A visitor to this website

This section of the Privacy Notice applies to visitors of the BAT.com website and those individuals who are interested in BAT’s updates, events or make an enquiry via this website. Here we tell you which BAT company is primarily responsible for your personal information, what we collect, why we collect it, how legally we can use it and for how long.

Which BAT company is primarily responsible for your personal information?

The company responsible for your personal information collected on this site is British American Tobacco p.l.c. with its registered offices at Globe House, 4 Temple Place, London WC2R 2PG, United Kingdom.

What personal data do we hold about you and where does it come from?  

We don't make any routine use of your personal information. Non-personally identifiable information is captured in statistical form, i.e. Google Analytics statistics about the online footfall to our site. Unless you fill in a form on our website, we can't identify you.

We only collect and hold the personal information you provide to us when you visit our website, such as through filling out a contact form, or if you sign up to receive communications regarding BAT updates or news on events. 

How do we use your personal data, how do we legally do this and how long do we keep it for?

For a general description of all the ways we use your personal information please click back to section 3 of this Privacy Notice. However, in respect of the way we use your personal information in the context of the relationship that you have with us in visiting the BAT.com website, please see below.

Why do we hold your information? To respond to any query that you have asked us.
What type of information?
  • Name and contact information
  • Any information that you provide to us in submitting your query through our contact form.
How legally can we use your information? It is in our legitimate interests to respond to your query and in order to ensure that you have the most up to date information about the BAT business and that any concerns you have relating to BAT are resolved. However, we will always balance our legitimate interests against your rights and freedoms before using your data. We will take into consideration the factors listed here.
How long do we keep it for? 1 year after the point at which it is no longer necessary for the purposes for which we obtained it.

Why do we hold your information? Where you request us to do so, to communicate our events and updates to you.
What type of information?
  • Name and contact information
How legally can we use your information? We rely on your consent to communicate with you for these purposes.
How long do we keep it for? We will keep this information for as long as you would like to receive information about our events. We will delete this information if you unsubscribe or withdraw your consent.

We may need to keep your information longer than the periods stated above. This could be because of the following reasons:

  • to potentially establish, bring or defend legal proceedings or to comply with a legal or regulatory requirement;
  • to be able to deal with external or internal audits.

When it is no longer necessary for us to keep your information, we will delete it from our systems. Afterwards, we only retain aggregated data from which you cannot be identified for analytical purposes.

Business relationships with BAT

Privacy for our business contacts

This section of the Privacy Notice applies to you if you or your employer supplies goods or services to BAT, or you purchase goods or services from us. It also applies if you are a director or direct or indirect shareholder of an organisation which supplies or receives goods or services to or from BAT.

Here we tell you which BAT company is primarily responsible for your personal information, what we collect, why we collect it, how legally we can use it and for how long we keep it.

Which BAT company is primarily responsible for your personal information?

The BAT company listed below which has a business relationship with you, your employer, or the company of which you are a shareholder or director, will be primarily responsible for your personal information. For further information please contact Data_Privacy@bat.com.

What personal data do we hold about you and where does it come from?  

At BAT, we need some information about you, such as your name, job title and contact details so we can work with you to manage the contract and relationship for the goods or services you supply to us, or we supply to you. In addition, as part of managing the business relationship, we may be legally required to conduct ‘know your customer’, or similar compliance screenings on you or your company. In doing so we will use the information listed below. We obtain this information either directly from you or from your employer, or the company you are a shareholder or director of. In the context of conducting compliance screenings, we will also check the personal information provided to us against public information.

How do we use your personal data, how do we legally do this and how long do we keep it for?

For a general description of all the ways we use your personal information please click back to section 3 of the Privacy Notice. However, in respect of the way we lawfully can use your personal information in the context of the relationship that you have with us, please see below.

Why do we hold your information? To contact you in order to manage the contract and business relationship with either you, your employer or the company of which you are a director or direct or indirect shareholder.
What type of information?
  • Name, contact information (e.g. email address, telephone number)
How legally can we use your information? In order to perform our obligations under contract or take steps prior to entering into a contract.
How long do we keep it for? 7 years after the expiry of the business relationship or contract entered into by BAT.

Why do we hold your information? To comply with all statutory and regulatory requirements within the jurisdictions within which we operate (including those relating to bribery and corruption, money laundering and sanctions) when engaging with third parties.
What type of information?
  • Name, contact information
  • In the case of sole traders: financial information, such as creditworthiness, bank account details, specimen signature; and
  • In the case of certain key individuals: KYC (know your customer) records, such as passport details, identity documentation, social security number, date and place of birth, nationality, relationships with public officials, or allegations of criminal conduct.
How legally can we use your information? To comply with legal obligations to which BAT is subject.
How long do we keep it for? 12 years from the date you leave the organization that requires us to process this data or from the date that BAT ceases its relationship with that organization.

What type of information?
  • personal information relating to criminal allegations, proceedings or convictions; and
  • political opinions
How legally can we use your information? To comply with regulatory requirements relating to unlawful acts to which we are subject, including but not limited to the UK Bribery Act 2010.
How long do we keep it for? 12 years from the date you leave the organization that requires us to process this data or from the date that BAT ceases its relationship with that organization.

Please note that we may need to keep your information longer than the periods stated above. This could be because of the following reasons:

  • to potentially establish, bring or defend legal proceedings or to comply with a legal or regulatory requirement;
  • to be able to deal with external or internal audits.

When it is no longer necessary to retain your data, we will delete the personal information that we hold about you from our systems. After that time, we would only retain aggregate data (from which you cannot be identified) for analytical purposes.

BAT entities primarily responsible for your personal information
  • British-American Tobacco (Holdings) Limited
  • British American Tobacco (Investments) Limited 
  • B.A.T (U.K. and Export) Limited
  • BATLaw Limited
  • BATMark Limited
  • British American Shared Services (GSD) Limited
  • British American Tobacco AIT Limited
  • British American Tobacco Western Europe Commercial Trading Limited
  • British American Tobacco (Corby) Limited
  • Nicoventures Trading Limited
  • Nicovations Limited

A candidate or job applicant

Privacy for our candidates or people applying to work for us.

Please see the Privacy Notice available here if you have registered with us on our BAT Career site, if you have sent us your CV or résumé, or if you’re currently in a recruitment process with one of our companies.

Emergency contacts or those named to receive benefits by a BAT employee          

Privacy for our employees’ relatives or emergency contacts

This section of the Privacy Notice applies to you if one of our employees employed by a BAT legal entity established in the United Kingdom has named you as the person we should contact in an emergency or to administer any employee-based benefits. If the relevant employee is employed at a BAT entity outside of the United Kingdom, then a local Privacy Notice applies. Please contact the local office for more information or send an email to data_privacy@bat.com.

Here we tell you which BAT company is primarily responsible for your personal information, what we collect, why we collect it, how legally we can use it and for how long.

Which BAT company is primarily responsible for your personal information?

The BAT company primarily responsible for your personal information is British-American Tobacco (Holdings) Limited whose address is Globe House, 4 Temple Place, London WC2R 2PG or if the person nominating you is an employee at British American Tobacco UKI Limited (BAT UKI) then BAT UKI is primarily responsible for your personal information.

What personal data do we hold about you and where does it come from?  

We only hold information about you (as detailed in the table below) which has been provided to us by a BAT employee to enable us to contact you in emergencies or to administer employee benefits such as healthcare or international assignment relocation packages.

How do we use your personal data, how do we legally do this and how long do we keep it for?

We only use your personal information in the ways detailed in the table below, which also sets out the legal bases we rely on to contact you or use your information in any other way.

Why do we hold your information? To contact you in emergencies relating to the BAT employee(s) that have named you as their emergency contact person.
What type of information?
  • Name and contact information.
How legally can we use your information? It is in our legitimate interests to be able to contact you for the benefit of our employee in an emergency.
How long do we keep it for? 1 year after the relevant employee remains an employee of BAT.

Why do we hold your information? To administer employee benefits that our employee has asked us to take steps to fulfil.
What type of information?
  • Name and contact information; and
  • Date of birth.
How legally can we use your information? This is necessary for us to take steps to perform the benefits contract between the BAT employee and the benefits provider.
How long do we keep it for? 6 years following the duration of the contract through which you are entitled to receive the relevant employee benefits.

Why do we hold your information? To administer employee pension benefits that our employee has asked us to take steps to fulfil.
What type of information?
  • Name and contact information
  • Date of birth; and
  • National insurance number
How legally can we use your information? This is necessary for us to take steps to comply with our legal obligations (in particular under UK tax laws) between the BAT employee and the benefits provider.
How long do we keep it for? 20 years following the duration of the pension lifetime through which you are entitled to receive the relevant employee benefits.

Please note that we may need to keep your information longer than the periods stated above because of the following reasons:

  • to potentially establish, bring or defend legal proceedings or to comply with a legal or regulatory requirement; or
  • to preserve records beyond the above periods to be able to deal with external or internal audits.

When it is no longer necessary to retain your data, we will delete the personal information that we hold about you from our systems.  After that time, we would only retain aggregate data (from which you cannot be identified) for analytical purposes.

Other individuals who interact with BAT

This section of the Privacy Notice applies to you if you fall within any of the following categories:

  • journalists with whom we communicate in any medium;
  • visitors to our physical premises;
  • individuals who attend or participate in conferences or events in which we are involved;
  • individuals who represent regulatory and law enforcement agencies or other governmental offices; and
  • academics and research professionals.

Here we tell you which BAT company is primarily responsible for your personal information, what we collect, why we collect it, how legally we can use it and for how long we keep it.

Which BAT company is primarily responsible for your personal information?

The BAT company listed below with which you interact will be primarily responsible for your personal information. For further information please contact Data_Privacy@bat.com.

What personal data do we hold about you and where does it come from? 

At BAT, we need some information about you, and will collect and hold the information listed in the table below under ‘What Type of Information’ so we can manage any current or future relationship we may have with you. We obtain this information either directly from you or from your employer, or from third parties who lawfully provide it to us (including publicly available materials) including the organisers of public events you attend.

How do we use your personal data, how do we legally do this and how long do we keep it for?

For a general description of all the ways we use your personal information please click back to section 3 of the Privacy Notice. However, in respect of the way we lawfully can use your personal information in the context of the relationship that you have with us, please see below.

Why do we hold your information? To contact you in order to manage your relationship with us.
What type of information?
  • Name, contact information (e.g. email address, telephone number, region where you are from)
How legally can we use your information? In order to: (1) perform our obligations under contract (in particular: (a) for those individuals who attend, or participate in, conferences or events; or (b) in the context of our relationships with journalists) or take steps prior to entering into a contract; or (2) exercise our legitimate interests in being able to contact you in the context of a current or future business or commercial relationship.
How long do we keep it for? 7 years after the expiry of the business relationship or contract entered into by BAT.

Why do we hold your information? To perform relevant due diligence into publicly available materials relating to you.
What type of information?
  • Name, contact information including the region where you are from
  • Professional details including your work history, academic history and qualifications, job title, organization, website details (if any), contact details, and area of expertise or speciality
  • Any publications, articles or publicly available materials you have created
How legally can we use your information? We will either: (1) rely on our legitimate interest in: (a) protecting our business; or (b) in the context of a current or future business or commercial relationship; or (2) seek your consent where appropriate.
How long do we keep it for? 7 years after the expiry of the business relationship or contract entered into by BAT.

Why do we hold your information? To respond to any query that you have asked us.
What type of information?
  • Name and contact information
  • Any information that you provide to us in submitting your query through our contact form or to us directly
How legally can we use your information? It is in our legitimate interests to respond to your query and in order to ensure that you have the most up to date information about the BAT business and that any concerns you have relating to BAT are resolved.
How long do we keep it for? 1 year after the point at which it is no longer necessary for the purposes for which we obtained it.

Why do we hold your information? To facilitate visits to our premises.
What type of information?
  • Name and contact information
  • Any information that you provide to us relating to your visit.
How legally can we use your information? It is in our legitimate interests to facilitate your visit to our premises. This includes recording your access to our premises, taking steps to help ensure your safety on site, and recording any feedback you provide.
How long do we keep it for? 1 year after the point at which it is no longer necessary for the purposes for which we obtained it.

Why do we hold your information? Building a professional relationship with you in relation to your attendance at conferences and events that are of mutual interest.
What type of information?
  • Name and contact information
  • Records of conferences and events attended
How legally can we use your information? It is in our legitimate interests to process your personal data for the purposes of building our professional relationship with you.
How long do we keep it for? 1 year after the point at which it is no longer necessary for the purposes for which we obtained it.

Why do we hold your information? Building a current or future professional relationship with you in the context of your work as an academic or research professional.
What type of information?
  • Name and contact information
  • Professional details including your academic history and qualifications, job title, organization, website details (if any), contact details, and area of speciality
How legally can we use your information? It is in our legitimate interests to process your personal data for the purposes of developing a current or future professional relationship with you.
How long do we keep it for? 7 years after the expiry of the business relationship or contract entered into by BAT.

If we rely on our legitimate interests (as detailed above in ‘How legally can we use your information’), we will always balance our legitimate interests against your rights and freedoms before using your information and will take into consideration the factors listed here.

Please note that we may need to keep your information longer than the periods stated above. This could be because of the following reasons:

  • to potentially establish, bring or defend legal proceedings or to comply with a legal or regulatory requirement;
  • to be able to deal with external or internal audits.

When it is no longer necessary to retain your data, we will delete the personal information that we hold about you from our systems. After that time, we would only retain aggregate data (from which you cannot be identified) for analytical purposes.

BAT entities primarily responsible for your personal information
  • British-American Tobacco (Holdings) Limited
  • British American Tobacco (Investments) Limited
  • B.A.T (U.K. and Export) Limited
  • BATLaw Limited
  • BATMark Limited
  • British American Shared Services (GSD) Limited
  • British American Tobacco AIT Limited
  • British American Tobacco Western Europe Commercial Trading Limited
  • British American Tobacco (Corby) Limited
  • Nicoventures Trading Limited
  • Nicovations Limited