PENTASTIC SECURITY LIMITED
Statement of Policy
1. PENTASTIC SECURITY LIMITED (“we”, “our”, “us”) respects personal data privacy and is committed to implementing and complying with the data protection principles and provisions under the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).
Meaning of Personal Data
2. Under the PDPO, personal data is defined as data relating directly or indirectly to a living individual, from which it is possible and practical to ascertain the identity of the individual from the said data, in a form in which access to or processing of the data is practicable.
Personal Data collected, used, stored and held by us falls into groups as follows:
(i) Customer’s identity includes information such as first name, last name, title, date of birth, and other identifiers that you may have provided at some time;
(ii) Customer’s contact information includes information such as e-mail address, billing address, delivery address, telephone number, and other information you have given to us for the purpose of communication or meeting;
(iii) Transaction data includes details about payments or communications to and from you and information about services for which you have engaged us;
(iv) Technical data includes your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website.
4. If you do not agree with these terms, please refrain from providing any Personal Data to us. If you refuse or withdraw your consent, or if you choose not to provide us with the required Personal Data, we may be unable to provide you with services that require access to certain Personal Data.
Statement of Practices
Categories of Personal Data Held
5. We hold the following categories of personal data –
(i) Employment-related records which include data on job applications, personal particulars, education and qualifications, employment history, salary and allowances, participation in Mandatory Provident Fund, terms and conditions of service, housing and medical benefits, leave records, training and development, appraisal reports, conduct and discipline, etc.;
(ii) General administrative records which include personal data collected in connection with the office administration functions, records containing information supplied by data subjects and collected in connection with the handling of enquiries and complaints made to us, etc.;
(iii) Customer records which include personal data collected in the course of handling customers’ membership applications, transactions, complaints and enquiries, etc.; and
(iv) Other records which include administrative and programme records containing personal data.
Main Purposes of Keeping Personal Data
6. The main purposes of keeping the personal data are as follows:
(i) Employment-related records are kept for a range of appointments and human resource management purposes, including postings and transfers, training and career development, performance appraisal and promotion, discipline, offer of benefits, etc.;
(ii) General administrative records are kept for the purposes of carrying out various office administration functions, responding to and taking follow-up actions on enquiries and complaints, etc.;
(iii) Customer records are kept for the purposes of handling customers’ membership applications, transactions, complaints and enquiries, etc.; and
(iv) Other records are kept for various purposes, which vary according to the nature of the records, such as procurement of stores and equipment, organisation of activities, etc.
Practices of Personal Data Handling
7. The practices at (a) to (f) below are implemented to ensure that personal data held by us is handled in accordance with the data protection principles enshrined in the PDPO.
(a) Collection of personal data
8. When collecting personal data, we will satisfy ourselves that:
(i) the purposes for which the data is collected are lawful and directly related to our function or activity;
(ii) the manner of collection is lawful and fair in the circumstances of the case; and
(iii) the personal data collected is necessary but not excessive for the purpose(s) for which it is collected.
9. When we collect personal data from an individual, the individual will be provided with a Personal Information Collection Statement on or before the collection in an appropriate format and manner. Practicable steps will be taken to ensure that –
(i) the data subject is informed of whether it is obligatory or voluntary for him/her to supply the data and, if obligatory, the consequences for him/her if he/she fails to do so; and
(ii) the data subject is explicitly informed of the purpose for which his/her personal data is to be used, the classes of persons to whom the data may be transferred or disclosed, the rights of the data subject to request access to and correction of the data, and the contact details of the individual to whom any such request may be made.
(b) Accuracy and retention of personal data
10. Personal data collected and maintained by us shall be as accurate, complete, and up-to-date as is necessary for the purpose for which it is to be used.
11. A destruction exercise on records containing personal data will be conducted as and when necessary.
(c) Use of personal data
12. All personal data collected will be used only for purposes which are directly related to the discharge of our duties and responsibilities.
(d) Security of personal data
13. We strictly observe relevant security standards and regulations. Security arrangements will also be reviewed regularly to ensure that personal data is protected against loss and unauthorised or accidental access, use, disclosure, modification and erasure. The security arrangements adopted include but are not limited to the following:
(i) restriction of access to personal data on a “need-to-know” basis;
(ii) regular review and enhancement of security measures for protection of personal data in the servers, user computers, transmission of electronic messages, etc.;
(iii) regular change of passwords for IT facilities, accounting and personnel systems, etc.;
(iv) encryption of all backup storage devices that are to be transported to off-site storage; limited staff access rights to office areas storing confidential information; and
(v) provision of clear guidelines to staff as to the types of data that may or may not be disclosed to a phone enquirer and implementation of appropriate identity verification procedures to confirm the enquirer’s identity.
(e) Transparency of the personal data policy and practices
(f) Access to and correction of personal data
15. We recognise an individual’s rights of access to and correction of his/her own personal data in accordance with the PDPO. To make a data access request, an individual should reach out to us by email: email@example.com or by post: 11/F Admiralty Centre Two, 18 Harcourt Road, Admiralty, Hong Kong.
16. When handling a data access or correction request, we will check the identity of the requester to ensure that he/she is the person legally entitled to make the data access or correction request.
17. Our services are not generally aimed at children. In some cases in which we may collect and use Personal Data about children provided by you, we will comply with applicable laws.
Period we keep hold of your Personal Data
20. We keep your Personal Data for as long as we need it to satisfy our regulatory and legal requirements. Once the Personal Data is no longer required, it is either deleted or anonymised.
Incident Reporting and Breach Handling
21. A mechanism is set up for incident reporting and breach handling in case there is loss or leakage of personal data, or there is a reason to believe that the personal data held by us has been compromised.
Ongoing Monitoring and Review
11/F Admiralty Centre Two,
18 Harcourt Road,
Tel: +852 5608 0238
Updated as of 8 Nov 2020