1.1 Generally, this Statement provides information on the policy of the Hong Kong Applied Science and Technology Research Institute Company Limited, its subsidiaries and other affiliates (collectively, “Company”) in accordance with the Personal Data (Privacy) Ordinance (Cap. 486, the Laws of Hong Kong) (“Ordinance”) of the Hong Kong Special Administrative Region (“Hong Kong”). The meaning of the terms “personal data” and “matching” used in paragraphs 1 to 9 of this Statement shall have the same meaning given to them in the Ordinance, unless otherwise provided herein.
1.2 Paragraph 10 of this Statement only applies to the EU Data Subjects (as defined in paragraph 10).
2. Collection of Personal Data
For the purposes of carrying on the Company’s businesses (including: (a) the handling of inquiries; (b) the provisioning of technologies or services by the Company; (c) the carrying out of technological research and development; and (d) the marketing and promotion of the Company’s technologies or services), it may be necessary for you to provide the Company with certain personal data. The failure to provide such personal data may result in the Company’s inability to provide the technologies or services to you. Examples of the personal data which you may be required to provide are as follows:
(i) your name;
(ii) correspondence address and/or billing address;
(iii) contact details (such as, contact name, telephone number and email address); and
(iv) information for the verification of identity (such as, the type of identification document and its number).
Emails or newsletters sent by the Company to you may use links designed to lead you to a relevant area on the Web. The Company’s server will check if such a web link has been clicked and such information about the interaction may be connected to the viewer’s personal identity stored in the Company’s server.
3. Use of Personal Data
Your personal data may be collected, used or otherwise processed for:
(a) verifying your identity;
(b) handling inquiries or application for technologies and/or services provided by the Company;
(c) communication with you about the technologies, services and/or events of the Company, its agents, contractors and third party suppliers or otherwise in accordance with paragraph 4 below;
(d) providing and improving technologies and services to you or your employer;
(e) updating you on the Company’s new technologies and/or services;
(f) selecting content to be communicated to you;
(g) personalising the Company’s websites;
(h) enabling the Company to comply with the obligations to third parties or government agencies in relation to the supply of the Company’s technologies and/or services to you or your employer;
(i) analysing or enforcing contractual rights, checking of your credit (where applicable), payment and/or status regarding the supply of the Company’s technologies and services to you or your employer;
(j) allowing you to participate in surveys;
(k) matching your personal data with other data collected for other purposes and from other sources in relation to the provision of technologies and/or services to you or your employer;
(l) processing your job application made to the Company (if you are a job applicant);
(m) prevention and detection of crime, security threats, fraud or other malicious activity;
(n) disclosure as permitted by or as required by law, subpoena or court order; and
(o) any other purposes as agreed from time to time by you and the Company.
4. Use of Personal Data in Direct Marketing
The Company may send to you various direct marketing materials including:
(a) the publications of the Company (such as, the Company’s annual report, newsletters, marketing leaflets and/or technical brochures) and information about the Company’s collaboration with other organisations (such as the government of Hong Kong and the various Hong Kong government sub-vented organisations related to technological research and development);
(b) the publicity and marketing materials on the technology and service of the Company and the Company’s achievements; and
(c) materials on the technological-related events, exhibitions, forums, seminars and conferences in Hong Kong held by the Company, the government of Hong Kong and/or the various Hong Kong government sub-vented organisations related to technological research and development,
through various communication channels by using your email address, correspondence address, telephone number and any other communications channels agreed by you.
You may at any time send a written request to the Company’s Privacy Compliance Officer in accordance with paragraph 11 below to: (a) stop the receipt of the Company’s direct marketing materials; or (b) start receiving the same, together with your name, email address and telephone number. You should clearly state in such request the details of your personal data in respect of which the request is made.
5. Safekeeping and Retention of Personal Data
5.1 Personal data collected by the Company will be maintained securely in the Company’s system. The Company will at all times use all reasonable and practical steps to ensure that your personal data will be protected against unauthorised or accidental access, processing or erasure.
5.2 The Company will only retain the personal data for as long as necessary to fulfil the purposes for which such personal data are collected. In any event, the personal data will generally not be retained for more than seven years after the purposes for which the data are collected have been fulfilled.
6. Disclosure of Personal Data
The Company will at all times use all reasonable and practical steps to keep personal data held by the Company confidential. However, if it is necessary for the Company to disclose such personal data for a reason related to the purpose for which the data were collected, the Company may provide the personal data to:
(a) the Company’s agents, contractors, professional advisers (including the Company’s lawyers, auditors and accountants) and any other persons acting for and on behalf of the Company who: (i) have a need to know such information; and (ii) are under a duty of confidentiality to the Company to keep such personal data confidential and under a duty not to use your personal data for any purposes other than to carry out the services such agents, contractors, professional advisers and other persons shall perform for the Company;
(b) the government, regulatory authorities or law enforcement agencies if so required by law;
(c) Hong Kong-government sub-vented organisations and other statutory bodies in Hong Kong where the Company considers their communications would be of interest to you (such as matters related to innovation and/or technological developments in Hong Kong); and
(d) the Company’s affiliates for the purposes of internal administration, reporting activities on company performance, business reorganisation or group restructuring exercise, system maintenance support or hosting of data.
7. Access and Correction of Personal Data
You have a right to request access to your personal data held by the Company by submitting to the Company the duly completed “Data Access Request Form (Form OPS003)” (available for download at https://www.pcpd.org.hk/english/publications/files/Dforme.pdf) as specified by the Privacy Commissioner for Personal Data in Hong Kong.
You may exercise your right of correction of your personal data by writing to the Company’s Privacy Compliance Officer in accordance with paragraph 11 below and indicating:
(a) the personal data which are required to be corrected; and
(b) the reasons (if applicable) why your personal data are incorrect or incomplete.
8. No Transfer of Personal Data Outside of Hong Kong
Generally, the Company does not transfer your personal data to places outside of Hong Kong. If for some reason, there is a need to transfer your personal data to places outside of Hong Kong, it will be done in compliance with the requirements of the Ordinance.
9. Handling Personal Data for Recruitment
During the recruitment process, a job applicant may be required to provide the requisite personal data to the Company for the Company’s assessment of the applicant’s suitability for the position applied for.
By applying for a job at the Company, the job applicant agrees that the Company can:
(a) contact the job applicant if the job applicant’s profile meets the job requirements;
(b) use the job applicant’s personal data for processing his job application; and
(c) keep the job applicant’s Curriculum Vitae (“CV”) and personal data for a reasonable period, after which such CV and personal data will be deleted.
The failure of the job applicant to provide the requisite personal data to the Company may result in the Company’s inability to consider such job applicant for employment purposes.
10. GDPR Applicable to EU Data Subjects
10.1 This paragraph 10 is only applicable to those data subjects (each, an “EU Data Subject”) governed by the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Paragraphs 1 to 9 above are equally applicable to the EU Data Subjects to such extent that they are not inconsistent with the GDPR. For the purposes of this paragraph 10, the expressions “consent”, “controller”, “personal data” and “processing” shall have the same meanings given to them in the GDPR.
10.2 The Company is committed to complying with the GDPR to such extent that the GDPR applies to such EU Data Subjects’ personal data. For the purposes of the GDPR, the Company is a data controller in respect of the EU Data Subjects’ personal data.
10.3 The Company requires the personal data of the EU Data Subjects primarily to allow the Company to: (a) perform its contract with the EU Data Subjects; (b) enable the Company to comply with legal obligations; and (c) pursue legitimate interests of the Company (such as those set out in paragraphs 3 and 4 above), provided that the EU Data Subjects’ interests and fundamental rights do not override those interests.
10.4 The Company will only use the EU Data Subjects’ personal data for the purposes set out in paragraphs 3 and 4, and any other purposes for which the Company collected such data, unless the Company reasonably considers that it needs to use such data for another reason and that reason is compatible with the original purpose. If the Company needs to use the EU Data Subjects’ personal data for an unrelated purpose, the Company will notify the relevant EU Data Subjects and explain the legal basis which allows the Company to do so. The Company may process the EU Data Subjects’ personal information without their knowledge or consent, in compliance with the GDPR, where this is required or permitted by law.
10.5 All of the Company’s third-party service providers are required to take appropriate security measures to protect the EU Data Subjects’ personal data in line with the Company’s policies. The Company does not allow its third-party service providers to use the EU Data Subject’s personal data for their own purposes. The Company only permits them to process the personal data for specified purposes and in accordance with the Company’s instructions.
10.6 The Company may share the EU Data Subject’s personal data with other third parties, for example in the context of the possible sale or restructuring of the business. In this situation, the Company will, as far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, the Company will share the EU Data Subject’s personal data with the other parties if and to the extent required under the terms of the transaction.
10.7 Considering the nature, scope, context and purposes of processing and the risks of varying likelihood and severity for the rights of the EU Data Subjects, the Company has implemented appropriate security measures to prevent the EU Data Subjects’ personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, the Company limits access to the EU Data Subject’s personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process the personal data of the EU Data Subjects on the Company’s instructions and they are subject to a duty of confidentiality.
10.8 The Company has put in place appropriate procedures to deal with any suspected data security breach and will notify the EU Data Subjects and any applicable regulator of a suspected breach where the Company is legally required to do so.
10.9 Generally, the Company does not transfer the personal data of the EU Data Subjects to places outside of Hong Kong. If there is a need to transfer the EU Data Subjects’ personal data to places outside of Hong Kong, it will be done in accordance with the GDPR.
10.10 The Company will only retain an EU Data Subject’s personal data for as long as necessary to fulfil the purposes for which such personal data are collected. In any event, the personal data will generally not be retained for more than seven years after the purposes for which the data are collected have been fulfilled.
10.11 In accordance with the GDPR, the EU Data Subject is entitled to:
(a) check whether the Company holds the personal data of the EU Data Subject;
(b) be informed of: (i) the kind of personal data of the EU Data Subject which are held by the Company; (ii) the purposes of the processing; and (iii) the recipients or categories of recipients to whom such personal data have been or will be disclosed;
(c) access such EU Data Subject’s personal data and request the Company to provide the EU Data Subject with a copy of such data in accordance with the GDPR;
(d) request the Company to correct any personal data relating to the EU Data Subject which are inaccurate;
(e) withdraw the consent to processing of personal data (such withdrawal will not affect the lawfulness of processing prior to the withdrawal);
(f) require the Company to erase any personal data relating to the EU Data Subject (however, there may be circumstances where the Company is legally entitled to retain the personal data despite the request);
(g) object to the processing of personal data of the EU Data Subject and the processing for direct marketing purposes;
(h) require a restriction of processing of the personal data of the EU Data Subject in some circumstances;
(i) receive his personal data from the Company in a structured, commonly used and machine-readable format, provided that the processing of the relevant data is carried out by automated means, and to require his personal data be transferred directly to another entity; and
(j) make a complaint at any time to the relevant supervisory authority under the GDPR for data protection issues.
In relation to the matters mentioned in sub-paragraphs 10.11(a) to (j) above, you may send a written request to the Company’s Privacy Compliance Officer in accordance with paragraph 11 below.
10.12 The Company may need to request specific information from an EU Data Subject to help the Company confirm the EU Data Subject’s identity and ensure the EU Data Subject’s right to access his personal data (or to exercise any of the EU Data Subject’s other rights). This is an appropriate security measure to ensure that personal data are not disclosed to any person who has no right to receive them.
Enquiries relating to your personal data should be sent to the Company’s Privacy Compliance Officer at the following address or email address:
5th Floor, Photonics Centre
2 Science Park East Avenue
Hong Kong Science Park
Shatin, New Territories
Email address: [email protected]
If there is any conflict between the English and Chinese versions of this Statement, the English version shall prevail.