PERSONAL DATA PROTECTION POLICY – SG
The Singapore Personal Data Protection Act 2012 (the “PDPA”) protects the personal data of individuals, i.e. natural persons.
Quarz Capital/Black Crane Capital is responsible for the personal data of all individuals in our possession or under our control.1 Every current, former and prospective client, employee, business partner (including agents and third party service providers) and any other individuals who have dealings with Quarz Capital/Black Crane Capital] and our other group companies (collectively, the “Company”, “we”, “our” or “us”) has legal rights to personal data protection.2 We respect these rights when collecting, using, transferring, storing, accessing and correcting personal data. It is our policy to comply with the requirements of the PDPA. In doing so, we ensure our adherence with industry standards pertaining to the security and confidentiality of personal data. In case of doubt, we shall consider what a reasonable person would deem appropriate in the circumstances.3 A strong personal data protection policy further boosts our clients’ confidence in the discretion of our services and enhances our public image.
The PDPA applies to activities involving personal data in Singapore. Where personal data is collected overseas and subsequently transferred into Singapore, the PDPA will apply in respect of the activities involving the personal data in Singapore.4 Personal data collected outside Singapore may be subject to the data protection laws of the jurisdiction in which it was collected, if any, and all collection carried out by the Company shall be in accordance with applicable laws.
The PDPA is intended to be the baseline law which operates as part of Singapore law. It does not supersede existing statutes, such as the Security and Futures Act and the Financial Advisers Act, but will work in conjunction with them and the common law. To the extent that any PDPA provisions on data collection, protection, use and disclosure is inconsistent with the provisions of other written laws, note that the provisions of the other written law shall prevail.5
Personal data refers to data, whether true or not, about a natural person who can be identified from that data, or from that data and other information to which we have or are likely to have access. The data may be in electronic or non-electronic form.
Examples (non-exhaustive) of such personal data include:
NRIC, FIN, passport or other identification numbers;
Mobile, residential or other contact numbers;
Age/Date of birth;
Financial information, such as amount of assets under management or transaction-related information;
Photos and videos/voice recording;
Business contact information is not subject to the rules on data protection, collection, use and disclosure.6 Business contact information means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his/her personal purposes.7
INFORMATION AND CONSENT
General Requirement for Informed Consent
We shall not collect, use or disclose an individual’s personal data beyond what is reasonable to provide our service(s) or product(s) to him/her8 or to work with him/her.9
We shall inform the individual of the purpose(s) for collecting, using and disclosing of his/her personal data and obtain consent (except if legally exempted) for the collecting, using and disclosing of the personal data. The information we provide concerning the purposes shall be, as far as is reasonably practicable, true, accurate and complete.
We shall inform the individual and obtain his/her consent for any other purpose of the use or disclosure of his/her personal data of which he/she has not yet been informed and agreed to, prior to such use or disclosure.10
As best practice, we shall use our best endeavours to obtain written consents. In situations where we receive verbal consent, we shall use our best endeavours to document such verbal consent internally for records purposes.
An individual is deemed to consent to the collection, use or disclosure of personal data about him/her by us for a purpose not specifically informed to him/her, if:
(a) the individual, without actually giving consent, voluntarily provides the personal data to us for that purpose; and
(b) it is reasonable that the individual would voluntarily provide the data.
There are certain exemptions from the consent requirement. These are set out below in Exemptions from the Consent Requirement.
In relation to Clients & Prospective Clients
Deemed Consent from Prospective Clients
In the case where, during prospecting and preliminary discussions, the prospective client voluntarily provides his/her personal data with a view to engaging our asset management services , he/she is deemed to consent to the Company collecting, using and disclosing this personal data for presenting our asset management services to him/her and providing preliminary assessments.11 The Relationship Manager shall also inform the prospective client about the structure of our group companies and the manner in which we may co-operate and share information amongst group companies.
Provision of Consent by Clients
In the process of on-boarding the client, the Relationship Manager shall ensure that the asset management agreement executed by such client includes the purposes of us collecting, using, disclosing, processing and maintaining personal data of an individual customer, an individual appointed to act on behalf of a customer, an individual connected party of a customer or an individual beneficial owner of a customer.
By signing our asset management agreement, the client provides consent to our collection, use and disclosure of his/her personal data for the purposes specified in the asset management agreement, in particular asset management services.
Representation of Third Party Consents
In order for us to provide our asset management services to clients and for the purposes of complying with the MAS Notices on Prevention of Money Laundering and Countering the Financing of Terrorism (“AML/CFT”), clients are required to provide us with personal data of certain third party individuals, e.g. that of their family members, persons they have business dealings with, or persons that are a source of their wealth.
It is the responsibility of the client or prospective client (as applicable) to ensure that his/her disclosure of such third party personal data for the purpose(s) of possibly establishing a business relationship with us and/or engaging our services is consented to by such third parties, in accordance with applicable laws.
If the client or prospective client has consent from the third parties to use and/or disclose their personal data for the purpose of engaging in preliminary discussions with us and/or engaging our services, such third parties are also deemed to consent to our collection and use of their personal data for the same purposes.12 Notably, the third party may be deemed to consent to the disclosure of his/her personal data by the client or prospective client (as applicable) for the purposes of the client or the prospective client engaging our services, if the third party voluntarily gave his/her personal data to the client or prospective client for this purpose and it is reasonable that such third party would voluntarily provide this data.13
In relation to Current, Prospective or Former Employees
Exemptions to Consent Requirement due to Employment-Related Purposes
A number of exemptions apply to the general consent requirement in the context of the employer-employee relationship. These are described below in Exemptions from the Consent Requirement.
Deemed Consent from Prospective Employees
In the case where, during the course of applying for a position with the Company, a prospective employee voluntarily provides personal data to us, he/she is deemed to consent to the Company collecting, using and disclosing this personal data for making our hiring and/or staff management decisions with respect to him/her.14 The personnel handling the hiring process shall also inform the prospective employee about the structure of our group companies and the manner in which we may co-operate and share information amongst group companies.
Provision of Consent by Employees
All employees shall indicate their consent to the Company’s collection, use and disclosure of their personal data for the purposes set out in the “Consent to Our Processing of Your Personal Data” by signing our employment agreement.
In relation to Third Parties with No Direct Dealings with Us
Introducers and Referrors: Deemed Consent of Prospective Clients
From time to time, we work with individuals and/or entities who introduce or refer us to prospective clients who may engage our services (collectively, the “Introducers”).
The Introducers shall obtain the consent of such prospective clients (whether actual or deemed consent) to the disclosure of the prospective clients’ personal data to us for the purposes of introducing our services and evaluating whether or not a business relationship may be established between us and the prospective clients.15
The prospective clients are then deemed to have consented to the collection and use of their personal data by us, from the Introducers, for the same purposes.16
Exemptions from the Consent Requirement for Data Collection, Use & Disclosure
Subject to applicable laws, notable exemptions from the consent requirement for collection, use and/or disclosure of personal data include the following17 :
• when the personal data is publicly available18;
• when the use and/or disclosure is necessary for any purpose which is clearly in the interests of the individual, if consent for its use or disclosure cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
• when such data collection, use and/or disclosure is necessary for evaluative purposes19;
• when such data collection, use and/or disclosure is necessary for any investigation or proceedings, if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data;
• when the disclosure is to a public agency and such disclosure is necessary in the public interest; or
• specifically in relation to clients, prospective clients and their representatives:
o for the purposes of complying with our anti-money-laundering and countering-the-financing-of-terrorism (“AML/CFT”) obligations, such as in the course of our performing client due diligence, we may, directly or through a third party, collect, use, and disclose personal data of the client, prospective client, individuals appointed to act on behalf of the client or persons holding executive powers at corporate clients20 without the respective individual’s consent21; or
specifically in relation to current or prospective employees:
o when the personal data is included in a document produced in the course, and for the purposes, of the individual’s employment, business or profession; and collected for purposes consistent with the purposes for which the document was produced; or
o when the personal data is collected by us and the collection is reasonable for the purpose of managing or terminating our employment relationship with the individual.
We are committed to implementing strict physical, electronic, administrative and procedural safeguards to protect personal data in our possession or under our control against loss, misuse, damage and unauthorized access, modifications or disclosures, at each stage of data collection, processing22, retention and disclosure including (without limitation):
requiring all employees to be bound by confidentiality obligations as stated in the Quarz Capital/Black Crane Capital Compliance and Operational Risk Manual;
• implementing robust staff policies and procedures (with disciplinary consequences for breaches) regarding confidentiality obligations;
• storing confidential documents in locked file cabinet systems;
• restricting employee access to confidential data on a need-to-know basis;
• restricting access to our physical premises only to authorized personnel;
• requiring that our working desktops and information systems are password-protected; and
• sensitive data is segregated and access is limited to authorised users only.
INVOLVEMENT OF THIRD PARTIES
In the course of our business operations, personal data in our possession or under our control may be collected, processed and disclosed23, pursuant to written contracts, on our behalf by third parties such as the following:
other group companies;
• third party agents, contractors or service providers who provide operational services such as courier services, telecommunications, information technology, payment, printing, billing, processing, technical services, security and other services; and
• professional advisers such as auditors and lawyers.
Such parties are our data intermediaries.24
The Compliance Officer shall ensure, via our contracts with such third parties, that the data intermediaries handle the personal data in accordance with this Policy25, particularly in relation to the protection and retention of personal data.
In the course of our business dealings with Introducers, where we seek to collect and use personal data about prospective clients from them, we shall provide the Introducers with sufficient information concerning the purposes for which we seek the personal data, to allow the Introducers to determine whether their disclosure of the personal data of prospective clients to us would be in accordance with applicable laws.26
Processing of Personal Data for Other Organisations
Where we handle personal data on behalf of any other organisation, including but not limited to other group entities, this Policy shall apply to our handling of such personal data, too.
TRANSFER TO OTHER JURISDICTIONS
As a matter of practice we do not transfer personal data in our possession or under our control outside of Singapore.
In the event such a transfer is approved by management to proceed, prior to such transfer, the Compliance Officer shall take reasonable steps to verify that the overseas receiving party(s) have in place, a standard of protection for the transferred data equal to or higher than that set out in this Policy, in adherence with applicable laws and cross-border data protection policies.27
When personal data is transferred overseas, the Compliance Officer or Relationship Manager shall inform the affected individuals of the extent to which their personal data will be protected in the foreign jurisdiction(s) to which the data will be transferred and seek their consent.
We shall not collect, use or disclose any personal data on any prospective client, client, prospective employee, employee, business partner or any other individual without having obtained the individual’s consent and only for purposes the individual has been informed about, unless an exemption provided by statutory regulations, in particular in the PDPA and the Notice to Capital Markets Intermediaries on Prevention of Money Laundering and Countering the Financing of Terrorism (“SFA04-N02”), as indicated in this Policy applies.
In our operations we may monitor and record physical and communicative interaction concerning or involving the Company, including in the following manners:
monitoring and/or recording of voice calls with clients and banks for employee training and performance evaluation, identity verification and, most of all, control purposes;
• monitoring and/or recording of internet use; and
• carrying out closed circuit television cameras (“CCTVs”) surveillance and conducting security clearances to manage the safety and security of our premises and services.
Generally, we shall inform all concerned individuals that we are carrying out the monitoring of and recording of information, be it data, video or voice.
In relation to CCTVs, we shall place notifications of CCTV deployment in prominent locations within our office in order to enable individuals to have sufficient awareness of the CCTVs and to inform such individuals of the purpose for which we deploy CCTVs. The placement or content of the notifications need not reveal the exact location of the CCTVs.
Duty to determine Accuracy and Completeness
We shall, as far as reasonably practicable, ensure that personal data collected by or on behalf of us is accurate and complete, particularly in the case where:
(a) an individual’s personal data is likely to be used by us to decide a matter that affects him/her, e.g. on-boarding a new client, or making a hiring decision; or
(b) we are likely to disclose such personal data to another organization, e.g. when assisting a client to open an account at a custodian bank.28
We may presume personal data provided directly to us by concerned individuals is accurate in most circumstances.29 As best practice, our on-boarding and employment documentation process shall include a representation and warranty by all clients and employees, that the personal data provided by them is accurate and complete, as well as research where appropriate or legally required.
From time to time, the Compliance Officer shall review all data and take steps to verify that the personal data in our possession and under our control remains up to date and, if necessary, update the relevant data.
RETENTION OF PERSONAL DATA
We shall retain personal data for as long as it is reasonable to assume the need for retention, to fulfil the purposes for which such data was collected, our business purposes, or as is otherwise required under any applicable laws. This Policy is subject to our rights and obligations under applicable laws to ensure retention of records which may contain personal data as well as the Company’s archiving and records retention policies.30
(a) under the Quarz Capital/Black Crane Capital Compliance and Operational Risk Manual, corporate records are kept for a period of not less than 6 years from the date on which they were first produced;
(b) under the AML/CFT laws and regulations presently in force, we are required to retain records which may contain clients’ personal data for at least 5 years following termination of our business relations or at least 5 years following the completion of relevant client transactions (as applicable31;
(c) under the Companies Act, we are required to retain accounting records which may contain personal data of individuals for at least 5 years from the end of the financial year in which the relevant transactions or operations are completed32; and
(d) under the Income Tax Act and the Goods and Services Tax Act, we are required to keep our business records for a period of at least 5 years.33
As soon as the expiry of (i) validity of the purposes for which personal data was collected; and (ii) all records retention obligations under applicable laws and our business needs, may be reasonably assumed, on approval by management and the Compliance Officer, we shall erase or destroy our documents and other media containing personal data, or remove the means by which the personal data can be associated with particular individuals.
All data that contains personal data which should no longer be retained shall either be destroyed or any personal data therein erased.
In the event of extenuating circumstances which require us to retain certain personal data beyond its usual retention timeframe, e.g. if the client is involved in an on-going AML/CFT investigation, or if the Company is engaged in an legal dispute, we shall preserve such data as long as is reasonably necessary, such as until the AML/CFT investigation is concluded or the legal dispute is settled.
In the case of a contemplated business asset transaction34, should personal data of the employees, clients, directors, officers or shareholders of the prospective counterparty have been collected, and such business asset transaction did not proceed or complete, we shall destroy, or return to the prospective counterparty, all such personal data collected.35
Prohibition Against Cold Calling or Any Other Similar Marketing Technique
We do not engage in the cold calling strategy for lead generation or to make unsolicited offers, in any other similar manner or via any other similar medium including text messaging, of our services.
WHO WE MAY DISCLOSE CLIENTS’ PERSONAL DATA TO
Generally, we shall protect and keep confidential personal data of our clients and prospective clients. However, subject to applicable laws, we may disclose such personal data to parties such as those set out below:
our group companies;
• banks, financial institutions, credit card companies and their respective service providers;
• companies providing services relating to insurance and/or reinsurance to us, and associations of insurance companies, including the Life Insurance Association Singapore;
• agents, contractors or third party service providers who provide services to us such as telecommunications, call centre, mailing, information technology, payment, payroll, data processing, training, market research, storage and archival;
• our professional advisers such as our auditors and lawyers; and
• regulators and authorities.
Who We May Disclose Current, Prospective or Former Employees’ Personal Data to
Without limitation, parties to whom current, former or prospective employees’ personal data may be disclosed include:
other group companies;
• vendors, landlords, agents and representatives;
• regulators, authorities, professional bodies;
• other financial institutions; and
• employees’ representatives.
ACCESS TO PERSONAL DATA, CORRECTION OF PERSONAL DATA AND WITHDRAWAL OF CONSENT
Request for Access to Personal Data and/or Correction of Personal Data
Any individual may request us in writing to grant him/her access to his/her personal data and/or to correct an error or omission in his/her personal data.36
The Compliance Officer shall first identify the person making the request and ensure that this person is authorised to access the personal data, in particular personal data regarding clients and prospective clients.37
Access to Personal Data
The Compliance Officer shall collect the personal data to which access is requested. He/She shall submit the collected data to senior management for consent before disclosing it to the applicant.
Generally, we shall, as soon as reasonably practicable and as accurately and completely as reasonably possible, provide the applicant with his/her personal data in our possession or controlled by us within 15 business days after receiving the request.
However, there are certain circumstances under which we may be prohibited from providing access or we may in our discretion, deny access requests.
For example, we are prohibited from providing an individual access if the provision of the data could reasonably be expected to38:
threaten the safety or physical or mental health of another individual;
• reveal personal data about another individual;
• reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his or her identity; or
• be contrary to national interest.39
We may also at our discretion deny access requests to personal data if40:
• it is opinion data kept solely for an evaluative purposes. For example, we need not provide access to records of the Company’s opinions formed about a potential employee in the course of interviewing him/her to determine suitability and eligibility for the position;
• the disclosure of the information would reveal confidential commercial information that could harm our competitive position; or
• it is related to an on-going prosecution or on-going investigation, in which case we may, if necessary, refuse to confirm or deny the existence of such personal data.41
Where the individual is not to be granted access to portions of the personal data, we shall omit such data while still providing the individual access to the other personal data.42
The Compliance Officer shall make efforts to verify if the requested amendments are true, accurate and complete. He/she shall submit his/her findings to senior management for consent.
If no good reason to the contrary is detected, the Compliance Officer shall correct the personal data as soon as practicable to do so and send the corrected data to every organisation to which we have.
If other organizations notify us of corrections to be made to personal data in our possession or under our control, we shall make the necessary corrections as soon as practicable to do so, unless we have good reason to believe such correction should not be made.43
In the case where we have good reason to reject making the requested amendments, we shall annotate the relevant personal data to reflect the amendments requested but not made.44
We need not correct personal data on request if the request is in respect of opinion data kept solely for an evaluative purposes or data related to an ongoing prosecution.45
Limited Exception: Access and Correction Requests from Clients
Where clients, prospective clients, individuals appointed to act on their behalf or persons holding executive powers at corporate clients are concerned, for purposes of complying with our AML/CFT obligations, we need not:
(a) provide any access to their personal data in our possession or under our control, or any information on how we may have used or disclosed such personal data; and
(b) correct any error or omission in such personal data,
except if they seek access to the following types of personal data:
(1) full name including any alias;
(2) unique identification number, such as identity card number, birth certificate number or passport number;
(3) existing residential address and contact telephone number(s);
(4) date of birth;
(5) nationality; or
(6) any other personal data supplied by them
they request to correct an error or omission in relation to these types of data, and we are satisfied that there are reasonable grounds for the correction request.46
Withdrawal of Consent
At any time, by giving us prior written notice, an individual may withdraw any actual or deemed consent in respect of our collection, use or disclosure of his/her personal data.47
On receipt of such notice of withdrawal we shall first highlight the consequences of withdrawal to the individual concerned even if those consequences have been set out somewhere else.48 Thereafter, should the individual still wish to proceed, we shall, as soon as is reasonably practicable, cease the collection, use or disclosure of such personal data. Concerned data intermediaries and third party service providers must also be informed of the withdrawal and we shall ensure that they cease collecting, using or disclosing such personal data for our purposes.49
Despite withdrawal, we are not required to delete or destroy the personal data upon request and may continue to retain such data in accordance with this Policy.50 In particular, we shall retain personal data where we have a legal obligation to maintain records.51
Likely Consequences of Withdrawal of Consent by Prospective Clients
In the event of notification by a prospective client of withdrawal of his/her consent, the Relationship Manager shall advise such prospective client that we will discontinue the on-boarding process.52
Likely Consequences of Withdrawal of Consent by Clients
In the event of notification by a client of withdrawal of his/her consent, the Relationship Manager shall advise such client of the likely consequences of such withdrawal, including the probable limitation or cessation of the asset management services we are able to provide to him/her.53
Likely Consequences of Withdrawal of Consent by Prospective Employees
In the event of notification by a prospective employee of withdrawal of his/her consent, we shall advise him/her that we will discontinue the hiring process.54
Likely Consequences of Withdrawal of Consent by Current Employees
Current employees are advised that in the event of such withdrawal of consent, we reserve the right to terminate the employment relationship, reassign such employees’ current responsibilities and/or transfer such employees to a different role.55Moreover, salary payments and benefits may be delayed or may not be provided anymore.
In the event an individual submits a complaint in connection with our handling of his/her personal data, the Compliance Officer shall acknowledge in writing the receipt of such complaint.
Within 7 business days, the Compliance Officer shall contact the individual to inform him/her if it becomes apparent that the complaint cannot be resolved and that the matter is still being investigated. The Compliance Officer shall then investigate the complaint and submit the findings to senior management for consent. The Compliance Officer will use all efforts to ensure that the complaint is satisfactorily resolved within 28 days of the initial reporting.
Disclosure of Policy and Procedures
We shall provide to all concerned individuals information on our personal data protection policies and practices in the following manners:
(a) incorporating information on our personal data protection policies and practices in our legal documentation, such as the asset management mandates and employment contracts; and
(b) dispatching of letter updates to the concerned individuals informing of legal or policy updates to our personal data protection policies and practices.
Officer in Charge of Personal Data Protection
Our Compliance Officer is our designated responsible person in charge of ensuring that the Company complies with this Policy and the PDPA at all times.56 He/She is also the point of contact for all matters related to personal data protection. Should any employee who is not the Compliance Officer receive requests from individuals concerning personal data protection, they are to forward these requests to the Compliance Officer immediately.
On request by any person, the Company shall provide him/her with the business contact information of the Compliance Officer.57
At the end of each financial year, a review of personal data in our possession and under our control, this Policy and our execution thereof shall be conducted to:
(a) affirm that the collection, use and disclosure of the data is limited only to purposes that we have obtained consent for;
(b) affirm the classification of the personal data held by us to ensure that our employees, third party service providers and business partners are accessing such data only on a need-to-know basis;
(c) enhance our data security policies and security measures to ensure a consistently high level of security;
(d) affirm that contractual provisions are in place to ensure proper safeguards in respect of personal data disclosed to our third party data intermediaries; and
(e) affirm the work carried out by the Compliance Officer, in particular the proper removal of personal data which are no longer subject to any retention requirements.
Such review may be carried out either by management or by internal or external auditors.
1See Sec. 11(2) PDPA.
2In this Policy, “group companies” means Quarz Capital/Black Crane Capital and/or any of its subsidiaries, parent companies, affiliates, associated entities and any of their branches and offices and their subsidiaries, parent companies, affiliates, associated entities and any of their branches and offices.
3See Sec. 11(1) PDPA. Under guidelines issued by the Personal Data Protection Commission, a “reasonable person” is judged based on an objective standard and can be said to be a person who exercises the appropriate care and judgement in the particular circumstances.
4See Sec.11.1 Advisory Guidelines On Key Concepts In The PDPA.
5See Sec. 4(6)(b) PDPA.
6See Sec. 4(5) PDPA.
7See Sec. 2(1) PDPA.
8 See Sec. 14(2)(a) PDPA.
9 See sec. 11(1) PDPA.
10See Sec. 14(1), 20(1)(b) PDPA.
11See Sec. 15(1) PDPA.
12See Sec. 15(2) PDPA.
13See Sec. 15(1) PDPA.
14See Sec. 15(1) PDPA.
15See Sec. 15(2) PDPA.
16See Sec. 15(2) PDPA
17Please refer to Sec. 17 PDPA and Schedules 2, 3 & 4 to the PDPA for the full list of exemptions.
18“publicly available” means personal data generally available to the public and includes personal data which can be observed by reasonably expected means at a location or an event at which the individual appears and that is open to the public.
19“evaluative purpose” means (a) for the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates (i) for employment or appointment to office; (ii) for promotion in employment or office or for continuance in employment or office; (iii) for removal from employment or office; or (iv) for the awarding of contracts, awards or other similar benefits; or (b) for the purpose of determining whether any contract, award or other similar benefit should be continued, modified or cancelled.
20See the definition of “connected party” in para. 11(1)(c) SFA04-N02.
21See Para. 11(4) SFA04-N02.
22Sec. 2(1) PDPA sets out the definition of “processing”. “Processing”, in relation to personal data, means the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following: (a) recording; (b) holding; (c) organisation, adaptation or alteration; (d) retrieval; (e) combination; (f) transmission; (g) erasure or destruction.
23See Note 20 for the definition of “processing”.
24Sec. 2(1) PDPA defines “data intermediary” as ‘an organization which processes personal data on behalf of another organization but does not include an employee of that other organization”.
25See Sec. 4(3) PDPA.
26See Sec. 20(2) PDPA.
27See Sec. 26(1) PDPA, Reg. 9 PDP Regulations 2014.
28See Sec. 23 PDPA.
29See Sec. 16.6 Advisory Guidelines On Key Concepts In The PDPA.
30See. Sec.25 PDPA.
32See Sec.199 of the Companies Act (Cap.50, 2006 Rev.Ed.).
33See Sec.67 Income Tax Act (Cap.134, 2014 Rev.Ed.), Sec.46(2) Goods and Services Tax Act (Cap.117A, 2005 Rev.Ed.).
34“business asset transaction” means the purchase, sale, lease, merger or amalgamation or any other acquisition, disposal or financing of the Company or any part thereof or of any of our business or assets other than the personal data to be disclosed.
35See Para. 3(4) of the Second Schedule to the PDPA.
36See Reg. 3(1) PDP Regulations.
37See Reg. 3(1) PDP Regulations.
38For the full list of prohibitions see sec. 21(3) PDPA.
39See Sec. 21(2),(3) and (4) PDPA.
40For the full list see 5th Schedule to the PDPA.
41See Reg. 6 PDP Regulations.
42See Sec. 21(5) PDPA.
43See Sec. 22(4) PDPA.
44See Sec. 22(5) PDPA.
45See 6th Schedule to the PDPA.
46See Para.11 SFA04-N02.
47See Sec. 16(1) PDPA.
48See Sec 12.46 Advisory Guidelines On Key Concepts In The PDPA.
49See Sec. 12.47 Advisory Guidelines On Key Concepts In The PDPA.
50See Sec. 12.49 Advisory Guidelines On Key Concepts In The PDPA.
51See Retention of Personal Data.
52Pursuant to Sec. 16(2) PDPA.
53Pursuant to Sec. 16(2) PDPA.
54Pursuant to Sec. 16(2) PDPA.
55Pursuant to Sec. 16(2) PDPA.
56See Sec. 11(3) PDPA.
57See Sec. 20(1)(c) PDPA.
PERSONAL DATA PROTECTION POLICY – HK
The Personal Data (Privacy) Ordinance (“PDPO”) provides individual with rights to the protection of their personal data. Organisations must implement good personal data management practices and procedures to comply with the requirements of the data protection principles (“DPP”) of the PDPO. The DPP requirements are listed below for reference:
Principle 1 – Purpose and manner of collection
Principle 2 – Accuracy and duration of retention
Principle 3 – Use of personal data
Principle 4 – Security of personal data
Principle 5 – Information to be generally available
Principle 6 – Access to personal data
In accordance with the DPP requirements, Employees are required to abide by the following practices and procedures:
Client’s personal information (information that allows the client to be identified e.g. client’s identification and contact details) collected by an Employee shall only be use for the purposes (“Purpose”) explained to the client at the time of collecting such personal information.
2. The information to bee collected from a client must be clearly set out in the relevant personal information collection document. The Company must also notify clients as to how they may access, correct or update personal information held by the Company.
3. Clients are entitled to access, correct or update personal information collected by the Company. If a client wishes to access, correct or update personal information, he/she may do so in writing addressed to the Compliance Officer of the Company.
4. All personal information held by the Company will be kept for the period necessary for the carrying out of the Purpose.
5. No personal information of any client may be disclosed to any third party by an Employee and/or the Company without the client’s prior consent, except as required by law or unless reasonably necessary for fulfilling the Purpose.
PROTECTION OF EMPLOYEE DATA
Under the definitions in the Ordinance, “personal data” includes much of the data you provide in the employment process as well as personal data, which is subsequently collected and held by the Company during your employment. The following information is provided to you under the terms of this ordinance.
You will be informed if it is obligatory for you to provide your personal data when requested.
If it is obligatory, you will be informed of the consequences to you if you fail to provide the data.
Use of Your Personal Data:
All personal data concerning you (whether provided by you or any other persons) may be used by any of the following people (each being a “User”):
(i) any person controlling, controlled by or under common control with the Company;
(ii) any director, officer or employee of the Company; or
(iii) any person authorized by the Company.
All personal data concerning you (whether provided by you or any other person) may be used by any User for any of the following purposes:
(i) the specific uses provided to you at the time of data collection;
(ii) transfer of data to any place outside Hong Kong;
(iii) any purpose relating to or in connection with your employment with the Company; or
(iv) any purpose relating to or in connection with the ordinary course of business of the Company.
(c) Rights of Access and Correction
You have the righty to have access to and correction of your personal data as set out in the Ordinance. In general, and subject to certain exemptions, you are entitled to:
(i) ascertain whether the Company holds personal data in relation to you;
(ii) request access to your personal data within a reasonable time, at a fee which is not excessive, in a reasonable manner, and in a form that is intelligible;
(iii) request the correction of your personal data; and
(iv) be given reasons if a request for access or correction is refused, and object to any refusal.
(d) Contact Person
The title and address of the person to whom any request for access to and/or correction of personal data concerning yourself, or further information about this Ordinance, may be made to the Compliance Officer.