DATA PRIVACY POLICY STATEMENT
PERSONAL DATA (PRIVACY) ORDINANCE
GENERAL
This Privacy Policy Statement provides information on the obligations and policies of CXC Express Limited, its subsidiaries, affiliates, and associated companies (collectively, the “Company”, “we”, “us” or “our”) under the Hong Kong SAR Personal Data (Privacy) Ordinance - Cap.486 (the “Ordinance”). This Privacy Policy Statement specifically describes the Company's obligations in respect of the data privacy laws of the Hong Kong SAR. Our privacy practices may vary among the countries in which we operate to reflect local practices and legal requirements.
In this Privacy Policy Statement, the meaning of the term “personal data” is as defined in the Ordinance.
COMPANY POLICY
The Company shall fully comply with the obligations and requirements of the Ordinance. The Company's representatives, officers, management and staff shall, at all times, respect the confidentiality of and endeavour to keep safe any and all personal data collected and/or stored and/or transmitted and/or used for, or on behalf of, the Company. The Company shall endeavour to ensure all collection, storage, transmission and other handling or usage of personal data by the Company shall be done in accordance with the requirements of the Ordinance. Where an individual legitimately requests access to and/or correction of personal data relating to the individual, held by the Company, the Company may provide and/or correct that data in accordance with the time and manner stipulated within the Ordinance.
STATEMENT OF PRACTICES OF PERSONAL DATA COLLECTED FROM CUSTOMERS
For the purpose of carrying on the Company's businesses, including (i) uses of the Company’s website and applications; (ii) shipping activities, including delivery and pick-up of shipments; (iii) enquiries on shipments and tracking; (iv) promotion events held by us; and (v) other related products and services, customers may be requested to provide personal data such as, but not limited to, the following, without which it may not be possible to carry out our businesses:
- Individual and business contact information (such as name, company name, physical address, email address and telephone or fax number);
- Service installation address, correspondence address, and/or billing address;
- Payment information (including payment card details or online payment services number and invoicing address) and financial information (such as bank account numbers);
- Shipping information (such as (i) shipping-related contact details like the shipper's and consignee's name, physical address, email address and telephone number, (ii) signature for proof of delivery, (iii) the Company’s account number, and (iv) information given to us that helps us access locations to which we provide service) and information provided to us regarding the content of certain shipments, but only to the extent an identifiable person can be linked to such content;
- Information for the verification of identity, including identification type and identification number;
- Information provided in response to surveys;
- Username, password and other credentials used to access the Company’s products and services;
- The geographic location of your mobile device if you use certain features of our mobile applications;
- Other personal information that may be provided to us to obtain the Company’s product or service.
In addition, when you visit our websites, use our mobile applications, or interact with our tools, widgets or plug-ins, the Company's web servers may also collect data relating to your online session by automated means, the use of which is to provide aggregated, anonymous, statistical information so that the Company may better meet the demands and expectations of visitors to its sites, and take necessary actions in respect of any illegal or unlawful contents on any website visited through the Company’s web servers. The types of data may include, but are not limited to: the browser characteristics; operating system; IP address and/or domain name; language preferences; device characteristics; URLs; information on actions taken; and dates and times of activity.
A "cookie" is a text file that the Company’s websites send to your machine to uniquely identify your browser or to store information or settings in the browser. This information may include, but is not limited to, relevant login and authentication details as well as information relating to your activities and preferences across the Company’s web sites. You can disable cookies on your web browser, however if you do so you may not be able to access all parts of our web sites.
Telephone calls made to and from the Company’s service hotlines and/or inquiry telephone numbers will be recorded for the purposes of quality control, appraisal, as well as staff management and development. At all times, care is taken to protect such recordings from inadvertent and/or unauthorized access. Any personal data supplied by you will be retained by the Company and will be accessible by our employees and third parties (as applicable) for the purposes set out in this Privacy Policy Statement or as otherwise indicated by prior notice to you.
USE OF PERSONAL DATA
Your personal data may be used for:
- Verifying your identity;
- Picking up, delivering and tracking shipments;
- Providing products and services you request (such as logistics, supply chain management, customs clearance, and financial services);
- Providing customer support and responding to and communicating with you about your requests, questions and comments;
- Establishing and managing your account;
- Communicating about, and administering your participation in, special events, programmes, surveys, contests, prize draws and other offers or promotions;
- Sending information to your contacts if you ask us to do so;
- Processing claims we receive in connection with our services;
- Matching (as defined in the Ordinance) your personal data with other data collected for other purposes and from other sources including third parties in relation to the provision of goods and services to you;
- Marketing and advertising of any goods and services to you by the Company, related companies, agents, contractors and third party suppliers upon your consent in accordance with the prevailing requirements in the Ordinance;
- Business planning and improving the supply of goods and services to you by the Company, related companies, agents, contractors and third party suppliers, which may be performed by various means including without limitation research, analyses and/or surveys;
- Analysing, verifying, enforcing contractual rights, and/or checking of your credit, payment and/or status in relation to supply of goods and services to you;
- Enabling the daily operation of your account and/or the collection of amounts outstanding in your account with the Company including the use of debt collection agents;
- Maintaining and developing our business systems and infrastructure, including testing and upgrading of these systems;
- Keeping you informed about goods and services supplied to you and other goods and services made available by the Company;
- Prevention, detection or investigation of crime;
- Disclosure as permitted or required by law; and/or
- Any other purposes as may be agreed to between you and the Company.
ACCURACY OF PERSONAL DATA
Where possible, the Company will validate data provided using generally accepted practices and guidelines. This includes the use of checksum verification on some numeric fields such as account numbers or credit card numbers. In some instances, the data provided will be validated against preexisting data held by the Company. In some cases, as per the requirements of the Ordinance, the Company is required to see original documentation before the personal data may be used, such as with personal identifiers (as defined in the Ordinance) and/or proof of address. The Company fully complies with the “Rights of Access and Correction” obligations of the Ordinance. Please refer to the section titled “Access and Correction of Personal Data” below for details on how you can obtain and correct any personal data relating to you that the Company may hold. Please note that the accuracy of such personal data we collect, use and disclose depends to a large extent on the information you provide. You have a right to request correction of your personal data and we recommend that you let us know if there are any errors in your personal data and keep us up-to-date with changes to your personal data such as your name or address.
RETENTION OF PERSONAL DATA
The Company will destroy any personal data it may hold in accordance with its internal policy. Generally speaking, the Company’s policies cover the following principles:
- Personal data will only be retained for as long as is necessary to fulfil the original or directly related purposes for which it was collected, unless the personal data is also retained to satisfy any applicable statutory or contractual obligations; and
- Personal/business data are safeguarded by either account authentication and passwords or access rights permissions to avoid unauthorized access to personal data. For digital records or physical copies containing nonrecurring/non-current personal data not required by audit requirements, the Company will purge/destroy them after use.
DISCLOSURE OF PERSONAL DATA
All personal data held by the Company will be kept confidential, but the Company may, where such disclosure is necessary to satisfy the purpose, or a directly related purpose, for which the data was collected, provide such information to the following parties:
- Any subsidiaries, holding companies, associated companies, or affiliates of, or companies controlled by, or under common control with the Company;
- Any person or company who is acting for or on behalf of the Company, or jointly with the Company, in respect of the purpose or a directly related purpose for which the data was provided;
- Any other person or company who is under a duty of confidentiality to the Company and has undertaken to keep such information confidential, provided such person or company has a legitimate right to such information;
- The Company’s dealers, agents, contractors, suppliers; its professional advisers, including its accountants, auditors and lawyers;
- Government and regulatory authorities and law enforcement agencies and other organisations, as required or authorised by law;
- Any financial institutions, charge or credit card issuing companies, credit providers, credit information or reference bureaux, or collection agencies, security agencies, necessary to establish and support the payment of any services being requested;
- Your authorized representatives or your legal advisers when requested by you to do so;
- Any proposed or actual participant, assignee or transferee of all or any part of the Company's operation or business.
Personal data may also be disclosed to any person or persons pursuant to any statutory or contractual obligations or as required by a court of law, provided such person or persons are able to prove the required right/authority to access such information. In addition, personal data may be disclosed under any of the circumstances described in Part VIII of the Ordinance in which the concerned personal data are exempt from the provisions of Data Protection Principle 3 of the Ordinance.
TRANSFER OF PERSONAL DATA OUTSIDE HONG KONG
At times it may be necessary for the Company to transfer certain personal data to places outside the Hong Kong SAR in order to carry out the purposes, or directly related purposes, for which the personal data were collected. Where such a transfer is performed, it will be done in compliance with the prevailing requirements of the Ordinance.
SECURITY OF PERSONAL DATA
Physical records containing personal data are securely stored in locked areas and/or containers when not in use.
All physical computer data are safeguarded by storing in locked cabinets. Computer data are stored within computer systems which are protected within a server room with an access control system. Storage media will also be placed in cabinets or server rooms.
Access to records and data without appropriate management authorization is strictly prohibited. Authorizations are granted only on a “need to know” basis that is commensurate with an individual's Company responsibilities and their training.
Where the Company holds, uses and/or transmits customers’ personal data, it will be adequately protected from accidental and/or unauthorized disclosure, change and/or destruction.
LINKS TO THIRD PARTY WEBSITES
Our websites may contain links to other sites and pages which are operated by third parties. We have no control over the content of the linked websites or the way in which the operators of those websites deal with your personal data. You should review the privacy policy for those third party websites to understand the ways in which your personal data may be used by those third parties.
ACCESS AND CORRECTION OF PERSONAL DATA
Under the Ordinance, individuals have the right to:
- Ascertain whether the Company holds any personal data relating to them and, if so, obtain copies of such data (“right of access”);
- Require the Company to correct personal data in its possession which is inaccurate for the purpose for which it is being used by means of a data access request (“right of correction”); and
- Ascertain the Company's policies and practices in relation to personal data, which are those policies and practices set out in their entirety herein.
An individual may exercise his or her right of access by:
- Completing the “Data Access Request Form” as prescribed by the Privacy Commissioner for Personal Data or the “Personal Data (Privacy) Ordinance - Data Access Request Form”;
- Sending the completed form, along with appropriate proof of identity (a copy of the applicant's Hong Kong Identity Card or Passport) and the prescribed fee to the Company's Information Technology Department at the address listed below;
- Alternatively, if you do not wish to provide a copy of your proof of identity, you may present the completed form in person, along with appropriate identification, at the Company's office.
The Company will, upon satisfying itself of the authenticity and validity of the access request, make every endeavour to comply with and respond to the request within the period set by the Ordinance (i.e. within 40 days after receiving the request).
An individual may exercise their right of correction by writing to the Company's Information Technology Department at the address listed below, specifying the data obtained through the Data Access Request mentioned above which needs to be corrected.
Satisfactory proof and/or explanation of the inaccuracy is essential before the Company would consider correcting the specified data.
Upon satisfying itself of the authenticity and validity of the correction request, the Company will comply with and respond to the request as required by the Ordinance.
DIRECT MARKETING
In accordance with the requirements of the Ordinance, the Company will honour a customer's request not to use his or her personal data for the purposes of direct marketing.
Upon the customer’s consent, the Company may use his or her personal data (including name, contact information, and information about the products and services that he or she has purchased or subscribed to) to deliver to the customer, through various communication channels by using email address, correspondence address, mobile phone number, telephone number, service number and service account number, etc., various promotion materials including the Company’s latest offers, gifts, discounts, benefits, information relating to the Company’s products and services, computer peripherals, accessories and mobile applications, personal assistance services and information services. The customer may also be provided with the latest offers on various kinds of products or services. For the avoidance of doubt, this consent can be withdrawn at any time as per this Privacy Policy without reference to the duration of the services, and will survive the termination or expiration of the customer’s service contracts.
A customer can at any time send a request to our Information Technology Department, together with his or her contact details, to stop receiving the promotion materials aforesaid or to start receiving the same (if the customer has unsubscribed from receiving such materials before).
Any such request should clearly state the details of the personal data in respect of which the request is being made.
HANDLING OF PERSONAL DATA IN RECRUITMENT AND EMPLOYMENT
RECRUITMENT
During the recruitment process, job applicants may be required to provide sufficient personal data so that the Company may, as appropriate and/or applicable:
- Assess the applicant's suitability for the position being applied for;
- Assess the applicant's suitability for other positions the Company may have available;
- Determine preliminary remuneration and benefit packages;
- Verify credentials and/or experience; and
- Perform security vetting and/or integrity checking.
At a minimum, such personal data will include:
- The applicant's name and contact details, including address and telephone number(s);
- Previous employment and relevant experience; and
- Education and relevant training.
Additional information may also be required dependent on the nature of the position being applied for.
The applicant is responsible for ensuring all personal data they provide is accurate and complete. The provision of inaccurate information or the withholding of requested information may:
- Prevent the Company from making an offer of employment;
- Invalidate such offer if the inaccuracy or omission is discovered after an offer has been made; or
- Lead to termination of employment if the inaccuracy or omission is discovered after employment has commenced.
The personal data so provided may be transferred to persons within the Company, its associated companies, and its clients in client projects, who are involved in the assessment of the applicant's suitability for the position applied for and/or other positions, which may be, or may become, available within the Company. The data may also be transferred to third parties, such as investigation agencies or previous employers, as are necessary to satisfy the purposes set out above.
The Company shall retain the personal data of unsuccessful applicants for future recruitment purposes for a period not exceeding two years from the day on which the recruitment period ends.
EMPLOYMENT, INCLUDING POST EMPLOYMENT
In the course of employment by the Company, personal data of employees and their families, as appropriate, will be collected and used on an ongoing basis for various Human Resource purposes including but not limited to: administering staffing, performance management, training, career development, salary and benefits administration, communication (e.g. Company news, staff benefit offerings and promotions), medical benefits, provident fund administration, insurance, taxation, welfare and providing information in compliance with legal requirements. It will be transferred to those internal departments, intra-company, and/or to other third parties as is necessary for the purposes.
The Company retains certain personal data of employees when they cease to be employed by the Company (and such data will be retained for no longer than seven years after their cessation of employment). Such data are required for any residual employment-related activities of the former employee including, but not limited to:
- The provision of job references;
- Processing applications for re-employment;
- Matters relating to retirement benefits; and
- Allowing the Company to fulfill contractual or statutory obligations.
THE COMPANY'S PERSONAL DATA (PRIVACY) ORDINANCE CONTACT DETAILS
All enquiries regarding the Company's compliance with its obligations under the Ordinance should be made in writing to:
2/F, Tin On Ind Bldg, 777 Cheung Sha Wan Road
Lai Chi Kok