1 Overview
We, The Orchard Partnership Limited, understand that each individual’s privacy is important, and that it is our responsibility to care about how the personal data we collect is stored and used. We respect and value the privacy of everyone who uses our individual and corporate coaching and training services (our “Services”), or who visits our website, and we will only collect and use information in ways that are useful to our clients and in a manner consistent with their rights, and our obligations under the law.
This Privacy Policy sets out how we collect, store and use personal data. This Privacy Policy is effective from 1st October 2018.
2 Our details
The Orchard Partnership Limited (‘we’, ‘us’ or ‘our’) is a corporation registered in Hong Kong, having Company number 927335 with its registered office at 15th Floor, 100 Queens Road Central, Central, Hong Kong.
Any queries related to our privacy policy can be sent by post to the above address, or by email to [email protected].
3 Collection and use of Personal Data
3.1 Personal data
We consider that personal data is any kind of data that can identify an individual. We do not request any personal data from our clients or anyone who contacts us other than data that is legitimately required, appropriate and relevant to our business purposes, and only to the extent necessary to provide our Services, or to enable us to provide information that we consider will be of value to individuals that contact us.
3.2 Personal Data received directly from individuals
When anyone contacts us, we may collect personal data necessary to be able to provide our Services, which could include personal details such as names, email addresses, business address, Instant Messaging contact information and corporate information (where applicable).
Where individuals have entered into a contract with us or requested that we enter into a contract with them to provide our Services, we may also obtain more detailed personal data about that individual in order to enable us to provide our Services to a sufficient standard.
Once personal data has been submitted to us, it is used solely for providing our Services or for providing information that we may consider relevant, which may include contacting individuals by email, telephone or text message with information and news about our Services. We will not, however, send any unsolicited marketing or spam and will take all reasonable steps to ensure that we fully comply with our obligations under the law.
3.3 Personal Data received from third parties
We may receive personal data from the human resources department of companies or entities that have contracted with us for our Services which may include information such as the results of personality profile assessments, corporate assessments of individuals, corporate opinions and reports on individuals and peer group review information. We may also occasionally receive personal information from professional referrals that have recommended the use of our Services. Such information is kept in strictest confidence and is used solely for the purposes of providing our Services.
We do not solicit personal data about individuals from any other third parties. If we receive personal data about individuals from a third party in error and/or we do not have a legitimate basis for using that personal data, we will delete such personal data.
In certain circumstances (for example, to verify the information we hold about individuals or to obtain missing information that we require to provide our Services) we may obtain personal data from certain publicly accessible sources, both EU and non-EU, such as online customer databases, business directories, media publications, social media, and websites.
3.4 Personal Data collected on our website
We may automatically collect information from visitors to our website. We use a third-party server to host our website in Singapore and, accordingly, personal data for clients based in the European Economic Area (EEA) may be stored outside the EEA.
We do not access or use the log data from our website server. Furthermore, unless we are investigating suspicious or potential criminal activity, we do not make, nor do we allow our hosting provider to make, any attempt to identify individuals from the information collected via server logs. However, our third-party hosting provider may use website server log information to analyse website use and improve our website.
Google collects information through our use of Google Analytics on our websites. Google uses this information, including IP addresses and information from cookies, for a number of purposes, such as improving its Google Analytics service. Information is shared with Google on an aggregated and anonymized basis.
Cookies are data files which are sent from a website to a browser to record information about users for various purposes. Our website may use cookies and similar technologies, including essential, functional, analytical and targeting cookies. Visitors to our website can reject some or all of the cookies we use on or via our website by changing their browser settings, but doing so may impair the visitor’s ability to use our website or some or all of its features. For further information about cookies, including how to change browser settings, please visit www.allaboutcookies.org.
3.5 Sensitive Personal Information
‘Sensitive personal information’ is information about an individual that reveals their racial or ethnic origin, political opinions, genetic information, biometric information for the purpose of uniquely identifying an individual, information concerning health or information concerning a natural person’s sex life or sexual orientation.
We do not intentionally collect any sensitive personal information at any time. Where such information is provided to us from clients that we have contracted with, in the course of providing our Services, such personal data is treated in strictest confidence, and only stored if we have a legitimate reason to do so and the client explicitly consents to us storing such information.
4 Retention and Storage of Personal Data
4.1 Retention
We will only store personal data if we have an ongoing legitimate business need to do so in order to provide our Services and only for as long as we have permission to keep it. In any event, personal data will be deleted if we are notified via email, telephone or post to do so.
4.2 Storage
Clients based in the EEA should note that personal data will be stored outside of the European Economic Area (“the EEA”). We will take all reasonable steps to ensure that personal data is treated as safely and securely as it would be within the EEA under the EU General Data Protection Regulation (‘GDPR’).
Data security is of great importance to us, and to protect personal data we have in place suitable physical, electronic and managerial procedures to safeguard and secure personal data.
5 Security of Personal Data
We shall ensure that the following measures are taken with respect to the collection, storage, and use of personal data:
- All employees, agents, contractors, or other parties working on behalf of The Orchard Partnership Limited shall be made fully aware of both their individual responsibilities and our responsibilities under this Policy, and shall be provided with a copy of this Policy;
- Only employees, agents, sub-contractors, or other parties working on behalf of The Orchard Partnership Limited that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by us;
- All employees, agents, contractors, or other parties working on behalf of The Orchard Partnership Limited handling personal data will be appropriately trained to do so;
- All employees, agents, contractors, or other parties working on behalf of The Orchard Partnership Limited handling personal data will be bound to do so in accordance with the principles of this Policy by contract;
- All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy.
Notwithstanding the security measures that we take, it is important to remember that the transmission of data via the internet may not be completely secure and that individuals are advised to take suitable precautions when transmitting personal data to us via the internet.
6 Disclosure of Personal Data
6.1 Disclosure of personal data to service providers
We may use third parties to provide us with services which are necessary to run our business or to enable us to perform our obligations under any contract we have with them, or for the purposes of providing our Services. Where any personal data is required for such a purpose, we will take all reasonable steps to ensure that the personal data will be handled safely, securely, and in accordance with the rights of our clients, our obligations, and the obligations of the third party under the law. Furthermore, only the minimum necessary personal data will be disclosed to enable such services to be provided to us and where we have consent to do so.
We do not display the identities of our service providers publicly by name for security and competitive reasons. However, individuals can request further information about the identities of our service providers by contacting us directly via the contact form on our website or by email, in which case we will provide the individual with such information where they have a legitimate reason for requesting it (for example, where we have shared personal data with such service providers).
6.2 Disclosure of information to other third parties
We will only disclose personal data to other authorised third parties if:
- We have consent from the client to share their personal data with an authorised third party;
- We have a legitimate need to do so in order to provide our Services;
- The third party complies with all legal requirements and obligations regarding the use of personal data.
We do not sell personal data to any third parties at any time.
7 Access and Rights in relation to Personal Data
We want to make sure that all personal information that we hold is accurate and up to date. All individuals have the following rights in relation to their personal data held by us:
- to request access to personal data kept by us and information related to our use of that personal data;
- to request the correction or deletion of personal data;
- to request that we restrict our use of personal data;
- to receive information which individuals have provided to us in a structured, commonly used and machine-readable format (e.g. a CSV file) and the right to have that information transferred to another entity or person;
- to object to the use of personal data for certain purposes; and
- to withdraw consent to our use of their personal data at any time.
Please note that withdrawal of consent will not affect the lawfulness of our use of personal data on the basis of consent obtained prior to such withdrawal of consent.
These rights can be exercised by sending an email to [email protected].
8 Compliance with Legislation
We strive to maintain compliance with key legislation applicable to privacy. In particular, we comply with the general requirements of the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) and the EU General Data Protection Regulation (GDPR).
8.1 The Personal Data (Privacy) Ordinance
The objective of the Personal Data (Privacy) Ordinance (Cap. 486) is to protect the privacy rights of a person (the Data Subject) in relation to their personal data. Personal data is information which relates to a living person, can be used to identify that person, and exists in a form in which access or processing is practicable.
There are six Data Protection Principles (“DPPs”) which represent the core of the Ordinance, covering the life cycle of personal data:
8.1.1 DPP1 – Data Collection Principle: Personal data must be collected in a lawful and fair way, for a purpose directly related to a function/activity of the data user. Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred. Data collected should be necessary but not excessive.
8.1.2 DPP2 – Accuracy & Retention Principle: Practicable steps shall be taken to ensure personal data is accurate and not kept longer than is necessary to fulfil the purpose for which it is used.
8.1.3 DPP3 – Data Use Principle: Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.
8.1.4 DPP4 – Data Security Principle: A data user needs to take practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.
8.1.5 DPP5 – Openness Principle: A data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.
8.1.6 DPP6 – Data Access & Correction Principle: A data subject must be given access to their personal data and allowed to make corrections if it is inaccurate.
8.2 EU General Data Protection Regulation (GDPR) compliance
The EU General Data Protection Regulation (GDPR) is a comprehensive set of rules designed to keep the personal data of all EU citizens collected by any organization, enterprise, or business safe from unauthorized access or use. The GDPR went into effect on 25th May 2018, and the provisions in the law affect the manner in which every business transaction involving EU citizens is conducted.
Under the GDPR, before processing any personal data, a business must ask for explicit permission from the subject. The request must use clear language. The provisions of the regulation specifically outlaw the use of long documents filled with legalese. The consent must be given for a specific purpose and must be requested separately from other documents and policy statements.
The GDPR defines personal data as any information related to a natural person (data subject) that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or even a computer IP address. The key provisions of the GDPR are:
8.2.1 Consent: The GDPR specifically prohibits the use of long, convoluted terms and condition statements, particularly statements that contain legalese. Any request for consent, declaration of terms, or statement of privacy must be presented clearly and concisely, and without any ambiguity of meaning. Furthermore, it must be as easy to withdraw consent as it is to give it.
8.2.2 Breach notification: Compliance with the GDPR requires companies to notify all data subjects that a security breach has occurred within 72 hours of first discovering it. The method of this notification will include as many formats as deemed necessary to disseminate the information in a timely manner, including email, telephone message, and public announcement.
8.2.3 Right to access: The GDPR requires companies to provide, at the data subject’s request, confirmation as to whether personal data pertaining to them is being processed, where it is being processed, and for what purpose. Companies must also be able to provide, free of charge, a copy of the personal data being processed in an electronic format.
8.2.4 Right to be forgotten: Under the GDPR, companies must erase all personal data when asked to do so by the data subject. At that point, the company must cease further dissemination of the data, and halt all processing. Valid conditions for erasure include situations where the data is no longer relevant, or the original purpose has been satisfied, or merely a data subject’s subsequent withdrawal of consent.
8.2.5 Data portability: The GDPR requires companies to provide mechanisms for a data subject to receive any previously provided personal data in a commonly used and machine-readable format. Under this provision, the data subject also has the right to request the company transmit the data to another processor, free of charge.
8.2.6 Privacy by Design: Companies must follow Privacy by Design principles and implement appropriate technical and organisational measures in an effective way to meet the requirements of the GDPR and protect the rights of data subjects. This provision means that companies will process only the data absolutely necessary for the completion of their business and limit access to personal data to only those employees needing the information to complete the process consented to by the data subject.
9 Children’s Privacy
We do not knowingly contact or collect information from persons under the age of 18. Our website is not intended to solicit information of any kind from persons under the age of 18.
It is possible that we could receive information pertaining to persons under the age of 18 by the fraud or deception of a third party. If we are notified of this, as soon as we verify the information, we will delete the information from our servers.
10 Changes to our Privacy Policy
We update and amend our Privacy Policy from time to time.
10.1 Minor changes to our Privacy Policy
Where we make minor changes to our Privacy Policy, we will update our Privacy Policy with a new effective date stated at the beginning of it. Our processing of personal data will be governed by the practices set out in that new version of the Privacy Policy from its effective date onwards.
10.2 Major changes to our Privacy Policy or the purposes for which we process personal data
Where we make major changes to our Privacy Policy or intend to use personal data for a new purpose or a different purpose than the purposes for which we originally collected it, we will notify individuals by email (where possible) or by phone, or instant messaging if email is not applicable.
We will provide individuals with the information about the change in question and the purpose and any other relevant information before we use that personal data for any new purpose.