MUJI Website and In-store Privacy Policy

 

Introduction

Ryohin Keikaku Europe Ltd (“Muji”) respects your privacy and protects your personal data. This Privacy Policy explains how we process and protect your personal data when you visit our website (regardless of where you access it from). This Privacy Policy also explains how we process and protect your personal data when you visit our physical stores – in these circumstances, a different controller may be in charge of your personal data. We indicate who this is at 1 below (‘Controller’). This Privacy Policy is provided in an organised format so that you can click through to the areas listed below.

  1. Important information and who we are
  2. The data we collect about you
  3. How is your personal data collected?
  4. How we use your personal data
  5. Sharing your personal data
  6. Where we transfer your personal data
  7. Data storage
  8. Your rights
 

1. Important information and who we are

Purpose of this privacy policy

This Privacy Policy explains how Muji collects and processes your personal data when you use this website, including any data you may provide through this website when you sign up to receive Muji Mail, purchase a product or register an online account. It also explains how personal data may be collected from you in-store.

This website is not intended for children, and we do not intentionally collect data about children.

Controller

The relevant controller for the processing of your personal data is as set out below:

Processing Activities | Controller | Contact Details
Website | Ryohin Keikaku Europe Ltd | privacy@muji.co.uk; Bedford House, 21a John Street, London
UK stores | Ryohin Keikaku Europe Ltd | privacy@muji.co.uk; Bedford House, 21a John Street, London
France stores | RYOHIN KEIKAKU FRANCE S.A.S. | 21 Rue D’Artois, 75008 Paris; privacy@muji.fr
Germany stores | MUJI Deutschland GmbH | Kurfürstendamm 236, 10719 Berlin; datenschutz@muji.de
Italy stores | MUJI ITALIA S.p.A. | Largo Arturo Toscanini 1 (20122 Milano); privacy@muji.it
Spain stores | MUJI SPAIN, S.L. | c/Provenca, 292 2-1, Barcelona, 08008 España; gdpr@muji.es
Portugal stores | MUJI PORTUGAL, LDA | c/Provenca, 292 2-1, Barcelona, 08008 España; gdpr@muji.es
Finland stores | MUJI Finland Oy | Urho Kekkosen katu 1, 00100 Helsinki; privacy@muji.co.uk

If you wish to exercise your legal rights, per section 8 below, please contact the relevant controller noted above.

Ryohin Keikaku Europe Ltd is part of the Muji group of companies; further information can be found here. When we mention "Muji", "we", "us" or "our" in this Privacy Policy, we are referring to the Muji group company that is controller of your data. We have appointed a Data Protection Manager who is responsible for answering questions in connection with this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact them through the following contact details:

Contact details

DPM:

Email: privacy@muji.co.uk

Address: Bedford House, 21a John Street, London

Changes to the Privacy Policy and our obligation to inform you of changes

This Privacy Policy was last updated on 16/08/2024.

We will keep this Privacy Policy up to date and will notify you of any material changes. Any notification of changes to this Privacy Policy will be displayed on a banner at the top of our website for 30 days following the change.

 

2. The data we collect about you

We may process different types of personal data about you, in particular:

  • Identity Data includes your first name, surname, and date of birth.
  • Contact Details include the billing address, delivery address, e-mail address and telephone numbers.
  • Transaction Data includes details of payments to and from you and other details of products and services you have purchased from us.
  • Technical Data includes the Internet Protocol (IP) address, your login data, browser type and version, operating system and other technologies on the devices you use to access this website.
  • Account Profile Data includes your username and password, your purchases or orders, your interests, preferences, your feedback and your responses to surveys.
  • Usage Data contains information about how you use our website, products and services.
  • Marketing and Communications Data includes your preferences in receiving marketing materials from us and your preferred method of receiving such marketing communications.
  • CCTV Data includes images captured and recorded of you when you visit our stores. For more information on our use of CCTV, see 3 below ‘When you visit our stores’.

We also collect and use aggregated data, such as statistical or demographic data. Aggregated data may be derived from your personal data. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a particular part of the website. If we combine or connect aggregated data with your personal data so that we can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

If you do not provide us with any personal data

If we are required by law to collect personal data or we need personal data to enter into or perform a contract with you and you do not provide us with that data, we may not be able to perform the contract we have entered into or will enter into with you (for example, to deliver the goods you have ordered). In this case, we may have to cancel an order, but we will notify you at the relevant time if this is the case.

 

3. How is your personal data collected?

We use different methods to collect data from and about you, namely:

  • Direct communication: You may give us your Identity Data, Contact Details, Account Profile Data and Transaction Data as well as your Marketing and Communications Data by making a purchase, filling in forms or communicating with us in store, by post, phone, email or otherwise. This includes personal data that you share with us when you:
    • purchase our products;
    • create an account on our website;
    • sign up to receive our offers or notifications, including Muji Mail;
    • request advertising material;
    • participate in a competition, promotion or survey;
    • engage with us for customer service assistance; or
    • give us feedback.
  • Automated technologies or interactions: While you are visiting our website, we may automatically collect Technical Data and Usage Data about your device and browsing activities and behaviour. We collect this personal data through the use of cookies, server logs and other similar technologies. We may also receive Technical Data about you when you visit other websites that use our cookies. For more details, please see our Cookie Policy.
  • When you visit our stores: We may collect your image on a video surveillance system which our stores use for public safety reasons, for the protection of people and property, and for the prevention and detection of crime. We have an information circular about our use of video surveillance systems available on request and a video surveillance logo sufficiently visible in-stores to indicate that the store is a video-monitored establishment. The images captured by the cameras shall be limited to footage from inside our store. No images of the public road will be captured except for a minimum strip of the entrances to the stores and sufficient signs with a video surveillance logo are also visible here. The recording system shall be located in a guarded or restricted location. The images obtained will only be accessed by an authorised person and will be [kept for a maximum period of 14 days from their capture unless they are to be retained for a longer period in the context of investigative proceedings].
  • Third parties or publicly available sources: We may receive personal data about you from various third parties as described below:
    • Technical data from the following parties:
      • [Providers of web analytics and advertising services, such as Google and Meta;
      • Search engine providers such as Google.]
    • Contact, credit and transaction data from providers of technical, payment and delivery services such as Barclaycard based in the EU.
 

4. How we use your personal data

We will only process your personal data where we have a lawful basis to do so. In the most common cases, we will use your personal data where:

  • It is necessary for us to process your personal data in order to perform our contract with you, or to take steps at your request prior to entering into a contract with you.
  • This is necessary for our legitimate interest (or that of a third party) and that interest is not overridden by your own interests, rights or freedoms.
  • We have to fulfil a legal obligation.
  • We have your consent.

Purposes for using your personal data

We have described below in table form how we use your personal data and the legal basis for this processing. Where necessary, we have also stated our legitimate interest in doing so. Please contact us if you need further details about the legal basis we are relying on to process your personal data where more than one basis is set out in the table below.

Purpose | Types of data | Legal basis for processing including the basis of legitimate interest
Registration and creation of an account on our website as a new customer | (a) Identity Data; (b) Contact details | Fulfilment of a contract with you (Article 6(1)(b) GDPR)
Processing and delivery of your order including: (a) administration of payments, costs and charges; (b) organising delivery of the products | (a) Identity Data; (b) Contact details; (c) Transaction Data | Fulfilment of a contract with you (Article 6(1)(b) GDPR)
Managing our business relationship with you, which includes: (a) notifying you when our contact details, terms and conditions or privacy policy change; (b) responding to any customer service queries or complaints you may have; (c) administering and maintaining your account | (a) Identity Data; (b) Contact details; (c) Transaction Data; (d) Account Profile Data | (a) Fulfilment of a contract with you (Article 6(1)(b) GDPR); (b) Necessity to fulfil legal obligations that require us to notify you of changes in our terms and this Privacy Policy (under UK consumer laws and the GDPR); (c) Necessary for our legitimate interests (for communicating with you for the purposes of providing effective customer service and handling any complaints you may have) (Article 6(1)(f) GDPR)
Enabling participation in a review, prize draw, competition or survey | (a) Identity Data; (b) Contact details; (c) Account Profile Data | (a) Consent (Article 6(1)(a) GDPR); (b) Necessary for our legitimate interests (for the purposes of contacting you to ask for feedback about your experience or to participate in a survey (where your consent is not required)) (Article 6(1)(f) GDPR); (c) Fulfilment of a contract with you (when you participate in prize draws or competitions) (Article 6(1)(b) GDPR)
Administering and protecting our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity Data; (b) Contact details; (c) Technical data; (d) Usage Data; (e) Transaction Data; (f) Account Profile Data | (a) Necessary for our legitimate interests (for our ongoing business operations, the provision of administrative and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring) (Article 6(1)(f) GDPR); (b) Necessary to comply with a legal obligation where laws in the EU or UK require us to prevent and detect fraud and other criminal activities (Article 6(1)(c) GDPR)
Undertaking data analytics to improve our products and services and to provide a personalised experience through appropriate website content and targeted advertising and determining or evaluating the impact of advertising in accordance with our Cookie Policy | (a) Identity Data; (b) Contact Details; (c) Account Profile Data; (d) Transaction Data; (e) Usage Data; (f) Marketing and Communications Data; (g) Technical Data | (a) Consent (Article 6(1)(a) GDPR)
Making suggestions or recommendations regarding goods or services that may be of interest to you (profiling and automated processing) | (a) Identity Data; (b) Contact Details; (c) Technical Data; (d) Usage Data; (e) Account Profile Data | (a) Consent (Article 6(1)(a) GDPR)
Ensuring public safety, the protection of our customers, employees and property, and undertaking the prevention and detection of crimes | (a) CCTV Data | Necessary for our legitimate interests (to maintain the safety and security of our customers and employees and to protect our business interests in preventing theft or other antisocial behaviour) (Article 6(1)(f) GDPR)

Please note: In accordance with Article 21 (2) of the EU General Data Protection Regulation ("GDPR"), you have the right to object to the processing of your personal data for marketing purposes, including the profiling described above. Please refer to the subsection "Your rights" for a detailed explanation of your rights and how you can assert them.

Where we process personal data on the basis of a legitimate interest, then – as required by data protection law – we have carried out a balancing test to document our interests, to consider what the impact of the processing will be on individuals and to determine whether individuals' interests outweigh our interests in the processing taking place. You can obtain more information about this balancing test by using the contact details at the end of the Privacy Policy.

Cookies

Using your browser settings, you can choose to reject all but strictly necessary cookies or selected browser cookies or to be notified when websites use or access cookies. If you disable or refuse cookies, please note that you may not be able to access some parts of this website or it may not function properly. For more information about the cookies we use, please see our Cookie Policy.

 

5. Sharing your personal data

Internal third parties

We will share personal data that we collect from you with other companies in the Muji group (click here for more information) for the purposes described in this Privacy Policy, in particular to help us operate, improve and develop our services.

External third parties

Personal Data Category | Category of Recipient | Why?
All categories of data may be shared | Third party service providers | We employ other companies and individuals to perform functions on our behalf. Examples include website hosting and maintenance, customer service operations, fulfilling orders for products or services, analytics, delivering packages, sending e-mail marketing, targeted advertising, processing payments, survey providers and CCTV provision.
All categories of data may be shared | Professional advisors | During the course of our business, we engage professional advisors to assist us, including lawyers, bankers, auditors, who provide consulting, banking, legal, insurance and accounting services.
All categories of data may be shared | Governmental agencies, courts, law enforcement and fraud prevention agencies | To prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable law.
All categories of data may be shared | Prospective buyers, transferees or merger partners and their advisers in connection with an actual or potential transfer or merger of part or all of Muji’s business or assets or to enter into a merger with another business. | In the event that the business is sold or integrated with another business, your details will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business.

Where we do share your personal data with third parties who supply services to us, we require all third parties to apply appropriate security measures to your personal data and to use it in accordance with the law.

 

6. Where we transfer your personal data

We share your data within the Muji group of companies and to the external third parties set out above. This includes the transfer of your data outside the European Economic Area (EEA), in particular to Japan.

If we transfer your personal data outside the EEA, we will ensure that a similar level of protection is afforded to it by ensuring that at least one of the following safeguards is in place:

  • We will only transfer your personal data to countries deemed by the European Commission or the UK government (as applicable) to provide an adequate level of protection for personal data – such as when we transfer your personal data to Japan. Further details can be found here (EU adequacy decisions) and here (UK adequacy decisions).
  • When we use certain service providers, we use specific standard contractual clauses recognised by the European Commission or the Information Commissioner’s Office in the UK (as applicable) to ensure that personal data is protected in the same way as in Europe.

Please contact us if you would like further information on the specific mechanism used by us when we transfer your personal data outside the EEA.

 

7. Data storage

How long will my personal data be used?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements, plus a reasonable period in order to take into account the applicable legal retention requirement or statute of limitation period, or otherwise as required for our purposes described above. You may be able to ask us to erase your data; see ‘your rights’ for more information.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Specifically, where we process personal data to enable you to have an account with us, we do this for as long as you are an active user of our sites and for 1 year after account closure. We keep order fulfilment records for 6 years from completion of your order and order confirmations, delivery forms and delivery requests for 1 year.

Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data for 6 years after the consent is withdrawn so that we can respect your request in future.

Where we process personal data for site security purposes, we retain it for the current year plus 1 year. Where we process CCTV Data, this is [retained for 14 days unless they are to be retained for a longer period in the context of investigative proceedings.]

Where we process personal data in connection with performing a contract, we keep the data for [6 years from your last interaction with us.]

Where we process personal data as part of providing technical support and responding to customer support requests, we keep the data for 3 years from the end of the support ticket.

In certain circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes. In this case, we may use this information indefinitely without notifying you.

 

8. Your rights

You have various rights in relation to your personal data:

  • to request information about your personal data (also known as an "access request to stored data"). This enables you to obtain a copy of the personal data we hold about you.
  • to request the correction of your personal data that we have stored about you. This enables you to correct any incomplete or inaccurate data that we hold about you.
  • to request the erasure of your personal data. This enables you to have personal data erased or removed where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data if you have successfully exercised your right to object to processing (see below). This right also applies where we may have processed your information without a legal basis or where we need to erase your personal data to comply with applicable law.
  • to object to the processing of your personal data if we are relying on a legitimate interest (or that of a third party) and you wish to object to the processing on grounds relating to your particular situation. You also have the right to object if we process your personal data for direct marketing purposes and are not relying on consent to do so, or where we are performing a task in the public interest.
  • to request the restriction of the processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following situations: (a) where you want us to establish the accuracy of the data; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to continue to store the data even though we no longer need it because you have a legal claim or defence; or (d) where you have objected to our processing of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • to request, using the right of data portability, the transfer of your personal data to you or to a third party. We will provide to you, or your chosen third party, your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for us to use, or where we used the information to fulfil a contract with you.
  • to withdraw your consent at any time if your consent is the basis for the processing of your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may no longer be able to provide you with certain products or services. We will inform you if you withdraw your consent.
  • for individuals in France only: to instruct us regarding the use of your personal data after your death. This right enables you to instruct us on the processing (retention, deletion, and disclosure) of your personal data after your death. You can change or revoke such instructions at any time.

These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep. If you wish to exercise any of these rights, please contact us at the contact details set out above. If you have unresolved concerns, you have the right to complain to a data protection authority in the country that you reside in, the country of your place of work or the country where the alleged infringement took place.

Fees

Generally, you will not have to pay a fee to access your personal data or to exercise other rights. We may exceptionally charge a reasonable fee if your request is clearly unfounded or repetitive.

What we might need from you

We may need certain information from you to help us verify your identity before we respond to an enquiry. This is a security measure to ensure that personal data is not disclosed to unauthorised persons. We may contact you to ask you for further information regarding your enquiry so that we can speed up the process.

Time frame for a response

We endeavour to respond to all enquiries without undue delay, and at the latest within one month. Occasionally it may take longer than a month if, for example, your enquiry is particularly complex or you have made a number of enquiries. In this case, we will notify you and keep you informed.