Lush California and Canada Personnel Privacy Policy
Effective November 29th, 2024
1. Scope and Applicability
Lush Fresh Handmade Cosmetics Ltd, Lush Ltd., Lush USA Inc., Lush Handmade Cosmetics LLC, Lush Cosmetics Puerto Rico LLC and its related parties, subsidiaries, and affiliates (referred to as ‘The Lush Group’, ‘Lush’, ‘our’, ‘we’, ‘us’) are committed to protecting the privacy and security of your personal information.
This Lush California and Canada Personnel Privacy Policy applies to all Lush job applicants, full-time and part-time employees, agency workers, (self-employed) contractors, and individuals who apply to work for or have worked with us (collectively, a “personnel”) within Canada and California.[1]
[1] This Lush California and Canada Personnel Privacy Policy does not form part of any contract of employment or other contract to provide services.
This Lush California and Canada Personnel Privacy Policy sets out our policies and procedures for the collection, use, retention and disclosure of your personal information during and before your working relationship with us. The policies and procedures described within this Lush California and Canada Personnel Privacy Policy are designed to ensure compliance with requirements of relevant Canadian and California privacy laws. If you are a California resident, the main terms do not apply; please see the California-specific privacy notice attached to this Lush California and Canada Personnel Privacy Policy as Addendum I for additional information about your rights under California law and how to exercise such rights.
2. The Information We Hold About You
What is Personal Information?
For the purpose of this Lush California and Canada Personnel Privacy Policy, personal information, or personal data, is any information/data that identifies, relates to, or could reasonably be linked to an individual, or identify an individual, directly or indirectly.
Personal information does not include:
- Data where the identity has been removed (anonymized, aggregated, or de-identified information/data)
- Business contact information such as a personnel’s name, titles, business address, business telephone number, or business email address(es) that is collected, used or disclosed solely for the purposes of their employment or profession
- Work product information prepared or collected by a personnel as part of their employment responsibilities
The Categories of Personal Information About You that We May Collect, Store, Disclose, and Use:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
- Date of birth.
- Gender.
- Marital status and dependents.
- Next of kin and emergency contact information.
- Canadian Social Insurance Number (SIN) or United States Social Security Number (SSN)
- Birth certificates or drivers’ licences to confirm identity.
- Driving permit forms for roles which require driving.
- Bank account details, payroll records and tax status information.
- Salary, annual leave, pension and benefits information.
- Start date and, if different, the date of your continuous employment.
- Leaving date and your reason for leaving.
- Location of employment or workplace.
- Copy of passport and right to work documents such as work visas.
- Recruitment information and Resume or Curriculum Vitae (CV) including, but not limited to, copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process.
- Employment records (including job titles, work history, working hours, holidays, training records and professional memberships).
- Compensation history.
- Performance information.
- Disciplinary and grievance information.
- CCTV footage and other information obtained through electronic means such as swipe card and fob records.
- Information about your use of our information and communications systems.
- Photographs and videos
- Results of CAR and IRS employment status check, details of your interest in and connection with the intermediary through which your services are supplied.
- Information about your health, including any medical condition, health and sickness records, including:
  - Where you leave employment and under any share plan operated by a group company the reason for leaving is determined to be ill-health, injury or disability, the records relating to that decision;
  - Information detailing a workplace injury or accident;
  - Details of any absences (other than holidays) from work including time on sick leave; and
  - Where you leave employment and the reason for leaving is related to your health, information about that condition needed for pensions and permanent health insurance purposes.
- Information about criminal convictions and offences if you are legally required to inform us.
3. How Your Information Is Collected
We will collect your personal information in order to establish and maintain our working relationship with you. Your personal information will be collected either directly from you or from other sources with your consent or where permitted or required by law.
We collect personal information about individuals who work or apply to work for us, whether employed or not (for instance, employees, workers, contractors, agency workers, etc.) through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check providers. We may sometimes collect additional information from third parties including former employers or credit reference agencies.
We may also collect personal information from the trustees or managers of pension arrangements operated by a group company.
We will collect additional personal information in the course of job-related activities throughout the period of you working for us.
4. How We Will Use Information About You
We will only use your personal information as necessary to fulfil our working contract with you and as allowable by law. Purposes for collecting and using your personal information include, but are not limited to the following:
- Where we need to perform the contract we have entered into with you.
- When we need to assess your candidacy for employment (i.e. information on resumes and application forms, results of criminal record checks, and so on).
- In order to administer compensation and payroll processing.
- When we need to contact the personnel or designate(s) outside of work (i.e. health emergencies).
- To offer, authorize or administer benefits.
- Where we need to comply with a legal obligation.
- Where it is necessary for the purposes of the legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests.
- In order to provide performance management (i.e. performance reviews, corrective/disciplinary action).
- Where we need to provide you workplace accommodation or travel.
- When you participate in training and further education.
- In order to investigate workplace safety concerns or complaints.
- Where you have given consent to processing your personal information.
- Where we need to carry out legal or compliance obligations (i.e. in response to a search warrant or other legally valid inquiries or orders) or exercise rights in connection with employment.
- When we need to communicate with you such as to share important or relevant company information, policies, and announcements.
- Where processing is necessary for provision of health care or treatment, medical diagnosis, and assessment of your working capacity.
- Processing is necessary for the purpose of establishing, making or defending legal claims.
- We process sensitive personal data for equality and diversity purposes to the extent permitted by law.
- Processing relates to data about you that you have made public (e.g. if you tell colleagues that you are ill).
- We must comply with employment or other laws, such as recording information related to leaves of absence, including sickness absence or family related leaves.
- We want to ensure the health and safety in the workplace and provide appropriate workplace adjustments where necessary.
- Processing is necessary to administer benefits including statutory pay (i.e. maternity or sick), pensions, and permanent health insurance.
Some of the above grounds will overlap and there may be several grounds which justify our use of your personal information.
We may need all the categories of information listed in Section 2: The Information We Hold About You of this Lush California and Canada Personnel Privacy Policy. We use this information in accordance with applicable laws and primarily for the purpose of carrying out our contract with you and to comply with our legal obligations.
A. Do we need your consent?
In general we do not need your consent if we use special categories of your personal information in accordance with this Lush California and Canada Personnel Privacy Policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances (i.e. occasions where we do specific things such as providing a reference or obtaining medical reports), we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
B. If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
C. Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you, explain the legal basis for this decision, and seek additional consent to allow us to do this.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
D. Information about criminal convictions and offences
We may only use information relating to criminal convictions where the law requires us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy. Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
In general, we do not envisage that we will hold information about criminal convictions.
We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally obliged to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us. We will only use information about criminal convictions and offences where the processing is authorised by the law providing for appropriate safeguards for your rights and freedoms.
5. Disclosing Your Personal Information
We may have to share your data with third parties, including third-party service providers and other entities in the group. We require third parties to respect the security of your data and to treat it in accordance with the law. We may transfer your personal information outside of the province or country in which you reside to members of our Group and/or processors. If we do, you can expect the same level of protection in respect of your personal information.
Why might you share my personal information with third parties?
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Specific circumstances in which your personal data may be disclosed include:
- Disclosure to organizations that process data on our behalf such as our payroll service, insurers and other benefit providers, our bank and organizations that host our IT systems and data;
- Disclosure to external recipients of electronic communications (such as emails) which contain your personal data;
- Disclosure on a confidential basis to a potential buyer of our business or company for the purposes of evaluation – but only if we were to contemplate selling;
- Disclosure to respond to law enforcement agency requests or where required by applicable laws, pursuant to court orders, or arbitral or tribunal orders or rules of procedure, or to government regulations departments or agencies or regulatory bodies (including disclosures to tax and employment authorities, employment and any other regulatory bodies);
- Disclosure on a confidential basis to our advisers for example to our lawyers for the purposes of seeking legal advice or to further The Lush Group’s interests in legal proceedings and to our accountants for auditing purposes;
- Disclosure to our insurers;
- Disclosure of aggregated and anonymised diversity data to relevant regulators as part of a formal request.
How secure is my information with third-party service providers and other entities in our group?
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes without your prior consent. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
When might we share my personal information with other entities in the Lush Group?
We may share your personal information with other entities in our group as part of our regular business activities, such as reporting on company performance, system maintenance support and communication. We will share personal data relating to your participation in any pension arrangements operated by a group company with other entities in the group for the purposes of administering share plans.
What about other third parties?
We will never knowingly sell your personal information to other third parties. However, we may need to share your personal information with a regulator or to otherwise comply with the law such as local regulatory authorities, or law enforcement in accordance with various laws.
Transferring information outside of Canada and Quebec
Where necessary in order to deliver our services, we may transfer personal information to countries/provinces/states outside of Canada and Quebec. When doing so, we will comply with our legal and regulatory obligations in relation to the personal information including having a lawful basis for transferring personal information and putting appropriate safeguards in place (i.e., Standard Contractual Clauses) to ensure an adequate level of protection for the personal information.
If you require further information about the security arrangements, you can request it by writing to [email protected]
6. Data Security
We use procedures, practices and technical and physical measures appropriate to the sensitivity of your personal information, to protect it against loss, unauthorized access, disclosure, duplication, use or modification.
We use technical and physical security measures such as passwords, encryption, multi-factor authentication, security monitoring software, and secure cloud storage and restrict access to our offices.
We restrict access to your personal information for those individuals and parties on a business, need-to-know basis. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. We regularly train our personnel on information-security and privacy best practices and ensure the third parties we work with also provide data security and privacy training to their employees.
When we need to disclose personal information to third parties for processing, we contract with these third parties to ensure that they safeguard personal information in a way that is consistent with our privacy principles, procedures and practices. Third parties will only be given the information necessary to perform the services set out in our contract with them.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
7. Data Retention: How long will we use your information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
8. Your Rights, Your Choices
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us in order to ensure the accuracy of your personal information is maintained.
Your rights in connection with personal information
Under certain circumstances and within Canada and Quebec, by law you have the right to:
- Request access to your personal information. This enables you to receive a copy of the personal information we hold about you.
- Request correction of your personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where we no longer have a legal obligation to continue to store or process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to opt out of how we might process your personal information for direct marketing purposes, such as unsubscribing from marketing emails.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
- Make a complaint with the relevant Privacy Commissioner in Canada. While you have the right to make a complaint at any time to the relevant Privacy Commissioner, we would, however, appreciate the chance to deal with your concerns before you approach them so please contact us in the first instance.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact your department manager in writing. Please note that, depending on what state/province/country you live in, you might not have the ability to exercise certain rights listed above.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
9. Right to Withdraw Consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact your department manager. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. Withdrawing your consent will not affect the lawfulness of what we have done before you do so.
10. Contact Details and Challenging Compliance
In processing your personal data, we act as a data controller but please note that other entities within The Lush Group with which we share data for business administration purposes will also be considered data controllers. If you need any accessibility requirements in order to read and understand this policy, or if you have any questions or concerns about this Lush California and Canada Personnel Privacy Policy or other data protection related queries, please contact Lush’s Privacy Officer using the contact information below:
In North America:
Lush Fresh Handmade Cosmetics
8860 Cambie Street, Vancouver, British Columbia, Canada V6M 6P9
Attention: Privacy Officer
1-888-733-5874
11. Changes to this Lush California and Canada Personnel Privacy Policy
We reserve the right to update this Lush California and Canada Personnel Privacy Policy at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
ADDENDUM I - CALIFORNIA PERSONNEL NOTICE
Under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), we are required to notify you that we collect certain personal information in connection with your employment, application for employment or independent contractor relationship. This privacy notice solely applies to personnel, who are California residents. To the extent there is any inconsistency between the main terms of the Lush California and Canada Personnel Privacy Policy and this Addendum I, this Addendum I shall govern. For purposes of this Addendum I, “personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
We collect, use and disclose the following categories of personal information regarding personnel and their emergency contacts and beneficiaries. Below the categories of personal information collected are the categories of third parties to whom the personal information is disclosed; all categories of personal information listed below are disclosed for business purposes.
Categories of Personal Information Collected
- Name,
- alias,
- postal address,
- unique personal identifier (e.g., employee identification number),
- online identifier,
- Internet Protocol address (IP address),
- email address,
- social security number,
- driver’s licence number,
- passport number,
- state identification card number or other similar identifiers,
- signature,
- telephone number,
- insurance policy number,
- education information,
- employment,
- employment history,
- bank account number or any other financial information,
- medical information, or health insurance information,
- characteristics of protected classifications under California or federal law (e.g., race, color, national origin, gender (including pregnancy), disability, age (e.g., at least 40 years old), citizenship status, gender identity and gender expression)
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding interaction with an internet web site or application
- Geolocation,
- Audio, electronic, visual, or similar information
- Professional or employment-related information
Third Parties to whom Personal information is Disclosed
- Third-party service providers including, but not limited to, payroll service providers, insurance and other benefit providers, data storage providers, our bank, and organizations that host our IT systems
- Members of our Group, including but not limited to our parent company, subsidiaries, affiliates or other related companies
- Government or law enforcement agencies to comply with legal obligations or valid legal processes such as search warrants, subpoenas or court orders; and to protect our rights and property or protect the rights, property or safety of others
- Buyers/acquirors in the event of a corporate transaction, including but not limited to a divestiture, merger, consolidation, or asset sale, or in the unlikely event of bankruptcy
We collect, use and disclose the following categories of sensitive personal information regarding personnel and their emergency contacts and beneficiaries; all categories of sensitive personal information listed below are disclosed for business purposes:
Categories of Sensitive Personal Information Collected
- Personal information that reveals social security, driver’s license, state identification card, or passport number
- Personal information that reveals account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- The contents of mail, email or text messages, where Lush is not the intended recipient of the communication
- Personal information that reveals racial or ethnic origin, or union membership
- Personal information collected and analyzed concerning an individual’s health
Categories of Third Parties to whom Sensitive Personal information is Disclosed
- Third-party service providers including, but not limited to, payroll service providers, insurance and other benefit providers, data storage providers, our bank, and organizations that host our IT systems
- Members of our Group, including but not limited to our parent company, subsidiaries, affiliates or other related companies
- Government or law enforcement agencies to comply with legal obligations or valid legal processes such as search warrants, subpoenas or court orders and to protect our rights and property or protect the rights, property or safety of others
- Buyers/acquirors in the event of a corporate transaction, including but not limited to a divestiture, merger, consolidation, or asset sale, or in the unlikely event of bankruptcy
Lush does not use or disclose the above sensitive personal information for any purpose other than those permitted under the CCPA.
The personal information, including the sensitive personal information, described above is collected directly from you when you apply for employment and during your employment or from other sources, including, but not limited to, third parties for reference checks (e.g., past employers), recruitment agencies, background check agencies, and the trustees or managers of pension arrangements.
We use the personal information, including the sensitive personal information, described above only for business purposes related to your employment or independent contractor relationship. Those purposes may include, but are not limited to the following:
- Where we need to perform the contract we have entered into with you.
- When we need to assess your candidacy for employment (i.e. information on resumes and application forms, results of criminal record checks, and so on).
- In order to administer compensation and payroll processing.
- When we need to contact the personnel or designate(s) outside of work (i.e. health emergencies).
- To offer, authorize or administer benefits.
- Where we need to comply with a legal obligation.
- Where it is necessary for the purposes of the legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests.
- In order to provide performance management (i.e., performance reviews, corrective/disciplinary action).
- Where we need to provide you workplace accommodation or travel.
- When you participate in training and further education.
- In order to investigate workplace safety concerns or complaints.
- Where you have given consent to processing your personal information.
- Where we need to carry out legal or compliance obligations (i.e. in response to a search warrant or other legally valid inquiries or orders) or exercise rights in connection with employment.
- Where processing is necessary for provision of health care or treatment, medical diagnosis, and assessment of your working capacity.
- Where processing is necessary for the purpose of establishing, making or defending legal claims.
- We process sensitive personal information for equality and diversity purposes to the extent permitted by law.
- Where processing relates to data about you that you have made public (e.g. if you tell colleagues that you are ill).
- We must comply with employment or other laws, such as recording information related to leaves of absence, including sickness absence or family related leaves.
- We want to ensure the health and safety in the workplace and provide appropriate workplace adjustments where necessary.
- Where processing is necessary to administer benefits including statutory pay (i.e. maternity or sick), pensions, and permanent health insurance.
We will retain the personal information, including sensitive personal information, described above as long as necessary to fulfil the purpose for which it was collected, or as required by applicable laws or regulation.
CCPA Rights
As a California resident, you have the following rights under the CCPA:
Right to Know: You have the right to request that we disclose certain information to you about our collection and use of certain personal information, including sensitive personal information, about you as described below:
- The specific pieces of personal information collected;
- The categories of personal information collected;
- The categories of sources from whom the personal information is collected;
- The purpose for collecting, selling or sharing the personal information;
- The categories of third parties with whom we have disclosed the personal information;
- The categories of personal information that we have sold or shared, and the categories of third parties to whom the personal information was sold or shared, by category or categories of personal information for each third party to whom the personal information was sold or shared;
- The categories of personal information that we disclosed for a business purpose and the categories of persons to whom it was disclosed for a business purpose.
Right to Delete: You have the right to request that we delete your personal information, subject to certain exceptions.
Right to Correct Inaccurate Personal Information: You have the right to request that we correct inaccurate personal information we maintain about you, taking into account the nature of the personal information and the purposes of the processing of the personal information.
Right to Opt-Out of Sale or Sharing: Lush does not sell or share (as such terms are defined under the CCPA) your personal information. Lush does not have actual knowledge that it sells or shares such information of children under 16 years of age.
Right to Limit the Use and Disclosure of Sensitive Personal Information for Certain Purposes: As stated above, we do not use or disclose your sensitive personal information for any purpose other than those permitted under the CCPA.
Freedom from Discrimination: You have the right not to receive discriminatory treatment for exercising your rights above, including not to be retaliated against for exercising such rights.
To exercise the rights above, you must submit a verifiable request to us by calling us at 1-888-733-5874 or by visiting our contact us page. To submit a verifiable request, you will be asked to provide certain information to help us verify your identity. The information we ask you to provide to initiate a request may differ depending upon the type of request, the type, sensitivity and value of the personal information that is the subject of the request, and the risk of harm to you that may occur as a result of unauthorized access or deletion, among other factors.
You may designate an authorized agent to make a request on your behalf by providing the agent with signed written permission to do so.
Contact
If you have any questions regarding the information contained in this Addendum I, please contact us at:
Attention: Privacy Officer
1-888-733-5874
Changes to Our Notice
We reserve the right to update this Addendum I at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.