British American Tobacco - Privacy Notice

Quick Navigation

Jump to content
Privacy Notice

Privacy Notice

Relationship with BAT A BAT staff member A visitor to this website Business relationships with BAT A candidate or job applicant Emergency contacts or those named to receive benefits by a BAT employee Other individuals who interact with BAT

At BAT, we collect a variety of information about people we interact with as part of our business and may use it in lots of different ways. We are committed to ensuring that your personal information is protected and never misused.

In this Privacy Notice, "BAT", "us", "we" or "our" means the BAT group company or companies who are responsible for personal information collected about you in the United Kingdom (‘UK’).

We have designed this Privacy Notice to help you find the information about our privacy practices quickly and simply.  This part of our Privacy Notice explains what control you have over your personal information, who we share it with, and how we keep your personal information safe including where we transfer it out of the European Economic Area (‘EEA’) or the UK.

For information on which BAT company is primarily responsible for your personal information, what we collect about you, why we collect it, how we use it legally and for how long we keep it for will depend on the context of your relationship with BAT. Please choose from the options below selecting the one(s) that best fits your connection to BAT. If you are not sure which one applies to you and need help, please contact us using the contact details below.

If you are an online consumer and want to know how your information is being processed, then please contact us and we will direct you to the correct website and privacy notice.

1. What are your rights under data protection law?

Subject to certain exceptions, by law you have several rights in relation to how your information is used. If you want to exercise your rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will make sure to respond to you within one month from the later of (i) the date that we have confirmed your identity, or (ii) the date we received your request.

Right of access (also known as Subject Access Requests)

You may ask us for a copy of the information we hold about you. If we provide you with a copy, we will not charge you. If you request further copies of this information from us, we may charge you a reasonable administrative cost.  We will only refuse your request in very limited circumstances as permitted by law, and we will always explain to you the reasons why we are not fulfilling your request.

Right to correct the data we hold about you

You have the right to ask us to correct any inaccurate or incomplete personal information that we hold about you. If we have shared this personal information with third parties, we will notify them, unless this is impossible or involves disproportionate effort.

Right to object

You can object to us using your information if we are using it for the purpose of our legitimate interests.

If we agree that your objection is justified, we will permanently stop using your information for those purposes. Otherwise we will explain why we need to continue using your information (for example, explaining that we need to use your information in connection with a legal claim).

Right to withdraw consent

Where we have asked your permission to use your personal information for certain activities, you may withdraw your permission at any time by emailing or calling us at the contact details set out below and we will stop using your information for that purpose.

Right to erasure

In certain cases, you have the right to ask us to "erase" your personal information.  Normally, you can do this where:

  • It’s no longer necessary for us to use your information;
  • we were relying on your consent to use your information and you have withdrawn your consent;
  • Your information has been used unlawfully;
  • your information needs to be erased in order for us to comply with our obligations under law; or
  • You object to the processing and we don’t have a compelling reason to continue using it.

In these cases, we will take all reasonably practicable steps to erase the relevant data.  We will only refuse to comply with your request to erase your information in limited circumstances, and we will always tell you our reason for doing so.

Right to restrict our use of your personal information

You can ask us to suspend our use of your personal information in certain circumstances. For example, during the time it takes us to respond to your request to correct the information we hold about you. If we have shared your information with third parties, we will notify them about the restricted use of your personal information unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on our use of your personal information.

Right to move your data

You have the right to ask us to transfer certain personal information we hold about you to another third party service provider.  Alternatively, you may ask us to transfer the information directly to you.

Rights relating to automated decisions

In certain circumstances, you may contest a decision made about you based on automated processing. We do not generally make decisions based solely on automated processing of your personal data, but when we do so, we will let you know.

Right to complain

You have the right to lodge a complaint with your local data protection supervisory authority, which is the Information Commissioner's Office in the UK.

2. Who do we share your information with?

At BAT, we do not share, rent or trade your information with third parties for marketing or promotional purposes. When necessary we may share information about you with the following recipients:

  • any of our BAT group companies;
  • Tax, audit, or other authorities, when we believe we are legally required to do so, where the relevant authority has asked us to assist (for example, because of a request by a tax authority or in connection with any expected litigation), or in order to help prevent fraud or to protect the rights of BAT; or protect the personal safety of BAT employees, third party agents or members of the public.
  • third party service providers such as external consultants and professional advisers (including law firms, auditors and accountants), technical support functions, and IT consultants carrying out testing and development work on our business technology systems;
  • third parties for the purposes of background screening checks, credit worthiness checks, order fulfilment, delivery, customer support services and storage services;
  • third party outsourced IT providers, including but not limited to email/text messaging providers; Cloud IT service providers, business suite solution providers; data analytics agencies; IT strategic implementation partners; hosting service providers;
  • if it is proposed that a BAT Group entity or business is to merge with or be acquired by another business in the future, we may share your personal information with potential purchasers, where this is necessary, or the new owners of the business or company.

3. Do we transfer your personal information to other countries when we share it?

In using information as set out in this Privacy Notice, personal data may be processed on a variety of systems, networks and facilities worldwide.

Sometimes your personal information may be transferred to countries outside of the EEA or the UK.

In such cases, we will take reasonable steps to ensure that your personal information is treated securely and the means of transfer provide adequate safeguards, for example using Standard Contractual Clauses as approved by the European Commission and/or the UK.

4. How do we use your personal information and how do we legally do this?

We need to process your personal information for a variety of reasons or ‘purposes’.  These purposes for which we use your information are summarized below. In addition, when we process (or ‘use’) your personal information we need a legal basis to do this. The general legal bases that allow us to use your information are set out below. To find out which specific legal grounds we rely on for the processing of your personal information in the context of each particular purpose, please choose from the options in this Privacy Notice selecting the one(s) that best fits your connection to BAT.  If you need any assistance, please contact us using the contact details below.

  • Performance of a contract
  • We need to process your personal information to perform a contract with you or take steps at your request prior to entering into a contract.
  • Legal obligation
  • We have a legal obligation to ensure that we comply with all statutory and regulatory requirements within the jurisdictions within which we operate (including those relating to bribery and corruption, money laundering and sanctions) when engaging with third parties.  These obligations may require us to collect, store and sometimes share your personal information with other organizations such as the police, tax authorities or other public authorities or governmental enforcement agencies (including those outside the UK).
  • Legitimate interests
    We have a legitimate interest in using your information in the following ways:
  • Risk analysis and management;
  • Prevention and detection of criminal activity;
  • Credit worthiness checks;
  • Corporate restructuring;
  • Activities related to information security and building security, including the use of CCTV (e.g. if you visit our premises);
  • Client/customer and vendor relationship management and business to business communication;
  • Internal and external audits;
  • Group communications;
  • Establishing and defending legal claims.

The law allows our use of your personal information for these interests only insofar as such interests are not outweighed by a greater need to protect your privacy.

  • Consent
    We may ask your permission to use your personal information in certain circumstances. Where you give your permission, you are entitled to withdraw it at any time and we shall make this clear at the time of collection.

5. How do we ensure your information is safe with us?

We care about protecting your information. That's why we put in place appropriate measures that are designed to prevent unauthorized access to, and misuse of, your personal information.  We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorized access. We do this by having in place a range of appropriate technical and organizational measures, including encryption measures and disaster recovery plans.

If you suspect any misuse or loss of or unauthorized access to your personal information, please let us know immediately by contacting us using the details provided at the end of this notice.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will apply our normal procedures and comply with legal requirements to protect your information, we cannot guarantee the security of your information transmitted from you to us.

6. Contact us

To exercise any of your rights or if you have any questions or complaints about this Privacy Notice please email by writing to Data_Privacy@bat.com .

7. Updates to this Privacy Notice

We may amend this Privacy Notice from time to time, so please ensure to check back regularly.

Last Modified 29 November 2023.

You may find previous versions of this Privacy Notice below:
Privacy Notice - 30 September 2021 (1.2 MB)
Privacy Notice - 25 March 2021 (0.3 MB)

A BAT staff member

If you are a current or former employee, contractor or another staff member of BAT (such as a trainee or secondee) then please note that this Privacy Notice does not apply to you. Please click here to access the BAT Employee Privacy Notice or contact Data_Privacy@bat.com for more information.

A visitor to this website

This section of the Privacy Notice applies to visitors of the BAT.com website and those individuals who are interested in BAT’s updates, events or make an enquiry via this website. Here we tell you which BAT company is primarily responsible for your personal information, what we collect, why we collect it, how legally we can use it and for how long.

Which BAT company is primarily responsible for your personal information?

The company responsible for your personal information collected on this site is British American Tobacco p.l.c. with its registered offices at Globe House, 4 Temple Place, London WC2R 2PG, United Kingdom.

What personal data do we hold about you and where does it come from?

We don't make any routine use of your personal information. Non-personally identifiable information is captured in statistical form, i.e. Google Analytics statistics about the online footfall to our site. Unless you fill in a form on our website, we can't identify you.

We only collect and hold the personal information you provide to us when you visit our website, such as through filling out a contact form, or if you sign up to receive communications regarding BAT updates or news on events.

How do we use your personal data, how do we legally do this and how long do we keep it for?

For a general description of all the ways we use your personal information please click back to section 4 of this Privacy Notice. However, in respect of the way we use your personal information in the context of the relationship that you have with us in visiting the BAT.com website, please see below

Why do we hold your information What type of information? How legally can we use your information? How long do we keep it for?
To respond to any query that you have asked us.
  • Name and contact information
  • Any information that you provide to us in submitting your query through our contact form.
It is in our legitimate interests to respond to your query and in order to ensure that you have the most up to date information about the BAT business and that any concerns you have relating to BAT are resolved.
However, we will always balance our legitimate interests against your rights and freedoms before using your data. We will take into consideration the factors listed here.
1 year after the point in which it is no longer necessary for the purposes for which we obtained it.
Where you request us to do so, to communicate our events and updates to you
  • Name and contact information
We rely on your consent to communicate with you for these purposes. We will keep this information for as long as you would like to receive information about our events. We will delete this information if you unsubscribe or withdraw your consent.

We may need to keep your information longer than the periods stated above. This could be because of the following reasons:

  • to potentially establish, bring or defend legal proceedings or to comply with a legal or regulatory requirement;
  • to be able to deal with external or internal audits.

When it is no longer necessary for us to keep your information, we will delete it from our systems. Afterwards, we only retain aggregated data from which you cannot be identified for analytical purposes.

Business relationships with BAT

Privacy for our business contacts

This section of the Privacy Notice applies to you if you or your employer is a Third Party and supplying goods or services to BAT (or proposing to do so), or purchasing goods or services from us (or proposing to do so). It also applies if you are a director or direct or indirect shareholder of a Third Party organisation  supplying or receiving goods or services to or from BAT (or where such Third Party organisation is proposing to do so).

In this section "Third Party" means the following:

  • Supplier/Vendor - A person or organisation that provides goods or services to the BAT Group or any Group company and receives consideration for these goods or services.
  • Customers - Any person or entity (other than a BAT operating company or a direct store distribution customer of a BAT operating company) which directly purchases tobacco leaf and/or products from a BAT operating company.
  • Trade Associations - A group organised and funded by business/society participants that share common goals. Examples include: The Digital Coding & Tracking Association, Tobacco Manufacturers’ Associations, Associations of Accountants and Lawyers.
  • Landlords - The owner of land or buildings used by BAT

Here we tell you which BAT company is primarily responsible for your personal information, what we collect, why we collect it, how legally we can use it and for how long we keep it.

Which BAT company is primarily responsible for your personal information?

The BAT company listed below which has a business relationship with you, your employer, or the company of which you are a shareholder or director, will be primarily responsible for your personal information. For further information please contact Data_Privacy@bat.com .

What personal data do we hold about you and where does it come from?

At BAT, we need some information about you, such as your name, job title and contact details so we can work with you to manage the contract and relationship for the goods or services you supply to us, or we supply to you. We may collect your personal data via  a Third-Party risk assessment tool  to complete due diligence and risk management processes necessary for Third Party onboarding. As part of managing the business relationship, we may be legally required to conduct ‘know your customer’ (e.g. via ‘World Check One’) or similar compliance screenings on you or your company. In doing so we will use the information listed below. We obtain this information either obtain directly from you or from your employer, or the company you are shareholder or director of. In the context of conducting compliance screenings, we will also check the personal information provided to us against public information, including official sources (such as sanctions lists), media sources and adverse media (such as news reports, journal articles,), and additional Government and official sources (such as court records, election results, company filings, official company websites and press releases).

How do we use your personal data, how do we legally do this and how long do we keep it for?

[For a general description of all the ways we use your personal information please click back to section 4 of the Privacy Notice. However, in respect of the way we lawfully can use your personal information in the context of the relationship that you have with us, please see below.

Why do we hold your information What type of information? How legally can we use your information? How long do we keep it for?
To manage the contract and business relationship with either you, your employer or the company you are a director or direct or indirect shareholder or representative.
  • Name, contact information (e.g. email address, telephone number)
In order to perform our obligations under contract or take steps prior to entering into a contract. 7 years after the expiry of the business relationship or contract entered into by BAT.
To conduct due diligence and risk management processes necessary for Third Party onboarding and during the relationship engagement (including risks related to bribery and corruption, money laundering, sanctions, tax evasion and illicit trade).
  • Primarily ordinary category data, e.g. names, email address, phone number, date of birth, country of residence, trading address, tax identification number, share ownership.

  • In certain circumstances (for example, Sanctions Screening), BAT will also seek to collect special category data (e.g. nationality data). BAT will only collect and process special category data where necessary as part of the specific screening required.

  • In the exceptionally rare event of a hit, BAT may potentially collect special categories of data and criminal records.

To comply with a legal obligation to which BAT is subject. For those not directly associated to a legal obligation, that such processing is necessary for the performance of a task carried out in the public interest, and that such processing is in its (and its Third Parties) in its legitimate interests. The legitimate interest is to ensure appropriate levels of due diligence so that it does not breach the laws and regulations that apply to it, including international sanctions laws and screening lists.

For special categories of personal data or criminal records, the processing is necessary for reasons of substantial public interest, in particular for the prevention and detection of unlawful acts, and for regulatory requirements relating to unlawful acts and dishonesty.

7 years following cessation of the relationship with that Third Party.

Please note that we may need to keep your information longer than the periods stated above. This could be because of the following reasons:

  • to potentially establish, bring or defend legal proceedings or to comply with a legal or regulatory requirement;
  • to be able to deal with external or internal audits.

When it is no longer necessary to retain your data, we will delete the personal information that we hold about you from our systems. After that time, we would only retain aggregate data (from which you cannot be identified) for analytical purposes.

BAT entities primarily responsible for your personal information
  1. BAT Services Limited
  2. BATLaw Limited
  3. BATMark Limited
  4. British American Tobacco (AIT) Limited
  5. British American Tobacco (GLP) Limited
  6. British American Tobacco (Investments) Limited
  7. British American Tobacco Exports Limited
  8. British American Tobacco p.l.c.
  9. British-American Tobacco (Holdings) Limited
  10. British American Tobacco UK Limited
  11. Nicoventures Retail (UK) Limited
  12. Nicoventures Trading Limited
  13. British American Tobacco (Corby) Limited
  14. Nicovations Limited

A candidate or job applicant

Privacy for our candidates or people applying to work for us.

Please see the Privacy Notice available here if you have registered with us on our BAT Career site if you have sent us your CV or resumé, or you’re currently in a recruitment process with one of our companies.

Emergency contacts or those named to receive benefits by a BAT employee

Privacy for our employees’ relatives or emergency contacts

This section of the Privacy Notice applies to you if one of our employees employed by a BAT legal entity established in the United Kingdom has named you as the person we should contact in an emergency or to administer any employee-based benefits. If the relevant employee is employed at a BAT entity outside of the United Kingdom, then a local Privacy Notice applies. Please contact the local office for more information or send an email to data_privacy@bat.com .

Here we tell you which BAT company is primarily responsible for your personal information, what we collect, why we collect it, how legally we can use it and for how long.

Which BAT company is primarily responsible for your personal information?

The BAT company primarily responsible for your personal information is British-American Tobacco (Holdings) Limited whose address is Globe House, 4 Temple Place, London WC2R 2PG or if the person nominating you is an employee at British American Tobacco UKI Limited (BAT UKI) then BAT UKI is primarily responsible for your personal information.

What personal data do we hold about you and where does it come from?

We only hold information about you (as detailed in the table below) which has been provided to us by a BAT employee to enable us to contact you in emergencies or to administer employee benefits such as healthcare or international assignment relocation packages.

How do we use your personal data, how do we legally do this and how long do we keep it for?

We only your personal information in the ways detailed in the table below, which also sets out the legal bases we rely on to contact your or use your information in any other way.

Why do we hold your information What type of information? How legally can we use your information? How long do we keep it for?
To contact you in emergencies relating to the BAT employee(s) that have named you as their emergency contact person
  • Name and contact information.
It is in our legitimate interests to be able to contact you for the benefit of our employee in an emergency. 1 year after the relevant employee remains an employee by BAT.
To administer employee benefits that our employee has asked us to take steps to fulfil
  • Name and contact information; and
  • Data of birth.
This is necessary for us to take steps to perform the benefits contract between the BAT employee and the benefits provider. 6 years following the duration of the contract through which you are entitled to receive the relevant employee benefits.
To administer employee pension benefits that our employee has asked us to take steps to fulfil
  • Name and contact information
  • Data of birth; and
  • National insurance number
This is necessary for us to take steps to perform to comply with our legal obligations (in particular under UK tax laws) between the BAT employee and the benefits provider. 20 years following the duration of the pension lifetime through which you are entitled to receive the relevant employee benefits.

Please note that we may need to keep your information longer than the periods stated above because of the following reasons:

  • to potentially establish, bring or defend legal proceedings or to comply with a legal or regulatory requirement; or
  • to preserve records beyond the above periods to be able to deal with external or internal audits.

When it is no longer necessary to retain your data, we will delete the personal information that we hold about you from our systems.  After that time, we would only retain aggregate data (from which you cannot be identified) for analytical purposes.

Other individuals who interact with BAT

This section of the Privacy Notice applies to you if you fall within any of the following categories:

  • journalists with whom we communicate in any medium;
  • visitors to our physical premises;
  • individuals who attend or participate in conferences or events in which we are involved;
  • individuals who represent regulatory and law enforcement agencies or other governmental offices;
  • individuals who voluntarily participate in any of our panels; and
  • academics and research professionals.

Here we tell you which BAT company is primarily responsible for your personal information, what we collect, why we collect it, how legally we can use it and for how long we keep it.

If you engage in business with BAT by acting as a supplier or vendor, customer, trade association or landlord please see section ‘Business relationship with BAT’ here.

Which BAT company is primarily responsible for your personal information?

The BAT company listed below with which you interact will be primarily responsible for your personal information. For further information please contact Data_Privacy@bat.com .

What personal data do we hold about you and where does it come from?

At BAT, we need some information about you, and will collect and hold the information listed in the table below under ‘ What Type of Information ’ so we can manage any current or future relationship  we may have with you. We obtain this information either directly from you or from your employer, or from third parties who lawfully provide it to us (including publicly available materials) including the organisers of public events you attend.

How do we use your personal data, how do we legally do this and how long do we keep it for?

For a general description of all the ways we use your personal information please click back to section 4 of the Privacy Notice. However, in respect of the way we lawfully can use your personal information in the context of the relationship that you have with us, please see below.

Why do we hold your information What type of information? How legally can we use your information? How long do we keep it for?
To contact you in order to manage your relationship with us.
  • Name, contact information (e.g. email address, telephone number, region where you are from)
In order to: (1) perform our obligations under contract (in particular: (a) for those individuals who attend, or participate in, conferences or events; or (b) in the context of our relationships with journalists) or take steps prior to entering into a contract; or (2) exercise our legitimate interests in being able to contact you in the context of a current or future business or commercial relationship. 7 years after the expiry of the business relationship or contract entered into by BAT.
To perform relevant due diligence into publicly available materials relating to you.
  • Name, contact information including the region where you are from
  • Professional details including your work history, academic history and qualifications, job title, organization, website details (if any), contact details, and area of expertise or speciality
  • Any publications, articles or publicly available materials you have created
We will either: (1) rely on our legitimate interest in: (a) protecting our business; or (b) in the context of a current or future business or commercial relationship; or (2) seek your consent where appropriate. 7 years after the expiry of the business relationship or contract entered into by BAT
To respond to any query that you have asked us.
  • Name and contact information
  • Any information that you provide to us in submitting your query through our contact form or to us directly
It is in our legitimate interests to respond to your query and in order to ensure that you have the most up to date information about the BAT business and that any concerns you have relating to BAT are resolved. 1 year after the point in which it is no longer necessary for the purposes for which we obtained it.
To facilitate safe visits to our premises, and to contribute to COVID-19 containment measures.
  • Name, contact information and potentially questions surrounding your recent whereabouts or contact with those who may have been infected with the COVID-19 virus and body temperature information
  • Any information that you provide to us relating to your visit.

It is in our legitimate interests to facilitate your visit to our premises. This includes recording your access to our premises, taking steps to help ensure your safety on site, and recording any feedback you provide.

Furthermore, maintaining safe premises and a safe working environment is within our legitimate interests, and is necessary to protect your vital interests (and those of others) and to comply with our legal obligations.

1 year after the point in which it is no longer necessary for the purposes for which we obtained it.

Information obtained to contribute to COVID-19 containment measures will be retained for no longer than the conclusion of the situation pertaining to the COVID-19 outbreak.

Building a professional relationship with you in relation to your attendance at conferences and events that are of mutual interest.
  • Name and contact information
  • Records of conferences and events attended
It is in our legitimate interests to process your personal data for the purposes of building our professional relationship with you. 1 year after the point in which it is no longer necessary for the purposes for which we obtained it
Building current or future professional relationship with you in the context of your work as an academic or research professional.
  • Name and contact information
  • Professional details including your academic history and qualifications, job title, organization, website details (if any), contact details, and area of speciality
It is in our legitimate interests to process your personal data for the purposes of developing a current or future professional relationship with you. 7 years after the expiry of the business relationship or contract entered into by BAT.
To facilitate the panel that you are participating in and to understand areas of development of our products or services.
  • Name and contact information
  • Details about your experience or preferences of the product or service you are testing.
  • Any reimbursement paid or provided to you.
We use this information based on your consent which you can withdraw at any time.

We retain details collected during the panel for the period of 35 years.

We retain finance details of any reimbursement paid or provided to you for the period of 20 years.

If we rely on our legitimate interests (as detailed above in ‘ How legally can we use your information ’), we will always balance our legitimate interests against your rights and freedoms before using your information and will take into consideration the factors listed here .

Please note that we may need to keep your information longer than the periods stated above. This could be because of the following reasons:

  • to potentially establish, bring or defend legal proceedings or to comply with a legal or regulatory requirement;
  • to be able to deal with external or internal audits.

When it is no longer necessary to retain your data, we will delete the personal information that we hold about you from our systems. After that time, we would only retain aggregate data (from which you cannot be identified) for analytical purposes.

BAT entities primarily responsible for your personal information
  1. BAT Services Limited
  2. BATLaw Limited
  3. BATMark Limited
  4. British American Tobacco (AIT) Limited
  5. British American Tobacco (GLP) Limited
  6. British American Tobacco (Investments) Limited
  7. British American Tobacco Exports Limited
  8. British American Tobacco p.l.c.
  9. British-American Tobacco (Holdings) Limited
  10. British American Tobacco UK Limited
  11. Nicoventures Retail (UK) Limited
  12. Nicoventures Trading Limited
  13. British American Tobacco (Corby) Limited
  14. Nicovations Limited
max
xlarge
large
medium
small
mobile