Privacy Notice for Key Opinion Leaders (KOLs)

1. Introduction
2. About Us and Contact Details
3. Data Collection
4. Why We Collect Your Personal Data and What Types
5. Use of Special Category Data (Sensitive Data)
6. Data Sharing
7. How do we protect your Personal Data?
8. International Transfers of Personal Data
9. How Long Do We Store Your Personal Data
10. Your Rights
11. How to Lodge a Complaint
12. Updates to the Privacy Notice
13. Glossary

1. Introduction

This Privacy Notice explains how Kenvue collects, uses, and protects personal data of our Key Opinion Leaders (KOLs). We value your privacy and are committed to handling your personal information responsibly and in accordance with applicable data protection laws.

We have organised this Privacy Notice into sections and included a Glossary at the end where you can find explanation of any defined terms we have used. We will update this Privacy Notice from time to time. Any changes will be available on the Privacy Notice accessible from the website and will include the last reviewed date. If we make any significant changes, we will notify you and provide you with additional information. We encourage you to check this Privacy Notice regularly to stay informed about how we use your Personal Data.

Links on our website may direct you to other brands or services we offer, each with its own privacy notice distinct from this one. We encourage you to review the specific privacy notices of these sites to understand how they use your personal data.

2. About Us and Contact Details

Johnson & Johnson Ltd, part of Kenvue registered at 50-100 Holmers Farm Way, High Wycombe, Bucks HP12 4EG

Under Applicable Data Protection Laws, we are the Controller of your Personal Data.

We have designated a Data Protection Officer (DPO). You can contact our DPO and the EMEA DPO Team at emeaprivacy@kenvue.com

3. Data Collection

We collect personal data that you provide to us directly, such as your name, contact details, professional background, and areas of expertise. We may also collect information from public sources and social media platforms to better understand your influence in relevant fields.

4. Why We Collect Your Personal Data and What Types

Why We Collect Your Personal Data	Personal Data Processed	Our Legal Basis
To understand and review your expertise and experience within your industry.	(All publicly available) Name, contact details, professional background, experience (CV), your academic research, publication history, speaking engagements, awards, social media profiles, workplace, membership of professional bodies, your photo and any publicly shared work that demonstrates expertise and experience.	Legitimate interest. The company's legitimate interest here is to ensure that potential collaborators have the necessary expertise and experience for the projects or campaigns being considered.
To decide whether we want to collaborate with you on any projects or campaigns	Contact information (name, email, phone number), professional profiles (LinkedIn, professional websites), and information about past collaborations or projects.	Legitimate interest. The legitimate interest is in conducting due diligence to select the most suitable KOLs for potential projects or campaigns, optimising the selection process for collaborations.
To communicate with you about our products, services, and events	Contact information, (name, email, phone number) areas of interest based on professional expertise, preferences based on previous interactions.	Consent (for potential collaborations without a current contract) or performance of a contract (if there is an agreement to collaborate). When based on legitimate interest (e.g., initial outreach), it's to inform KOLs about opportunities they might find valuable.
To build and maintain our relationship with you as a KOL.	Contact information, (name, email, phone number) records of communication and previous collaborations, feedback and opinions on past events or products.	Legitimate interest and, in some cases, performance of a contract. The legitimate interest is in nurturing professional relationships with KOLs, which is beneficial for both the company and the KOL for future collaborations and opportunities.
To seek your expert opinion and insights.	Professional expertise, public writings, and presentations, opinions shared in professional forums.	Legitimate interest. The interest is in leveraging the KOL's expertise to inform product development, marketing strategies, or content creation, improving the relevance and effectiveness of the company's offerings
To collaborate on marketing and promotional campaigns.	Contact information, (name, email, phone number) content created during collaborations, feedback on campaigns.	Performance of a contract. When a KOL agrees to collaborate on a campaign, processing their data is necessary to fulfil the obligations of the contract. Prior to the contract, legitimate interest in identifying suitable KOLs for campaigns applies.
To provide customer service and support	Email, name, communication/content of support requests.	Contractual necessity (to resolve issues and provide support) legitimate interest (to ensure satisfactory customer experience and service quality).
To find, investigate and prevent fraudulent activities.	Email, name, transaction history, browsing behaviour, and any other relevant data that could indicate fraudulent activities	Legitimate Interest (to investigate and prevent fraudulent activities).
For claims, legal disputes, investigations, enforcement of terms and conditions, for the defense of our rights.	Email, phone number, transaction data, communication records, legal documents.	Legitimate Interest (for the purpose of establishing, exercising, or defending legal claims.)
We may process and disclose your Personal Data to comply with legal process or applicable law, which may include laws outside your country of residence.	As required by the specific legal request or obligation, which could include a wide range of data, Contact details (email, phone number), As account details, transaction history, and communication records.	To comply with our legal obligations Legitimate Interest (to comply with the laws and regulations in other countries we are subject to).

5. Use of Special Category Data (Sensitive Data)

In our efforts to collaborate with and understand the expertise and experience of KOLs in their respective fields, we sometimes incidentally collect personal data that falls under the category of special category data as defined by data protection legislation. This is the case where in the context of your professional background you have directly made information publicly available by way of publications, public statements, interviews and similar revealing sensitive personal data about yourself.

We will rely on both the following for processing special category data:

Data Made Public by the Data Subject - We process data that you have manifestly made public in accordance with Article 9(2)(e) of the General Data Protection Regulation (GDPR). This pertains to special category data about you that you have chosen to make public through professional platforms, publications, or public appearances.
Legitimate Interests - We process your special category data based on our legitimate interests (Article 6(1)(f) GDPR) in identifying and collaborating with experts in their field. When relying on legitimate interests, we ensure that the processing is necessary for our legitimate activities and does not unduly impact your rights and freedoms. Our legitimate interest lies in the need to assess and verify the expertise and professional background of potential collaborators to make informed decisions about potential partnerships and collaborations.

Internal teams and Kenvue Affiliates for business purposes, including those located outside the UK and EEA.
External partners and service providers, under confidentiality agreements.
Regulatory authorities, if required by law.

7. How do we protect your Personal Data?

We seek to use effective organisational, technical, and administrative measures designed to protect Personal Data under our control. For example, we implement robust security measures to protect your information, which include encryption of transmitted data and secure password practices. If you have a reason to believe that your interaction with us is no longer secure (for example, you believe that the security of your account with us has been compromised), please immediately notify us via the Contact Details section above.

8. International Transfers of Personal Data

To ensure your data is protected in the countries we transfer to outside [name country], we either:

Transfer your Personal Data to countries recognised by the UK as providing adequate data protection, please see list here. or
Transfer your Personal Data by contractually ensuring that the recipient is bound by the UK International Data Transfer Agreement or the UK Addendum to the EU's Standard Contractual Clauses/ EU Standard Contractual Clauses.

You may obtain a copy of these adequate measures by contacting our Data Protection Officer and the EU DPO Team at emeaprivacy@kenvue.com

9. How Long Do We Store Your Personal Data

We will retain your Personal Data for as long as needed or permitted considering the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with you and provide our services to you; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable considering our legal position (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations).

10. Your Rights

Your rights	Description
The right to object to the processing of your Personal Data	You can object to the use of your Personal Data for certain purposes. You have the right to stop your Personal Data being used for direct marketing at anytime
The right to be informed	You have the right to know if and how we process your Personal Data, as detailed in this Privacy Notice.
The right of access	You can request access to and a copy of your Personal Data we have unless legal exceptions and exemptions apply.
The right to rectification (correct)	You can ask us to complete or correct any incomplete or incorrect Personal Data.
The right to Erasure (also known as the “right to be forgotten”)	You have the right to ask us to delete your Personal Data in certain circumstances, for example, we cannot delete if there is a legal or regulatory obligation on us to keep it.
The right to restrict the processing	You can request that we limit processing your Personal Data in specific situations: a) when its accuracy is contested, b) the processing is unlawful, but you do not require the deletion of your Personal Data c) your Personal Data is no longer needed for processing, but you need it for the establishment, exercise or defence of legal claims d) If you object to processing of your Personal Data occurring based on our Legitimate Interest.
The right to data portability	You can request your Personal Data in a machine-readable format, only when processing is based on your consent or contract and is carried out by automated means.
The right to withdraw consent	If you gave consent for processing your Personal Data, you can withdraw it anytime. Withdrawing consent will not affect the lawfulness of past processing, and we will inform you if we can no longer provide you with your chosen service.

11. How to Lodge a Complaint

If you have any questions, concerns or complaints about this Privacy Notice, please contact CONS-professionalsprivacy@Kenvue.com

You may also lodge a complaint with a data protection supervisory authority in particular where you reside, you work or the matter you are complaining about took place.

The competent data protection supervisory authority in the UK is the Information Commissioner’s Office (ICO), Make a complaint | ICO

12. Updates to the Privacy Notice

This policy was last updated on [21st May 2024 ]

13. Glossary

Terms	Definitions
Applicable Data Protection Laws	means all applicable UK and EU legislation and regulation relating to data protection and privacy including without limitation UK's version of the EU GDPR (the "UK GDPR") and the UK's ePrivacy rules ("PECR").
Controller	is a person(s) or company (either alone or jointly or in common with other persons) who decides how Personal Data will be processed.
Legitimate Interest	This is a legal basis which we are able to rely on where we are processing Personal Data for our activities and needs or the activities and needs of others, including providing you with the best service and experience we can offer. We will balance our interests against any potential impact on your rights or freedom. If your rights, interests and freedoms override our interests, we will not process your Personal Data under this legal basis.
Personal Data	This refers to any Information relating to an identified or identifiable individual, who can be directly or indirectly identified by reference to identifiers (e.g. name, email, demographic information, and online identifiers).
Privacy Notice	Also referred to as a Fair Processing Notice or a Privacy Policy – informs individuals what Personal Data is processed and how and why a company will process it. This document is the Privacy Notice for the Services.