This Policy is separate and in addition to client confidentiality obligations we may owe you – please refer to the terms and conditions applicable to your engagement for further details.
Who decides why and how we process your personal data?
OLN determines why and how we process your personal data. In each case, your personal data will controlled by OLN which you have given instructions to, or with which you are otherwise dealing with or receiving communications from or OLN which provides services to a third party which you are associated with, for example a company of which you are a director or shareholder.
What personal data might we collect?
We collect different types of personal data for different reasons – this may include:
Contact information: Information such as your name, job title, postal address, home address where you provide this to us, business address, telephone number, mobile number, fax number and email address.
Payment data: Data necessary for us to process payments and implement fraud prevention measures, including credit / debit card numbers, security code numbers and other such relevant billing details.
Business details: Business information which we necessarily process as part of our instructions or projects we are involved in or otherwise provided by you voluntarily.
Compliance details: Information we are legally required to collect for compliance purposes, such as ‘know your client’ information, details relevant to international sanctions and restrictive measures and information about relevant and significant litigation, which may impact our ability to act.
Preferences: Information about your preferences, where it is relevant to the services we provide.
Publicly available information: Information collected from publicly available resources, including but not limited to information collected from databases we use to carry out compliance checks or credit rating agencies.
Statutory Register Information: Information about you on account of an interest or office you may hold in or certain relationships you may have with a corporate entity, partnership, trust or other vehicle to which we provide services (each such entity, a Third Party Entity).
Details for events: In some cases, we may collect information about you, which may include sensitive information in relation to your health, for the purpose of tailoring our events to your needs. The processing of such data is based entirely on your consent – in the event that you do not want us to maintain such data, we may not be able to take the necessary precautions.
When do we collect your personal data?
We may collect personal data about you in various cases, such as for example:
In some circumstances, we may collect personal data about you from third parties – for example, we may collect personal data from your organisation, other organisations with whom you have dealings including Third Party Entities, government agencies, a credit reporting agency, an information or service provider or from a publicly available record.
How will we use your personal data?
We will use your personal data for the following purposes (Permitted Purposes):
Where you have expressly given us your consent, we may process your personal data also for the following purposes:
With regard to newsletters, legal updates and other general communications, we will - where legally required - only provide you with such information if you have opted in. You have the opportunity to opt out of receiving such communications at any time. We will not use your personal data for taking any automated decisions affecting you or creating profiles other than described above.
Depending on for which of the above Permitted Purposes we use your personal data, we may process your personal data on one or more of the following legal grounds:
We may also process your data based on your consent where you have expressly given that to us.
How will we share your personal data?
We may share your personal data in the following circumstances:
We will otherwise only disclose your personal data when you direct us or give us permission to do so, when we are required by applicable law or regulations or judicial or official request to do so, or as required to investigate actual or suspected fraudulent or criminal activities.
Can you refuse to share your personal data with us?
In general, we receive your personal data where you provide this on a voluntary basis, and there will typically be no detrimental effect for you if you wish not to provide this or otherwise withhold your consent for it to be processed. However, there are certain cases where we will unfortunately be unable to act without receiving such data, for example where we need to carry out legally required compliance screening or require such data to process your instructions or orders, or otherwise to provide you with our online services or communications.
Where it is not possible for us to provide you with what you request without the relevant personal data, we will let you know accordingly.
How do we keep your personal data safe?
We take appropriate technical and organisational measures to keep your personal data confidential and secure, in accordance with our internal policies and procedures regarding storage of, access to and disclosure of personal data. We may keep your personal data in our electronic systems, in the systems of our contractors, or in paper files.
Personal data we receive from you about other people
Where you provide us with the personal data of other people, such as your employees, directors of your companies, or other persons you may have dealings with, you must ensure that you are entitled to disclose that personal data to us and furthermore that, without being required to take further steps, we can collect, use and disclose that data in the manner described in this Policy. More specifically, you must ensure that the individual whose personal data you are sharing with us is aware of the matters discussed in this Policy, as these are relevant to that individual, including our identity, how to get in touch with us, the purposes for which we collect data, our disclosure practices, and the rights of the individual in relation to our holding of the data.
Transfers of personal data abroad
OLN is active across the world – this means that we may transfer your personal data abroad if required to do so for the Permitted Purposes. In certain cases, this may include transferring data to countries which do not offer the same level of protection as the laws of your country (such as for example the data protection legislation of the EU/EEA).
When making such transfers, we will ensure that they are subject to appropriate safeguards in accordance with the General Data Protection Regulation (Regulation 2016/679) or other relevant data protection legislation. This may include entering into the EU Commission’s Standard Contractual Clauses. Please get in touch with our Data Protection Officer at [email protected] if you wish to obtain further information on the appropriate safeguards which we are adhering to.
All entities and offices within OLN will ensure an adequate level of protection for your personal data at all times.
How long do we keep your personal data?
We delete your personal data once it is no longer reasonably necessary for us to keep it for the Permitted Purposes, or, where we have relied on your consent to keep your personal data, once you withdraw your consent for us to do so, and we are not otherwise legally permitted or required to keep the data. Importantly, OLN will keep your personal data as necessary for the purposes of defending or making legal claims until the end of the period during which we may retain the data and otherwise until the settlement of any such claims, as relevant.
In determining the appropriate retention period for personal data we consider such factors as the nature of the information, the purposes for which the data is retained, appropriate security measures, relevant technical constraints and applicable legal requirements. Please contact us if you want further information about our record retention policy.
What rights do you have?
Subject to certain conditions under applicable legislation, you have the right to:
To do any of the above, please contact us at [email protected] To enable us to process your request, we may require that you provide us with proof of your identity, such as by providing us with a copy of a valid form of identification – this is to ensure that we appropriately protect the personal data we hold from unauthorised access requests and comply with our security obligations.
We may charge you a reasonable administrative fee for any unreasonable or excessive requests we may receive, and for any additional copies of the data you may request.
In relation to complaints, we will promptly respond to your requests and complaints. In the event that you are unhappy with our response, you may submit a complaint to the relevant privacy regulator. We can provide you with the details of the relevant regulator upon request.
Correcting and updating your personal data
Where any personal data you have provided us with has changed, or where you believe the personal data we hold is inaccurate, please let us know at [email protected] In addition, please note that if you hold an office or are interested in or have certain relationships with a Third Party Entity to which we provide services, you and/or the Third Party Entity may have a contractual or legal obligation to notify us of any change within a prescribed time period. We cannot be responsible for any loss that may arise due to us having any inaccurate, incomplete, inauthentic or otherwise deficient personal data which you or a Third Party Entity have provided to us. Please also let us know if you wish to withdraw any request.
Get in touch
We would be happy to hear your views about our website and this Policy – please let us know any questions, comments or clarifications you may have at [email protected] or send us a letter to our Data Protection Officer, Oldham, Li & Nie of Suite 501, St. George’s Building, 2 Ice House Street, Central, Hong Kong.