Privacy Notice: CSIAORG.COM
Introduction and Context
This privacy notice stands as part of the compliance framework of Corporate Secretaries International Association Limited (herein referred to as “CSIA”, “we”, “our” and “us”), in respect of the GDPR and the Personal Data (Privacy) Ordinance (Hong Kong) (“PDPO”).
Information is inevitably passed and handled by many parties during the normal course of business. The POPI Act and GDPR seek to encourage all parties to manage these processes in an appropriate, reasonable, and lawful manner.
While fulfilling its stated business and contractual functions, CSIA (and/or its appointed agents and providers) needs to process information about individuals and businesses which may constitute Personal Information or Special Personal Information. This collection and processing may include accessing, storing, merging with other information, deleting, destroying, and sharing with third parties.
We are committed to fulfilling our responsibilities in respect of implementing PDPO and GDPR at CSIA.
This notice brings to public attention certain specific matters relating to this personal information, which are detailed herein.
You are encouraged to familiarise yourself with the conditions under which CSIA will handle such data and the rights of the individual pertaining to personal and special personal information.
|Personal Information||Any information that identifiably describes an aspect of a Data Subject. Some examples of these types of records are contact details, address, identity documentation, health, religion, education, employment, biometric data, still and moving images, finances, etc.|
|Special Personal Information||Certain types of personal information are classified as “special”, which means in most cases that their processing is more restricted and subject to differing requirements. Most relevant for the purposes of this privacy notice is information relating to children. Other categories that are classified as “special” include information about a Data Subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal record.|
|Data Subject||The person or business whose Personal Information (PI) is being processed by or on behalf of CSIA (by definition: any juristic entity). In this notice “you”, “your”, “they”, “their” and “them” are all equivalent to Data Subject(s).|
|Processing||The actions taken in respect of Personal Information by the Responsible Party/Data Controller or by Operator/Data Processor(s) on CSIA’s behalf. This includes most forms of interaction with the records containing such information, such as creating new records, transmitting information, storing it, updating it, and deleting or destroying it.|
|Operator (POPIA)/ Data Processor (GDPR)||Third parties who under contract or mandate process personal information on behalf of the Responsible Party/Data Controller, whilst not under the direct control of the Responsible Party/Data Controller.|
|Responsible Party (POPIA) / Data Controller (GDPR)||The entity (or person) who decides why and how personal information will be processed, and who is also tasked to ensure compliance. In the context of this privacy notice, CSIA is the Responsible Party/Data Controller.|
|Information Officer (POPIA) / Data Protection Officer (GDPR)||The person designated by the Responsible Party/Data Controller to ensure compliance.|
What PDPO and GDPR Require of CSIA
- Encouraging and maintaining sustainable compliance practices in daily activities.
- Handling information requests correctly.
- Co-operating with the Regulatory Authority if there is an investigation or query.
- Taking other measures as may be prescribed by regulation.
Limitations on processing
This condition is aimed at ensuring that processing of Personal Information is as limited as possible, with reference to the purpose for which it is processed. It requires that:
- Processing must be done in a lawful manner (i.e., comply with PDPO/GDPR and other applicable laws) and in a manner which does not reasonably infringe on the Data Subject’s privacy rights.
- The extent of the Personal Information that is processed must be limited to such information as is relevant, adequate, and not excessive in relation to the reason for processing the information.
- Personal Information may be processed if necessary to provide a service to a Data Subject, or if they consent to its processing. The Data Subject may withdraw this consent, but it may then become impossible to provide them with certain services (at which time the Data Subject will be informed of this condition).
- Whenever reasonably possible, Personal Information must be collected directly from the Data Subject to whom it pertains and not from third parties, although this is subject to other applicable laws (assuming they have jurisdiction), which may require verification with third parties.
Reasons for processing
This condition relates to the purpose for which personal information is being processed. In most cases, a Data Controller must explain to the Data Subject what their reason is for needing the information and what they are going to use it for.
Quality of information
A Data Controller is required to take “reasonably practicable” steps to ensure that the information it processes is complete, accurate, not misleading and updated where necessary, with reference to the purpose for which the information is being processed. In other words, reasonable systems must be put in place to make it as simple and easy as possible to keep information accurate and up to date.
Notices and communication
This condition relates to communication and notifications to Data Subjects, which helps them to understand what their information is being used for and how to exercise their rights in respect of their information. This privacy notice forms part of that commitment.
A Data Controller is required to take “appropriate, reasonable technical and organisational measures” to prevent loss, damage, unauthorized destruction, and unauthorized access to or processing of personal information.
Where a Data Controller allows information to be processed by a Data Processor on its behalf, it is required to have a written and signed contract with such Data Processor, wherein the Data Processor agrees (at minimum) to align its security measures with those of the Data Controller.
In the event of a suspected data breach, a Data Controller is required to notify the Regulatory Authority, as well as affected Data Subjects.
Data Subject Participation
This condition relates to a Data Subject’s rights to access Personal Information relating to them and to request corrections, deletion, or destruction thereof.
Procedures for handling personal information at CSIA
The Personal Information that we process:
We process various types of information relating to various Data Subjects, which will differ depending on your relationship with CSIA.
Please refer to Appendix 1 of this notice for a breakdown of the Personal Information commonly processed by CSIA.
How we process personal information:
Digital format information is physically and logically handled in accordance with the provisions of our IT Security Policies.
Other information is captured manually by way of application and other handwritten forms. These records are kept in hardcopy (paper) and secured physically, in accordance with the Physical Information Security Policy. Such information is also captured digitally and stored on our IT infrastructure.
Our reasons for processing personal information and consequences of not doing so:
The proper functioning of CSIA requires us to process certain personal information for any of the following reasons:
- To provide the educational services, activities, shared resources, functions and events, and related services forming part of the ordinary course of the operations of an association.
- To provide employment to our employees and to interact with them in the context of the employment relationship.
- To engage with affiliates and members of CSIA, or with prospective affiliates and members, in the context of the operations of CSIA.
- To market CSIA to the existing membership, the community and to prospective members.
- To procure services and manage relationships with service providers.
- To provide legally required information to Government and other relevant oversight bodies.
- Any other reason which is vital to our functioning properly as an organisation.
If reasonably requested Personal Information is not provided to us, we may not be able to properly fulfil the above-mentioned functions, which may result in the relevant interaction being interrupted, or CSIA not engaging in such interaction at all. This condition of operations is at the sole discretion of CSIA. We accept no responsibility for any such interruptions or other liability if Personal Information was requested by us but not provided, or if consent is withdrawn at any time.
Where we may obtain your personal information from:
In most cases, we will request your personal information directly from you. However, in some cases we may need to obtain it from third parties. This will be the case if you have authorized us to do so, or where the nature of our interaction with you reasonably requires us to do so. If we process your personal information on behalf of a third party, they, in turn, must warrant that they possess legal authority or obligation to provide us with your Personal Information.
We may also be legally required to independently verify some of the information provided to us in terms of applicable anti-terrorism and anti-money laundering legislation, which may include our accessing government or public directories to obtain certain personal information about you.
Our sharing of your personal information with third parties:
We may need to share your Personal Information with third parties. In general, this is limited to transmitting or storing such information through, or on, electronic communication and storage infrastructure administered by third party service providers, which is subject to reasonable security safeguards. However, depending on the nature of our interaction with you, we may need to share some of your Personal Information with other third parties. For example, all schools are legally required to submit information about their students, exam results and similar information to Government for statistical purposes.
Should you be in arrears with fees that are due and owing to us, we may share your contact, identity, and financial information with our authorized representatives for purposes of recovering the debt due to us.
Your Information leaving the Region
We may need to transmit your Personal Information to a location outside of the country, where it may be processed by third parties. This may, for example, happen when we are communicating with you while you are not within the borders of Hong Kong (PDPO) or Europe (GDPR). It may also happen where our information is processed or stored in another country or region. In such cases, the transmission and processing will either be subject to laws, or a contract with us, or corporate binding rules, which require them to employ the same reasonable safeguards in respect of your Personal Information that we are required to comply with.
Retention of your personal information
In general, we only retain your personal information for the duration of our interactions with you and for a reasonable period thereafter, to facilitate further similar interactions. We are, however, in some cases legally required to keep certain information for specific periods of time, which usually does not exceed a period of 5 years. Please refer to Appendix 2 of this notice for further instances where specific retention periods apply.
Information that we retain for marketing or statistical purposes may be retained indefinitely if you have authorised us to use the information for marketing purposes or, in the case of use for statistical purposes, if the information has been anonymised.
The confidentiality and integrity of any Personal Information processed by us is subject to reasonable technical and organisational safeguards to prevent loss, damage, destruction, or unauthorised access, having due regard to generally accepted information security practices and procedures. We will notify any known affected data subjects, and the Regulatory Authority (PDPO) / Supervisory Authority (GDPR), should we suspect that a data breach has occurred.
CSIA does not accept liability for any harm, loss, damage, destruction, or unauthorised access that may occur, despite our implementation of such reasonable measures.
You have the right to access, and to request us to correct, any personal information retained by us.
You also have the right to object to our holding and/or processing of your personal information.
Please contact the Information Officer / Data Protection Officer or the Regulatory Authority / Supervisory Authority (GDPR) for more specific information on the exact processes to follow in this regard.
Should you wish to lodge a complaint, you may contact the appropriate official. Contact details appear below.
Information Officer/Data Protection Officer:
CSIA has appointed a Data Protection Officer. This should be the first point of contact for all Personal Information queries regarding CSIA.
Office of the Privacy Commissioner for Personal Data (PCPD): (Hong Kong – PDPO)
The PCPD is the official body appointed to regulate PDPO compliance. They may be contacted for any queries regarding PDPO in general, or to lodge formal complaints.
The Commissioner’s contact and other information can be found here:
The Information Commissioner’s Office: (UK – GDPR)
The Information Commissioner (ICO) is the official governmental body appointed to regulate GDPR-UK compliance. They may be contacted for any queries regarding GDPR-UK in general, or to lodge formal complaints.
The ICO’s contact and other information can be found here:
European Data Protection Supervisor: (EU – GDPR)
The European Data Protection Supervisor (EDPS) is the official EU body appointed to regulate GDPR-EU compliance. They may be contacted for any queries regarding GDPR-EU in general, or to lodge formal complaints.
The EDPS’s contact and other information can be found here:
Appendix 1 - Personal Information Process
|Identifying and age information, e.g. name, surname, ID number||To identify the data subjects that we interact with or, in some cases, to contact persons related to them (such as next of kin) in the case of an emergency.|
|Contact information, e.g. telephone numbers, email addresses, etc.||To contact the data subject (or in some cases their next of kin), if necessary; to provide employees’, contractors’ or officers’ contact information to other members and service providers as part of the proper functioning of CSIA.|
|Financial information of employees, parents, or service providers||To provide employment-related benefits or remuneration to our employees; to screen potential employees; to invoice members; or to pay third parties.|
|Criminal history of potential employees||To screen potential employees before hiring them.|
|Still images, video, and audio recordings||To secure our premises; to provide relevant multi-media content to the CSIA community; for historical archives.|
Appendix 2 - Retention Periods
|User/Member Information||For the duration of their membership/subscription and up to 5 years thereafter. Historically significant or achievement-related information may be archived indefinitely, for historical purposes.|
|Financial records||For as long as required in terms of relevant legislation.|
|Prospective Employees||From application date, to the date that a decision is made to hire or not and up to 1 year thereafter. Unsolicited CVs may be deleted or destroyed immediately upon delivery.|
|Unsolicited or spam emails may be deleted or destroyed immediately upon delivery. Email contained within CSIA’s IT systems may be securely indefinitely, being archived 5 years from last accessed date.|
|Employee Records||For duration of employment and up to a maximum of 5 years thereafter.|
|Service Provider Information||For the duration of the contract and up to a maximum of 5 years thereafter.|