Privacy Notice

At BAT, we collect a variety of information about people we interact with as part of our business and may use it in lots of different ways. We are committed to ensuring that your personal information is protected and never misused.

In this Privacy Notice, “BAT”, “us”, “we” or “our” means the BAT group company or companies who are responsible for personal information collected about you in the United Kingdom.

We have designed this Privacy Notice to help you find the information about our privacy practices quickly and simply. This part of our Privacy Notice explains what control you have over your personal information, who we share it with, and how we keep your personal information safe including where we transfer it out of the EEA.

We may amend this Privacy Notice from time to time, so please ensure to check back regularly.

Privacy for our business contacts

This section of the Privacy Notice applies to you if you or your employer supplies goods or services to BAT, or you purchase goods or services from us. It also applies if you are a director or direct or indirect shareholder of an organisation which supplies or receives goods or services to or from BAT.

Here we tell you which BAT company is primarily responsible for your personal information, what we collect, why we collect it, how legally we can use it and for how long we keep it.

Which BAT company is primarily responsible for your personal information?

The BAT company listed below which has a business relationship with you, your employer, or the company of which you are a shareholder or director, will be primarily responsible for your personal information. For further information please contact Data_Privacy@bat.com.

What personal data do we hold about you and where does it come from?

At BAT, we need some information about you, such as your name, job title and contact details so we can work with you to manage the contract and relationship for the goods or services you supply to us, or we supply to you. In addition, as part of managing the business relationship, we may be legally required to conduct ‘know your customer’, or similar compliance screenings on you or your company. In doing so we will use the information listed below. We obtain this information either obtain directly from you or from your employer, or the company you are shareholder or director of. In the context of conducting compliance screenings, we will also check the personal information provided to us against public information.

How do we use your personal data, how do we legally do this and how long do we keep it for?

For a general description of all the ways we use your personal information please refer to section 3 of the Privacy Notice. However, in respect of the way we lawfully can use your personal information in the context of the relationship that you have with us, please see below.

Why do we hold your information What type of information?

  • To contact you in order to manage the contract and business relationship with either you, your employer or the company you are a director or direct or indirect shareholder.

  • To comply with all statutory and regulatory requirements within the jurisdictions within which we operate (including those relating to bribery and corruption, money laundering and sanctions) when engaging with third parties.

How legally can we use your information?

  • Name, contact information (e.g. email address, telephone number)

  • In the case of sole traders: financial information, such as creditworthiness, bank account details, specimen signature; and

  • In the case of certain key individuals: KYC (know your customer) records, such as passport details, identity documentation, social security number, date and place of birth, nationality, relationships with public officials, or allegations of criminal conduct.

  • personal information relating to criminal allegations, proceedings or convictions; and political opinions

How legally can we use your information?

  • In order to perform our obligations under contract or take steps prior to entering into a contract.

  • To comply with Legal obligations to which BAT is subject.

  • To comply with regulatory requirements relating to unlawful acts to which we are subject, including but not limited to the UK Bribery Act 2010.

How long do we keep it for?

  • 7 years after the expiry of the business relationship or contract entered into by BAT.

  • 12 years from the date that BAT ceases its relationship with the organization that you are employed by.

Please note that we may need to keep your information longer than the periods stated above. This could be because of the following reasons:

  • to potentially establish, bring or defend legal proceedings or to comply with a legal or regulatory requirement;

  • to be able to deal with external or internal audits.

When it is no longer necessary to retain your data, we will delete the personal information that we hold about you from our systems. After that time, we would only retain aggregate data (from which you cannot be identified) for analytical purposes.

BAT entities primarily responsible for your personal information

  • British-American Tobacco (Holdings) Limited

  • British American Tobacco (Investments) Limited

  • B.A.T (U.K. and Export) Limited

  • BATLaw Limited

  • BATMark Limited

  • British American Shared Services (GSD) Limited

  • British American Tobacco AIT Limited

  • British American Tobacco Western Europe Commercial Trading Limited

  • British American Tobacco (Corby) Limited

  • Nicoventures Trading Limited

  • Nicovations Limited

  • British-American Tobacco Exports Limited

  • BTomorrow Ventures Limited

  • British American Tobacco p.l.c.

  • British American Tobacco UK Limited

  • Nicoventures Retail (UK) Limited

1. What are your rights under data protection law?

Subject to certain exceptions, by law you have several rights in relation to how your information is used. If you want to exercise your rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will make sure to respond to you within one month from the later of (i) the date that we have confirmed your identity, or (ii) the date we received your request.

Right of access (also known as Subject Access Requests)

You may ask us for a copy of the information we hold about you. If we provide you with a copy, we will not charge you. If you request further copies of this information from us, we may charge you a reasonable administrative cost. We will only refuse your request in very limited circumstances as permitted by law, and we will always explain to you the reasons why we are not fulfilling your request.

Right to correct the data we hold about you

You have the right to ask us to correct any inaccurate or incomplete personal information that we hold about you. If we have shared this personal information with third parties, we will notify them, unless this is impossible or involves disproportionate effort.

Right to object

You can object to us using your information if we are using it for the purpose of our legitimate interests.

If we agree that your objection is justified, we will permanently stop using your information for those purposes. Otherwise we will explain why we need to continue using your information (for example, explaining that we need to use your information in connection with a legal claim).

Right to withdraw consent

Where we have asked your permission to use your personal information for certain activities, you may withdraw your permission at any time by emailing or calling us at the contact details set out below and we will stop using your information for that purpose.

Right to erasure

In certain cases, you have the right to ask us to “erase” your personal information. Normally, you can do this where:

  • It’s no longer necessary for us to use your information;

  • we were relying on your consent to use your information and you have withdrawn your consent;

  • Your information has been used unlawfully;

  • your information needs to be erased in order for us to comply with our obligations under law; or

  • You object to the processing and we don’t have a compelling reason to continue using it.

In these cases, we will take all reasonably practicable steps to erase the relevant data. We will only refuse to comply with your request to erase your information in limited circumstances, and we will always tell you our reason for doing so.

Right to restrict our use of your personal information

You can ask us to suspend our use of your personal information in certain circumstances. For example, during the time it takes us to respond to your request to correct the information we hold about you. If we have shared your information with third parties, we will notify them about the restricted use of your personal information unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on our use of your personal information.

Right to move your data

You have the right to ask us to transfer certain personal information we hold about you to another third party service provider. Alternatively, you may ask us to transfer the information directly to you.

Rights relating to automated decisions

In certain circumstances, you may contest a decision made about you based on automated processing. We do not generally make decisions based solely on automated processing of your personal data, but when we do so, we will let you know.

Right to complain

You have the right to lodge a complaint with your local data protection supervisory authority, which is the Information Commissioner’s Office in the UK.

2. Who do we share your information with?

At BAT, we do not share, rent or trade your information with third parties for marketing or promotional purposes. When necessary we may share information about you with the following recipients:

  • any of our BAT group companies;

  • Tax, audit, or other authorities, when we believe we are legally required to do so, where the relevant authority has asked us to assist (for example, because of a request by a tax authority or in connection with any expected litigation), or in order to help prevent fraud or to protect the rights of BAT; or protect the personal safety of BAT employees, third party agents or members of the public.

  • third party service providers such as external consultants and professional advisers (including law firms, auditors and accountants), technical support functions, and IT consultants carrying out testing and development work on our business technology systems);

  • third parties for the purposes of background screening checks, credit worthiness checks, order fulfilment, delivery, customer support services and storage services;

  • third party outsourced IT providers, including but not limited to email/text messaging providers; Cloud IT service providers, business suite solution providers; data analytics agencies; IT strategic implementation partners; hosting service providers;

  • if it is proposed that a BAT Group entity or business is to merge with or be acquired by another business in the future, we may share your personal information with potential purchasers, where this is necessary, or the new owners of the business or company.

3. Do we transfer your personal information to other countries when we share it?

Sometimes when we share your personal information with the third parties described in section 2 above, it may be transferred to countries within the European Economic Area (EEA) or to countries outside of the EEA.

We will do our best to ensure that your personal information is stored and transferred in a way which is secure.

When we transfer your personal information outside the EEA, we take appropriate steps to protect that information, which include:

  • maintaining an intra-group agreement between BAT companies which includes clauses the European Commission has determined offer adequate protection for your information (known as the “Standard Contractual Clauses” and available on the European Commission website);

  • entering into agreements with third parties which include the Standard Contractual Clauses; or

  • transferring to organizations within countries that the European Commission has judged offers adequate protection for your information.

4. How do we use your personal information and how do we legally do this?

We need to process your personal information for a variety of reasons or ‘purposes’. These purposes for which we use your information are summarized below. In addition, when we process (or ‘use’) your personal information we need a legal basis to do this. The general legal bases that allow us to use your information are set out below. To find out which specific legal grounds we rely on for the processing of your personal information in the context of each particular purpose, please choose from the options in this Privacy Notice selecting the one(s) that best fits your connection to BAT. If you need any assistance, please contact us using the contact details below.

  • Performance of a contract

  • We need to process your personal information to perform a contract with you or take steps at your request prior to entering into a contract.

  • Legal obligation

  • We have a legal obligation to ensure that we comply with all statutory and regulatory requirements within the jurisdictions within which we operate (including those relating to bribery and corruption, money laundering and sanctions) when engaging with third parties. These obligations may require us to collect, store and sometimes share your personal information with other organizations such as the police, tax authorities or other public authorities or governmental enforcement agencies (including those outside the UK).

  • Legitimate interests

We have a legitimate interest in using your information in the following ways:

  • Risk analysis and management;

  • Prevention and detection of criminal activity;

  • Credit worthiness checks;

  • Corporate restructuring;

  • Activities related to information security and building security, including the use of CCTV (e.g. if you visit our premises);

  • Client/customer and vendor relationship management and business to business communication;

  • Internal and external audits;

  • Group communications;

  • Establishing and defending legal claims.

The law allows our use of your personal information for these interests only insofar as such interests are not outweighed by a greater need to protect your privacy.

  • Consent

We may ask your permission to use your personal information in certain circumstances. Where you give your permission, you are entitled to withdraw it at any time and we shall make this clear at the time of collection.

5. How do we ensure your information is safe with us?

We care about protecting your information. That’s why we put in place appropriate measures that are designed to prevent unauthorized access to, and misuse of, your personal information. We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorized access. We do this by having in place a range of appropriate technical and organizational measures, including encryption measures and disaster recovery plans.

If you suspect any misuse or loss of or unauthorized access to your personal information, please let us know immediately by contacting us using the details provided at the end of this notice.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will apply our normal procedures and comply with legal requirements to protect your information, we cannot guarantee the security of your information transmitted from you to us.

6. Contact us

To exercise any of your rights or if you have any questions or complaints about this Privacy Notice please email by writing to Data_Privacy@bat.com.