GENERAL
This policy statement provides information on the obligations and policies of Lane Crawford (Hong Kong) Limited, and its affiliates (the "Company") under the Personal Data (Privacy) Ordinance - Cap. 486, Laws of Hong Kong SAR (the "Ordinance")
This policy specifically addresses the Company's obligations in respect of data privacy laws of Hong Kong SAR which is one of the most developed data protection regimes worldwide. The Company believes that the principles embedded in the Ordinance offer no less protection in personal data privacy than those in other jurisdictions. As such, the Company undertakes to apply, where practicable, these principles and the processes set out herein to its operations globally.
Where the Company's operations are subject to privacy legislation other than that of Hong Kong SAR, then this policy shall be applied so far as practicable and consistent with such local legislation.
Throughout this policy statement, the meaning of the term "personal data" is as defined in the Ordinance.
COMPANY CORPORATE POLICY
The Company shall fully comply with the obligations and requirements of the Ordinance. The Company's officers, management, and members of staff shall, at all times, respect the confidentiality of and endeavor to keep safe any and all personal data collected and / or stored and / or transmitted and / or used for, or on behalf of, the Company.
The Company shall endeavor to ensure all collection, storage, transmission and other handling of usage of personal data by the Company shall be done in accordance with the obligations and requirements of the Ordinance.
Where an individual legitimately requests access to and / or correction of personal data relating to the individual, held by the Company, then the Company shall provide and/or correct that data in accordance with the time and manner stipulated within the Ordinance.
STATEMENT OF PRACTICES
TYPES OF PERSOANL DATA COLLECTED
For the purpose of carrying on and facilitating the Company's business, including sale, daily operation, provision, enforcement of data subject's obligation arising from any transaction between the Company and the customer, registering existing and future customers to Lane Crawford Privilege Card programme and related products and services (including online products and services), the customer may be requested to provide personal data, such as, but not limited to, the following, without which it may not be possible to satisfy the customer's request:
a). Name;
b). Correspondence address, contact telephone number inclusive of mobile phone, and email;
c). Payment details, including credit card information;
d). Information for the verification of identity, including identification type and identification number.
In some instances, the customer may also be requested to provide certain data that may be used to further improve the Company's products and services and/or better tailor the type of information presented to the customer. In most cases, although the customer's provision of this type of data is optional, where the requested service is a personalized service, or provision of a product is dependant on the customer's providing all requested data, refusal or failure to provide the requested data may prevent the Company from providing the service to the customer. This type of data includes, but is not limited to:
a). Age;
b). Gender;
c). Salary range and employment details;
d). Education and Profession;
e). Hobbies and leisure activities;
f). Other related products and services subscribed to; and
g). Family and household demographics.
In support of the products and services offered by the Company, information may be automatically collected relating to those products and services so the Company may perform accurate reporting and administration on matters, such as, but not limited to, the customer's purchase and the customer's Lane Crawford Privilege Card membership.
The Company's web servers may also collect data relating to your online session, the use of which is to provide aggregated, anonymous, statistical information on the server's usage so that the Company may better meet the demands and expectations of visitors to its sites. This type of data may include, but is not limited to:
a). The browser type and version;
b). Operating system; and
c). The IP address and/or domain name.
Some of the Company's web sites may place a "cookie" on the customer's machine; for example to provide personalized services and /or maintain the customer's identity across multiple pages within or across one or more sessions. This information may include, but is not limited to, relevant login and authentication details as well as information relating to the customer's activities and preferences across the Company's web sites.
Telephone calls made to the Company's order and/or service hotline and/or inquiry telephone numbers, the identify of the customer and the conversations will in certain circumstances be recorded for the purposes of quality control, appraisal, as well as staff management and development. At all times, every care is taken to protect such recordings from inadvertent and/or unauthorized access.
ACCURACY OF PERSONAL DATA
Where possible, the Company will validate data provided using generally accepted practices and guidelines. This includes the use of check sum verification on some numeric fields such as account numbers or credit card numbers. In some instances, the data provided will be validated against pre-existing data held by the Company. In some cases, as per the requirement of the Ordinance, the Company is required to see original documentation before personal data may be used, such as with Personal Identifiers and/or proof of address.
The Company fully complies with the "Rights of Access and Correction" obligations of the Ordinance. Please refer to the section titled "Access and Correction of Personal Data" below for details on how to obtain and correct any personal data relating to the customer himself/herself that the Company may hold.
RETENTION OF PERSONAL DATA
The Company will destroy any personal data it may hold in accordance with its internal policy. Generally speaking, the Company's policies cover the following principles:
a).Personal data will only be retained for as long as is necessary to fulfill the original or directly related purpose for which it was collected, unless the personal data is also retained to satisfy any applicable statutory or contractual obligations; and
b). Personal data are purged from the Company's electronic, manual, and other filing systems in accordance with specific schedules based on the above criteria and the Company's internal procedures.
DISCLOSURE OF PERSONAL DATA
All personal data held by the Company will be kept confidential but the Company may, where such disclosure is necessary to satisfy the purpose, or a directly related purpose, for which the data was collected provide such information to the following parties:
a). Any subsidiaries, or affiliates of, or companies controlled by, or under common control with the Company;
b). Any person or company who is acting for or on behalf of the Company, or jointly with the Company, in respect of the purpose or a directly related purpose for which the data was provided;
c). Any other person or company who is under a duty of confidentiality to the Company and has undertaken to keep such information confidential, provided such person or company has a legitimate right to such information; and
d). Any financial institutions, charge or credit card issuing companies, credit information or reference bureau, or collection agencies necessary to establish and support the payment of any products and services being requested.
Personal data may also be disclosed to any person or persons pursuant to any statutory or contractual obligations or as required by court of law, provided such person or persons are able to prove the required right/authority to access such information. In addition, personal data may be disclosed under any of the circumstances described in Part VIII of the Ordinance in which the concerned personal data are exempt from the provisions of Data Protection Principle 3 of the Ordinance.
TRANSFER OF PERSONAL DATA OUTSIDE HONG KONG
At times it may be necessary and/or prudent for the Company to transfer certain personal data to places outside of Hong Kong SAR in order to carry out the purposes, or directly related purposes, for which the personal data were collected. Where such a transfer is performed, it will be done in compliance with the requirement of the Ordinance.
SECURITY OF PERSONAL DATA
Physical records containing personal data are securely stored in locked area and/or containers when not in use.
Computer data are stored on computer systems and storage media to which access is strictly controlled and / or are located within restricted areas.
Access to records and data without appropriate management authorization are strictly prohibited. Authorizations are granted only on a "need to know" basis that is commensurate with an individual's Company responsibilities and their training.
Where the Company holds, uses, and/or transmits the Customers' personal data it will be adequately protected from accidental and / or unauthorized disclosure, change and/or destruction.
ACCESS AND CORRECTION OF PERSONAL DATA
Under the terms of the Ordinance, individuals have the right to:
a). Ascertain whether the Company holds any personal data relating to them and, if so, obtain copies of such data ("right of access");
b). Require the Company to correct personal data in its possession which is inaccurate for the purpose for which it is being used by means of a data access request ("right of correction"); and
c). Ascertain the Company's policies and practices in relation to personal data, which are those policies and practices set out in their entirely herein.
An individual may exercise his or her right of access by:
a). Completing the "Data Access Request Form" which can be obtained by calling of the Company's Customer Relationship Executive at (852) 2118 2288;
b). Sending the completed form, along with appropriate proof of identity (a copy of the applicant's Hong Kong Identity Card or Passport) and the prescribed fee (currently HK$300) to the Company's Customer Relationship Management Department;
c). Presenting the completed form together with the prescribed fee in person along with appropriate identification, at any of Lane Crawford stores if a copy of "proof of identifty" cannot be provided to the Company.
The Company will, upon satisfying itself of the authenticity and validity of the access request, make every endeavor to comply with and respond to the request within the period set by the Ordinance (i.e. within 40 days after receiving the request).
An individual may exercise their right of correction by:
a). Writing to the Company's Customer Relationship Management Department office at the address listed below, specifying the data which they believe to be incorrect, the reason they believe it is incorrect, and the applicable corrections; and
b). Providing "proof of identity" verifying that the individual making the request is authorized to request such corrections.
The Company will, upon satisfying itself of the authenticity and validity of the correction request, make every endeavor to comply with and respond to the request within the period set by the Ordinance (i. e. within 40 days after receiving the request).
DIRECT MARKETING
In accordance with the requirement of the Ordinance, the Company will honor a customer's request not to use his or her personal data for the purposes of direct marketing (inclusive of email). Should the customer wish not to receive direct marketing material from the Company, written requests can be sent to the Company's Customer Relationship Management Department at the address listed below.
Any such request should clearly state details of the personal data in respect of which the request is being made. Specifically, it is requested the corresponding Lane Crawford Privilege Card number assigned by the Company is included in the request.
Until instructed otherwise by the customer as per the above, the Company may use any of the data collected in the normal course of its business for marketing purposes.
Customer Relationship Management Department address:
25/F Tower 1,
Times Square,
1 Matheson Street,
Causeway Bay,
Hong Kong
DISCLAIMER
The Company reserves the right to amend its prevailing Data Protection and Privacy Policy at any time and will place any such amendments on its Website. This Data Protection and Privacy Policy is not intended to, nor does it, create any contractual rights whatsoever or any other legal rights, nor does it create any obligations on the Company in respect of any other party or on behalf of any party. Nothing in this policy statement shall limit the rights of data subjects under the Personal Data (Privacy) Ordinance, Chapter 486 of the Laws of Hong Kong, SAR.
