Privacy Notice for Suppliers and other Business Partners

The Lyko Group is an international chain of hair care and beauty specialists who are
passionate about beauty. When maintaining our business relationship with our
suppliers and business partners we use certain personal data of their contact
persons. This privacy notice explains how and why we use such personal data. You
can learn about our policies and practices regarding the collection and use of your
personal data as well as your privacy rights.


1. Introduction

Welcome to Lyko! Lyko is an international chain of hair care and beauty specialists who are
passionate about beauty! This Supplier Privacy Notice applies to Lyko’s processing of the
personal data of our suppliers and business partners’ contact persons within our collaboration.
With Lyko we are referring to Lyko Group AB, org. nr. 556975-8229, as the legal entity
responsible for the processing of your personal data. With regard to certain aspects of our
collaboration, Lyko Group AB acts via different affiliated group entities such as Lyko Sverige
AB or Lyko Operations AB. Lyko Group AB and its affiliated companies are for the purpose of
this Privacy Notice individually or collectively referred to as “Lyko”, “we” or “us”.
This Supplier Privacy Notice sets forth your privacy rights and describes our policies and
practices regarding our collection and use of your personal data, when you communicate or
enter into agreements with us and when you use our services within our collaboration which
are offered via Lyko.com or the Lyko App, according to applicable Data Protection Legislation.
Applicable Data Protection Legislation will, for the purpose of this Notice and our processing
of your personal data, be Regulation (EU) 2016/679, the General Data Protection Regulation
(‘GDPR’). The terms and concepts used in this Notice shall have the same legal scope and
meaning as in the GDPR.
We understand and acknowledge that privacy is an ongoing responsibility. We will therefore
from time to time update this Supplier Privacy Notice as we undertake new personal data
practices or adopt new privacy policies.


2. Our principles

2.1 We do our best to protect your privacy by using security technology appropriately.
This means that:

  • We make sure that we have appropriate security measures to protect your
    information.
  • We make sure that when we ask another company to provide a service for us, they
    have appropriate security measures.
  • We will collect and use your personal data only if we have your permission or we
    have sensible business reasons for doing so, such as for marketing purposes.
  • We will be clear and transparent regarding what personal data we collect and
    how we will use it.
  • We will use personal data for the purposes for which it was collected.
    Privacy Notice for Suppliers and other Business Partners 26 February 2025
  • We will make sure we keep your personal data no longer than necessary and that
    we delete it securely.

2.2 If we or our service providers transfer any information out of the European Union and
European Economic Area (EEA), it will only be done with the relevant protection (stated
under applicable data protection legislation) in place. This includes, for example, the
standard contractual clauses approved by the European Commission for data transfers
to third countries (the so-called ‘SCCs’) with the necessary safeguards in the
agreements with our sub-processors.

3. Personal data that we collect

3.1 Collection of personal data

Lyko collects personal data from you in your role as a representative/contact person of
our supplier or other business partner, such as your name, email address, telephone
numbers and other information that you provide us with in order to conduct business.

3.2 Personal data you provide to us

When you negotiate or enter into an agreement with us as a company representative,
we will process personal data necessary to proceed with and fulfill the agreement.

4. How and why we use your personal data

4.1 We use your personal data for the purposes described below

4.2 Managing business partner and supplier relationship. We process your personal data
to manage our relationship with our suppliers and other business partners, such as
entering and performing under agreements.

Legal basis: We use your personal data to enter into or to fulfill a contract (art. 6.1(b)
of the GDPR).

4.3 Security: We use visitor data to protect the security of our products, services and
customers, to detect and prevent fraud and to resolve disputes and to enforce our
agreements.

Legal basis: We carry out this processing because it is necessary for our legitimate
interest to protect our systems and services (art. 6.1(f) GDPR).


4.4 Communication with you: As is mentioned above in section 3, certain information that
you provide to us when you contact us is stored and processed in order to best manage
your inquiry with us and manage any issues.
Legal basis: This processing is carried out to reply to your requests and to fulfil our
contract obligations (art. 6.1(b) GDPR) and legal obligations (art. 6.1(c)
GDPR).

4.5 Marketing communication: We process your contact information to provide you with
marketing opportunities such as possibilities to host an event or collaborate with us for
a particular campaign.

Legal basis: We use your contact information as necessary to perform and fulfill our
obligations and services to you under our contract (art. 6.1(b) of the
GDPR). Note – you will not be subjected to marketing as a customer in
your role as a business representative.


4.6 Marketing of your brand and products via Lyko Community:

Lyko Community is a social media platform for our Club members offered via our
website or in the Lyko App where you as a representative of our supplier or other
business partner can promote your brand and products by uploading photos, videos or
product reviews which might be personal data under the GDPR. You can even organize
competitions for other users.

Legal basis: We process your personal data to the extent necessary to offer you the
performance of marketing activities via our social media platform and
thereby fulfill our contract with you (art. 6.1.(b) GDPR).

When you use Lyko Community, you accept that Lyko receives a perpetual license to
your comments, reviews, photos, videos or other activities that you post and share in
the Lyko Community. This means that everything you share in the Lyko Community
may be used for marketing purposes by Lyko. If we ever want to use something you
post or share, which includes a picture or film where your person can be distinguished
(for example, your face), we will ask for your express permission.

Legal basis: We might process your personal data for our own marketing purposes
based on our legitimate interest (art. 6.1.(f) GDPR) to promote our
business and brand or based on your consent where applicable (art.
6.1.(a) GDPR).

4.7 Legal Obligations:

We process your personal data, if any, to fulfill legal obligations, such as fulfillment of
payment, bookkeeping, accounting and taxation rules.
Legal basis: This processing is necessary to fulfill a legal obligation (art. 6.1(c) of the
GDPR).

4.8 Other Purposes:
If we intend to use any personal data in any manner that is not consistent with this
Supplier Privacy Notice, you will be informed of such anticipated use prior to or at the
time the personal data is collected, or we will obtain your permission subsequent to
such collection but prior to such use.

5. When and how we share information with others

5.1 We share your personal data when it is necessary for the completion of any transaction
or for the performance of any contract, or when we have sensible business reasons for
doing so.

5.2 We may share your personal data with other companies within the Lyko Group in order
to fulfill our agreements or to provide our services. We may also disclose your personal
data to third parties if we have good reasons to believe that access, use, retention or
disclosure of such information is reasonably necessary to:

  • comply with any court order, governmental order or decision, or other legal
    obligation,
  • enforce or apply our agreements,
  • manage and maintain the security of our products, including preventing or
    stopping an attack on our computer system or network, and
  • protect the rights, property, or safety of Lyko, its customers, its franchisees, or
    others.

6. Data subject rights

6.1 Lyko complies with current data protection laws in the European Union, which, when
applicable, include the following rights:

  • Right to access:
    You are free to request access to a record of your processed personal data (as
    defined in the law), and you have the right to information about the processing and
    access to a copy of your personal data.
  • Right to rectification:
    You have the right to request a correction of your personal data if they are
    incorrect as well as the right to have incomplete personal data completed.
  • Right to erasure:
    You have the right to request deletion of your personal data under certain
    circumstances, e.g. if the personal data we process is no longer necessary for the
    purpose it was collected.
  • Right to restriction of processing:
    You are entitled to request restriction of our processing of your personal data
    under certain circumstances, e.g. if the personal data is no longer necessary for the
    purposes of the processing, but they are required for defense of legal claims.
  • Right to data portability:
    You are entitled to data portability, which is the right to request that we provide
    your personal data to another organisation responsible for processing your
    personal data (controller) in cases where our right to process your personal data is
    based either on your consent or the performance of an agreement with you and
    when the processing is carried out by automated means.
  • Right to object:
    You have the right to object to the processing of your personal data which is based
    on the legal basis of our legitimate interests or the legal basis necessary for a
    public interest. We can continue processing your data if we can demonstrate a
    compelling interest in the continued processing.
  • Right to file a complaint:
    You have the right to file a complaint with a data protection authority. The Swedish
    Authority for Privacy Protection (Sw. ‘Integritetsskyddsmyndigheten’) is the
    authority in Sweden that oversees how we as a company comply with relevant
    data protection legislation.
  • Right to withdraw your consent:
    If the processing of personal data is based on your consent, you are entitled to
    withdraw your consent for future processing of your personal data at any time.

6.2 You will receive access to your personal information at no extra cost. You can exercise
your right by contacting us via privacy@lyko.com. If we cannot provide you with the
information within 30 days, as defined by law, we will give you a date for when the
information can be provided and will explain the reason for the delay.
If such access is denied, we will explain to you why access has been denied.

6.3 When processing your personal data, we will do so in cooperation with our affiliates to
operate our business, meet our contractual and legal obligations, protect our systems
and customers, or meet the legitimate interests as described in detail in the sections
"How and why we use your personal data" and "When and how we share information
with others" above. When we transfer personal data from the European Union, we do
so based on several legal mechanisms, as described in the section "Data storage and
retention".

6.4 Note: if you ask Lyko not to contact you by email at a particular email address, Lyko will
retain a copy of that email address on its “master do not send” list in order to comply with
your request.

7. Security of your information

7.1 To help protect the privacy of data and personal data you transmit through the use of
our website, we maintain physical, technical and administrative safeguards. We
regularly update and test our security technology.

7.2 We restrict access to your personal data to those employees who need to know this
information to provide services to you or to administer our systems. We train our
employees on the importance of confidentiality, privacy and security.

7.3 We commit to taking appropriate disciplinary measures to enforce our employees'
privacy responsibilities.

8. Data storage and retention

8.1 Personal data handled by Lyko is stored and processed in the region in which you live,
in Sweden or in other European countries where Lyko, its affiliates, subsidiaries,
partners or suppliers are active. We take steps to ensure that the information we collect
following this Supplier Privacy Notice is dealt with in accordance with the provisions of
this Notice and in accordance with applicable laws.

8.2 If we transfer your personal data to third countries, i.e. countries outside the EU / EEA,
we will enter into agreements and take other appropriate measures in accordance with
applicable Data Protection Legislation, to ensure the safety of your personal data.

8.3 Lyko retains personal data for as long as necessary to provide you with our services
and to fulfil the purposes set out in section 4. Different types of data may be stored
for different periods of time, depending on certain criteria.

8.4 The criteria that determine how long we store your personal data may be:

  • For how much time is the personal data needed for us to be able to provide you
    with the functions of our data sharing portal, website or app?

    This includes, among other things, maintaining and improving the portal, our
    website and app, managing your account, protecting our systems, and
    administering necessary business and accounting information. This is the
    general rule underlying the calculation of most storage periods.
  • In accordance with the principles of data minimisation and storage limitation as
    set forth in the GDPR, we retain the personal data of our business partners only
    for as long as necessary to fulfil the purposes for which it was collected.
    Specifically, the retention period is directly aligned with the typical duration of
    the sales cycle for the products in question, plus an additional period to cover
    any post-sale activities, contractual obligations, and statutory requirements.
    Once this period has elapsed, we will either securely delete or irreversibly
    anonymise your data, unless a longer retention period is mandated by
    applicable law.
  • Do we have legal, contractual or other similar obligations to store the data?

    Examples of this may include mandatory legislation on retention of information,
    such as for accounting reasons, government orders to store data which is
    relevant for surveys or data that must be retained for resolving a possible
    dispute.

8.5 For more information on where and how long your personal data is stored, and for more
information on your rights of erasure and portability, please contact us at
privacy@lyko.com.

9. Changes and updates to the Supplier Privacy Notice

9.1 To reflect feedback, changes to the collaboration or to adhere to new legal requirements,
we might from time to time update this Supplier Privacy Notice. The latest update date
will be shown at the top of the Notice. If there are significant changes in the Notice or
how Lyko uses your personal data, you will be notified via web or email before the
changes come into force to the extent required by law. Please read this Supplier
Privacy Notice from time to time to keep yourself informed about how Lyko processes your
personal data and protects your privacy.

10. Questions, concerns or complaints

10.1 The responsibility for the processing of your personal data lies with:

Lyko Group AB
reg. no. 556740-9502

For questions, concerns or complaints about our Supplier Privacy Notice and our
privacy practices, you can reach us via our following group entity:

Lyko Operations AB
Sveavägen 53
113 59 Stockholm
Sweden

Kindly contact us via email at privacy@lyko.com.

10.2 You are also welcome to contact our data protection officer at:

Sharp Cookie Advisors AB

with lead attorney Mrs. Sofia Edvardsen

P.O. Box 45411,
SE-104 31 Stockholm, Sweden

dpo@lyko.se
