Data Protection Policy
1 POLICY STATEMENT
1.1 Everyone has rights with regard to the way in which their Personal Data is handled. During the course of the Group’s activities, the Group may collect, store and Process Personal Data about the investors, directors, employees and other third parties, and the Group recognises that the correct and lawful treatment of this Personal Data will maintain confidence in the organisation and will provide for successful business operations.
1.2 This document sets out the principles that the Group must follow when Processing Personal Data to help ensure compliance with the General Data Protection Regulation (GDPR) EU 2016/679 and other applicable regulations including the Personal Data (Privacy) Ordinance of Hong Kong. Data Users are obliged to comply with this policy when Processing Personal Data on the Group’s behalf.
2 ABOUT THIS POLICY
2.1 The types of Personal Data that the Group may be required to handle include information about current, past and prospective investors, officers and others with whom the Group transacts or communicates. The Personal Data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the GDPR.
2.2 This policy and any other documents referred to in it sets out the basis on which the Group will Process any Personal Data the Group collects from Data Subjects, or that is provided to the Group by Data Subjects or other sources.
2.3 This policy sets out rules on data protection and the legal conditions that must be satisfied when the Group collects, handles, processes, transfers and stores Personal Data.
2.4 The directors of the Group are collectively responsible for ensuring compliance with the GDPR, other applicable local privacy regulations and this policy, and have documented their reasons, as required by the GDPR. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Officer of the Group.
3 DEFINITION OF TERMS USED IN THIS POLICY
3.1 Data is information which is stored electronically, on a computer, or in paper-based structured filing systems.
3.2 Data Subjects for the purpose of this policy include all living individuals about whom the Group holds Personal Data. All Data Subjects have legal rights in relation to their Personal Data.
3.3 Personal Data means data relating to a living individual who can be identified directly from that data, or indirectly from that data in conjunction with other information.
3.4 Data Controllers are the people who, or organisations who, alone or jointly with others, determine the purposes for which, and the manner in which, any Personal Data is Processed. They are responsible for, and must be able to demonstrate compliance with, the GDPR data protection principles. The Group is the Data Controller of all Personal Data used in the Group’s business for the Group’s own commercial purposes.
3.5 Data Users are those of the Group’s board members, officers or delegates whose work involves Processing Personal Data. Data Users must protect the Personal Data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
3.6 Data Processors include any person or organisation that Processes Personal Data on the Group’s behalf and on the Group’s instructions.
3.7 Processing is any activity that involves use of the personal data. It means carrying out any operation or set of operations on the data including collecting, recording, organising, structuring, storing, amending, retrieving, using, consulting, disclosing by transmission, disseminating or otherwise making available, combining, restricting, erasing or destroying it.
3.8 Sensitive Personal Data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or sexual life.
4 DATA PROTECTION PRINCIPLES
4.1 As a Data Controller, the Group is responsible for, and must be able to demonstrate compliance with, the six data protection principles. These principles provide that Personal Data must be:
4.1.1 Obtained and Processed fairly, transparently and lawfully
4.1.2 Collected for specific, explicit and legitimate purposes directly related to a function or activity of the Group, and not further Processed in a manner incompatible with those purposes
4.1.3 Adequate, relevant and not excessive
4.1.4 Accurate and up-to-date
4.1.5 Not kept for longer than necessary
4.1.6 Kept safe and secure
5 FAIR, TRANSPARENT AND LAWFUL PROCESSING
5.1 The GDPR is not intended to prevent the processing of Personal Data, but to ensure that it is done fairly and transparently.
5.2 For Personal Data to be Processed fairly and transparently, the Group (as a Data Controller) must inform Data Subjects, when the Group collects Personal Data directly from them, about all of the following:
5.2.1 That the Group is the Data Controller in regard to the Personal Data Processed by the Group and the Group’s contact details
5.2.2 The contact details of the Data Protection Officer
5.2.3 The purpose or purposes for which the Group intends to Process the Personal Data and the legal basis
5.2.4 The legitimate interests pursued by the Group or by a third party and an explanation of those interests (where Processing is based on this ground)
5.2.5 Where the Processing is based on consent their right to withdraw it at any time
5.2.6 The third parties or categories of third parties, if any, to whom the Group will disclose the Personal Data
5.2.7 Details of any transfers out of the EEA or Hong Kong, the safeguards the Group has in place and the means by which to obtain a copy of them
5.2.8 The data retention period or criteria used to determine same
5.2.9 The existence of the right to request access to their Personal Data; rectification or erasure of their Personal Data; restrict or object to Processing, and the right to data portability
5.2.10 The right to complain to the Privacy Commissioner for Personal Data, Hong Kong if they are unhappy with how the Group is handling their Personal Data
5.2.11 Details of any automated decision-making, including profiling, and the logic involved, as well as the significance and consequences of such Processing for the Data Subject
5.2.12 Whether the provision of Personal Data is a statutory or contractual requirement, and the consequences of failing to provide such Personal Data
5.3 Where the Group intends to Process the Personal Data for a further purpose, other than that for which the Personal Data were first collected, the Group will provide the Data Subject with information on that further purpose and obtain the Data Subject’s express consent prior to that further Processing.
5.4 If the Group receives Personal Data about a Data Subject from other sources, the Group will provide the Data Subject with the information at clause 5.2, as well as the categories of Personal Data concerned, from which source the Personal Data originated and, if applicable, whether it came from publicly accessible sources. The Group will provide this information to the Data Subject within one month of obtaining the Personal Data; or at the time of the first communication to the Data Subject (where applicable), or if a disclosure to another recipient is envisaged, when the Personal Data are first disclosed.
5.5 When processing personal data in the course of the Group’s business, the Fund will ensure that these information requirements are met.
5.6 The Processing of Sensitive Personal Data is prohibited unless one of a separate set of legal grounds set out in the GDPR applies, including: the Data Subject has given his/her explicit consent; the Personal Data have been made public by the Data Subject; the Processing is necessary for the establishment or defence of legal claims; or the Processing is necessary to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving his/her consent.
6 PROCESSING FOR LIMITED PURPOSES
6.1 In the course of the Group’s business, the Group may collect and Process the Personal Data set out in the Schedule to this Policy. This may include Personal Data the Group receives directly from a Data Subject (for example, by completing forms or by corresponding with the Group by mail, phone, email or otherwise) and Personal Data the Group receives from other sources (including, for example, business partners, counterparties, sub-contractors in technical, payment and delivery services, and others).
6.2 The Group will only Process Personal Data for the specific purposes set out in the Schedule to this Policy or for any other purposes specifically permitted by the GDPR. The Group will notify those purposes to the Data Subject when the Group first collects the Personal Data or, if the Group collects the Personal Data indirectly, as soon as possible thereafter.
7 ADEQUATE, RELEVANT AND NOT EXCESSIVE
The Group will only collect Personal Data to the extent that it is required for the specific purpose(s) notified to the Data Subject.
8 ACCURATE AND UP-TO-DATE PERSONAL DATA
The Group will take reasonable steps to ensure that Personal Data the Group holds is accurate and kept up-to-date. The Group will take reasonable steps to check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. The Group will take all reasonable steps to amend or destroy inaccurate or out-of-date Personal Data.
9 STORAGE LIMITATION
The Group will not keep Personal Data for longer than is necessary for the purpose or purposes for which they were collected. The Group will take all reasonable steps to destroy, or erase the Personal Data from the Group’s systems when they are no longer required as set out in the Schedule to this Policy.
10 DATA SECURITY
10.1 The Group will or will require that its delegates will take appropriate technical and organisational security measures, taking into account the risks presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, or stored.
10.2 The Group’s security measures include, where appropriate:
10.2.1 The ability to ensure the ongoing confidentiality, integrity and availability and resilience of Processing systems and services
10.2.2 The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
10.2.3 A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing
10.3 Where Processing is to be carried out on the Group’s behalf, the Group shall only engage Data Processors who provide sufficient contractual guarantees to implement appropriate technical and organisational security measures in such a manner that Processing will meet the requirements of the GDPR and ensure the protection of the rights of the Data Subject.
10.4 As a Data Controller, the Group is required to enter into a written contract with the Data Processor (including in electronic form), which will set out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects. The contract shall set out, in particular, the specific mandatory obligations of Data Processors laid down in Article 28 of the GDPR, and shall contain terms that aim to prevent (i) any Personal Data transferred to the Data Processor from being kept longer than is necessary for Processing of the Personal Data, and (ii) unauthorised or accidental access, Processing, erasure, loss or use of the Personal Data transferred to the Data Processor.
11 PROCESSING IN LINE WITH DATA SUBJECT’S RIGHTS
11.1 As a Data Controller, the Group is required to Process Personal Data in line with Data Subjects’ rights, in particular their right to:
11.1.1 Request access to a copy of any Personal Data the Group holds about them (see also clause 13)
11.1.2 Request any inaccurate or incomplete data to be rectified (see also clause 8)
11.1.3 Object to or request erasure or restriction of processing in specified circumstances
11.1.4 Request a copy of the Personal Data they have provided to the Group and transmit those Personal Data to another Data Controller without hindrance from the Group, or have the Personal Data transmitted directly from the Group to another Data Controller, where technically feasible (i.e. right to data portability)
11.1.5 Not to be subject to a decision based solely on automated Processing, including profiling, which produces a legal effect or other significant effect on the Data Subject, except where the decision is necessary for the performance of a contract; authorised by EU, Irish or Hong Kong law, or based on the Data Subject’s explicit consent
11.1.6 Prevent the Processing of their Personal Data for direct marketing purposes unless the requirements of all applicable laws and regulations, including the requirement to obtain Data Subjects’ consent, are complied with
11.2 The Group will provide the Data Subject with information on action taken in response to the exercise of any of these rights without undue delay, and at the latest within one month of receipt of the Data Subject’s request. This period may, subject to the applicable laws and regulations, be extended by two further months where requests are numerous or complex. If it is expected that a request for access to Personal Data cannot be completed within one month, the Group will inform the Data Subject of this, and of the reasons for it, as soon as practicable and before the expiry of the one-month period.
12 DEALING WITH ACCESS REQUESTS
12.1 Data Subjects may make a request for the information the Group holds about them. This request may be made in writing or orally.
12.2 When receiving telephone enquiries, the Group will only disclose Personal Data the Group holds on the Group’s systems if the caller’s identity can be verified. If their identity cannot be verified, the Group will request the caller to put their request in writing.
12.3 Data Users who receive a request should forward it to the Data Protection Officer:
c/o Chief Compliance Officer
43rd Floor, The Center, 99 Queen’s Road Central, Hong Kong
12.4 A Data Subject has a right of access to a copy of the Personal Data the Group holds about him/her, as well as the following information:
12.4.1 The purposes of the Processing
12.4.2 The categories of the Personal Data concerned
12.4.3 The recipients to whom the Personal Data have been or will be disclosed
12.4.4 The data retention period or criteria used to determine same
12.4.5 The existence of the right to request from the Data Controller rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning that Data Subject or to object to such Processing
12.4.6 The right to lodge a complaint with the Data Protection Commissioner
12.4.7 Where the Personal Data are not collected from the Data Subject any available information as to their source
12.4.8 The existence of automated decision-making, including profiling; the logic involved, and the envisaged consequences of such Processing for the Data Subject, and
12.4.9 Where Personal Data is transferred out of the EEA, the Data Subject must be informed of the appropriate safeguards in place
12.5 The Group will provide a copy of the Personal Data free of charge unless a request is manifestly unfounded or excessive, in particular because of its repetitive character, in which case it may charge a reasonable fee, based on administrative costs.
12.6 Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information will be provided in a commonly used electronic form.
13 TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EEA
13.1 The Group may transfer any Personal Data the Group holds to a country outside the European Economic Area (EEA), provided that the Group has informed Data Subjects of the transfer, the safeguards in place and the means by which to obtain a copy of them, and one of the following conditions applies:
13.1.1 The non-EEA country to which the Personal Data are transferred ensures an adequate level of protection for the Data Subjects’ rights and freedoms. The European Commission deems the following countries to have an adequate level of Personal Data protection: Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay. The US is deemed as providing an adequate level of protection where the US recipient of the Personal Data is Privacy Shield certified. For more information about the Privacy Shield, please see the U.S. Department of Commerce’s Privacy Shield website at: https://www.privacyshield.gov.
13.1.2 Adequate safeguards are in place, such as the Model clauses; Binding Corporate Rules (BCRs); an approved code of conduct or approved certification mechanism with binding and enforceable commitments of the Data Controller or Data Processor in the third country to apply the appropriate safeguards, including as regards Data Subjects’ rights;
13.1.3 The transfer is lawful pursuant to one of the derogations in the GDPR, including the Data Subject has given their explicit consent; the transfer is necessary for the performance of a contract; for public interest reasons; authorised by law; necessary for the defence of legal claims, or to protect the vital interests of the Data Subject; or
13.1.4 Where none of the above safeguards or derogations apply, a transfer to a non-EEA country may take place if the transfer is not repetitive, concerns only a limited number of Data Subjects, and is necessary for the legitimate interests of the Data Controller, which are not overridden by the rights of the Data Subjects. The Data Controller must inform the Data Protection Commissioner and the Data Subject of such a transfer, and of the legitimate interests pursued.
14 CHANGES TO THIS POLICY
The Group reserves the right to change this policy at any time. Where appropriate, the Group will notify Data Users and/or Data Subjects of those changes by mail or email.
SCHEDULE 1 DATA PROCESSING ACTIVITIES
| Type of personal data | Categories of data subject | Type of processing | Purpose of processing | Categories of recipient to whom personal data is transferred | Retention period |
|---|---|---|---|---|---|
| Name, address, contact details, tax number and bank details, details of investment, documentation to verify identity, address and bank details | Investor (including officers and signatories of institutional investors) | Obtaining, reviewing, verifying, storing, running [Worldcheck, adverse news checks]. Keeping records updated | Complying with legal obligations under AML/CTF/sanctions regimes, and to prevent fraud, bribery, corruption and tax evasion | Transfer agent/Administrator/Depositary/Distributor | 7 years after investor ceases to be an investor |
| Name, address, contact details, number. Information on experience, qualifications, employment history and any issues | Officer of the Group | Obtaining, reviewing, verifying, storing, running searches, adverse news checks. Keeping records updated | Complying with legal obligations | The Board of the Group and the regulators | 7 years after the termination of the office |
| Name, address, tax number | Investor | Obtaining, reviewing, verifying, storing, submitting reports, keeping records updated | Complying with FATCA/CRS/tax reporting law | Tax authorities | 7 years after the termination of the investment |
| Name, address, contact details, information on experience, qualifications, employment history | Officer/Designated Person of the Group | Obtaining, reviewing, storing, submitting, keeping up to date | Complying with UCITS regulatory obligations under the UCITS regime | Regulators | 7 years after the termination of the office |
| Name, address, contact details, details of investment | Beneficial owner or Board member | [Beneficial Ownership obligations yet to be clarified] | | | |
| Name, address (and other directorships for directors) | Investors and officers | Obtaining, reviewing, storing, submitting, keeping up to date | Complying with legal obligations under Company/ICAV/Investment Trust law | Companies Registration Office | 7 years after the termination of the office |
| Name, address, contact details, tax number. Address | Officers | Obtaining, reviewing, storing, submitting, keeping up to date | To facilitate payment of fees and expenses and tax and social welfare thereon | Bank, Depositary | 7 years after the termination of the office |
| Name, address, bank details | Investors | Obtaining, reviewing, storing, submitting, keeping up to date | To facilitate payment of distributions (dividends and redemptions) | Bank, Depositary | 7 years after the termination of the investment |
| Name, work address and contact details | Contract of counterparties | Obtaining, reviewing, storing, submitting, keeping up to date | The facility operators of the relevant agreements/trades with the counterparty and otherwise in accordance with such agreements/trades | Investment manager, Administrator, Depositary | 7 years after the termination of the investment |
Privacy Policy
1.1 Everyone has the right to determine how their Personal Data is handled. During the course of the Group’s operations, the Group may collect, store and Process Personal Data about investors, directors, employees and other third parties, and the Group acknowledges that the correct and lawful treatment of Personal Data will maintain confidence in the organisation and will contribute to successful business operations.
1.2 This document sets out the principles that the Group must follow when Processing Personal Data, to help ensure compliance with the EU General Data Protection Regulation 2016/679 and other applicable regulations, including the Personal Data (Privacy) Ordinance of Hong Kong. Data Users are obliged to comply with this policy when Processing Personal Data on behalf of the Group.
2 ABOUT THIS POLICY
2.1 The types of Personal Data that the Group may need to handle include information about current, past and future investors, officers and other persons who transact or communicate with the Group. Personal Data may be held on paper, on a computer or on other media, and is subject to certain legal safeguards specified in the GDPR.
2.2 This policy and any other documents referred to in it set out the basis on which the Group will Process any Personal Data the Group collects from Data Subjects, or that is provided to the Group by Data Subjects or other sources.
2.3 This policy sets out the data protection rules and legal conditions that the Group must comply with when collecting, Processing, transferring and storing Personal Data.
2.4 The directors of the Group are collectively responsible for ensuring compliance with the GDPR, other applicable local privacy regulations and this policy, and their reasons have been documented as required by the GDPR. Any questions about the implementation of this policy, or any concerns that the policy has not been followed, should be referred immediately to the Group’s Data Protection Officer.
3.1 Data is information stored electronically on a computer or in paper-based structured filing systems.
3.2 Data Subjects, for the purpose of this policy, include all living individuals about whom the Group holds Personal Data. All Data Subjects have legal rights in relation to their Personal Data.
3.3 Personal Data means data relating to a living individual who can be identified directly from that data, or indirectly from that data together with other information.
3.4 Data Controllers are the persons or organisations who, alone or jointly with others, determine the purposes for which, and the manner in which, any Personal Data is Processed. They are responsible for, and must be able to comply with, the GDPR data protection principles. The Group is the Data Controller of all Personal Data used in the Group’s business for the Group’s own commercial purposes.
3.5 Data Users are the Group’s board members, officers or delegates whose work involves Processing Personal Data. Data Users must at all times protect the Personal Data they handle in accordance with this data protection policy and any applicable data security procedures.
3.6 Data Processors include any person or organisation that Processes Personal Data on behalf of the Group and in accordance with the Group’s instructions.
3.7 Processing is any activity that involves the use of Personal Data. It means carrying out any operation or set of operations on the Personal Data, including collecting, recording, organising, structuring, storing, amending, retrieving, using, consulting, disclosing by transmission, disseminating or otherwise making available, combining, restricting, erasing or destroying it.
3.8 Sensitive Personal Data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or sexual life.
4.1 As a Data Controller, the Group is responsible for, and must be able to comply with, the six data protection principles. These principles provide that Personal Data must be:
4.1.1 Obtained and Processed fairly, transparently and lawfully
4.1.2 Collected for specific, explicit and legitimate purposes directly related to a function or activity of the Group, and not further Processed in a manner incompatible with those purposes
4.1.3 Adequate, relevant and not excessive
4.1.4 Accurate and kept up to date
4.1.5 Not kept for longer than necessary
4.1.6 Kept safe and secure
5.1 The GDPR is not intended to prevent the Processing of Personal Data, but to ensure that Personal Data is Processed fairly and transparently.
5.2 For Personal Data to be Processed fairly and transparently, the Group (as a Data Controller) must, when it collects Personal Data directly from Data Subjects, inform them of all of the following:
5.2.1 That the Group is the Data Controller in respect of the Personal Data it Processes, and the Group’s contact details
5.2.2 The contact details of the Data Protection Officer
5.2.3 The purposes for which the Group intends to Process the Personal Data and the legal basis
5.2.4 The legitimate interests pursued by the Group or by a third party, and an explanation of those interests (where Processing is based on this ground)
5.2.5 Where Processing is based on consent, the Data Subject’s right to withdraw that consent at any time
5.2.6 The third parties or categories of third parties, if any, to whom the Group will disclose the Personal Data
5.2.7 Details of any transfers outside the EEA or Hong Kong, the safeguards the Group has in place and the means by which to obtain a copy of them
5.2.8 The data retention period or the criteria used to determine it
5.2.9 The existence of the right to request access to their Personal Data; rectification or erasure of their Personal Data; restriction of or objection to Processing; and the right to data portability
5.2.10 The right to complain to the Privacy Commissioner for Personal Data, Hong Kong if they are unhappy with how the Group is handling their Personal Data
5.2.11 Details of any automated decision-making, including profiling, the logic involved, and the significance and consequences of such Processing for the Data Subject
5.2.12 Whether the provision of Personal Data is a statutory or contractual requirement, and the consequences of failing to provide such Personal Data
5.3 Where the Group intends to Process Personal Data for a further purpose other than that for which it was first collected, the Group will provide the Data Subject with information on that further purpose and obtain the Data Subject’s express consent before the further Processing.
5.4 If the Group obtains Personal Data about a Data Subject from other sources, the Group will provide the Data Subject with the information set out in clause 5.2, together with the categories of Personal Data concerned, the source from which the Personal Data was obtained and, if applicable, whether it came from publicly accessible sources. The Group will provide this information to the Data Subject within one month of obtaining the Personal Data; or at the time of the first communication with the Data Subject (where applicable); or, if disclosure to another recipient is envisaged, when the Personal Data is first disclosed.
5.5 For Personal Data to be Processed lawfully, it must be Processed on one of the legal grounds set out in the GDPR. These grounds include: the Data Subject has given his/her free, informed and explicit consent; the Processing is necessary for the performance of a contract with the Data Subject; the Processing is necessary for compliance with a legal obligation to which the Data Controller is subject; or the Processing is necessary for the legitimate interests of the Data Controller or of a third party to whom the Personal Data is disclosed, except where those interests are overridden by the interests of the Data Subject.
5.6 The Processing of Sensitive Personal Data is prohibited unless one of a separate set of legal grounds set out in the GDPR applies, including: the Data Subject has given his/her explicit consent; the Data Subject has made the Personal Data public; the Processing is necessary for the establishment or defence of legal claims; or the Processing is necessary to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving his/her consent.
6.1 In the course of the Group’s business, the Group may collect and Process the Personal Data set out in the Schedule to this Policy. This may include Personal Data the Group collects directly from a Data Subject (for example, by the Data Subject completing forms or corresponding with the Group by mail, phone, email or otherwise) and Personal Data the Group receives from other sources (including, for example, business partners, counterparties, and sub-contractors in technical, payment and delivery services).
6.2 The Group will only Process Personal Data for the specific purposes set out in the Schedule to this Policy or for other specific purposes permitted by the GDPR. The Group will notify those purposes to the Data Subject when it first collects the Personal Data or, if the Group collects the Personal Data indirectly, as soon as possible after collection.
7 ADEQUATE, RELEVANT AND NOT EXCESSIVE
The Group will only collect Personal Data to the extent required for the specific purposes notified to the Data Subject.
8 ACCURATE AND UP-TO-DATE PERSONAL DATA
The Group will take reasonable steps to ensure that the Personal Data it holds is accurate and kept up to date. The Group will take reasonable steps to check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. The Group will take all reasonable steps to amend or destroy inaccurate or out-of-date Personal Data.
9 STORAGE LIMITATION
The Group will not keep Personal Data for longer than is necessary for the purposes for which it was collected. The Group will take all reasonable steps to destroy or erase Personal Data from the Group’s systems when it is no longer required, in accordance with the Schedule to this Policy.
10.1 The Group will take, or will require its delegates to take, appropriate technical and organisational security measures, taking into account the risks presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted or stored.
10.2 The Group’s security measures include, where appropriate:
10.2.1 Ensuring the ongoing confidentiality, integrity, availability and resilience of Processing systems and services
10.2.2 The ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident
10.2.3 A process for testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing
10.3 Where Processing is carried out on the Group’s behalf, the Group shall only engage Data Processors who provide sufficient contractual guarantees to implement appropriate technical and organisational security measures, such that Processing meets the requirements of the GDPR and ensures the protection of the rights of the Data Subject.
10.4 As a Data Controller, the Group must enter into a written contract (including in electronic form) with the Data Processor, setting out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects. The contract must set out, in particular, the specific mandatory obligations of Data Processors required by Article 28 of the GDPR, and must contain terms to prevent (i) any Personal Data transferred to the Data Processor from being kept longer than is necessary for the Processing of the Personal Data, and (ii) unauthorised or accidental access, Processing, erasure, loss or use of the Personal Data transferred to the Data Processor.
11 PROCESSING IN LINE WITH DATA SUBJECTS’ RIGHTS
11.1 As a Data Controller, the Group must Process Personal Data in line with Data Subjects’ rights, in particular the following rights:
11.1.1 To request access to a copy of any Personal Data the Group holds about them (see also clause 13)
11.1.2 To request the rectification of any inaccurate or incomplete Personal Data (see also clause 8)
11.1.3 To object to, or request the erasure of, Personal Data or the restriction of Processing in specified circumstances
11.1.4 Where technically feasible (i.e. the right to data portability), to request a copy of the Personal Data they have provided to the Group and transmit it to another Data Controller without hindrance from the Group, or to have the Personal Data transmitted directly from the Group to another Data Controller
11.1.5 Not to be subject to a decision based solely on automated Processing, including profiling, which produces a legal effect or other significant effect on the Data Subject, except where the decision is necessary for the performance of a contract, is authorised by EU, Irish or Hong Kong law, or is based on the Data Subject’s explicit consent
11.1.6 To prevent the Processing of their Personal Data for direct marketing purposes, unless the requirements of all applicable laws and regulations, including the requirement to obtain the Data Subject’s consent, are complied with.
11.2 The Group will provide the Data Subject with information on action taken in response to the exercise of any of these rights without delay, and at the latest within one month of receipt of the Data Subject’s request. Where requests are numerous or complex, this period may be extended by a further two months in accordance with applicable laws and regulations. If it is expected that a request for access to Personal Data cannot be completed within one month, the Group will inform the Data Subject of the reasons as soon as practicable, before the expiry of the one-month period.
12.1 Data Subjects may request access to the information the Group holds about them. The request may be made in writing or orally.
12.2 When receiving telephone enquiries, the Group will only disclose Personal Data held on the Group’s systems once the caller’s identity has been verified. If the caller’s identity cannot be verified, the Group will ask the caller to submit the request in writing.
12.3 Data Users who receive a request should forward it to the Data Protection Officer:
c/o Chief Compliance Officer
43rd Floor, The Center, 99 Queen’s Road Central, Hong Kong
12.4 A Data Subject has the right to obtain a copy of the Personal Data the Group holds about him/her, as well as the following information:
12.4.1 The purposes of the Processing
12.4.2 The categories of Personal Data concerned
12.4.3 The recipients to whom the Personal Data has been or will be disclosed
12.4.4 The data retention period or the criteria used to determine it
12.4.5 The right to request from the Data Controller the rectification or erasure of Personal Data, or the restriction of Processing of Personal Data concerning the Data Subject, or to object to such Processing
12.4.6 The right to lodge a complaint with the Data Protection Commissioner
12.4.7 Where the Personal Data was not collected from the Data Subject, any available information as to its source
12.4.8 The existence of automated decision-making, including profiling; the logic involved; and the envisaged consequences of such Processing for the Data Subject, and
12.4.9 Where Personal Data is transferred outside the EEA, the Data Subject must be informed of the appropriate safeguards in place
12.5 The Group will provide a copy of the Personal Data free of charge unless the request is manifestly unfounded or excessive, in particular because of its repetitive character, in which case the Group may charge a reasonable fee based on administrative costs.
12.6 Where the Data Subject makes the request by electronic means, and unless the Data Subject requests otherwise, the information will be provided in a commonly used electronic form.
13.1 The Group may transfer any Personal Data it holds to a country outside the European Economic Area, provided that the Group has informed the Data Subjects of the transfer, the safeguards in place and the means by which to obtain a copy of them, and one of the following conditions applies:
13.1.1 The non-EEA country to which the Personal Data is transferred ensures an adequate level of protection for the Data Subjects’ rights and freedoms. The European Commission deems the following countries to provide an adequate level of Personal Data protection: Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay. The US is deemed to provide an adequate level of protection where the US recipient of the Personal Data is Privacy Shield certified. For more information about the Privacy Shield, please see the U.S. Department of Commerce’s Privacy Shield website at: https://www.privacyshield.gov.
13.1.2 Adequate safeguards are in place, such as the Model Clauses; Binding Corporate Rules; or an approved code of conduct or approved certification mechanism together with binding and enforceable commitments of the Data Controller or Data Processor in the third country to apply the appropriate safeguards, including as regards Data Subjects’ rights;
13.1.3 The transfer is lawful pursuant to one of the derogations in the GDPR, including: the Data Subject has given explicit consent; the transfer is necessary for the performance of a contract; for public interest reasons; authorised by law; necessary for the defence of legal claims, or to protect the vital interests of the Data Subject; or
13.1.4 Where none of the above safeguards or derogations apply, a transfer to a non-EEA country may take place if the transfer is not repetitive, concerns only a small number of Data Subjects, and is necessary for the legitimate interests of the Data Controller (which are not overridden by the rights of the Data Subjects). The Data Controller must inform the Data Protection Commissioner and the Data Subject of the transfer and of the legitimate interests pursued.
14 CHANGES TO THIS POLICY
The Group reserves the right to change this policy at any time. Where appropriate, the Group will notify Data Users and/or Data Subjects of the changes by mail or email.
SCHEDULE 1 DATA PROCESSING ACTIVITIES
| Type of personal data | Categories of data subject | Type of processing | Purpose of processing | Categories of recipient to whom personal data is transferred | Retention period |
|---|---|---|---|---|---|
| Name, address and other contact details, tax number and bank details, details of investment, and documents verifying identity, address and bank details | Investors (including officers and signatories of institutional investors) | Obtaining, reviewing, verifying, storing, running [Worldcheck, adverse news checks]. Keeping records updated | Complying with legal obligations under the AML/CTF/sanctions regimes, and preventing fraud, bribery, corruption and tax evasion | Transfer agent/Administrator/Depositary/Distributor | 7 years after the investor ceases to be an investor |
| Name, address and other contact details, number, information on experience and qualifications, employment history and any issues | Officers of the Group | Obtaining, reviewing, verifying, storing, running searches and adverse news checks. Keeping records updated | Complying with legal obligations | The Board of the Group and the regulators | 7 years after the termination of the office |
| Name, address, tax number | Investors | Obtaining, reviewing, verifying, storing, submitting reports, keeping records updated | Complying with FATCA/CRS/tax reporting law | Tax authorities | 7 years after the termination of the investment |
| Name, address and other contact details, information on experience, qualifications and employment history | Officers/Designated Persons of the Group | Obtaining, reviewing, storing, submitting, keeping up to date | Complying with UCITS regulatory obligations under the UCITS regime | Regulators | 7 years after the termination of the office |
| Name, address and other contact details, details of investment | Beneficial owner or Board member | [Beneficial Ownership obligations yet to be clarified] | | | |
| Name, address (and other directorships for directors) | Investors and officers | Obtaining, reviewing, storing, submitting, keeping up to date | Complying with legal obligations under Company/ICAV/Investment Trust law | Companies Registration Office | 7 years after the termination of the office |
| Name, address and other contact details, tax number, address | Officers | Obtaining, reviewing, storing, submitting, keeping up to date | To facilitate payment of fees and expenses and the tax and social welfare charges thereon | Bank, Depositary | 7 years after the termination of the office |
| Name, address, bank details | Investors | Obtaining, reviewing, storing, submitting, keeping up to date | To facilitate payment of distributions (dividends and redemptions) | Bank, Depositary | 7 years after the termination of the investment |
| Name, work address and contact details | Counterparty contracts | Obtaining, reviewing, storing, submitting, keeping up to date | The facility operators of the relevant agreements/trades with the counterparty, and otherwise in accordance with such agreements/trades | Investment manager, Administrator, Depositary | 7 years after the termination of the investment |
In the event of any discrepancy in meaning, the English version shall prevail.