Data Privacy

Pandora A/S and its group companies (together referred to as Pandora) are committed to protecting personal data and to maintaining high standards of privacy and information security across our global operations. This page gives prospective suppliers an overview of Pandora's approach to data privacy and the expectations that may apply when working with us. It is intended to support informed decision-making before onboarding or participating in a tender.

Pandora's Privacy Commitment

Pandora processes personal data in accordance with applicable data protection laws and regulations, including the EU General Data Protection Regulation (GDPR) where applicable. We are committed to transparency, accountability, and safeguarding personal data throughout our value chain.

Core Privacy Principles

Pandora's data privacy approach is guided by the following principles:

  • Lawfulness, fairness, and transparency: personal data is processed only for legitimate purposes and in a transparent manner
  • Purpose limitation: data is collected for specified, explicit purposes
  • Data minimization: only data necessary for the intended purpose is processed
  • Accuracy: reasonable steps are taken to ensure data is accurate and up to date
  • Storage limitation: data is retained only as long as necessary
  • Integrity and confidentiality: appropriate security measures are applied
  • Accountability: responsibilities for data protection are clearly defined

Supplier's Data Use

Depending on the nature of the engagement, suppliers may have access to or process limited categories of personal data on behalf of Pandora.

This may include, for example:

  • Business contact details
  • Information about employees, customers, consumers and visitors
  • User or account information related to supplier systems
  • Operational or transactional data containing personal identifiers

The exact scope of data processing will depend on the specific services provided and is defined during onboarding or contract discussions.

Data processing agreement

When a supplier processes personal data on behalf of Pandora, a Data Processing Agreement (DPA) is required.

  • DPAs are addressed during the onboarding or contracting phase, not at the pre-tender stage
  • Pandora's DPA template is based on the EDPB-approved standard text (exceptions may apply in jurisdictions outside the EU/EEA)
  • Pandora uses standard contractual clauses for international transfers, aligned with applicable data protection laws
  • Whether a DPA is needed is assessed based on the supplier's data protection role (for example, whether it processes personal data on Pandora's behalf as a processor)

For questions about DPAs or data protection roles, suppliers may contact Pandora using the details below.

Supplier's privacy responsibilities

Suppliers working with Pandora are expected to:

  • Process personal data only in accordance with applicable laws and contractual instructions
  • Maintain appropriate confidentiality and security safeguards
  • Ensure that access to personal data is limited to authorized personnel
  • Support Pandora in fulfilling data protection obligations, where relevant
  • Communicate any data protection concerns or incidents to Pandora without undue delay

Detailed requirements and obligations are communicated as part of onboarding and contractual commitments.

Information Security Expectations

Pandora expects suppliers to apply risk-based technical and organizational security measures appropriate to the nature of the services provided.

These may include:

  • Access controls and user management
  • Protection against unauthorized access or data loss
  • Secure handling and transmission of data
  • Incident detection and response capabilities

Security requirements are proportionate to the type and risk level of the engagement. Specific security requirements are set out in the DPA and depend on the nature of the processing taking place.

Data Retention and Deletion

Pandora retains personal data only for as long as necessary to fulfill its business and legal obligations.

Suppliers are expected to:

  • Retain personal data only for the agreed duration
  • Securely delete or return personal data at the end of the engagement, as contractually agreed

Specific retention and deletion obligations are defined in contracts and DPAs where applicable.

Data Subject Rights

To comply with data subject rights under applicable data protection laws, Pandora expects suppliers to have appropriate technical and organizational measures in place so that they can promptly support Pandora in fulfilling such rights. This includes, but is not limited to, requests relating to access, deletion, rectification, objection and restriction of processing of personal data.

Where applicable, Pandora and the supplier will agree on a Standard Operating Procedure (SOP) for handling data subject rights requests effectively.

International Data Transfers and Sub-Processors

Where personal data is transferred outside the country or region in which it was originally collected, suppliers must ensure that appropriate safeguards are in place in accordance with applicable data protection laws.

This may include, where relevant:

  • Transfer mechanisms such as adequacy decisions, standard contractual clauses or binding corporate rules (BCRs)
  • A Transfer Impact Assessment (TIA) or equivalent assessment
  • Implementation of supplementary measures where required

Pandora may request confirmation of these safeguards, including copies or summaries of TIAs or similar assessments, during onboarding or contracting, depending on the nature and risk level of the engagement.

Where a supplier engages third parties, such as affiliates and sub-processors, to support the delivery of services to Pandora, the supplier remains responsible for ensuring that such arrangements meet applicable data protection requirements.

Suppliers are expected to:

  • Maintain appropriate oversight of third parties processing personal data related to Pandora
  • Ensure that all third parties processing personal data are bound by at least the same contractual obligations as agreed between Pandora and the supplier, including confidentiality and data protection requirements
  • Inform Pandora, where applicable, of the use of third parties involved in the processing of personal data

Incident and Breach Notification

Suppliers are expected to notify Pandora without undue delay of any actual or suspected personal data breach or security incident affecting Pandora data.

Detailed notification timelines and procedures are established in DPAs where applicable. Breaches are reported through the designated channel below:

Report a security incident (incl. personal data breach)

Tools and Systems

During onboarding, tendering, or collaboration, Pandora may use third-party platforms (such as procurement, contract management, or collaboration tools) to exchange information with suppliers. These platforms are selected with privacy and security considerations in mind.

Contact & Support

For questions specifically related to data privacy, please contact:

[email protected]

Please note: security-related questions should be directed to the Security team, and questions about supplier responsibilities should be sent to the Procurement team.