Privacy Policy
1. Contact Details
For any questions about this notice, please contact:
Data Controller: Mac Kurata
Address: Room 507B, 5/F, Empire Centre, 68 Mody Road, Tsim Sha Tsui, Kowloon, Hong Kong
Email: [email protected] | Phone: +852-5803-1111
2. Types of Personal Data Processed
We process the following types of personal data:
– Name, email address, phone number, and mailing address
– Employment details, including job title, employer information, and salary information
– Any other data necessary for our recruiting services
3. Lawful Basis for Processing Personal Data
We process personal data based on:
– Consent from the individual
– Contractual necessity for our services
– Compliance with legal obligations
4. How Personal Data is Processed
We collect and store data securely, using encryption and other safeguards.
Data may be shared with trusted partners for recruiting purposes only.
5. Data Retention Period
Personal data is retained for up to 1 year unless legally required otherwise.
6. Data Subject Rights
Individuals have the following rights:
– Access and obtain a copy of personal data
– Request correction or deletion of data
– Restrict or object to processing
– Data portability to another provider
Data Confidentiality Policy OR Data Privacy Policy
Policy Effective Date: 01/10/2022
No part of this documentation may be reproduced or transmitted in any form or by any
means, electronic or mechanical, including photocopying or recording, for any purpose
without express written permission of the CEO of Prolink Consulting Limited.
© 2024, Prolink Consulting Limited. All Rights Reserved
Data Controller of Prolink Consulting : Mac Kurata
Address : Room 507B, 5/F, Empire Centre, 68 Mody Road, Tsim Sha Tsui, Kowloon,
Hong Kong
Contact Details :
[email protected]
+852-5803-1111
1. Objective
The objective of the Data Confidentiality or Data Privacy Policy (hereinafter referred to
as ‘Data Privacy Policy’) is to set standards and/or a framework for the usage and
protection of confidential data related to the organization. Data Privacy Policy intends
to communicate the organization’s commitment in terms of protecting the privacy of
user data and protection of consumer data within the organization. It is evidence of
the organization’s commitment to data protection principles.
2. Scope & Applicability
The Scope of Data Privacy Policy covers all employee/s, customers, suppliers,
external consultants, partners, contractors and any other external entity. The policy
defines the types of data and their appropriate usage.
3. Policy / Process
3.1 Procedures
The Data Privacy Policy implementation is defined via procedures.
The Information Technology (IT) department plays a vital role in implementing the policy
and ensuring adherence to the policy across the organization.
IT department, i.e. the IT Manager and/or chosen representative from the IT
department, shall devise a comprehensive inventory cataloguing the storage
locations of sensitive company data.
The comprehensive inventory should include the following analysis:
● HR systems data storing employee records in terms of name, gender
orientation, designation, department, date of joining, compensation and
wages details, payroll, health and retirement benefits.
● Employee record/s in the policy is defined as Personal data. Personal data is
any information about an identified or identifiable person, known as a data
subject, i.e. employee/s. Personal data includes any information that can be
used to identify someone, alone or in combination with other information. This
includes the employee/s name, date of birth, address proof and/or passport
details, compensation & benefits, and educational qualifications, all of which
can be utilized as identification of employee/s.
● Unstructured data residing in company equipment, remote servers and email
accounts
● Persons with a view or edit access to the data
● The volume of data ageing
The Data Privacy Policy of the organization is implemented by adhering to the
following steps:
● Data Life Cycle Management – This refers to a framework that standardizes
data processes in the organization, from data creation through storage and
archiving until its final deletion.
● Data Risk Management – This includes identifying and assessing all risks and
threats that may affect the data, and protecting data confidentiality by taking
such steps as may be deemed necessary.
● Data Back-up and Recovery – This includes the backup support mechanisms
for data once data is created. All organization data is supported by a backup
drive that is accessible in the case of an emergency, i.e. all systems failure.
● Data Access Management Controls – This requires that data related to
the organization be used only by authorized user/s. The records of the
same shall be kept by the organization’s IT department.
● Data Storage Management – This includes tasks related to securely moving
data on-premises or in external cloud environments. These may be data
stores for frequent, high-performance access or archival storage for infrequent
access.
● Data Breach Prevention – Data breach prevention measures are implemented
for the purpose of preventing unauthorized access to data. The goal is to
avoid external malicious viruses or internal threats from gaining unauthorized
access to information and systems. Cyber security measures are put in place
for the purpose of preventing attacks on internal networks, network
perimeters, data-in-transit, and data-at-rest. Typically, these measures include
data encryption, implementation of antivirus software, protection against
ransomware, perimeter security hardware and software, and access
management software.
● Monitoring and Reviewing – Monitoring and reviewing processes help
organizations gain visibility into data activities, risks and controls, helping
improve protection and respond to threats and anomalies. Monitoring and
reviews may also be necessary to meet compliance requirements. Ongoing
monitoring provides visibility into all aspects of the data lifecycle, including
data creation, storage, transmission, archiving, and destruction. These
activities offer essential evidence for internal and external auditors that
examine controls for data protection and management.
The organization upholds the highest responsibility in data collection from the
subscribers if any, and the data received for job applications.
Therefore data collected from subscribers, if any, job applicants, employee/s, data
related to products, new product development and innovations, finance, supply chain
and any other data shall be treated with confidentiality.
All data shall be treated in the following manner:
● All data shall be processed within its legal and moral boundaries.
● All data shall be protected against illegal and unauthorized access.
● All data shall be protected against any unauthorized or illegal access by
internal or external parties.
● Data shall not be communicated informally.
● The data shall not be stored for more than the specified time.
● Data shall not be distributed or transferred to organizations, states or
countries that do not have adequate data protection policies.
● Data shall not be distributed to any parties other than those agreed
upon (except for legitimate requests from law enforcement authorities).
● Data shall not be collected for use or disclosed, including the purpose
which is permitted under section 24 for the collection of Personal Data
without the data subject’s consent.
● Personal Data’s personnel will be notified when the data subject is provided
for compliance with a law, or contract, or where it is necessary to provide
the Personal Data for the purpose of entering into contract, including where
the data subject does not provide such Personal Data.
● The Collected Personal Data will be retained for 1 year from the date of
collection.
● Keep the employee/s and/or parties involved from whom the data is being
collected informed of how the data shall be processed/used and who has
access to it.
3.2 Responsibility – IT Department / HR Department / Finance Department / Supply Chain
● The IT Manager must formulate an effective governance strategy to keep
track of inward or outward data flow.
● The IT Manager and the Supply Chain Manager shall maintain
oversight of third-party service providers and data processors since the Data
Protection Law considers the collecting party responsible for the safeguarding
of personal data even if the information has subsequently been shared with
other parties.
● HR Manager/s and/or Business Head/s of the organization are strictly
responsible for adhering to and ensuring the culture of data confidentiality
with respective teams. Building an enterprise-wide appreciation of good
information security practices requires a combination of senior-level buy-in
and a commitment to continuous learning.
● The IT Manager should constantly be vigilant in maintaining IT security and
controls similar to the adoption of information security frameworks.
● Adoption of effective data breach response measures
4. Non-compliance and consequences
In the event of non-compliance with Data Privacy Policy, the concerned Department
Manager/s and/or concerned parties involved shall be suspended and/or terminated
and/or legal action shall be taken towards parties involved in non-compliance.
5. Special Circumstances and Exceptions
In the event the Manager/s are unable to comply with the Data Privacy Policy due to
challenges that involve specific situation/s or circumstances, then the party and/or
parties involved shall be exempted in writing by the management from any legal
action