IQOS CLUB - Privacy Policy

Specific information about the Processing of Data in the IQOS CLUB "Privacy Policy"

1. General Remarks on this Privacy Policy

Protecting your personal data is very important to us. We take measures to protect and respect your privacy in accordance with the General Data Protection Regulation of the EU (Regulation 2016/679 – GDPR) and the applicable legislation of the Republic of Cyprus, in combination with applicable decisions and instructions of competent authorities. This Privacy Policy includes information regarding the personal data we collect about you and how we use such data in the context of the operation of the IQOS CLUB. We invite you to read the Privacy Policy carefully. For any question or issue concerning this policy and the processing of your data, please contact us using the contact details listed below.

2. Who does this Privacy Policy apply to?

This Privacy Policy is your update on the processing of your data in your capacity as consumers who are interested in becoming members, and then as Members, of the IQOS CLUB (provided your membership is activated pursuant to the Terms of Use of the IQOS CLUB). This Privacy Policy is supplemented by the "Cookies" Policy posted on the IQOS CLUB Platform. It is also supplemented on a case-by-case basis by the more specific privacy policies that apply to the Programmes you choose to participate in, as well as by PMI’s General Privacy Policy which governs all consumer data processing operations.

3. Who is the Controller?

The Controller of the processing of your personal data is the company named PHILIP MORRIS CYPRUS LTD, having its registered office at 23 Kennedy Ave, 1075, Nicosia, Cyprus, with registration number HE420512 (hereinafter "PMCY").

Our contact details are PHILIP MORRIS CYPRUS LTD, with registered office at 23 Kennedy Ave., 1075, Nicosia, Cyprus, registration number HE420512, telephone number 22848000, fax number 22543412, email address for personal data matters: contact.cy@iqos.com

4. Description of the purposes of the processing of your data and legal basis for the processing

Processing Purposes

4.1. Expression of interest in participating in the IQOS CLUB and verification of your age: when expressing interest in participating in the IQOS CLUB, we collect your details as required (including, without limitation, name, IQOS device registration) so as to verify that you are an adult, and that you meet the terms and conditions specified for your participation in the IQOS CLUB, in compliance with our statutory obligation to avoid sales to minors due to the nature of PMI's products (hereinafter the "Products"). Furthermore, for the above purpose, you may be asked to confirm your details at any time during your participation in the CLUB, e.g., when receiving Prizes in Competitions, redeeming Coupons, participating in Programs, or receiving IQOS CLUB Privileges, etc.

4.2. Activation of your membership and fulfilment of the conditions of the IQOS CLUB: if you meet the above conditions, you may freely proceed to activate your membership and become a Member of the IQOS CLUB. In order to fulfil the terms of the IQOS CLUB, we collect your registration data in the IQOS CLUB and we create your IQOS CLUB Member profile so that you can collect Points, personally use its Privileges, participate in the Programs that we provide to Members at times, or advance in the tiers of the IQOS CLUB. For the above purpose, we will process in your IQOS CLUB Membership profile data related, without limitation, to your purchases and your voluntary participation in Programs for the collection of Points, as well as data from your other interaction within IQOS CLUB, data necessary for the performance of the terms of IQOS CLUB towards you.

The legal basis for this processing is your consent to your participation in the IQOS CLUB for the purpose of collecting Points and receiving the Privileges. The activation of your participation in the IQOS CLUB is subject to verification that you are an adult. You may withdraw your consent to participate in the IQOS CLUB at any time by deleting your Account on the Platform or by contacting us using PMCY Contact Details.

4.3. Creating and logging into your account at the IQOS CLUB Platform: to complete your membership of the IQOS CLUB and obtain the status of a Member and access to its Programs and Privileges, you must activate your personal account on the IQOS CLUB Platform. In this context, we use your registration and identification data, as well as your mobile phone, to send a unique code when you register on iqos.com and to keep logs of your logins. You are always verified as an IQOS CLUB Member through your mobile phone. The processing of the aforementioned is based on our legitimate interest to ensure access and use of the IQOS CLUB by specific persons who have indicated their willingness to subscribe to the CLUB and who have been verified as adults, as well as for security reasons of access and use of the Platform and in view of our legal obligations due to the nature of the Products and is in your interest.

4.4. Participation in Programs/receipt of Privileges provided to IQOS CLUB members: By becoming an IQOS CLUB Member, you can choose to receive Privileges or participate in the special IQOS CLUB Programs and Competitions by declaring your participation in them and/or by accepting their special terms. The processing of your data that is necessary for your participation in these Programs is based on the performance of the contractual relationship between us that is concluded by your participation and/or voluntary acceptance of the terms of each Programme or Competition (where required) and is governed by this privacy policy and any more specific policies described in individual Programs.

4.5. Answering questionnaires: you can choose to answer questionnaires to collect Points. Your answers, as well as the number of Points you collect, will also be kept in your IQOS CLUB Member profile. You can only participate in questionnaires if you consent, since you participate in them voluntarily, and you can freely decline to participate in these questionnaires.

4.6. Issuance and redemption of Coupons and vouchers: if you issue a Coupon or voucher or participate in a Programme or Competition, we will process your data that are required for the issuance and redemption of the Coupon or voucher. The processing of your data for this purpose is based on the performance of a contract, since both PMCY and our third-party partners (as applicable) must redeem the Coupon or voucher based on the express conditions you have accepted when issuing the Coupon or voucher or when participating in the Programme or Competition, and must process the data where required in order to properly allocate such benefits to you and to duly observe procedures.

4.7. Communication with you in the context of customer service for IQOS CLUB procedural issues: we will use your contact details on a case-by-case basis if required to inform you about IQOS CLUB procedural issues, such as, without limitation, changes to the terms as specified under the IQOS CLUB Terms of Use and in this Privacy Policy, for security issues related to your IQOS CLUB account, to inform you about your points or your rank or for any other issue arising in the context of the performance of the terms of the IQOS CLUB that necessitates communication with you.

The legal basis for the processing of your data in the above context is our legitimate interest: a) to ensure the orderly and proper operation of customer service within the framework of the CLUB Programs and Privileges; and b) to maintain transparency and properly update you on matters concerning the CLUB but also its security (technical or organisational); both a) and b) above are also pursued in your interest and do not affect your rights and freedoms.

4.8. Statistical data generation: we will process the data we collect (including purchase data) by extracting anonymous aggregate data based on our legitimate interest to generate statistical conclusions for the purposes of statistical analysis to evaluate and improve IQOS CLUB services, including its Privileges and Programs, the procedures, the operation of the Platform, as well as our Products and services.

4.9. Data kept as evidence of fulfilment of IQOS CLUB conditions: we keep personal data that are absolutely necessary to prove the redemption of your coupons and/or vouchers, your participation in Competitions or other actions, your consent or its revocation, your identification for the purposes of IQOS CLUB membership or for rejecting participation if a Member has been deleted due to a violation of the terms and conditions, but also for our relations with the third parties that we cooperate with for the performance of the terms of the IQOS CLUB. Such processing is based on our legitimate interest to demonstrate compliance with its terms which is also to your benefit and does not affect your rights and freedoms.



Also, to the extent that the keeping of such data is required for the fulfilment of our statutory obligations such as e.g. for consent etc., the processing is based on our compliance with our statutory obligations.

5. Which data/categories of data do we process for the above purposes?
  1. your registration and identification data;
  2. demographical data;
  3. contact details (email, mobile, telephone);
  4. login logs to your Platform Account;
  5. Device and other IQOS product data for purposes of proper performance of customer service, etc.;
  6. purchase data for points;
  7. questionnaire response data;
  8. participation in Competitions and Programs;
  9. after sales service history, in the context of customer service;
  10. voucher issuing and redeeming data;
  11. data about your interaction with the IQOS CLUB (e.g. participation in quizzes and interaction in connection with video challenges) and its Programs based on the terms of the IQOS CLUB and the more specific terms of the programs;
  12. data that you may share with us for the above purposes;
  13. cookie data based on the cookie policy;
  14. your profile information created from the collection of the above data.


    6. How do we collect your data?

    We collect the data concerning you, without limitation, from the following sources:

    Directly from you, when you submit such data to us (on and off the IQOS CLUB Platform which, however, are related to IQOS CLUB purposes):

    • during your registration;
    • during your identification and the verification of your age;
    • when opening and logging into your account on the Platform;
    • when making your purchases to receive points;
    • when you register your participation in an IQOS CLUB Programme or Privilege or answer questionnaires;
    • when you collect points and redeem coupons and/or vouchers;
    • when you receive Prizes from a Competition;
    • when you contact us to inquire about IQOS CLUB matters;
    • when you contact us to express a related complaint/request;
    Generated by your interaction with the IQOS CLUB:

    • from your ranking in tiers;
    • from processing your profile for IQOS CLUB purposes;

    By installing cookies based on our applicable policy;

    From third parties (partners or consumers who have participated in a programme), when:

    • You buy IQOS products from third parties for which you can collect points;
    • You redeem coupons and/or vouchers issued in the IQOS CLUB to third parties;
    • You take any action related to the IQOS CLUB before a third party.

    As a Data Controller, we are obliged to keep your data accurate and updated, and we therefore encourage you to contact us using the contact means listed above if your data have changed or if you have provided inaccurate data to us by mistake.

    7. What are my rights and how can I exercise them in relation to the specified purposes?

    We fully respect your rights regarding the processing of your personal data. We have created a mechanism for data subjects to exercise their rights so that we can satisfy data subjects as soon as possible provided they email us at contact.cy@iqos.com. In any case, your request must be exact, and you can exercise your right when the following conditions apply:

    Right (the Articles mentioned hereinafter are those of the General Data Protection Regulation)

    Explanation of rights

    Right of Access (Article 15)


    You may request from us:

    · To confirm that we are processing your personal data;
    · To provide you with access to any personal data that you do not already have at your disposal;
    · To provide you with other information concerning your personal data, such as what data we keep, why we use such data, to whom we may transfer the data, whether we transfer data abroad, how we protect data, how long we keep data, what rights you have as a data subject, the complaint procedure, the sources of your data (to the extent such information is not already set out under this Privacy Policy).

    Right to rectification (Article 16)

    You can request the correction of inaccurate personal data.

    We may seek to verify the accuracy of data before correcting it.

    Right to Erasure (Article 17)

    You can ask us to delete your personal data:

    – when you have withdrawn your consent;
    – whenever they are no longer needed for the purposes for which they were collected;
    – if they have been collected illegally;
    – when you object to processing;
    – when you declare that you no longer wish to participate in the IQOS CLUB (except for the data we are required to keep by law or as proof of the proper performance of the terms of the IQOS CLUB)

    We are not obliged to comply with your request to delete your personal data if the processing is necessary:

    – to comply with a statutory obligation;
    – to fulfill another legitimate purpose or other legitimate legal basis;
    – to establish, exercise or support legal claims.

    Right to Restrict Processing
    (Article 18)

    You may ask us to restrict the processing (e.g. to store but not use) of your personal data when:

    · the accuracy of the data is disputed (see rectification) so that we can verify the accuracy of the personal data; or
    · the personal data has been illegally processed, but you object to the deletion of the personal data; or
    · they are no longer necessary for the purposes for which they were collected, but you still need them to establish, exercise or defend legal claims, or there is another legitimate processing purpose or other legal basis;
    · you have exercised the right to object, and are awaiting its verification.

    Right to Data Portability
    (Article 20)

    Where the processing is based on your consent or the performance of a contract and is performed by automated means, you may request that we provide your personal data in a structured, commonly used and machine-readable format, or you may request that data be transmitted directly to another controller. However, this right only concerns data provided by the data subject and not data generated by the controller based on already collected data.

    Right to object
    (Article 21)

    You may at any time object to any processing of your personal data, which is based on our legitimate interest or the performance of a task carried out in the public interest.

    If you exercise the right to object, we are entitled to demonstrate compelling legitimate grounds for the processing which override the rights and freedoms of the data subject; however, your fundamental rights and freedoms will not be affected.

    Rights in the context of automated individual decision-making, including profiling
    (Article 22)

    If you are subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you in a similar way, you have the following rights: to ensure human intervention on the part of the controller, as well as to express your point of view and to contest the decision.

    Right to withdraw consent (opt out)

    You have the right to withdraw your consent where consent is the basis for processing. Any opting out applies for the future and any processing carried out by us up to the time of opting out is lawful.

    Right to lodge a complaint with the competent Supervisory Authority

    Since your privacy is a top priority for us, we encourage you to contact us about any issues you may have regarding our use of your personal data. We will gladly try to reach an amicable solution for handling your requests, so we encourage you to contact us in any way.

    You do, however, have the right to lodge a complaint with the domestic Supervisory Authority in relation to any processing activities undertaken by us. In Cyprus, the competent Authority to which you can submit your complaint is the Office of the Data Protection Commissioner located at 1 Iasonos St, 1082 Nicosia. You may find more information on how to exercise your right to lodge a complaint at https://www.dataprotection.gov.cy/

    You may access a list of all EU Authorities: List of Personal Data Protection Competent Authorities | Shaping Europe's digital future (europa.eu)



    Procedure for exercising your rights:

    Identification

    We fully respect the confidentiality of all files containing personal data. We reserve the right to ask you for evidence so that we can identify you in order to satisfy your rights.

    Cost

    Data subjects are not financially burdened for exercising their rights in relation to personal data, unless, as specified by law, the request to obtain access to information is unsubstantiated or excessive. In this case, we may charge the data subject a reasonable fee under certain circumstances. We will notify you of any potential charges before completing the processing of the request.

    Time Schedule

    We aim to respond to valid data subject requests no later than one (1) month after receiving them, unless the request is extremely complex or the same individual has submitted multiple requests, in which case we aim to respond to you within three (3) months. If we need more than one month for the reasons mentioned above, we will inform you accordingly. We may ask you if you wish to explain exactly what you want to receive or what your concern is. This will enable us to react more quickly in relation to your request. In any case, you must provide specific, accurate and true data and/or facts so that we can respond and/or satisfy your request accurately. Otherwise, we reserve the right to any errors beyond our control. In addition, we may reject requests that are unsubstantiated, excessive, abusive, made in bad faith, or are illegal under statutory provisions.



    8. Recipients of your personal data

    8.1. The recipients of your data are only those who are absolutely necessary and will have access to your data only if it is absolutely necessary for them to become aware thereof. As part of our proper administration of PMCY and proper management of the IQOS CLUB, we cooperate with certain providers. Depending on their role in the processing of personal data (joint controllers or processors or independent processors), we have concluded data processing contracts (if required) and have taken all appropriate security measures when transferring your data, so as to ensure the protection of your personal data.

    8.2. The recipients of your personal data are divided into the categories described below:

    i) Recipients in general: Such as internal and external accountants, marketing managers, IT and security department managers, customer service managers, technical support service providers, any department of our company or our external partners related to the operation and management of the IQOS CLUB as a whole, etc.

    ii) Special recipients:

    – We use cloud service providers to host digital data, technical maintenance and support providers, software developers, physical and digital security providers, and, in general, technical consultants to support our technical infrastructure and systems.

    – We use email campaign providers, web hosting providers, digital platform providers.

    – We use call center companies, marketing agencies, consulting services, data storage and management services, IQOS CLUB registration services, statistical data extraction services.

    - Your data is transmitted to our third-party partners who also act as data controllers for the fulfillment of the conditions of the IQOS CLUB based on our cooperation with them, i.e. regarding the redemption of coupons and/or vouchers (it is expressly clarified that any other processing of your data carried out by third parties other than the aforementioned, is performed under the sole responsibility of the third parties as independent controllers based on their own privacy policy for which we are not liable in any way whatsoever) – you may find a list of our partners at the IQOS CLUB platform.

    - Statistical data are also transmitted to our parent company, i.e. Philip Morris Products SA or other companies of our group.

    - Public Authorities and Administrative Bodies:
    – Taxation Department, Judicial Authorities, Police and Prosecuting Authorities in the case of criminal offenses or in the case of legal claims, etc.

    - Professional advisors such as our external legal advisors and auditors.

    9. International Transfers

    In general, we take measures to process data within the European Union and the EEA and/or third countries covered by adequacy decisions. However, we may need to transfer your data to third countries as well. In this case, we make our best efforts to take all appropriate technical and organisational measures to comply with the principles of the General Data Protection Regulation, regarding the secure transfer of data to third countries, as well as to perform the appropriate Standardized Contractual Clauses ("SCCs") where necessary and to conduct the appropriate Data Protection Impact Assessment, "DPIA", where required. When we use data transfer agreements or similar safeguards, we may be able to provide you with a copy or sample, if you contact us at 22848000.

    10. Data retention time

    We will retain your personal data for the period necessary to fulfil the purposes of the processing. If you express your interest in IQOS CLUB membership, your details will be kept for the purposes of verifying your age and to enable you to activate your account if you meet the conditions. In the event that your account is not activated, your data will not be retained for IQOS CLUB purposes. After you have become a member we will process and keep your data concerning you for the period of time necessary to fulfil the purposes for which they were collected, and until you are deleted from the IQOS CLUB. Any purchases of consumables for points collection will be retained for the period of time required for points to be awarded, per points collection period, as described in the IQOS CLUB terms and conditions (and then deleted).

    11. Personal Data Security

    We implement appropriate technical and organizational measures and strict security procedures to protect your personal data and information to prevent unauthorized access, disclosure, use, modification, or destruction.

    The personal data we collect is processed exclusively by authorised personnel under our control and direction and, where necessary, our recipients. In carrying out the processing, the Company selects persons with relevant professional qualifications, offering adequate guarantees in terms of technical knowledge and personal integrity with regard to maintenance of confidentiality. The technical and organizational measures we have taken allow accessibility and availability of personal data to be restored in a timely manner in the event of a physical or technical incident. In any case, the security of your personal data in the digital environment is subject to risks that are outside the sphere of influence of our company and in exceptional circumstances, as well as in the case of risks due to technical or other network vulnerabilities or conditions created despite the security measures taken or outside the control of our company or for reasons of force majeure or accidents.

    12. Amendments to the Privacy Policy

    This Privacy Policy shall enter into force on the date of its publication and may be modified at any time by PMCY by posting a relevant notice on the IQOS CLUB platform. Also, if it is necessary for compliance with new requirements imposed by applicable laws, directives, or technical requirements or during a review of our company's procedures and practices (including but not limited to the purposes and/or bases of processing), or changes in the way the IQOS CLUB operates, we again reserve the right to modify the current Privacy Policy and make a relevant announcement to this effect either at the IQOS CLUB platform or directly to you.



    Effective date: 22/03/2023