STATEMENT OF POLICY
SWAY LIMITED (hereinafter “SWAY,” “we,” and “us”) respects personal data privacy. We will comply with the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong Special Administrative Region) (hereinafter the “Ordinance”) and are committed to fully implementing the data protection principles promulgated under the Ordinance.
STATEMENT OF PRACTICE
Information We Collect
From time to time, we may collect various types of personal information (“personal information” or “personal data”) (such as Hong Kong Identity Card Number, email address, full name, and contact number) from you in connection with our provision of services, activities, and facilities, including but not limited to account registration, ticketing transaction, e-newsletter subscription, event registration, membership, Wi-Fi usage, payment, following up on enquiries, conducting customer surveys, advertising, venue booking, fundraising campaigns, job application and/or employment-related issues, and contractor management, etc.
We do not actively collect personal data of minors under the age of 18 but we may collect their personal data while they use our services or register for our activities and events. Minors must have obtained prior consent from their parents or guardians before providing personal data to us.
Main Purpose of Collecting Personal Data
The main purposes of collecting the personal data are as follows:
- for processing your service requests (including but not limited to event registration, ticket purchase, e-newsletter subscription, product purchase, Wi-Fi usage, S’way Recital Hall Membership (hereinafter the “membership”) account registration, membership registration, venue booking, and donation) with us and providing you with our services;
- for administering your membership account and maintaining your records;
- for facilitating communications between you and us;
- for notifying you of changes to our services that may affect you;
- for responding to and following up on your enquiries;
- for enhancing your experience in the S’way Music Studio and/or S’way Recital Hall with programmes and offerings that are of interest;
- for direct marketing upon obtaining explicit consent from you;
- for managing customer relationships between/within S’way Music Studio and/or S’way Recital Hall;
- for communicating with you for potential support to S’way Music Studio and/or S’way Recital Hall that is relevant to your interests and appropriate;
- for conducting and facilitating promotional activities, events, lucky draws or redemption of prize;
- for customising and sending contents, advertisements, notifications and other information on our websites, mobile applications, social media platforms and other platforms (“platforms”) based on your habits, experience, interests and preferences;
- for administering, maintaining and improving our platforms;
- for conducting statistical analysis, research, surveys, quality assurance, behavioural analysis and review;
- for processing your job application and/or employment-related issues;
- for executing the service contracts between you and us; and
- for other purposes directly relating to any of the above.
We may collect and combine/process information from you (except for Purposes 14 and 15) through various channels, such as online channels (e.g. websites, mobile applications, social media platforms), offline channels (e.g. physical application forms), or publicly available information about you. We use this information to help improve your experience and communicate with you about events or offerings that may be of interest.
Implementation of Practices
We will implement the practices at (a) to (f) hereinbelow in accordance with the data protection principles in the Ordinance.
(a) Collection of personal data
When collecting personal data, SWAY will satisfy itself that:
- the purposes for which the data is collected are lawful and directly related to a function or activity of the SWAY;
- the manner of collection is lawful and fair in the circumstances; and
- the personal data collected is necessary but not excessive for the purpose(s) for which it is collected.
When we collect personal data from you, you will be provided with a Personal Information Collection Statement (“PICS”) on or before the collection in an appropriate format and manner. Practicable steps will be taken to ensure that:
- you are informed of whether it is obligatory or voluntary to supply the data and, if obligatory, the consequences in failing to do so; and
- you are explicitly informed of the purpose(s) for which the personal data is to be used, the classes of persons to whom the data may be transferred or disclosed, your right to request access to and correction of the data, and the contact details of the officer to whom any such request may be made.
If we intend to use the personal data collected for a new purpose, other than the purpose of first collection as stated in the PICS, we will obtain prior consent from the data subject before the usage. If the data subject is under the age of 18, we will only use the personal data for a new purpose after we obtained prior consent from the parent or guardian of the data subject.
(b) Accuracy and retention of personal data
Personal data collected and maintained by us will be as accurate, complete, and up-to-date as is necessary for the purpose(s) for which it is to be used.
We maintain a personal data inventory, which contains the kinds of personal data that we hold, the purposes for which the personal data is collected, used and disclosed, and how the personal data is stored. The personal data inventory will be reviewed periodically to ensure that it is accurate and up-to-date.
We will only retain your personal data for as long as is reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we will consider the amount, nature, and sensitivity of the personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Should there be a need to retain personal data for statistical purposes, such personal data will be anonymised so that the individuals concerned can no longer be identified.
(c) Use of personal data
All personal data collected will be used by and shared among SWAY for purposes which are directly related to the discharge of SWAY’s activities or functions. We will never sell or rent your information with any other organisation outside SWAY. We may transfer your personal information to our service providers such as IT contractors, cloud service providers, event agents and confidential documents disposal service agents, etc., in order for them to perform services on our behalf. We may also share your personal data with partners or service providers that are involved in co-organising events with us or providing goods and services to you or fulfilling your requests. We will ask for your consent before sharing personal information with any third party partners for direct marketing purposes such as external online platforms and social media platforms, etc. Personal data may also be disclosed to other entities which are authorised to receive such information for law enforcement, prosecution or review of decisions purposes, or otherwise as required or permitted by law. We may also need to transfer your personal data outside of Hong Kong for necessary handling, processing or storage.
You will be informed of the transferees of personal data when your personal data is collected. We require all transferees to respect the security of your personal data and comply with the Ordinance and other applicable personal data laws. We do not allow our transferees to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
If personal data is to be used for a purpose other than the purposes for which the data is collected, prior consent will be sought from you where practicable. In seeking the consent, all practicable steps will be taken to ensure that:
- information provided to you is clearly understandable and readable; and
- you are informed that you are entitled to withhold your consent or withdraw your consent subsequently by giving notice in writing.
We will not use personal data or provide personal data for use in direct marketing without your explicit consent. Such direct marketing communications may take the form of mails, emails, SMSs, targeted online advertisements, notifications via our mobile applications, push notifications, instant messaging, etc. Such direct marketing communications may relate to products, activities, events and services of SWAY, including those sponsored by or jointly organised by SWAY with third parties, and those on offer or taking place at the S’way Recital Hall (“Marketing Communications”). Examples of these Marketing Communications include newsletters, membership benefits, shop/merchandise promotions, event invitations, invitations to donations, etc. If we intend to use your personal data for direct marketing, we will obtain explicit consent from you before using your personal data and will notify you when using personal data for direct marketing for the first time that you have a right to request us to cease using the data for direct marketing if you so require. These Marketing Communications may be sent by SWAY and/or an external party on our behalf (e.g. external online platforms and social media platforms). If we intend to provide your personal data to an external party (e.g. our service providers or third party partners) for use by that other person for their direct marketing purposes, we will inform you in writing in advance that we intend to provide the personal data and will not provide the personal data unless we have received your explicit consent. You may, at any time, require us to cease using your personal data in direct marketing by informing us through the channels as stated in practice (f) below.
(d) Security of personal data
We observe strictly the relevant security standards and regulations. Security arrangements will be reviewed regularly to ensure that personal data is protected against loss and unauthorised or accidental access, use, disclosure, modification and erasure. The security arrangements include, without limitation, the following:
- restriction of access to personal data on a ‘need-to-know’ basis;
- regular review and enhancement of security measures for protection of personal data in the servers, user computers, or transmission of electronic messages;
- regular change of passwords for IT facilities, or accounting and personnel systems;
- encryption of all backup tapes that are to be transported to offsite storage;
- limited staff access rights to office areas storing confidential information; and
- provision of clear guidelines to staff as to the types of data that may or may not be disclosed to an enquirer and implementation of appropriate identity verification procedures to confirm the enquirer’s identity.
(e) Transparency of the personal data policy and practices
(f) Access to and correction of personal data
We recognise your rights of access to and correction of your personal data in accordance with the Ordinance. To make a data access request, you should complete the form specified by the Office of the Privacy Commissioner for Personal Data, which is available at https://www.pcpd.org.hk/english/publications/files/Dforme.pdf, and submit the completed form to us in any one of the following ways —
- via email to firstname.lastname@example.org
- in person or by mail to:
Unit 01, 2/F, Knutsford Commercial Building
4-5 Knutsford Terrace
Tsim Sha Tsui, Kowloon
When handling a data access or correction request, we will check the identity of the requester to ensure that the requester is the person legally entitled to make the data access or correction request.
We may impose a fee for the necessary cost of complying with a data access request. We will clearly inform the requester the amount to be charged.
We may refuse a data access request in the circumstances specified in Section 20 of the Ordinance.
We maintain a logbook recording the data access or correction requests received as required under Section 27 of the Ordinance.