NESPRESSO PERSONAL DATA PROTECTION POLICY

2. What personal data do we collect and how?

Depending on how you interact and communicate with Nespresso (online, offline, telephone, etc.), we may collect different types of information from you such as:

• Personal contact details : this includes any information you send us so that we can contact you personally, such as your name, postal address, email address or telephone number.

• Login data for your account : the data you need to access your profile via your Nespresso account. This may be your login/email address, password and/or security question and relevant response.

• Email : We analyse your interactions with our content (e.g. click, email opened) to provide you with personalised information based on your interests and preferences.

• Demographic data and interests : Information about your demographic or behavioural characteristics. This includes your date of birth, age, geographical location (e.g. your postcode), your favourite products, hobbies and interests, and information on your household and lifestyle.

• Technical data on your computer/mobile device : information relating to your computer system or any other technological device you use to access one or more of our websites or apps, such as the Internet Protocol (IP) address used to connect your computer or device to the Internet, type of operating system, and the type and version of your web browser. If you access a Nespresso site or app from a mobile device such as a smartphone, the data collected will include, where permitted, your phone's unique identifier, advertising identifier, geolocation and other similar data relating to mobile devices.

• Information on website use/interaction : when you browse and interact with our websites or newsletters, we use automatic data collection technologies to gather specific information about your actions. This includes information such as the links you click on, the pages or content you view and for how long, and other similar information, as well as statistics about your interactions such as content response times, download errors and the length of time you spend on certain pages. This information is captured using automated technologies such as cookies (browser cookies, flash cookies) and web beacons, and is also collected using third party tracking devices. You have the right to object to the use of these technologies; for more information on this subject, please read our « Nespresso Cookies Policy ».

• Market research and consumer feedback : this includes information you agree to share with us on your experience as a user of our products and services.

• Consumer-generated content : this refers to any content you create and share with us on third party social media or by posting it on one of our websites or apps, including third party social media apps such as Facebook. This includes photos, videos, personal stories or other similar content or media, or private posts or messages you may leave on the Nespresso Facebook page. If you have agreed, we will collect and publish content generated by you during various activities, such as games or other advertising activities, the website's community functions, consumer opinions and comments and presence on third party social media.

• Information related to use of third party social media : This refers to any information that you share publicly on third party social media or that forms part of your profile on third party social media (such as Facebook) and that you have authorised the third party social media to share with us. This includes your basic account information (name, email address, gender, date of birth, current location, profile photo, user ID, friends' list, etc.) and any additional information or activities that you have authorised the third party social media to share. We receive your third party social media profile information (or some of it) every time you download or interact with a Nespresso web application on third party social media such as Facebook, every time you use a social media feature integrated in a Nespresso website (such as Facebook Connect) or every time you interact with us through third party social media. To find out more about how your information from third party social media is obtained by Nespresso, or to opt out of sharing social media information, please visit the third party social media website in question.

• Financial data and payment : any information we need to fulfil an order, or that you use to make a purchase, such as your bank card details (cardholder name, card number, expiry date, etc.) or details of other payment methods (if available). In all cases, we or our payment processor(s) manage and process financial and payment data in accordance with applicable regulations and security standards, such as the Payment Card Industry Security Standard.

• Calls to the Customer Relations Centre :your communications with our CRC may be recorded or listened to, in accordance with current legislation, for the purposes of quality control or staff training. You will informed of the recording at the start of your call. Bank card information is not recorded.

• Sensitive personal data : we have no reason to collect or process sensitive personal data (e.g. health data) as part of our day-to-day business activities. If we are required to collect or process such data for the purposes of sending marketing or medical communications, we would do so in strict compliance with the provisions of the GDPR relating to the processing of special data categories, and only with your explicit consent with regard to the specific, legitimate purposes pursued by Nespresso.

3. What is Nespresso's policy regarding children’s personal data?

We believe it is extremely important to protect the privacy of children accessing the Internet and encourage parents or guardians to spend time with them, participating in and managing their online activities.

Rest assured that your children will not be able to give us your personal data on the Internet without first asking for your permission.

On some of our websites (in particular our online shops), only adults can create an account.

We do not collect the personal data of children under 13. If we become aware that we have accidentally collected personal data from children under 13, we will immediately delete their data from our databases.

The only exception applies to the collection of personal data from children under 13 directly through a parent or guardian, with their explicit consent.

You may check, change or delete your child's personal data at any time. You may also ask for your child’s data to be removed, by sending a request by email to the address given in the contacts at Question No. 8 – «Quels sont vos droits et comment les exercer ? ».

4. How do we use your personal data?

The following table lists the purposes for which Nespresso collects and processes your personal data and the different types of personal data collected for each purpose. Please be aware that not all individuals are concerned by the uses listed below.

5. Does Nespresso disclose your personal data and why ?

In addition to the legal entities in the Nespresso/Nestlé group referred to in Question No. 12 - “Who are the Data Controllers and how can you contact them ? », we may share your personal data with various groups of third-party companies:

Service providers : : external companies we use to help us carry out our activities (order fulfilment, payment processing, fraud detection, identity verification, website operation, market research, support services, advertising management, website development, data analysis, Customer Relations Centre, etc.). These service providers, and some members of their staff, are authorised to use your personal data on our behalf exclusively for the specific tasks that have been requested, according to our instructions, and are required to protect the confidentiality and security of your personal data. Where the law requires, you can obtain a list of the service providers processing your personal data (see Question No. 12 - « Who are the Data Controllers and how can you contact them ? »).

Credit reporting/debt collection agencies : to the extent permitted by the law, credit reporting agencies and debt collectors are external companies that we use for credit checks (in particular for orders with an invoice) or to collect outstanding invoices.

SThird party companies using personal data for their own marketing purposes : with the exception of cases where you have given your consent, we do not sell your personal data to third party companies for their own marketing purposes. Where applicable, you will be informed of the identity of these third-party companies when we request your consent. For example, we may share with Facebook Ireland Limited ("Facebook") certain data about your actions on our websites, such as your visits, interactions with our websites, use of Facebook Connect and information collected using cookies or similar technologies, including the Facebook pixel. This enables us to assess the effectiveness of our advertising, improve our marketing practices and help us deliver advertising that is more relevant to you and those who share your interests (including on social media such as Facebook). We are the joint data controller, together with Facebook. We have entered into a joint processing agreement under which we are obliged to provide you with the information set out in this policy and more specifically in this paragraph. You should contact Facebook directly if you wish to exercise your data protection rights for this social media network. Further information, including how Facebook lets you exercise your rights and then processes your information as an independent data controller, can be found in Facebook's data policy, available at https://www.facebook.com/about/privacy.

Third party recipients using personal data on legal grounds or due to a merger/acquisition : nwe will disclose your personal data to third parties on legal grounds or in connection with an acquisition or merger (see Question No. 4 «How do we use your personal data ? » to find out more).

6. How long do we keep your personal data for?

Your personal data is kept by Nespresso only for as long as is reasonably necessary for the purposes described in this Policy. We use the following criteria to determine how long we keep your personal data:

1. a. Nespresso will keep your personal data in a form that enables you to be identified for the duration of your participation in one or more of our loyalty programmes, or for the duration of your membership of one of our online services. Your data may then be stored and processed for 3 years following your last contact with us, so that we can send you sales or marketing information.

2. b. Your personal data may, however, be retained for longer periods, to comply with specific legal obligations or with applicable statutory limitation periods. As an example, the data will be kept for:

   • 6 years for tax documents;

   • 11 years for accounting documents;

   • The entire duration of disputes and until all avenues of appeal have been exhausted.

3. c. Personal data used to offer you a personalised experience (see Question No. 4 – « How do we use your personal data? » for more details) will be kept for the duration permitted by current legislation.

After the above-mentioned retention periods, your personal data will either be securely deleted from all Nespresso databases or made anonymous.

7. How does Nespresso store and/or transfer your personal data?

We take all necessary technical and organisational action to guarantee the confidentiality and security of your personal data. You should be aware, however, that these protective actions only cover information you choose to share in public spaces, in particular via third party social media.

• People with access to your personal data : your personal data will be processed by our staff or dedicated service providers, solely for the purposes described to you when your personal data was collected (for example, our staff responsible for customer relations issues will only have access to your customer file).

• Action taken in operating environments : nwe store your personal data in operating environments where appropriate security measures are in place to prevent unauthorised access. We comply with the applicable regulations to protect your personal data. Unfortunately, information cannot be transmitted via the Internet in a completely secure manner, and although we make every effort to protect your personal data, we cannot guarantee the security of your data during transmission via our websites or apps.

• • What we expect from you : you also have a crucial role to play to guarantee the security of your personal data. When you create an online account, make sure you choose a password that is difficult to guess and never reveal your password to anyone. You are responsible for keeping your password confidential and are liable for your use of your account, regardless of the details. If you use a shared or public computer, make sure that the option to remember the login, e-mail address or password is never ticked, and always log out of your account whenever you leave the computer. You must also use the privacy settings or controls that we make available to you on our website or app.

• Transfer of your personal data : in order to store and process your personal data, it may be necessary to transfer this data to and store this data in a country other than your country of residence, in particular Switzerland or Luxembourg. We may also transfer your personal data to countries outside the European Economic Area (EEA), for example to other legal entities within the Nespresso/Nestlé Group or to ad hoc partners, including to countries whose data protection standards differ from those applied in the EEA. In this case, we (i) have put in place "standard contractual clauses" approved by the European Commission to protect your personal data (you have the right to ask us for a copy of these clauses, by contacting us at the contact details set out below), and/or (ii) will rely on your consent.

8. What are your rights and how can you exercise them ?

Access to your personal data : you, your descendants, representatives and/or agents have the right to access, consult and request a physical or electronic copy of your personal data in our possession. You also have the right to request information on the source of your personal data.

You can exercise these rights :

• by mail : Nespresso France - Service Protection des données personnelles - TSA 71623 – 75901 Paris Cedex 15.

• • by telephone, by calling our Customer Relations Centre, by telephone on 0800 55 52 53.

If there is reasonable doubt about your identity, we may ask you to enclose a copy of your ID or other proof of identity with your request. If the request is submitted by someone other than you, without proof that the request is legally made on your behalf, it will be rejected.

You should be aware that any identification information provided to us will exclusively be processed in accordance with, and to the extent permitted by, the current legislation.

Other rights (e.g. modification or deletion of personal data) : you, your descendants, representatives and/or agents may (i) request the deletion, portability, rectification or modification of your personal data; (ii) object to the processing of the data; (iii) restrict the use and disclosure of your personal data; and (iv) withdraw your consent to any of our processing activities for your personal data.

Please be aware that, in some cases, deleting your personal data will necessarily mean deleting your user account. We may also be obliged to retain some of your personal data, following your request for deletion, in order to comply with our legal or contractual obligations. (see Question No. 6 –« How long do we keep your personal data for ? »).

Where possible, our websites include a dedicated function allowing you to view and change the personal data you have provided to us. Please note that, before accessing or modifying your account information, people registered with a website must prove their identity (e.g. by providing their login/email address, and password) to prevent unauthorised access to an account.

We hope we will be able to answer any questions or queries you may have about how we process your personal data. However, if we do not succeed in dispelling your fears, you are also entitled to submit a complaint to the CNIL (https://www.cnil.fr/fr/plaintes)

9. What are your choices about how we use your personal data ?

We are committed to helping you make the most informed possible choices about the personal data you provide to us. The following mechanisms give you control over your personal data:

Cookies/similar technologies : you manage your consent via (i) our consent management solution or (ii) your browser to decide whether to allow or refuse the use of some or all cookies/similar technologies, or whether you want to be notified when cookies/similar technologies are used. Please consult our « Nespresso Cookie Policy » to find out more.

Advertising, marketing and special deals : if you want your personal data to be used by Nespresso to send you advertising communications about our products or services, you can indicate this by ticking the relevant box(es) on the online registration form, or by answering the question(s) asked on this topic by our Customer Relations Centre or our instore representatives. If you no longer wish to receive these advertising communications, you may unsubscribe from marketing communications at any time by following the instructions provided in each of these communications. An unsubscribe link is given at the bottom of all the marketing emails you receive from Nespresso. You can request to stop receiving marketing communications sent via any media, at any time. For this purpose, contact our Customer Relations Centre, or log in to the third-party websites, apps or social media in question and change your user preferences under your account profile by unchecking the relevant boxes. You should be aware that, even if you opt out of receiving marketing communications, you may receive administrative communications from us, such as confirmations for orders or other transactions, notifications about your account activities (account confirmations, password changes, etc.), and other important non-marketing information, if you are a customer of one of our online sales sites.

Personalisation (online and offline) : ): if you would like Nespresso to use your personal data to provide you with a personalised experience/targeted advertising and content, you can indicate this by ticking the relevant box(es) on the registration form or by answering the question(s) asked on this subject by our Consumer Services and Customer Relations Centres, our instore representatives, our sales demonstrators during point of sale activities or events organised by our brands. You may ask to stop this personalised experience at any time. For this purpose, contact our Customer Relations Centre, or log in to the third-party websites or apps and change your user preferences under your account profile by unchecking the relevant boxes.

Targeted advertising : nwe may have partnerships with advertisers which display advertising banners on the Internet for one of our brands or the brands of companies outside the Nespresso Group. These advertising banners target your interests, based on information collected via Nespresso or third-party websites. You can consult the website www.aboutads.info/choices to find out more about this type of targeted advertising, and how you can block these targeted advertisements ("opt-out") for companies participating in the Digital Advertising Alliance ("DAA") self-regulation programme. You can also download the DAA app to your mobile device to block these targeted advertisements. Remember that you can also block the collection of geolocation data at any time by changing the settings on your mobile device.

10. Changes to our Policy

If we change the way we manage and process your personal data, we will update the present Policy. We reserve the right to amend our practices and this Policy at any time. Please check our Policy regularly for updates or changes.

11. Virtual Consultant

This dialogue box is designed to help you find your way around our website. However, please do not communicate any personal data that might identify you. In the same way, please do not reveal any significant private data such as information about your state of health or your personal opinions and beliefs. Nespresso refuses any liability with respect to the protection of personal data when using this box. However, just in case a mishap occurs, all records of conversations will be converted to an anonymous format within 30 days of the user closing the dialogue box.

12. Who are the Data Controllers and how can you contact them ?

If you have any questions or comments about this Policy and our personal data protection practices, or if you wish to make a complaint about non-compliance with applicable privacy laws, you can contact our Data Protection Officer by e-mail at the following address: protection-des-donnees@fr.nestle.com

We will deal with and investigate any complaints about the way we handle your personal data (including complaints that we have breached your rights under the applicable privacy laws).