HCR Data and Privacy Protection Policy
Last updated on: [November 6, 2019]
HCR Co., Ltd. and its affiliates (“we”, “us”, “our” or “HCR”) respect and are committed to protecting Personal Information and privacy. Therefore, we have formulated this Data and Privacy Protection Policy (“Policy”), which specifies the overall situation relating to our data protection, including our basic information and data protection principles.
This Policy is only an overview of our Personal Information and privacy protection to state our unified requirements and standards for data Processing. For the avoidance of doubt, this Policy does not include all information on our Processing of Personal Information for specific purposes through certain products or under certain service scenarios. For the specific data Processing practices through certain products or under certain service scenarios, please refer to the privacy protection policies or statements applicable under such circumstances which are further provided by our clients (“Clients”) or us. In addition, for the purpose of clarification, this Policy is independent of any privacy protection policies or statements which may be displayed or provided by our Clients to individual end users (“Users”, “you” or “your”).
This Policy will help the Clients and the Users understand the following:
I Our Basic Information
II Our Data Protection Principles
III How Do We Process Personal Information?
IV How Do We Disclose Your Personal Information?
V How Do We Retain Your Personal Information?
VI How Do We Protect Your Personal Information?
VII Your Rights to Your Personal Information
VIII How Do We Process Personal Information about Children?
IX How Do We Update This Policy?
X Defined Terms
Our Profile: HCR, a data analysis service provider founded in 2008, mainly provides the industry-leading enterprises and domestic government authorities with business operation analysis and application, customized industry analysis and application solutions and other services based on the internal and external corporate data, consumer attitude and behavioral data and industrial data.
Contact Address: Floor 1, South Building, No.18, Middle Jiuxianqiao Road, Chaoyang District, Beijing, China
Contact Details: 8610-5326 3633
We always abide by the following principles in our data Processing:
1. Principle of Transparency:
- We guarantee that we will not use the Personal Information to engage in any unlawful activities;
- We will, together with the Clients, ensure that the Processing of Personal Information is based on a justified, efficient and reasonable legal basis;
- We will make our best efforts to provide more publicly available information on the Processing of Personal Information, so as to ensure the transparency of the data Processing;
- We respect and undertake to protect the relevant rights of Personal Information Subjects in accordance with applicable laws, including but not limited to the rights to inquiry, correction, Deletion and withdrawal of Consent.
2. Principle of Security:
- We will take appropriate technical and organizational measures to protect Personal Information from loss, unauthorized access, destruction, modification, disclosure and other risks;
- We have established a dedicated internal management department with dedicated managing personnel, to strictly control the number of personnel who have access to Personal Information, and to reduce the risks of data leakage;
- We will take proper measures to ensure the accuracy, completeness, availability and timeliness of Personal Information;
- We undertake to take effective measures in the transfer of Personal Information to other parties so as to achieve sufficient protection before and after the data transfer.
3. Principle of Necessity:
- We undertake to Process the data only to the extent of strictly necessary for specific purpose in our business operation (including in terms of data quantity and types);
- We undertake to Process the data for legitimate purposes only, to explain such purposes before the data Processing and to strictly comply with the restrictions set for such purposes;
- We undertake to design and implement a strict access control system internally to limit the number of employees having the right to access and Process the Personal Information;
- We undertake to keep the Personal Information for a period necessary for the purpose of Processing only, unless it is required not to be Deleted pursuant to mandatory laws, regulations or regulatory requirements; and
- We undertake to Process the data strictly in a way minimizing the impact on the right to Personal Information.
1. Which Personal Information do we Process?
HCR will conduct various types of business cooperation with Clients in different business scenarios. We will, together with the Clients, ensure that the Personal Information is collected and Processed by us with your full and valid authorization and Consent, unless:
1) the collection and Processing of Personal Information are related to the performance of obligations under the laws and regulations ;
2) the collection and Processing of Personal Information are directly related to national security or national defense security;
3) the collection and Processing of Personal Information are directly related to public security, public health or major public interests;
4) the collection and Processing of Personal Information are directly related to criminal investigation, prosecution, trial, enforcement of judgment or otherwise;
5) the collection and Processing of Personal Information are for the purpose of protecting your or other individual’s life, property or other major lawful rights and interests, where it is difficult to obtain your or such individual’s authorization and Consent;
6) the Personal Information involved is disclosed voluntarily by you to the public;
7) the collection and Processing of Personal Information are necessary for the execution and performance of contract upon your request;
8) the Personal Information involved is collected from the information disclosed through lawful channels, such as lawful news reports or information disclosure by government;
9) the collection and Processing of Personal Information are necessary for maintaining safe and stable operation of the products or services provided, such as for identifying and handling defects in products or failure of services;
10) the Personal Information is necessary for the lawful news report where the Personal Information Controller is a news agency, or for carrying out statistical or academic studies for the purpose of public interests where the Personal Information Controller is an academic institution, provided that the Personal Information in the results of such studies will be de-identified when the results are to be disclosed to the public.
In some business scenarios, we may Process the data as the Personal Information Controller, e.g., in the market surveys and other types of data collection conducted in HCR's own name. In such cases, we will provide you with HCR privacy protection policies or statements in strict accordance with the applicable laws and regulations, and may further provide you with specific privacy statements, which specify the detailed information with respect to such specific business scenarios.
In some other business scenarios, we will act as the Personal Information Processor, and strictly follow the instructions given by the relevant Personal Information Controller to Process the data, e.g., in the collection and analysis of data which we are engaged by the Clients to conduct. In such cases, please refer to the privacy policies provided by the Clients to you in such specific scenarios for the information on Processing scope, Processing purpose, sharing, storage and otherwise of the Personal Information.
In general, the Personal Information Processed by us may include the following categories:
1) Identity data - e.g., names, identification certificate numbers or other identifiers;
2) Contact information - e.g., addresses, email addresses, telephone numbers;
3) Feature data - including interests, preferences, feedbacks, research results and other relevant information.
In the relevant business processes, we will Process the Personal Information in accordance with the specific requirements of the Clients or the specific needs of the projects, and ensure that all Personal Information used by us is of categories necessary for the completion of business processes.
2. Cookie Statement
Cookies are small files that are sent by websites, applications or services to and stored on your devices. HCR’s websites, online services, interactive applications, email boxes and advertisements may use cookie and other similar technologies, such as pixel tag and web beacon. Cookie may be stored on your computer for a short period (e.g., only when your browser is open) or a long period and even for years. Please note that we are unable to access the cookies not set by HCR.
- As is true of most websites, we will automatically collect certain information to analyze general usage trends and administer our websites. Such information may include IP address, browser type, Internet service provider (“ISP”), referring/exit page, files visited on our websites (e.g., HTML pages and graphics), operating system, date/time stamp, and/or clickstream data.
- However, if you enable Do Not Track on your browser, we will respect your choice in terms of all HCR websites.
The management and preference setting of cookies must be done in the options/preferences of your browser. Please visit www.allaboutcookies.org for detailed information on cookies and the instructions on how to set your browser to accept, delete or block cookies.
IV How Do We Disclose Your Personal Information?
We will share and disclose your Personal Information only for lawful, proper, necessary, specific and express purposes. We will, and will cause our partners to, use your Personal Information in strict accordance with the data Processing purpose.
We may share Personal Information with Third Parties in the sales, transfer or merger of some of our businesses or assets. In the case of any change of control in business, we will take practical measures to request purchasers of our business in part or in whole to Process and protect your Personal Information in accordance with the same standards as set out in this Policy.
We may also disclose Personal Information as required by laws and regulations, courts or law-enforcement authorities, or under other circumstances where the laws so require or allow.
With respect to how your Personal Information will be disclosed under specific business scenarios, you may refer to the privacy policies or other relevant legal documents otherwise provided by us or our Clients.
Unless expressly specified by applicable laws and regulations or regulatory requirements, we will only retain your Personal Information in the PRC for the minimum length of period necessary for the purpose of Processing thereof. Upon the expiry of such retention period, we will seal up your Personal Information in a physically-isolated back-up database as required by Clients or applicable laws and regulations, and no person (including us) will have access to such Personal Information unless as required by Clients or regulators.
We have adopted reasonable and practicable measures and technical means to protect Personal Information we Process. However, please note that notwithstanding the foregoing, no website, Internet transmission, computer system or Wi-Fi connection is completely secure.
We undertake that we have adopted security measures in compliance with the industry standards to protect the Personal Information provided by you from unauthorized access, public disclosure, use, modification, damage or loss. We will take all reasonable and practical measures to protect your Personal Information, including the following:
(1) We will de-identify your Personal Information as soon as practicably possible to reduce the risk of you being re-identified by other organizations or individuals through such de-identified Personal Information; We will review the methods of data Processing (including physical security measures) on a regular basis to avoid unauthorized access;
(2) We have established a system to control the access to and the Processing of Personal Information at the group level and have caused each department and business team to comply with such system; we grant the access to Personal Information only to the employees with a need to know such Personal Information for the Processing purpose and other personnel authorized to Process Personal Information on our behalf, and ensure that such employees and personnel will be subject to strict contractual confidentiality obligations;
(3) We will make continued efforts to protect the security of your Personal Information and implement encryption and other security measures throughout the storage and transmission of Personal Information, so as to prevent unauthorized access, use or disclosure of your Personal Information;
(4) We will take encryption and other security measures in the transmission and storage of your Sensitive Personal Information.
Upon occurrence of any Personal Information security incident, we will, in accordance with the requirements of laws and regulations, notify you of the basic information and potential influence of such security incident, countermeasures we have taken or will take, suggestions on how you may prevent or reduce risks on your own, and remedies to be taken for you. We will promptly notify you of the relevant information of such incident through email, letter, phone, push notification or other means. If it is difficult to notify each Personal Information Subject affected by such incident, we will publish announcements in a reasonable and effective manner. In addition, we will also proactively report the handling of Personal Information security incidents in accordance with the requirements of regulatory authorities.
VII How Do We Transfer Your Personal Information Globally?
Subject to the PRC laws and regulations, any Personal Information collected and generated by us globally shall be stored within the PRC in principle.
However, please acknowledge that you have been aware of and Consented that upon the requests of Clients from various countries/regions, your Personal Information may be transferred to or accessed from the countries/regions where such Clients are located.
We will transfer your Personal Information globally subject to the mandatory regulations and requirements of the PRC and other relevant jurisdictions (including without limitation the requirements of PRC for security assessment of cross-border transfer of Personal Information).
We highly respect your rights to your Personal Information. Your rights under laws and how we will protect such rights are specified as follows. Please note that under specific products or service scenarios, for security purposes, we may verify your identity before handling your requests.
1. Right to information: We will notify you of how we will Process your Personal Information through this Policy and other relevant legal documents. We commit ourselves to improving the transparency of data Processing.
2. Right of access: You have the right to access your Personal Information.
3. Right of correction: In the event that you become aware of any error in your Personal Information Processed by us, you have the right to request us to make correction.
4. Right of Deletion: In the event that we have no legitimate reason to continue to retain and Process your information, you may request us to Delete your Personal Information.
5. Right of rejection: You have the right to reject any Processing of your Personal Information, even if such Processing is for the purposes of our legal interests, exercise of public authority, direct marketing (including data aggregation) and statistics.
6. Right to withdraw Consent: If you grant your Consent to us for Processing your Personal Information and later change your mind, you may withdraw such Consent at any time, and in such case, we will promptly cease such Processing of your Personal Information.
7. Right to reject automated decision making: You have the right to make yourself not subject to any decision made by automated Processing, including user profiling. If such decisions have notably affected your legal rights, you have the right to request explanations.
Given that we provide services to corporate Clients from a wide range of industries, and in general, we, as the service provider, will hand over to Clients all original materials (including Personal Information) involved in specific projects after the completion thereof, we suggest you put forward any requests directly to the Personal Information Controllers (which are usually our Clients) under the specific business scenarios (such as specific projects), which will then forward such requests to us as applicable, so as to have your requests handled promptly and fully. We will respond to your requests as soon as possible after the receipt thereof.
If your request is reasonable, in principle, we will not charge any fees. However, we will charge certain costs on a case-by-case basis if any request is raised repeatedly beyond the reasonable extent. We may reject the requests that are unreasonably repeated, or that require excessive technical means (e.g., development of new systems or change of present practice fundamentally), or that may cause risks to others' legal rights and interests, or that are impractical (e.g., involving information stored on back-up tapes).
In general, we will respond as soon as possible within thirty days or such period as specified by laws and regulations, unless:
1) it is related to the performance of obligations under laws and regulations;
2) it is directly related to national security and national defense security;
3) it is directly related to public security, public health or major public interests;
4) it is directly related to criminal investigation, prosecution, trial, enforcement of judgment or otherwise;
5) There is sufficient evidence to prove that you may have actual malice or abuse their rights;
6) it is for the purpose of protecting life, property or other major lawful rights and interests of you or other individuals, where it is difficult to obtain their authorization and Consent;
7) our responses to your requests will result in severe damage to legitimate rights and interests of you or other individuals or organizations; or
8) it is related to trade secrets.
Given that all our products, websites and services are mainly targeted at corporate Clients, we will not voluntarily collect or Process Personal Information about children. If any Client or User wishes or intends to provide us with Personal Information about a child, we will ensure that the prior Consent and authorization have been obtained from his/her guardian. If we collect the Personal Information about children with the Consent of their parents, we will use or disclose such information only to the extent permitted by laws, expressly agreed by the parents or guardians or necessary for protection of children. Any person who is under the age of 14 will be deemed as a child in this Policy.
We reserve the right to update or modify this Policy from time to time.
Without your express Consent, we will not reduce the rights you are entitled to under this Policy. We will publish any change to this Policy on this page.
With respect to any material changes, we will also provide a notice in a more prominent way (with respect to certain services, we will send notices via email to specify the changes to this Policy in detail).
The material changes herein include but are not limited to:
1) material changes of our service mode, such as the purpose of Processing Personal Information, the types of Personal Information we Process and the ways in which we use Personal Information;
2) material changes of our ownership structure, organizational structure and other aspects, such as the change of owner due to business adjustment or bankruptcy buyout;
3) change of the main subjects with or to which the Personal Information will be shared, transferred or disclosed;
4) material changes of your rights to participate in the Processing of Personal Information or the way to exercise such rights;
5) change of our department responsible for the security of Personal Information Processing, the contact information thereof or the complaint channel; and
6) high risks as indicated in the Personal Information security impact assessment report.
“Personal Information” means all kinds of information, recorded electronically or otherwise, that can be used to identify a natural person or reflect his/her activities, whether on its own or in combination with other information, such as name, birth date, identification certificate number, personal biometric information, address, contact details, history and contents of communications, account and password, financial information, credit information, whereabouts, accommodation information, physical health information and transaction information.
“Sensitive Personal Information” means Personal Information the disclosure, illegal provision or abuse of which might harm personal and property safety and is very likely to damage personal reputation or physical or mental health or to result in discrimination, such as identification certificate number, personal biometric information, bank account number, history and contents of communications, financial information, credit information, whereabouts, accommodation information, physical health information, transaction information, and Personal Information of children aged under 14.
“Third Party” means any company or person not related as a result of co-ownership or control (i.e., unrelated company) or other unrelated individual.
“Personal Information Subject” means the owner of Personal Information, i.e., an identified or identifiable natural person.
“Personal Information Controller” means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of Personal Information Processing.
“Personal Information Processor” means any natural or legal person or other body which Processes Personal Information on behalf of the Personal Information Controller.
“Processing” or “Process” means any operation or set of operations performed on Personal Information or on sets of Personal Information, whether by automated means or not, such as collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, access, use, disclosure by transmission, dissemination or otherwise making available, adjustment, combination, restriction, Deletion, or destruction.
“Consent” means any voluntarily given, specific, informed and unambiguous consent of a Personal Information Subject that he/she, based on his/her intention and by a statement or by a clearly affirmative action, agrees with the Processing of his/her Personal Information.
“Deletion” or “Delete” means the removal of Personal Information from the systems involved in daily business operations so as to keep such information irretrievable and inaccessible.