GENERAL PRIVACY NOTICE

Transcription

1 GENERAL PRIVACY NOTICE 1. INTRODUCTION This General Privacy Ntice ( Ntice ) explains hw we may cllect and use infrmatin that Keppel Crpratin Limited, its related crpratins and/r assciated cmpanies ("Keppel") btains abut yu, and yur rights in relatin t that infrmatin. Please read this Ntice t understand hw we will cllect, use and prcess yur persnal data and the rights yu have in relatin t yur persnal data. This Ntice may be amended frm time t time. Please visit this page if yu want t stay up t date, as we will pst any changes in ur apprach t data privacy here. By visiting ur website, by using ur prducts and/r services and/r by yur prvisin f infrmatin t us, yu acknwledge the terms f this Ntice and the use and disclsure f yur persnal data as set ut in this Ntice. If yu have any questins in relatin t this Ntice, please cntact us at the cntact details fund in Annex SCOPE OF NOTICE This Ntice applies t ur prcessing f persnal data in relatin t the prvisin f any f ur prducts and/r services, including: when yu request infrmatin frm us; when yu engage ur services and/r purchase ur prducts; as a result f yur relatinship with ne r mre f ur clients; where yu apply fr a jb r wrk placement; and yur use f ur websites (including ur assciated sites) and nline services (including ur mbile apps, if any). 3. HOW YOUR PERSONAL DATA IS COLLECTED Custmers We generally cllect yur persnal data directly frm yu when yu are ne f ur custmers. When yu enter int a cntract with us, yu will be asked t prvide persnal data. This infrmatin is likely t include yur name, address, date f birth, passprt number, date f expiry, sex, natinality, address, phne number, and credit card infrmatin (this is nt an exhaustive list). We may als cllect persnal data frm yu when yu make transactins r therwise interact with us, fr example by cntacting ur custmer service persnnel r reprting a prblem n ur website. The categries and range f persnal data we cllect and hld will vary frm custmer t custmer. Hwever, ur plicy is t cllect nly the persnal data necessary fr the particular wrk r services. Keppel website When yu use ur nline services r visit ur website, we may cllect the fllwing infrmatin frm yu directly and/r autmatically: 1

2 infrmatin yu prvide t us if yu cntact us, fr example t reprt a prblem with ur nline services r raise a query r cmment; and details f visits made t ur website such as the vlume f traffic received, lgs (including, the internet prtcl (IP) address and lcatin f the device cnnecting t the nline services and ther identifiers abut the device and the nature f the visit) and the resurces accessed. 4. HOW YOUR PERSONAL DATA IS USED We may use yur persnal infrmatin if: it is necessary fr the perfrmance f a cntract with yu; necessary in cnnectin with a legal r regulatry bligatin; yu have prvided yur cnsent t such use; we cnsider such use f yur infrmatin as nt detrimental t yu, within yur reasnable expectatins, having a minimal impact n yur privacy, and necessary t fulfil ur legitimate interests; r we are therwise required r authrised by law. We use yur infrmatin t: prvide and imprve ur services and prducts t yu (including auditing and mnitring use f thse services and prducts); maintain and develp ur relatinship with yu; mnitr and analyse ur business; facilitate ur internal business peratins; fulfil ur legal requirements (including in relatin t anti-mney laundering) and prfessinal bligatins; send yu marketing materials and establish, exercise r defend legal rights. We may nt be able t d these things withut yur persnal infrmatin. We als use yur persnal data fr the nn-exhaustive list f purpses as set ut in Annex 1 herein. 5. WHY WE COLLECT YOUR PERSONAL DATA General We cllect, use and disclse yur persnal data fr a number f reasns, including: t carry ut ur bligatins as a result f any cntract entered int between yu and us and t prvide yu with the infrmatin and services that yu request frm us; t ntify yu abut changes t the prducts and/r services that we ffer and (where yu have indicated yur cnsent) t directly market these prducts and/r services t yu; t administer ur websites fr internal peratins, including trubleshting, data analysis, testing, research, statistical and survey purpses; t allw yu t participate in interactive features f ur prducts and services; as part f ur effrts t keep ur prducts and/r services safe and secure; t measure r understand the effectiveness f ur advertising and marketing; fr statistical and research purpses (including market research, marketing and data analysis purpses); 2

3 t handle payment and cllectin prcesses t and frm custmers; t ensure the effective peratin f sftware and IT services prcured by us (including disaster recvery) r fr ther reasns with yur cnsent. Marketing We (and permitted third parties) may cntact yu fr direct marketing purpses via scial media, direct messages, pst, telephne, and SMS/MMS. This marketing may relate t: Prducts and services we (r permitted third parties) feel may interest yu; Infrmatin abut ther gds and services we ffer that are similar t thse that yu have already used r enquired abut; Upcming events, prmtins and new prducts and/r services r ther pprtunities as well as thse f selected third parties; and If yu n lnger wish t receive marketing cmmunicatins frm us, yu may click n the unsubscribe link n any marketing cmmunicatin that yu receive frm us. Fr infrmatin abut the legal basis which allw us t d this, please see sectin [13] belw. 6. WHO DO WE SHARE YOUR PERSONAL DATA WITH We may share yur persnal data, in varius ways and fr varius reasns, with the categries f entities r peple listed in Annex 2 herein. 7. HOW WE SAFEGUARD YOUR PERSONAL DATA We care abut prtecting yur infrmatin and put in place apprpriate measures that are designed t prevent unauthrised access t, and misuse f, yur persnal data. These include measures t deal with any suspected data breach. We are cmmitted t taking all reasnable and apprpriate precautins and steps t prtect the persnal data that we hld frm misuse, interference and lss, unauthrised access, mdificatin r disclsure. We d this by having in place a range f apprpriate technical and rganisatinal measures, including, fr example, the prtectin f passwrds using industry standard encryptin, measures t preserve system security and prevent unauthrised access and back-up systems t prevent accidental r malicius lss f data. We may use third party data strage prviders t stre persnal data electrnically. We take reasnable steps t ensure this infrmatin is held as securely as infrmatin stred n ur wn equipment. Unfrtunately, there is always risk invlved in sending infrmatin thrugh any channel ver the internet. If yu send infrmatin ver the internet, this will be entirely at yur wn risk. Althugh we will d ur best t prtect yur persnal data, we cannt guarantee the security f yur data transmitted ver the internet and we d nt warrant the security f any infrmatin, including persnal data, which yu transmit t us ver the internet. If yu suspect any misuse r lss f r unauthrised access t yur persnal data please let us knw immediately. Details f hw t cntact us can be fund in Annex 3. 3

4 8. HOW LONG WE KEEP YOUR PERSONAL DATA We will nt keep yur persnal data fr lnger than is necessary fr the purpses fr which we have cllected it, unless we believe that the law r ther regulatin requires us t keep it (fr example, because f a request by a tax authrity r in cnnectin with any anticipated litigatin) r if we require it t enfrce ur agreements. The precise length f time will depend n the type f data, ur legitimate business needs and ther legal r regulatry rules that may require us t retain it fr certain minimum perids. Fr example, we may be required t retain certain data fr the purpses f tax reprting r respnding t tax queries r where it might be relevant t any ptential litigatin. In general, we will retain yur persnal data fr as lng as we prvide prducts and/r services t yu and fllwing that perid, fr as lng as we prvide yu directly with any ther prducts and/r services. In determining the apprpriate retentin perid fr different types f persnal data, the amunt, nature, and sensitivity f the persnal data in questin, as well as the ptential risk f harm frm unauthrised use r disclsure f that persnal data, the purpses fr which we need t prcess it and whether we can achieve thse purpses by ther means are cnsidered. Once we have determined that we n lnger need t hld yur persnal data, we will delete it frm ur Systems. While we will endeavur t permanently erase yur persnal data nce it reaches the end f its retentin perid, sme f yur persnal data may still exist within ur Systems, fr example if it is waiting t be verwritten. Fr ur purpses, this data has been put beynd use, meaning that, while it still exists in the electrnic ether, ur emplyees will nt have any access t it r use it again. 9. RIGHT TO ACCESS, AMEND OR TAKE BACK THE PERSONAL DATA THAT YOU HAVE GIVEN Under the GDPR, yu have varius rights in relatin t yur persnal data which we hld, as set ut belw. If yu wish t exercise any f these rights, please cntact us (see Annex 3). We will seek t deal with yur request withut undue delay, and in any event within ne mnth (subject t any extensins t which we are lawfully entitled). Please nte that we may keep a recrd f yur cmmunicatins t help us reslve any issues which yu raise. The GDPR gives yu the fllwing rights in relatin t yur persnal data: 9.1 Right t bject Yu have the right t bject t us prcessing yur persnal data fr ne f the fllwing reasns: (i) where it is within ur legitimate interest; (ii) t enable us t perfrm a task in the public interest r exercise fficial authrity; and/r (iii) t send yu direct marketing materials; and/r (iv) fr scientific, histrical, research, r statistical purpses. The "legitimate interests" categry abve is the ne mst likely t apply in relatin t ur relatinship, and if yur bjectin relates t us prcessing yur persnal data because we deem it necessary fr ur legitimate interests, we will act n yur bjectin by ceasing the activity in questin unless we: have cmpelling legitimate grunds fr prcessing which verrides yur interests; r are prcessing yur data fr the establishment, exercise r defence f a legal claim. 4

5 9.2 Right t withdraw cnsent Where we have btained yur cnsent t prcess yur persnal data fr certain activities (fr example, fr autmatic prfiling), yu may withdraw this cnsent at any time and we will cease t carry ut the particular activity that yu previusly cnsented t, unless we cnsider that there is an alternative legal basis t justify ur cntinued prcessing f yur data fr this purpse, in which case we will infrm yu f the same. 9.3 Right t submit a data subject access request (DSAR) Yu may ask us t cnfirm what infrmatin we hld abut yu at any time, and request us t mdify, update r Delete such infrmatin. We may ask yu fr mre infrmatin abut yur request. We may refuse yur request where we are legally permitted t d s, and we will infrm yu f the reasns fr ur refusal. If we prvide yu with access t the infrmatin we hld abut yu, we will charge yu if yur request is "manifestly unfunded r excessive". If yu request further cpies f this infrmatin frm us, we may charge yu a reasnable administrative cst where legally permissible. 9.4 Right t erasure Yu have the right t request that we "erase" yur persnal data in certain circumstances. Nrmally, the infrmatin must meet ne f the fllwing criteria: the data is n lnger necessary fr the purpse fr which we riginally cllected and/r prcessed them; where previusly given, yu have withdrawn yur cnsent t us prcessing yur data, and there is n ther valid reasn fr us t cntinue prcessing; the data has been prcessed unlawfully (i.e. in a manner which des nt cmply with the GDPR); it is necessary fr the data t be erased in rder fr us t cmply with ur bligatins as a data cntrller under EU r Member State law; r if we prcess the data because we believe it necessary t d s fr ur legitimate interests, yu bject t the prcessing and we are unable t demnstrate verriding legitimate grunds fr ur cntinued prcessing. We wuld nly be entitled t refuse t cmply with yur request fr erasure fr ne f the fllwing reasns: t exercise the right f freedm f expressin and infrmatin; t cmply with legal bligatins r fr the perfrmance f a public interest task r exercise f fficial authrity; fr public health reasns in the public interest; fr archival, research r statistical purpses; r t exercise r defend a legal claim. When cmplying with a valid request fr the erasure f data, we will take all reasnably practicable steps t Delete the relevant data. 9.5 Right t restrict prcessing Yu have the right t request that we restrict ur prcessing f yur persnal data in certain circumstances. Upn acceptance f yur request, we can nly cntinue t stre yur data and will nt be able t carry ut any further prcessing activities with it until either: (i) ne f the circumstances listed belw is reslved; (ii) yu cnsent; r (iii) further 5

6 prcessing is necessary fr either the establishment, exercise r defence f legal claims, the prtectin f the rights f anther individual, r reasns f imprtant EU r Member State public interest. The circumstances in which yu are entitled t request that we restrict the prcessing f yur persnal data are: where yu dispute the accuracy f the persnal data that we are prcessing abut yu. In this case, ur prcessing f yur persnal data will be restricted fr the perid during which the accuracy f the data is verified; where yu bject t ur prcessing f yur persnal data fr ur legitimate interests. Here, yu can request that the data be restricted while we verify ur grunds fr prcessing yur persnal data; where ur prcessing f yur data is unlawful, but yu wuld prefer us t restrict ur prcessing f it rather than erasing it; and where we have n further need t prcess yur persnal data but yu require the data t establish, exercise, r defend legal claims. If we have shared yur persnal data with third parties, we will ntify them abut the restricted prcessing unless this is impssible r invlves disprprtinate effrt. We will ntify yu befre lifting any restrictin n prcessing yur persnal data. 9.6 Right t rectificatin Yu als have the right t request that we rectify any inaccurate r incmplete persnal data that we hld abut yu, including by means f prviding a supplementary statement. If we have shared this persnal data with third parties, we will ntify them abut the rectificatin unless this is impssible r invlves disprprtinate effrt. Yu may als request details f the third parties that we have disclsed the inaccurate r incmplete persnal data t. Where we think that it is reasnable fr us nt t cmply with yur request, we will explain ur reasns fr this decisin. 9.7 Right f data prtability The right f data prtability applies t: (i) persnal data that we prcess autmatically (i.e. withut any human interventin); (ii) persnal data prvided by yu; and (iii) persnal data that we prcess based n yur cnsent r in rder t fulfil a cntract. Yu have the right t transfer yur persnal data between data cntrllers which means that yu are able t transfer the details we hld n yu t anther emplyer r a third party. We will prvide yu with yur data in a cmmnly used machine-readable frmat t allw yu t effect such transfer. Alternatively, we may directly transfer the data fr yu. 9.8 Right t ldge a cmplaint with a supervisry authrity Yu als have the right t ldge a cmplaint with yur lcal supervisry authrity. Details f hw t cntact them can be fund in Annex 4. If yu wuld like t exercise any f these rights, r withdraw yur cnsent t the prcessing f yur persnal data (where cnsent is ur legal basis fr prcessing yur persnal data), details f hw t cntact us can be fund in Annex 3. Please nte that we may keep a recrd f yur cmmunicatins t help us reslve any issues which yu raise. It is imprtant that the persnal infrmatin we hld abut yu is accurate and current. Please keep us infrmed if yur persnal infrmatin changes during the perid fr which we hld yur data. 6

7 10. WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA Yu can find ut which Keppel entity is respnsible fr prcessing yur persnal data and where it is lcated by fllwing Annex STORAGE AND TRANSFER YOUR DATA INTERNATIONALLY In rder fr us t carry ut the purpses described in this Ntice, yur data may be transferred t the fllwing recipients lcated utside f yur jurisdictin: between and within Keppel entities; t third parties (such as advisers and suppliers t the Keppel business r prviders f benefits); t verseas candidates and clients; t clients within yur cuntry wh may, in turn, transfer yur data internatinally; t a clud-based strage prvider; r t ther third parties, as referred t in this Ntice. We want t make sure that yur data are stred and transferred in a way which is secure. We will therefre nly transfer data utside f the Eurpean Ecnmic Area r EEA (i.e. the Member States f the Eurpean Unin, tgether with Nrway, Iceland and Liechtenstein) where it is cmpliant with data prtectin legislatin and the means f transfer prvides adequate safeguards in relatin t yur data, fr example (where applicable): by way f data transfer agreement, incrprating the current standard cntractual clauses adpted by the Eurpean Cmmissin fr the transfer f persnal data by data cntrllers in the EEA t data cntrllers and prcessrs in jurisdictins withut adequate data prtectin laws; by signing up t the EU-U.S. Privacy Shield Framewrk fr the transfer f persnal data frm entities in the EU t entities in the United States f America r any equivalent agreement in respect f ther jurisdictins; where we are transferring yur data t a cuntry where there has been a finding f adequacy by the Eurpean Cmmissin in respect f that cuntry's levels f data prtectin via its legislatin; where it is necessary fr the cnclusin r perfrmance f a cntract between urselves and a third party and the transfer is in yur interests fr the purpses f that cntract; r where yu have cnsented t the data transfer. T ensure that yur persnal infrmatin receives an adequate level f prtectin, we have put in place apprpriate prcedures with the third parties we share yur persnal data with t ensure that yur persnal infrmatin is treated by thse third parties in a way that is cnsistent with the law n data prtectin. 12. COOKIES Ckies are small data files sent by a website t yur cmputer that are stred n yur hard drive when yu visit certain nline pages f ur website. 7

8 Ckies allw the website t identify and interact with yur cmputer (fr example s we can remember yur lgin details if yu have pted t 'stay signed in'). We d nt use ckies t retrieve infrmatin that was nt riginally sent by us t yu in a ckie. Yu can set yur brwser t accept r reject all ckies, r ntify yu when a ckie is sent. If yu reject ckies r delete ur ckies, yu may still use ur websites, but yu may have reduced functinality and access t certain areas f ur websites r yur accunt (if applicable). In additin t the express ntice prvided n ur website when yu first visit, yur cntinued use f ur website is yur acceptance f ur cntinued use f ckies n ur website. Yu may refuse t accept ckies by changing the settings f yur Internet brwser. If yu d nt want ckies t be placed n yur device, yu can cntrl this thrugh yur brwser s settings. 13. LEGAL BASIS FOR USING YOUR PERSONAL DATA There are a number f different ways that we are lawfully able t prcess yur persnal data. We have set these ut belw. Where using yur data is in ur legitimate interests, except where such interests are verridden by yur interests r fundamental rights r freedms which require prtectin f persnal data 1 We are allwed t use yur persnal data where it is in ur interests t d s, and thse interests are nt utweighed by any ptential prejudice t yu. We believe that ur use f yur persnal data is within a number f ur legitimate interests, including but nt limited t: T help us satisfy ur legal bligatins and cmpliance with any law and regulatins that may be applicable t us r ur businesses (fr example, in relatin t preventin f mney laundering and anti-terrrism); T help us understand ur custmers better and prvide better, mre relevant services t them; T ensure that ur service and/r ur relatinship runs smthly; T help us keep ur systems secure and prevent unauthrized access r cyber attacks; and T drive cmmercial value fr the benefit f ur sharehlders. Yu have the right t bject t us prcessing yur persnal data n this basis. We have set ut details regarding hw yu can g abut ding this in sectin [9] abve. Where yu give us yur cnsent t use yur persnal data 2 We are allwed t use yur data where yu have specifically cnsented. In rder fr yur cnsent t be valid: It has t be given freely, withut us putting yu under any pressure; Yu have t knw what yu are cnsenting t s we will give yu enugh infrmatin; Yu are asked t cnsent t ne prcessing activity at a time we therefre avid "bundling" cnsents tgether s that yu knw exactly what yu agree t; and Yu need t take psitive and affirmative actin in giving us yur cnsent we are likely t prvide a tick bx fr yu t check s that this requirement is met in a clear and unambiguus fashin. When yu engage ur services and/r purchase ur prducts, enter int a relatinship with us, use ur websites r nline services r register fr an accunt with us (as may be applicable), we may ask yu fr specific cnsents t allw us t use yur data in certain ways. If we require 1 Article 6(1)(f) f the GDPR 2 Article 4(11) f GDPR 8

9 yur cnsent fr anything else in the future, we will prvide yu with sufficient infrmatin s that yu can decide whether r nt yu wish t cnsent. Yu have the right t withdraw yur cnsent at any time. We have set ut details regarding hw yu can g abut this in sectin [9] abve and in Annex 3. Where using yur persnal data is necessary fr us t carry ut ur bligatins under ur cntract with yu 3 We are allwed t use yur persnal data when it is necessary t d s fr the perfrmance f ur cntract with yu. Fr example, we need t cllect yur credit card and bank accunt details in rder t be able t prcess yur payments fr the services and/r prducts we prvide yu. Where prcessing is necessary fr us t carry ut ur legal bligatins 4 As well as ur bligatins t yu under any cntract, we als have ther legal bligatins that we need t cmply with and we are allwed t use yur persnal data when we need t in rder t cmply with thse ther legal bligatins. Fr example, we may be required t carry ut anti-mney laundering checks abut ur custmers and we need t cllect and use certain infrmatin abut yu in rder t d s. 3 Article 6(1)(b) f the GDPR 4 Article 6(1)(c) f the GDPR 9

10 ANNEX 1 PURPOSES FOR WHICH WE USE YOUR PERSONAL DATA Prviding prducts and/r services We prvide a range f prduct and/r services. Sme f ur prducts and/r services require us t prcess persnal data in rder t prvide such prducts, services, advice and deliverables and t carry ut ur bligatins arising frm ur cntracts with yu. Receiving services We prcess persnal data in relatin t ur suppliers, service prviders and their staff as necessary t receive the services in questin. Fr example, where a supplier is prviding us with facilities management r ther utsurced services, we will prcess persnal data abut thse individuals that are prviding services t us. Administering, managing and develping ur businesses and services We prcess persnal data in rder t run ur business, including: managing ur relatinship with custmers; develping ur businesses and services (such as identifying custmer needs and imprvements in service delivery); prmting ur gds and services; maintaining ur wn accunts and recrds; maintaining and using IT systems; hsting r facilitating the hsting f events; and administering and managing ur website and systems and applicatins. Security, quality and risk management activities We have security measures in place t prtect ur and ur clients infrmatin (including persnal data), which invlve detecting, investigating and reslving security threats. Persnal data may be prcessed as part f the security mnitring that we undertake. Fr example, autmated scans t identify harmful s. We mnitr the services prvided t custmers fr quality purpses, which may invlve prcessing persnal data stred n the relevant custmer file. We cllect and hld persnal data as part f ur client engagement and acceptance prcedures. As part f thse prcedures we carry ut searches using publicly available surces (such as internet searches and sanctins lists) t identify plitically expsed persns and heightened risk individuals and rganisatins and check that there are n issues that wuld prevent us frm wrking with a particular client (such as sanctins, criminal cnvictins (including in respect f cmpany directrs), cnduct r ther reputatinal issues). Prviding ur clients with infrmatin abut us and ur range f services We use client business cntact details t prvide thse individuals with infrmatin that we think will be f interest abut us and ur services. Cmplying with any requirement f law, regulatin r a prfessinal bdy f which we are a member We may be subject t legal, regulatry and/r prfessinal bligatins. We need t keep certain recrds t demnstrate that ur services are prvided in cmpliance with thse bligatins and thse recrds may cntain persnal data. 10

11 ANNEX 2 CATEGORIES OF ENTITIES OR PEOPLE WE SHARE YOUR PERSONAL DATA WITH We may share yur persnal data with the fllwing categries f recipients: Related Entities Yur persnal data will be used by us and disclsed t ur grup cmpanies (including ur Keppel headquarter in Singapre and all f its subsidiaries). Regulatry bdies We may disclse yur persnal data: t regulatrs and law enfrcement agencies (including thse respnsible fr enfrcing anti-mney laundering legislatins); Service prviders in respnse t an enquiry frm a gvernment agency; t data prtectin regulatry authrities; and t ther regulatry authrities with jurisdictin ver ur activities. We may disclse yur persnal data t third party service prviders wh require access t such infrmatin fr the purpse f prviding specific services t us. These third parties will generally nly be able t access yur data in rder t prvide us with their services and will nt be able t use it fr their wn purpses. Prfessinal advisrs and Auditrs We may disclse yur persnal data t prfessinal advisrs (such as legal advisrs and accuntants) r auditrs fr the purpse f prviding prfessinal services t us. Replacement prviders In the event that we sell r buy any business assets, we may disclse yur persnal data t the prspective seller r buyer f such business r assets. If Keppel r substantially all f its assets are acquired by a third party, persnal data held by us abut ur clients will be ne f the transferred assets. 11

12 ANNEX 3 OUR CONTACT DETAILS Cuntry Relevant Keppel Entity Hw yu can get in tuch with us: t access, amend r take back the persnal data that yu have given t us; if yu suspect any misuse r lss f r unauthrised access t yur persnal infrmatin; t withdraw yur cnsent t the prcessing f yur persnal data (where cnsent is the legal basis n which we prcess yur persnal data); with any cmments r suggestins cncerning this General Privacy Ntice Singapre Keppel Land Hspitality Management Pte Ltd Yu can write t us at the fllwing address: Keppel Land Hspitality Management Pte Ltd 230 Victria Street #06-07 Bugis Junctin Twers, Singapre Alternatively, yu can send an t: dp@keppelland.cm 12