M&S Customer Privacy Notice

We’ve recently updated our Privacy Notice to provide detailed information about how we use your personal data. The main changes include:

  • greater detail on the types of personal data we collect and how we use it.

  • more information about partners who help us provide our services to you and those who run M&S‑branded services.

These changes don’t alter your rights or our commitment to protecting your privacy.

At M&S, we are committed to respecting your privacy rights and complying with data protection laws. This Privacy Notice sets out what personal data we collect, how we use it, how we maintain your privacy and what rights you have over your personal data. The Notice applies whether you visit our stores, shop with us online or otherwise engage with us. If you have any questions or need further information about how we use your data, please contact our Data Protection Team using the details in the Privacy Complaints section of this Notice.

Who we are

We are Marks and Spencer plc, a company registered in England and Wales which is part of the M&S group of companies, which includes Marks and Spencer (Ireland) Limited, registered in the Republic of Ireland (collectively referred to as "M&S", "we" or "us" in this Notice).

This Notice does not cover the processing of personal data by:

  • other businesses who partner with us to provide M&S branded services, including M&S Bank, M&S Insurance, M&S Opticians and M&S Travel Money;

  • our UK and international franchise partners who sell our products in stores and on-line under the M&S brand;

  • Ocado Retail Limited (which operates ocado.com and is a joint venture between M&S and Ocado Group);

  • Marks and Spencer Reliance India Private Limited (which operates the M&S India website and stores, and is a joint venture between M&S and Reliance Group); or

  • The Sports Edit (which is a wholly owned subsidiary of M&S).

The processing of personal data by these companies is covered in their privacy notices. Please see the How We Use Your Personal Data section for further information.

This Notice also does not cover the collection, use and disclosure of your vehicle registration and images for parking enforcement purposes. This is because car parks are operated by third parties. You can find the name of the third party and its privacy notice on signs in the car park.

The data we collect about you

We collect, use, store and transfer different kinds of personal data about you which we have split into the categories listed below. For most customers, we will only collect data for some rather than all of the categories listed. Some of the personal data we collect comes from you, for example when you set up an M&S online account, make a purchase or contact our customer services team. Other personal data is collected through your use of our services, for example your browsing or shopping activity. We also collect your data where it’s provided by another customer as part of a purchase (for example gift card or flowers) and the customer provides your details as the recipient. If you use one of our branded services, such as M&S Bank or M&S Insurance, we will also receive your data from them as explained in the How We Use Your Personal Data section.

Categories of personal data

  • Contact Data includes your billing address, delivery address, email address and telephone number.

  • Financial Data includes payment card details and bank account information.

  • Identity Data includes your name, M&S username, customer number, Sparks number or similar identifier, marital status, title, date of birth and gender, limited information on your children, such as their name(s) and age(s) (if you’ve provided that information when joining our parent hood club), and in certain circumstances copies of identity documents like passport or driving licence.

  • Image Data includes your image as captured on our CCTV and body worn cameras in store.

  • Physical characteristic data includes details of your appearance such as your height, body shape, measurements, clothing, eye and hair colour, distinguishing features and so on (where necessary for security purposes or shared by you so we can provide recommendations or tailored services).

  • Transaction Data includes details of products you have purchased (including where and how purchased, the retail price and the date and time), services you have used from us and our branded partners, and details of transactions you’ve made using an M&S Bank credit card or similar.

  • Customer Service Data includes calls and correspondence when you contact our customer service teams, interact with us on social media or respond to our surveys.

  • Technical Data includes the internet protocol (IP) address of your device, details of the cookies on your device, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Site/App.

  • Profile Data: your interests and preferences which we collect from you (such as your marketing consent status and clothing or food preferences) or we infer from your use of our services and through demographic and household information we obtain from Experian.

  • Usage and Browsing Data: information about how you use our services (including our websites and apps), your browsing activity on our websites and your responses to marketing messages and campaigns (including whether marketing emails are opened and/or acted upon).

  • Behavioural and Incident Data: details of your behaviour in store, including involvement in any incidents or accidents, whether as participant or witness.

  • Shareholder Data: information about any shares you hold in M&S (including any share sales or purchases, the number of shares held and their value), dividend payments, your rights as a shareholder and how to exercise them.

  • Sensitive Personal Data: also known as Special Category Data, this is information given extra protection under data protection law. We do not process sensitive personal data routinely but will collect health information and biometric data for the specific activities set out in the ‘How We Use Your Personal Data’ section.

  • Criminal Offence Data. This covers information about actual or suspected offences in the context of criminal activity, allegations, investigations and proceedings.

How We Use Your Personal Data and Our Lawful Grounds for Doing So

We must tell you why we process your personal data and what lawful ground we rely on. There are several grounds but, in most cases, we rely on one or more of the following.

  • Contract – this is where we process your data to fulfil our contract with you or because you have asked us to carry out a service before entering a contract. For example, when you make an order you enter a contract with us and we cannot fulfil your order without collecting some personal data such as your contact data and payment data.

  • Consent – this is where you have provided permission to us to use your data for a particular purpose. Generally, we only rely on your consent to send you electronic direct marketing communications. If we request it for another purpose, we will make you aware at the time we collect your data. If you provide your consent, you can withdraw it at any time (see Your Rights section).

  • Legitimate Interests – this is where we rely on our interests or the interests of third parties. These interests can include our commercial interests.

  • Legal requirement – this is where we must process your data to comply with a legal requirement.

Where we process Special Category Data or Criminal Offence Data, we usually rely on one of the following lawful grounds.

  • Explicit consent – this is where we collect your explicit consent to process your data, for example where you provide health information as part of a bra fit appointment.

  • Legal claims – this is where we process your data to establish, exercise or defend legal rights or claims such as legal claims following an accident or incident at our stores.

  • Preventing or detecting unlawful acts – this is where processing is necessary to prevent or detect an unlawful act, must be carried out without the consent of the individual so as not to prejudice those purposes, and is necessary for reasons of substantial public interest.

In the section below, we have described the purposes for which we use your data, what categories of data we use and the lawful ground(s) we rely on. Where we process your data for our, or a third party’s legitimate interests, we have explained what these interests are. Where we process your data to comply with a legal requirement, we have said what this requirement is. For each use we have also explained whether we share data with, or receive data from, third parties. Like all companies our size, we use lots of suppliers to help provide our goods and services and we change suppliers from time to time. It’s not practical to list them all so we have provided details of the main ones. Most of these third parties act as ‘data processors’ which means they act on our instruction, cannot use your data for their own purposes and we remain responsible for your data. Where the third party is a data controller, meaning it is responsible for your data, we have highlighted this by adding (C) next to their name. Privacy notices for these data controllers can be found on their websites.

Customer Services

Activity: Customer Service queries, complaints and so on.

Types of data: Behavioural and Incident Data, Contact Data, Customer Service Data, Financial Data, Identity Data, Image Data, Transaction Data.

Special Category Data (Health information) is also processed but only when dealing with specific queries where you provide health information to us, for example if you contact us about: allergic reaction to/sickness from products, post-surgery lingerie/swimwear requests/queries, accidents in store or sunflower lanyard (hidden disability) requests.

Lawful grounds: Contract, Explicit consent, Legal obligation, Legitimate Interests (to provide customer support).

Sharing: Suppliers of technology used as part of providing customer services such as Zendesk.

Activity: Interaction analytics which provides insight into reason for contact, trends, volume and to produce Management Information.

Types of data: Contact Data, Customer Service Data, Identity Data.

Lawful ground: Legitimate Interests (to help improve our services).

Sharing: Suppliers that provide sentiment analysis platforms such as Google Conversational Analytics and Medallia.

Activity: Training our colleagues and monitoring their performance (known as quality assurance).

Types of data: Contact Data, Customer Service Data, Identity Data.

Lawful ground: Legitimate Interests (to train our colleagues and to monitor the performance they provide to customers).

Sharing: N/A

Sale and delivery of goods and services

Activity: Sale, checkout, reservations and payments.

Types of data: Contact Data, Financial Data (tokenised), Identity Data, Transaction Data.

Lawful grounds: Contract, Legitimate Interests (to facilitate checkout, reservations and payments).

Sharing: We work with various payment providers. For the latest list please see the ‘Ways to Pay’ section of our website.

Activity: Order fulfilment and returns.

Types of data: Contact Data, Identity Data, Transaction Data.

Lawful grounds: Contract, Legitimate Interests (to facilitate order fulfilment and returns).

Sharing: We use various delivery companies including Royal Mail and Evri. We partner with Rithum for fulfilment for third party brands.

Activity: Fraud prevention.

Types of data: Contact Data, Financial Data (tokenised), Identity Data, Transaction data.

Lawful ground: Legitimate Interests (to protect us and you from fraudulent transactions).

Sharing: Suppliers of fraud prevention services such as Accertify and Appriss Retail.

Activity: Service-related communications such as order updates.

Types of data: Contact Data, Identity Data, Transaction Data.

Lawful grounds: Contract, Legitimate Interests (it is in ours and our customers’ legitimate interests to send service-related communications).

Sharing: Suppliers of communication platforms such as Salesforce.

Activity: Stock reminders. Where requested by you we will send emails to inform you that an item is back in stock.

Types of data: Contact Data, Profile Data.

Lawful ground: Legitimate Interests (to send the stock reminders).

Sharing: Suppliers of communication platforms such as Salesforce.

Activity: Competitions. To administer and follow up on competitions and events.

Types of data: Contact Data, Identity Data.

Lawful ground: Legitimate Interests (to administer the competitions).

Sharing: This depends on the competition and will be made clear on the entry form.

To provide our Sparks loyalty scheme

Activity: To provide you with the services and benefits in our loyalty scheme. This includes:

  • notifying you of your membership rewards and benefits such as offers, promotions and birthday treats as well as recommendations, services and events organised by us or our partner companies;

  • letting you know about important updates and changes to your membership status or terms; and

  • detecting and addressing non-compliance with our Membership Terms & Conditions or fraudulent behaviour.

Types of data: Contact Data, Identity Data, Browsing Data, Profile Data, Usage Data.

Lawful grounds: Consent (for electronic marketing), Contract, Legitimate Interests.

Sharing:

Activity: To provide you with the services and benefits in our parent hood (powered by Sparks), if you choose to enrol, such as exclusive offers, discounts, and tailored content based on your child’s age or stage.

Types of data: Contact Data, Identity Data, Transaction Data, Usage Data.

Lawful ground: Contract, Legitimate Interests (to tailor offers and content to your needs and improve your experience).

Sharing: N/A

Activity: To provide you with the services, rewards and benefits if you choose to link your M&S Sparks account with our Sparks Partners (such as Virgin Red).

Types of data: Contact Data, Identity Data, Transaction Data, Usage Data.

Lawful grounds: Contract, Legitimate Interests (to provide a seamless experience and ensure offers meet customer expectations).

Sharing: Sparks Partners such as Virgin Red (C).

Marketing, profiling, analytics and digital advertising

Activity: Analytics.

We analyse personal information and other data to make recommendations about changes to our business or improvements to the services we offer our customers. For example, we analyse how our customers use our services (including our website and mobile app) so we can identify where we can make improvements. As part of our analytics, we also use your data to create what’s known as a Single Customer View which is where we clean and combine your data into a unified profile which allows us to better understand your needs and preferences.

Types of data: Contact Data, Identity Data, Profile Data, Transaction Data, Technical Data, Usage Data.

Lawful ground: Legitimate Interests (to define types of customers for our products and services, to keep them updated and relevant, to develop our business and to inform our marketing strategy).

Sharing: To support Single Customer View, we use services provided by Experian. Also, as part of our relationship with our partners, such as Ocado Retail, and potential partners, we combine our data securely with that of our partners’/potential partners’ customers, to identify whether we share mutual customers, allowing us to enhance our marketing; operate a smooth, mutually beneficial relationship; and better understand our customers.

Activity: Profiling.

Profiling analyses an individual’s behaviour and interests to better understand them. We use profiling to support our direct marketing activities as it helps us understand what offers and information may interest you and other people. This does not produce legal or similarly significant effects, but it may influence the marketing you receive or the products we recommend. If you have a Sparks account we may use a credit propensity model to identify customers' likelihood of applying and being accepted for credit.

Types of data: Contact Data, Identity Data, Profile Data, Transaction Data, Technical Data, Usage Data.

Lawful ground: Legitimate Interests (to define types of customers for our products and services, to keep them updated and relevant, to develop our business and to inform our marketing strategy).

Sharing: We work with Experian which provides demographic data to help us to understand our customers better and provide products and services that people will want to purchase.

Activity: Electronic Direct Marketing (Email, SMS).

Types of data: Contact Data, Profile Data, Transaction Data.

Lawful ground: Consent (for electronic data marketing).

Sharing: Suppliers of communication platforms such as Salesforce.

Activity: Digital advertising on websites.

When you visit our websites, you may be served personalised advertisements for M&S branded products and services whilst using other websites. Any advertisements you see will relate to products you have viewed whilst browsing our websites on your computer or other devices, or which we believe are of interest to you.

These advertisements are provided by M&S via our partners using ‘cookies’ and similar technologies placed on your computer or other devices (see further information on the use of cookies in our Cookie Policy). You can reject all (non-essential) cookies at any time by using our cookies consent tool.

Types of data: Contact Data, Profile Data, Technical Data, Transaction Data.

Lawful grounds: Legitimate Interests (to grow our business and to inform our marketing strategy). We collect consent for the storage of, or access to, information on your device via technologies such as cookies which is required for most digital advertising.

Sharing: Flashtalking.

M&S uses the Flashtalking platform, provided by Innovid, for advertising creation and delivery, device recognition and campaign analysis. Flashtalking uses both cookie-based (if you accept the use of cookies on the M&S website) and cookie-less technologies to identify and connect devices to M&S customers.

Cookie-less technologies mean Flashtalking can recognise your device using your IP address or device identifier. This allows them to display personalised ads that are more relevant to you.

Further information on how Flashtalking processes your personal data and how to exercise your data subject rights can be found in their consumer privacy statement. You can also opt out of personalised ads displayed by Flashtalking using this link.

Activity: Digital advertising on social media platforms or search engines.

Types of data: Contact Data, Identity Data, Profile Data, Transaction Data, Technical Data, Usage Data.

Lawful grounds: Legitimate Interests (to grow our business and to inform our marketing strategy). We collect consent for the storage of or access to information on your device via technologies such as cookies which is required for most digital advertising.

Sharing: If you have an account with a Meta platform (such as Facebook or Instagram), Pinterest or TikTok, or use Google, and accept cookies on our website, your personal data, including purchasing and browsing activity, will be shared with them. This data is shared so they can serve tailored and personalised advertisements to you (including relevant M&S products and services) when you are using their platforms and apps.

For certain data processing activities, Meta, Pinterest, TikTok or Google act as a data controller using data solely for their own purposes. In other data processing activities, Meta, Pinterest and TikTok act as joint data controller with M&S.

As required under data privacy laws, M&S has entered into agreements with Meta, Pinterest and TikTok which determine the parties’ respective responsibilities for compliance with the obligations under the UK General Data Protection Regulation (UK GDPR) relating to the joint processing. These agreements are referred to as the Controller Addendum, for Meta, the Joint Controller Addendum for Pinterest and the Joint Controller Terms, for TikTok.

We have agreed that M&S is responsible for providing data subjects with the information set out above, and that Meta, Pinterest and/or TikTok respectively are responsible for enabling data subjects’ rights under Articles 15-20 of the UK GDPR with regard to the personal data stored by Meta, Pinterest and/or TikTok after the joint processing.

Further information on how these organisations handle your personal data, including the legal basis for data processing and how you can exercise your data subject rights, is set out in their Privacy Policies at the links below:

Meta | Privacy Centre | Manage your privacy on Facebook, Instagram and Messenger | Facebook Privacy.

Pinterest Privacy Policy.

TikTok Privacy Policy.

Activity: Postal marketing.

Types of data: Contact Data, Profile Data.

Lawful ground: Legitimate Interests (to grow our business and to inform our marketing strategy).

Sharing: Suppliers of communication platforms such as Paragon and printers.

Surveys, Product Reviews and Research

Activity: To contact you so you can take part in customer satisfaction surveys, provide feedback and rate our products and services. If you respond to survey requests or otherwise provide your views on our products or services, we collect your feedback and use it to develop the products and services we offer.

Types of data: Contact Data, Customer Service Data, Identity Data, Transaction Data.

Lawful ground: Legitimate interest (to improve our product range, services and stores which allows us to serve you better as a customer).

Sharing: Suppliers of survey and ratings platforms including Medallia and Bazaarvoice.

Activity: Research Projects. Our research partners may provide your information to us if you have agreed to participate in a research project. The purpose of the research and the data sharing will be explained to you when you agree to take part.

Types of data: Contact Data, Identity Data, Profile Data, Sensitive Personal Data (this is collected where the research concerns accessibility needs).

Lawful grounds: Consent, Legitimate interest (to improve our product range, services and stores which allows us to serve you better as a customer).

Sharing: Examples of the research companies we partner with are Maze (C) and User Testing.

Safety and security

Activity: Crime and fraud prevention and detection and related activities undertaken to:

  1. protect colleagues and customers from harm, abuse, inappropriate conduct, assault and other crimes;

  2. protect M&S and its assets, as well as other businesses, against crime including theft, fraud and criminal damage; and

  3. assist the police and law enforcement agencies in preventing, detecting, apprehending and prosecuting offenders.

The processing includes recording and handling CCTV images and creating information about security incidents and crimes as well as the individuals involved - principally suspects/offenders, but also victims and witnesses. CCTV images are collected by fixed and body worn cameras. Body worn cameras record both audio and video and are activated in high-risk situations where it is necessary such as aggressive behaviour and/or when there is a threat of violence. In some stores our CCTV cameras are also used at self-checkout to identify non-scanned items and in aisle areas to identify product concealment or the removal of high value items in suspicious circumstances. This does not involve the use of facial recognition. It focuses on recognising objects, movements and interactions that may indicate theft, error or safety concerns. Alerts are reviewed by trained colleagues, ensuring appropriate human oversight.

Our incident database

Where suspicious or criminal activity occurs, we will record this within our retail incident database managed by a specialist partner (Auror), alongside footage, images and information about suspects. This personal data is used for the purposes of prevention and detection of crime, anti-social or inappropriate behaviours and the apprehension and prosecution of offenders and, in particular, to:

  • issue and enforce 'trespass notices' which ban known individuals from M&S stores;

  • undertake monitoring or surveillance of suspects or offenders;

  • identify and disrupt the activity of organised criminal gangs and networks;

  • recover the value of goods stolen via legal proceedings; and/or

  • report offenders to the police and support prosecutions.

Please see the sharing section for further information about Auror’s services.

Biometric data and non-live facial recognition technology

We use non-live facial recognition technology, involving the temporary processing of biometric data, to better identify a suspect whose details are recorded in our retail incident database, subject to compliance with the law and appropriate human oversight. Such processing is only carried out in relation to individuals who are recorded in the incident database and suspected of an offence (and is only used in our UK stores).

Types of data: Behavioural and Incident Data, Biometric Data (for image matching in the Auror platform), Contact Data, Criminal Offence Data, Identity Data, Image Data, Payment Data, Physical characteristic Data, Usage Data.

Lawful grounds: Legitimate Interests (to protect our business, the local community, customers and colleagues), Legal claims, Preventing or detecting unlawful acts.

Sharing: Law enforcement agencies (C), Local retail crime data sharing schemes (C), Auror who maintain the platform (see below), Mitie Security which provides security guards who work in our stores, Seechange.

Auror: In relation to personal data of suspects held in the incident database, some limited data processing activity is undertaken by M&S and Auror acting as joint controllers, as defined in data protection law, because we jointly determine the purposes and means of the processing. This joint controller processing is undertaken solely for:

  • suspect identification using biometric data and non-live facial recognition technology (UK only);

  • reporting and providing insights and aggregated data to identify trends using information in the incident database; and

  • obtaining information on vehicles associated with suspects using Automated Number Plate Recognition technology.

For further information on Auror’s processing of personal data, Auror’s Privacy Statement for the UK is available here and for Ireland here. Apart from the joint controller processing activity described above, Auror otherwise act as a data processor on our behalf.

To provide M&S branded and partner services

If you hold one or more of our financial services products (Credit Card, insurance, travel money) or use other M&S branded services provided by third parties we will also use your personal data in the ways described below. Our partners use your data in the ways described in their privacy notices set out below.

M&S Bank: https://bank.marksandspencer.com/legal-information/privacy-notice/.

M&S Pet Insurance: https://pet.insurance.marksandspencer.com/privacy-cookie-policy

M&S Travel Insurance: https://privacy-notice.rockinsurance.com/

M&S Travel Money: https://mandstravelmoney.com/legal/privacy

M&S Opticians: https://mandsopticians.com/privacy

Activity: Customer identity and account matching to streamline onboarding by prepopulating application forms (but this data will only be retained if you sign up for the product/service) and to provide M&S Credit Card Rewards for our credit card customers.

Types of data: Contact Data, Identity Data, Payment Data, Technical Data, Transaction Data.

Lawful grounds: Contract, Legitimate Interests.

Sharing: We share and receive the data listed with our branded and partner services for this purpose.

Activity: For data analytics and customer insight purposes (see Marketing, profiling, analytics and digital advertising section for more information).

Types of data: Contact Data, Identity Data, Profile Data, Transaction Data, Technical Data, Usage Data.

Lawful ground: Legitimate Interests (see Marketing, profiling, analytics and digital advertising section for more information).

Sharing: We share and receive the data listed with our branded and partner services for this purpose.

Activity: To apply discounts to Sparks Members (where applicable).

Types of data: Contact Data, Identity Data.

Lawful ground: Contract.

Sharing: We share and receive the data listed with our branded and partner services for this purpose.

Activity: Managing customer contacts and queries

Types of data: This depends on the nature of your contact or query.

Lawful ground: Legitimate Interests (to ensure your complaint is managed properly).

Sharing: We share and receive the data listed with our branded and partner services for this purpose.

Activity: Data quality purposes - to update or verify the information we hold about you.

Types of data: Contact Data, Identity Data.

Lawful ground: Legitimate Interests (to maintain accurate customer information).

Sharing: We receive the data listed from our branded and partner services for this purpose.

Activity: Fraud prevention

Types of data: Contact Data, Identity Data, Transaction Data

Lawful ground: Legitimate Interests (to protect us and you from fraudulent transactions).

Sharing: We share and receive the data listed with our branded and partner services for this purpose.

M&S Franchise Partners.

Activity: Complaints Management

Types of data: Contact Data, Identity Data, Transaction Data.

Lawful grounds: Contract, Legitimate Interests (to ensure your complaint is managed properly).

Sharing: We will share and receive personal data where needed to help handle complaints.

To fulfil our legal obligations and manage legal claims

Activity: Keeping records of health and safety incidents in our stores

Types of data: Behavioural and Incident Data, Contact Data, Identity Data, Image Data and Sensitive Personal Data.

Lawful grounds: Legal requirement under health and safety laws, Legitimate Interests (to protect M&S and its customers, employees, directors and shareholders), Legal claims.

Sharing: Law enforcement agencies (C), Health and Safety Executive (UK) (C), Health & Safety Authority (Ireland) (C), Courts (C).

Activity: Keeping records to meet tax requirements such as VAT relief declaration forms.

Types of data: Payment Data, Transaction Data

Lawful ground: Legal requirement under tax laws, Legitimate Interests (effective financial controls and operational processes).

Sharing: Office of the Revenue Commissioners (Ireland) (C), HMRC (UK) (C)

Activity: To inform you about product recalls or other similar product quality issues

Types of data: Contact Data, Identity Data, Transaction Data

Lawful grounds: Legal requirement under product safety regulations, Legitimate interests (protecting customers from harm).

Sharing: Local authorities and Environmental Health Officers (C), The Food Standards Agency (C) and Food Safety Authority of Ireland (C).

Activity: To comply with our legal obligations in connection with the sale of age restricted products.

Types of data: Contact Data, Identity Data, Transaction Data.

Lawful ground: Legal requirement under licensing and offensive weapons legislation.

Sharing: N/A

Activity: Complying with court disclosure requirements including under legal proceedings.

Types of data: This depends on the scope of the order.

Lawful ground: Legal requirement.

Sharing: Law firms (C), HM Courts & Tribunals Service (UK) (C), Director of Public Prosecutions (Ireland) (C).

Activity: To manage legal claims made by customers.

Types of data: This depends on the nature and type of claim.

Lawful ground: Legitimate Interests (to defend ourselves from legal claims).

Sharing: Law firms (C).

Activity: If we sell or transfer any parts of our business to third parties or we acquire new businesses then we will acquire or disclose personal data as required.

Types of data: All categories could be transferred.

Lawful ground: Legitimate Interests (necessary to allow the relevant part of the business to be valued, transferred or operated smoothly).

Sharing: This will depend on the acquisition or disposal.

To manage your shareholding interest in M&S

Activity: If you hold shares in M&S we will process your personal data to:

  • allow you to exercise your rights as a shareholder;

  • pay dividends or other similar payments;

  • keep our shareholder register up to date (for example where you move address or change your name);

  • contact you with shareholder related information, including important information about dividend distributions, shareholder resolutions, reports and meetings, including details of our Annual General Meeting; and

  • address any queries you raise with us.

Types of data: Contact Data, Financial Data, Identity Data and Shareholder Data.

Lawful grounds: Legal obligations, including those under the Companies Act 2006. Legitimate Interests (to operate and improve our business and keep our shareholders informed about our products and services).

Sharing: Equiniti (our registrar). Regulators and related bodies who regulate how we operate; these include the Financial Conduct Authority (C) and the London Stock Exchange (C).

International transfers

Our main operations are based in the UK, and your personal data is generally processed, stored and used within the UK. However, we work with partners that operate in, or from, various countries worldwide. This means that your information will be transferred to, or accessed from, a country outside of your country of residence. For example, we operate a customer contact centre in South Africa and staff in this location will have access to your account data to assist you with your query. We also work with suppliers and partners who make use of Cloud and/or hosted technologies across multiple geographies.

When we transfer your personal data to, or make it accessible from, countries outside of the UK and Ireland we must meet certain requirements. We meet these requirements in one of the following ways.

  1. Protection by local law. The UK government and European Commission consider some countries safe to transfer your personal information since they have adequate data protection laws. The UK’s list is here and the European Commission’s is here. For our customers in the UK and Europe we can, where needed, freely transfer your personal information to these countries.

  2. Protection by other safeguards. We can also transfer personal information to countries that have not been assessed as adequate if we use appropriate safeguards. The main safeguards we use are:

  • regulator-approved Standard Contractual Clauses (Those clauses can be accessed here (opens a PDF file) and here)

  • additional contractual, organisational, and technical measures (as required following a risk assessment of the transfer).

How long we keep your data

How long we keep your data depends on the purpose for which we collected it.

  • We keep CCTV footage on our systems for up to 30 days. Where accidents, incidents, criminal activities or breaches of our policies are recorded, we will keep CCTV footage for longer - but only as long as necessary.

  • Information about purchases might be kept for up to 7 years after the transaction to allow us to investigate fraud and handle legal claims.

  • Incidents recorded on our retail crime platform are kept for 4 years.

  • Accident records are kept for up to 10 years or longer for legal claims, or where a minor is involved until they turn 18.

  • Records relating to furniture orders are kept for 10 years for product guarantee purposes.

Keeping your data secure

We ensure that personal data is secure by continuously developing our security systems and training for our employees. We have implemented appropriate technical and organisational security measures designed to protect your personal data in accordance with applicable law.

Your data rights

You have the right to:

  • ask for a copy of personal data that we hold about you (the right of access);

  • request that we delete personal data held on you where we no longer have a valid reason to retain it (the right of erasure or to be forgotten);

  • ask us to update and correct any out-of-date or incorrect personal data that we hold about you (the right of rectification);

  • opt out of any marketing communications that we may send you and to object to us using/holding your personal data for direct marketing purposes or otherwise if we have no legitimate reasons to do so (the right to object);

  • ask us to ‘restrict processing of data’ which means that we would need to secure and retain the data for your benefit but not otherwise use it (the right to restrict processing); and

  • ask us to supply you with some of the personal data we hold about you in a structured machine-readable format and/or to provide a copy of the data in such a format to another organisation (the right to data portability).

To exercise your right to opt out of marketing communications you can:

  1. change your marketing preferences via your M&S online account;

  2. use the “unsubscribe” link in emails or the “STOP” number for texts; and/or

  3. contact M&S via the contact channels set out in this Notice.

Privacy complaints

To raise a data protection complaint or concern or otherwise to communicate with our Data Protection Officer’s team, please contact us using the contact details set out below.

You always have the right to complain to the relevant data protection regulator. For UK residents this is the Information Commissioner’s Office (https://ico.org.uk) and for Republic of Ireland residents it is the Data Protection Commissioner (https://www.dataprotection.ie/).

Although you can complain to the relevant data protection regulator without speaking to us first, they expect you to raise the issue with us first, so if you haven’t already, please contact us at generaldataprotectionrequests@customer-support.marksandspencer.com and we will try and help.

Changes to this Notice

This Privacy Notice was last updated in May 2026. Any changes we may make to our Privacy Notice in the future will be posted on this page. If we make material changes we will notify you.

Published 05/05/2026