Personal Data Protection Policy
(Updated on 02/22/2023)
1 Policy
1.1 This is the Personal Data Protection Policy (“Policy”) of STO Smart Store (“STO Smart Store”), and its affiliated organisation(s) (each an “affiliated organisation” and collectively, the “STO”). The terms “we” and “our” in this Policy refer to the State Trading Organization PLC, STO Smart Store and/or any affiliated organisation which has adopted this Policy, as appropriate. The term “you” refers to the customer or entity which interacts with and consumes the services provided by STO.
1.2 Application. STO Smart Store and each affiliated organisation have different channels of collecting personal data, but each is committed to complying with this Policy in its collection, use and disclosure of personal data, to ensure that there is accountability and uniformity in the way STO protects your personal data. Although this Policy is in common use by STO Smart Store and the affiliated organisations, each is responsible to you to the extent of its own collection, use and disclosure of your personal data, and its own actions.
1.3 Compliance with this Policy. This Policy applies to all personal data you provide to STO, or that STO may collect about you. Please do not provide any personal data to STO if you do not accept this Policy. STO may also require you to accept this Policy when you contact, interact, transact or deal with us, or when you access and use our websites, applications or services. If you notify us that you do not accept this Policy, we may not be able to establish a relationship with you or be able to service your requests.
1.4 Concerns and Contacting Us. If you have any feedback or issues in relation to your personal data, or about this Policy, or wish to make a complaint to us, you may contact our Support Officer whose email address is set out in the Annex.
1.5 Amendment to this Policy. We may amend this Policy from time to time without notice to you, to comply with applicable laws or as we update our data usage and handling processes. The updated Policy will supersede earlier versions and will apply to personal data provided to us previously. The amended Policy will take effect when made available at the website as set out in the Annex.
2 Personal Data
2.1 What personal data we collect. The personal data we collect depends on the purposes for which we require the personal data and what you have chosen to provide. This may include your name, address, contact information (e.g. telephone number and email address), identification number, photograph, video image and any other information that may identify you or is personal to you.
2.2 How we collect personal data. We collect personal data relevant to our relationship with you. We may collect your personal data directly or indirectly through various channels, including when:
● you use our services or enter into transactions with us (or express interest in doing so);
● you apply to be a member of any of our loyalty programs, respond to our promotions, or subscribe to our mailing lists;
● you visit our websites, download or use our mobile applications;
● you register an account with us through our websites or applications;
● you transact with us, contact us or request that we contact you through various communication channels, for example, through social media platforms, messenger platforms, face-to-face meetings, telephone calls, emails, fax and letters;
● your images are captured via photographs or videos taken by us or our representatives when you are within our premises or attend events organised by us;
● you participate in events and programs, competitions, contests or games organised by us;
● we seek information about you and receive your personal data in connection with your relationship with us, for example, if you are a customer, investor or shareholder; or
● you submit your personal data to us for any other reason.
Depending on your relationship with us, we may also collect your personal data from third parties, including:
● from other organisations which are part of the STO Group;
● from your family members or friends who provide your personal data to us on your behalf; and
● from public agencies or other public sources.
Our website and applications may also contain or involve certain technologies that automate the collection of data (including personal data). These technologies include cookies, web beacons and web analytics. If you do not wish to have your data collected through such technologies, you may disable the operation of these technologies on your devices (where possible), or you may refrain from using our websites and applications.
2.3 Voluntary provision of personal data. Your provision of personal data to us is voluntary and you have the right to withdraw your consent for us to use your personal data at any time by contacting and submitting a request to us. Your withdrawal will take effect after your request is processed. However, if you choose not to provide us with the personal data we require, it may not be possible for us to fulfil the purposes for which we require the personal data, including providing products and services which you need from us.
2.4 Providing personal data belonging to others. In certain circumstances, you may also provide the personal data of persons other than yourself (including your family members). If you do so, you are responsible for informing him/her of the purposes for which we require his/her personal data and warrant that you are validly acting on behalf of him/her to consent to our collection, use and disclosure of his/her personal data.
2.5 Accuracy and Completeness of personal data. You must ensure that all personal data that you provide is true, accurate and complete and promptly inform us of any changes to the personal data.
3 Purposes
3.1 We collect, use and disclose your personal data where:
● you have given us consent;
● necessary to comply with our legal or regulatory obligations;
● necessary for our legitimate business interests, provided that this
does not override your interests or rights; and/or
● necessary to perform a contract or transaction you have entered into
with us, or provide a service that you have requested or require from
us.
3.2 General purposes. Generally, we collect, use and disclose your
personal data for purposes connected or relevant to our business,
including:
● processing your transactions with us, or to provide products and
services to you;
● managing your relationship with us;
● facilitating your use of our platforms and services;
● assisting you with your requests, enquiries and feedback;
● administrative purposes, e.g. accounting, risk management and record
keeping, business research, data, planning and statistical analysis, and
staff training;
● security and safety purposes, e.g. protecting our platforms from
unauthorised access or usage and to monitor for security threats, and
your image may be captured by security cameras;
● carrying out research, data and statistical analysis;
● compliance with laws and regulations, internal policies and
procedures, e.g. audit, accounting, risk management and record keeping;
● enforcing legal obligations owed to us, or responding to complaints,
litigation or investigations concerning us;
● managing and engaging third parties or data processors that provide
services to us, e.g. IT services, data analytics, marketing, and other
professional services;
● such purposes as may be notified to you when your personal data is
collected;
● carrying out our legitimate business interests (listed below); and/or
● any other reasonable purposes related to the aforesaid.
3.3 Marketing purposes. Where you give us consent, we collect, use and
disclose your personal data for purposes of:
● managing and/or administering your request to receive news (including
events and product launches), promotions and marketing information from
us (and/or our affiliates or related entities) and on our group
products;
● analyzing and/or profiling your purchases, transactions and/or likes
or dislikes so as to be better able to send you relevant or targeted
news (including events and product launches), promotion and marketing
information from us (and/or our affiliates or related entities) and on
our group products; and/or
● sending you news (including events and product launches) and
promotions from us (and/or our affiliates or related entities) as well
as marketing information from us (and/or our affiliates or related
entities) and on our group products.
3.4 Legitimate business interests. Our legitimate business interests
include:
● managing our business and relationship with you, and providing
services to our users and customers;
● protecting our rights and interests and those of our users and
customers;
● preventing and investigating possible misuse of our websites,
applications and services;
● understanding and responding to inquiries and feedback;
● understanding how our users use our websites, applications and
services;
● identifying what our users want and improving our websites,
applications, services and offerings;
● enforcing obligations owed to us, or protecting ourselves from legal
liability; and
● sharing data in connection with acquisitions and transfers of our
business.
3.5 Purposes involving STO Group. For administrative efficiencies and to
allow us to better serve your needs, your personal data will also be
collected, used and disclosed to organisations which are part of the STO
Group for the following purposes:
● facilitating the provision of centralised administrative and
management services;
● facilitating use of centralised resources e.g. shared information
technology resources and systems;
● facilitating internal audits, reporting and management of our
operations; and/or
● facilitating the conduct of centralised business activities and
functions e.g. data analytics.
3.6 Use permitted under applicable laws. We may also collect, use,
disclose and process your personal data for other purposes, without your
knowledge or consent, where this is required or permitted by law.
3.7 Contacting you. When using your personal data to contact you for the
above purposes, we may contact you via mail, e-mail, SMS, telephone,
pop-up notifications (when you are using our applications), or any other
means. We will not contact you for marketing purposes unless we have your
consent, or we are exempted by applicable law from having to obtain
consent. When contacting you for marketing purposes, we will not contact
you through your telephone number, unless you have specifically consented
to such a mode of communication. If you do not wish to receive any
communication or information from us, or wish to restrict the manner by
which we may contact or send you information, you may contact us to do so.
4 Disclosure of Personal Data
4.1 Disclosure to organisations which are part of the STO Group. We may
disclose or share your personal data with organisations which are part of
the STO Group for the purposes described in paragraphs 3.2, 3.3, 3.4 and
3.5.
4.2 Other Disclosures. We may also disclose or share your personal data in
connection with the purposes described in paragraphs 3.2, 3.3 and 3.4
above, including to the following parties:
● third parties who are appointed to provide services to us, e.g. IT
vendors, marketing companies and event organisers;
● third parties that we conduct joint marketing and cross promotions
with; and/or
● regulatory authorities and public agencies.
When disclosing personal data to third parties, we will (where appropriate
and required by applicable law) enter into contracts with these third
parties to protect your personal data in a manner that is consistent with
applicable laws and/or ensure that they only process your personal data in
accordance with our instructions.
5 Cross Jurisdiction Transfers of Personal Data
5.1 Safeguards. We may transfer your personal data out of Maldives for the
purposes set out in paragraph 3 above. When transferring personal data
outside Maldives, we will require recipients of the personal data to
protect personal data at a standard comparable to that under the laws of
Maldives. For example, we may enter into legally enforceable agreements
with the recipients to ensure that they protect your personal data. You
may obtain details of these safeguards by contacting us.
6 Protection of Personal Data
6.1 Period of retention. We keep your personal data only for so long as we
need the data to fulfil the purposes we collected it for, and to satisfy
our business and legal purposes, including audit, accounting or reporting
requirements. How long we keep your personal data depends on the nature of
the data, e.g. we keep personal data for at least the duration of the
limitation period for bringing claims if the personal data may be required
to commence or defend legal proceedings. Certain information may also be
retained for longer, e.g. where we are required to do so by law.
Typically, our data retention period is from 3 years upwards, depending on
the limitation period.
6.2 Anonymised data. In some circumstances we may anonymise your personal
data so that it no longer identifies you, in which case we are entitled to
retain and use such anonymised data without restriction, including for
data analytics.
6.3 Unauthorised access and vulnerabilities. While we take reasonable
precautions to safeguard your personal data in our possession or under our
control, we cannot be held responsible for unauthorised or unintended
access that is beyond our control, including hacking or cybercrimes. We
also do not guarantee that our websites and applications are invulnerable
to security breaches, or that your use of our websites and applications is
safe and protected from viruses, worms, Trojan horses, and other
vulnerabilities.
7 Your Rights
7.1 You enjoy certain rights at law in relation to your personal data that
we hold or control. These rights include:
● Withdrawal of consent: you may withdraw consent for our use of your
personal data.
● Correction: you may request that any incomplete or inaccurate data
that we hold or control be corrected.
● Access: you may ask if we hold or control your personal data and if we
do, you can request access to or a copy of such data.
7.2 Exercising your rights. If you have an account with us, you may access
or correct your personal data at any time by accessing your account on our
website. If you do not have an account with us but would like to request
access to or correction of your personal data in our possession or
control, please contact us. Where permitted by law, we may charge you a
fee to process your request. We may also be permitted under applicable
laws to refuse a request.
7.3 Limitations. We may be permitted under applicable laws to refuse your
request to exercise your rights, for example, we may refuse (a) a request
for erasure where the personal data is required in connection with
claims; or (b) an objection request and continue processing your personal
data based on compelling legitimate grounds for the processing.