Norwex needs to obtain, collect, and use certain types of information about individuals. Such information is often referred to as Personally Identifiable Information, a phrase which encompasses a wide-range of personal data types. For purposes of this policy, the term “personal data” is used to describe any type of data that obtained, collected, and used by Norwex.
As to whom the “personal data” is obtained from, this is often referred to as customers, clients, users, data subjects – phrases which encompass a wide-range of individuals. For purposes of this policy, the term “individual(s)” is used to describe any type of
person for which “personal data” is obtained and collected from, and then subsequently used by Norwex.
Norwex is deeply committed to maintaining your trust and confidence, values your privacy and recognises the sensitivity of your personal information, and will thus
Our privacy standards
The Norwex Group (“we / us / our”) respects and is committed to protecting your privacy through our compliance with this policy.
used or disclosed by us. We comply with the regulations of the UK data privacy act and
European data protection regulations.
This policy does not apply to information collected on any third-party site. We inform you about third-party applications that may be active on our website, see 4.b below (“third party applications”).
Please read the following carefully to understand our policies and practices regarding your personal information and how we will treat it.
• The EU General Data Protection Regulation (GDPR).
2. Children under the age of 13
Our Websites are not intended for use by children under 13 years of age. No one under age 13 may provide any personal information to or on the Websites. We do not knowingly collect personal information from children under 13. If you are under 13, please do not register on the Websites, make any purchases through the Websites
or send any information about yourself to us. In the event that we learn that we
have collected personal information from a child under age 13 without verification of parental consent, we will delete that information. If you believe that we might have any information from or about a child under 13, please contact us at eu-compliance@ norwex.com
a. GDPR Stipulations:
Norwex thus complies with the General Data Protection Regulation (GDPR). Specifically, the GDPR states the following, per Article 8:
Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
3. Information we collect
a. Internet usage related information
We collect several types of information from and about users of our Websites, including:
information you provide to us, that we collect as you navigate through the Websites,
– traffic and location data, IP addresses, usage details through the use of certain technologies, including cookies and web beacons.
aa. IP Addresses
We collect details of your visits to our Websites. We only collect aggregate information, such as, for example, traffic data, logs and other communication data. The information we collect concerns the resources that you access, information about your computer and internet connection, including your IP address, operating system and browser type.
We strive to provide you with choices regarding the personal information you provide to us.
cc. Web Beacons
Web beacons (also known as pixel tags) are electronic images, contained on Websites that permit us to count users who have visited those pages and for other related Websites statistics (for example, recording the popularity of certain Websites content and verifying system and server integrity). Web beacons are not used to access your personal information on the Websites and are only used to compile aggregated statistics concerning use of the Websites.
b. Information required to deliver our services
We may collect and use the following information that you provide to us: Information that you provide by filling in forms on our Websites. This includes
information provided at the time of registering to use our Websites, subscribing to our services, posting material or requesting further services or information. We may also ask you for information when you enter a contest or promotion sponsored by us, and when you report a problem with our Websites;
Records and copies of your correspondence (including e-mail addresses), if you contact us.
Your responses to surveys that we might ask you to complete for research purposes, although you do not have to respond to them.
Details of transactions you carry out through our Websites and of the fulfilment of your orders. You may be required to provide financial information before placing an order through our Websites.
4. Our own uses made of the information
We use information that we collect about you or that you provide to us, including any personal information, in the following ways:
a. Internet usage related information (IP Addresses, Cookies, Web Beacons)
To present our Websites and their contents in a suitable and effective manner for you and for your computer, unless you have refused in case of cookie usage.
To provide you with information, products or services that you request from us.
For system administration purposes and to report non-personal aggregate information to our advertisers.
b. Information required to deliver our services
To carry out our contractual obligations, process and enforce our rights arising from any contracts entered into between you and us.
To allow you to participate in interactive features of our services, when you choose to do so.
c. Marketing and promotional purposes
We will use your data for marketing and promotional purposes in the following cases aa. and bb. only:
aa. Double-opt-in consent
We will use your data for direct marketing activities (Email, sms) where you have given an double-opt-in informed consent (which means that you have given us an informed consent to receive promotional information via email and sms and have confirmed this when a respective request has been sent to you via email or sms).
bb. Existing customers
If you are an existing customer we will send you Email and/or sms for direct advertising of our own similar goods or services if we have obtained your Email and/or sms data in connection with the sale of goods or services; and you have not objected to this use.
You will be clearly and unequivocally advised, when the address is recorded and each time it is used, that you can object to such use at any time, without costs arising by virtue thereof, other than transmission costs pursuant to the basic rates.
cc. Opt-out procedures / unsubscribing
You can also always opt-out of receiving e-mail information from us other than the
e-mail informing you of the completion of user registration, correction of user data, or change of password by sending us an e-mail stating your request to eu-compliance@ norwex.com.
If we have sent you a promotional e-mail, you may send us a return e-mail asking to be omitted from future e-mail distributions. Such unsubscribe requests will be honoured within less than ten (10) business days of such request and your data will be deleted. This opt out does not apply to information provided to Norwex as a result of a product downloads or purchase, warranty registration, product service experience or other transactions.
d. Sensitive data
Any use of sensitive data (such as health data, religious belief, political opinion) not required for the fulfillment of our contractual obligations will require your express consent.
e. Information Collected and Stored Automatically (Personal Information)
Users may be required to provide personal information into various form fields, and/or for purposes of searching, retrieving, and downloading data from any Norwex websites. If you choose to provide us with personal information, Norwex will use appropriate security controls for ensuring the protection of your personal data. Personal information which may be required when using various pages found on any Norwex websites may include any of the following:
General Data Protection Regulation
“Any information relating to an identified or identifiable natural person (i.e., a
“data subject”); an identifiable natural person is essentially somebody that can be identified, directly or indirectly, in particular by reference to an identifier via name,
an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
5. Choice and Consent
a. Limit the amount of Personal Data provided to Norwex
If you have a personal or business relationship with Norwex, you have the right to limit the types of personal data we store, process, and/or transmit. Please be advised if you limit the types of personal data, then this may result in the inability to fully process your data and provide the services we offer. Certain rights relating to erasure, rectification, and portability of data in regards to the GDPR are thus deemed in-scope for this
b. Opt-Out of Electronic Communications
You have the right opt out of receiving promotional messages from Norwex. Please note that even if you opt out of promotional messages, Norwex may still send you additional messages relating
to your account and other important information.
6. Disclosure of your information to third parties
a. Third parties / customer data aa. Data recipients
We only disclose personal information that you provide via this Website
- where necessary to fulfill the contractual obligations or
- where you have given your informed consent
To the following third parties:
To a member of our group – holding company and its subsidiaries and affiliates and
Direct contractors and service providers we use to support our business.
In the event (whether prospective or actual) of a merger, acquisition, or any form of sale of some or all of Norwex’s assets, in which case personal information held by Norwex’s about its customers will be among the assets transferred to the (prospective) buyer.
We may also disclose your personal information to third parties to comply with any UK
court order or other legal obligation. bb. Transfer standards
Where we commission a third party contractor to provide services on our behalf in accordance with our instructions, then, in addition to a service agreement comprising the work to be performed, the agreement will also refer to the obligations of the contractor as the party commissioned to process the data. These obligations shall set out the instructions of the customer concerning the type and manner of processing
of the personal data, the purpose of processing and the technical and organisational measures required for data protection in order to make sure that the standards of our data policy will apply to the third party, too.
The contractor will not be allowed to use the personal data (entrusted to it for performing the order) for its own or third-party processing purposes.
cc. US and EU data processing standards
If we transfer data to bodies that are headquartered in a third country or that transfer data across national borders, steps shall be taken to ensure that this data is transmitted properly. Appropriate data privacy and data security requirements shall be agreed
with the recipient before data is transmitted. In addition, personal data, particularly data collected in the EU or the EEA, shall only be transmitted to controllers outside of the European Union if the appropriate level of data privacy has been ensured, such as the EU standard contractual clauses or individual contractual agreements that
meet the relevant requirements of European law or the application of a Privacy Shield
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism
to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law (see the adequacy determination). On January 12, 2017, the Swiss Government announced the approval of the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States. See the statements from the Swiss Federal Council and Swiss Federal Data Protection and Information Commissioner.
The Privacy Shield program, which is administered by the International Trade
Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organisations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.- based organisation will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organisation makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organisations interested in self-certifying to the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework should review the requirements in their entirety. Key provisions of the Privacy Shield include, but are not limited, to the following:
• Safeguards related to intelligence activities will extend to all data transferred to the U.S., regardless of the transfer mechanism used.
• The Shield’s dispute resolution framework provides multiple avenues for individuals to lodge complaints, more than those available under the Safe Harbor and alternative transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules.
• An organisation’s compliance with the Privacy Shield will be directly and indirectly monitored by a wider array of authorities in the U.S. and the EU, possibly increasing regulatory risks and compliance costs for participating organisations.
• The Department of Commerce will significantly expand its role in monitoring and supervising compliance, including by carrying out ex officio compliance reviews and investigations of participating organisations.
• Participating organisations will be subjected to additional compliance and reporting obligations, some of which will continue even after they withdraw from the Privacy Shield.
Third party applications may be available via the website. The owners of these applications (“Third Party Owners”) may collect personally identifiable information from you and may have their own policies and practices. We will inform you about such applications, but we are not responsible for the policies or the practices of Third Party Owners or how they or their applications use your personally identifiable information. These Third Party Owners may have their own terms of service, privacy policies or other policies and ask you to agree to the same. You should review any available policies before submitting any personally identifiable information to a third party application.
The following third party applications are available via or will be used on our website:
aa. Google analytics
Our website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on
your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States.
Google will use this information on our behalf for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.
We have followed the procedures recommended by the UK Data Protection Authorities to protect your privacy, including measurements to anonymise/shorten your IP address as far as possible. Therefore your IP address will be shortened by the “IP-Anonymise”- function for the use within the European Union /European Economic Area, only in exceptional cases the full IP address will be transferred to and shortened in the United States.
You may refuse the use of your data using a browser plugin provided by google following this link: http://tools.google.com/dlpage/gaoptout?hl=en
Further information about the google privacy terms can be found at http://www.google.com/analytics/terms/gb.htmlor at http://www.google.com/intl/en_uk/analytics/privacyoverview.html.
7. Data security
a. Data security standards
We have implemented measures designed to secure your personal information from accidental loss and from unauthorised access, use, alteration and disclosure in accordance with Section 9 sentence 1 BDSG and Appendix. We take reasonable precautions to ensure that data collected from you is reliable, accurate, complete and current. All information you provide to us is stored on secure servers behind firewalls.
All payment transactions you make via our website are encrypted using SSL technology.
The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. We urge you to be careful about giving out information in public areas of the Websites like message boards. The information you share in public areas may be viewed by any user of the Websites.
b. Transmission via Internet
Unfortunately, the standard non-SSL-transmission of information via the internet is not encrypted. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
c. Your User Contributions
d. GDPR Security Requirements
All information accessed through any Norwex websites is in compliance with the required information security mandates of Article 32 of the GDPR. Specifically, Article 32 mandates the following:
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
o The pseudonymisation and encryption of personal data.
o The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
o The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
o A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
8. Your rights
You have the following rights of cost-free access to your data:
a. Access via account profile
You can review and update your personal information by logging into the Websites
and visiting your account profile page and making changes. If you have forgotten your password, once you have tried to register and failed, you can click on the “Forgot your password?” link to reach a page on which there is a link where you can submit your
e-mail address. b. Contacting us
9. GDPR Data Privacy Rights
Please be advised and aware of the following rights you have regarding your personal data for which Norwex is possibly storing, processing, and/or transmitting:
a. Right of Access
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
b. Right to Rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
c. Right to Erasure (“Right to be Forgotten”)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay when various grounds apply.
d. Right to Restriction of Processing
The data subject shall have the right to obtain from the controller restriction of processing when various grounds apply.
e. Right to Data Portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
f. Right to Object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is
based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Norwex shares information with the following vendors, thus such entities are to be readily aware of that aforementioned privacy policies:
• Logistic Center Weert B.V., Havenweg 16, 6006 SM Weert, The Netherlands.
• Rackspace Ashburn Data Center, 44480 Hastings Drive, Ashburn 20147, Virginia, United States of America.
• Global Collect, Planetenweg 43 - 59, 2132 HM, Hoofddorp, The Netherlands.
12. Contact information
firstname.lastname@example.org by regular mail at:
Norwex UK Ltd 4200 Waterside Centre, Solihull Parkway, Birmingham B37 7YN