The personal data we collect through our websites or when you purchase products from us or have other dealings with us may be transferred to, and stored in, a country operating outside the European Economic Area (EEA). Under the GDPR, the transfer of personal data to a country outside the EEA may take place where the European Commission has decided that the country ensures an adequate level of protection.
In the absence of an adequacy decision, we may transfer personal data provided appropriate safeguards are in place.
Some of the personal data we collect is processed in New Zealand (where our operations are located). New Zealand is recognised by the European Commission as a country that ensures an adequate level of data protection and we rely on this decision in transferring personal data from the EEA to New Zealand.
Transfers to our global distributors
As noted in our privacy policy, if you access and use our websites, purchase products from us or have other dealings with us, we may transfer personal data outside the EEA to our third party global distributors. Such transfers may be subject to an adequacy decision under Article 45, depending on the location of the distributor. If the distributor is not located in a country subject to an adequacy decision, transfers of personal data will be subject to adequate safeguards under Article 46 of the GDPR, namely, we have entered into Standard Contractual Clauses as published by the European Commission with our distributors. The Standard Contractual Clauses provide specific guarantees around transfers of personal data and we rely on the Standard Contractual Clauses in transferring personal data to our distributors located in countries without an adequacy decision.
Transfers to other third party processors
The personal data we collect is also processed by the third party processors set out below.
For personal data processed in the United Sates, the European Commission has determined that the United States ensures an adequate level of protection for personal data transferred from the EU to organisations in the United States under the EU-U.S. Privacy Shield. We have verified that our United States-based data processors have self-certified under the EU-US Privacy Shield framework.
For data held outside the EEA or the United States, we have entered into Standard Contractual Clauses as published by the European Commission with our third party processors.
List of third party processors as at 24 May 2018: