Last updated on: Friday, 24 August 2018
This sets out the policies and practices of South China Morning Post Publishers Limited and all subsidiaries and affiliated companies of which it forms part (“SCMP GROUP” or “We”) in relation to the handling of personal data.
Statement of Notice
We respect privacy. SCMP GROUP is committed to complying with all applicable personal data privacy laws and regulations.
When we collect and process personal data, we will ensure that there is legal basis for us to do so – including but not limited to issuing a Privacy Notice and/or fulfilling any other requirements as provided under all applicable laws.
Statement of Practice
Kinds of Personal Data Collected
We collect personal data in five broad categories below (“Categories of Personal Data”):
Subscription Records which include records containing the personal information of the subscribers of our publications, job alert services and any other subscription based products or services.
Personnel Records which include job applicants and our employees’ personal information.
Event Attendee Records which include the personal information provided by the attendees of our events such as conferences, promotion or charity activities.
Other Operational Records which include the personal data of such data subjects involved in newsgathering, security checks, cleaning, maintenance services, consultancy, technology, auditing, supplier, service provider, licensor and other data subjects providing services in relation to all aspects of our operations.
Records collected on/from Webservers which include but not limited to the email addresses, location data and other online identifiers such as IP addresses of such data subjects who visit our websites, platforms.
Main Purposes of Processing Collected Personal Data
Subscription Records are processed for the purposes of: (i) provision of subscription, job alert orders and any other subscription based products or services; (ii) billing and payment (if applicable); and (iii) conducting market research for statistical purposes.
Personnel Records are processed for the purposes of: (i) recruitment; and (ii) human resources management and employment related activities such as employment benefits, termination, performance appraisal and discipline.
Event Attendee Records are processed for the purposes of: (i) organising and managing the relevant events; and (ii) running the related competitions, prize draws and promotions.
Other Operational Records are processed for the purposes of facilitating the effective operation of our business such as newsgathering, security, maintenance, consultancy, technology, auditing, supplier, service provider, licensor and other data subjects providing services in relation to all aspects of our operations.
Records collected on/from Webservers are kept for the purposes of: (i) providing and/or improving on the news, information and related services to you; and (ii) keeping abreast of and analysing the latest trends in the global media landscape.
Data Protection Principles
All processing of personal data shall be conducted according to the data protection principles as follows:
- Personal data must be processed lawfully, fairly and transparently.
- Personal data can only be collected for specific, explicit and legitimate purposes.
- Personal data must be relevant and limited to what is necessary for processing.
- Personal data must be accurate and kept up to date with every effort to erase or correct.
- Personal data must be kept in a form such that the data subject can only be identified if it is necessary for processing.
- Personal data must be processed in a manner that ensures the appropriate security.
We have also kept a data inventory and data flow process to determine various aspects of our data processing including:
- Business processes that use personal data.
- Purposes for collecting and/or using the personal data.
- Source of personal data.
- Processing activities.
- Any data transfer, and to whom.
- Any data access, correction or opt-out request.
Such data inventory would facilitate SCMP GROUP in tracking its data and the related processing activities, and put us in a better position to comply with the relevant privacy and other laws and regulations.
Legal Basis of Data Processing
We ensure that there is legal basis for our processing of the personal data.
Such legal basis includes: (i) legitimate business interests of SCMP GROUP in processing personal data; (ii) if required by applicable laws or regulations, seeking your specific consent to process such personal data; and/or (iii) any other relevant basis under applicable laws and regulations.
SCMP GROUP processes personal data under the “legitimate interests” legal basis which means that the processing of the personal data is necessary for the legitimate interest pursued by SCMP GROUP except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which requires protection of personal data.
Legitimate Interests Assessment
In each relevant situation, we assess: (i) what these legitimate interests are; (ii) whether it is necessary to process such data to attain the objective; and (iii) the relevant rights of the data subjects; and balance such rights against our interests in achieving such objective, and ensure that such rights do not override SCMP GROUP’s legitimate interests before we conclude that SCMP GROUP can process the personal data on the basis of legitimate interests.
Communicate with the Data subjects
All data subjects will be informed that we are collecting their personal data, the Categories of Personal Data concerned and the purpose of processing. This is to ensure that the data subjects are clear about our collection and process of personal data and such collection and processing are within the data subjects’ reasonable expectation.
Please be informed that all data subjects can object to our collection and processing of their personal data at any time, in addition to their rights of requesting for accessing and/or correcting their personal data in our possession.
Data Security Mechanisms
We have also implemented appropriate mechanisms, policies and procedures to protect the confidentiality and security of the personal data that we collect and process, as we respect the privacy and related rights of the data subjects relating to such personal data by reducing the risks or potential negative impact of processing including but not limited to data minimisation, de-identification, encryption, restricted access and all other technical security methods and efforts to protect personal data. Such protection of the privacy and related rights of the data subjects would enable SCMP GROUP GROUP’s in processing personal data under the legitimate interest legal basis.
Having conducted the above assessment thoroughly, SCMP GROUP’s concludes that it is collecting and processing personal data under its legitimate interests as follows:
a. Serving our Customers and Operational Needs
The main purposes for processing the Categories of Personal Data have been set out above. They are legitimate interests for SCMP GROUP to process the same because all such purposes are essential to SCMP GROUP serving its customers and its operational needs as a corporation and a media organisation.
A corporation like SCMP GROUP needs employees to work for its business (and hence Personnel Records) and service providers to keep it running (and therefore Other Operational Records).
A media organisation such as SCMP GROUP needs the personal data of its newspaper subscribers, event attendees and website visitors so as to be able to have relevant and timely provision of information and/or other services (and thereby Subscription and Event Attendee Records together with Records collected on Webservers).
b. Inform the Public
As a news organisation – SCMP GROUP respects the public’s right to know about what is happening in our community and the world. SCMP GROUP has a duty both under law and journalistic ethics to inform the public of such happenings (“duty to inform”).
We collect and process such data as the name, email address, online identifier and/or location data of those data subjects who visit any of our news, media or other websites. We take note of the web pages being viewed as well as the time and frequency of such viewing. All of such data (“Public View Data”) are used to recommend to such data subjects relevant articles or content which should be of their interests.
Such recommendation does not prohibit or restrict anyone from viewing all of the other articles or content on such websites which they can access at any time as available.
c. Market Analysis
We analyse the Public View Data to: (i) gain insightful knowledge of the reading habits, preferences or tastes of the public; and (ii) conduct market segmentation and related studies.
Such analysis is necessary because it enhances SCMP GROUP’s capability to carry out its duty to inform and contribute to the welfare of our international community as a global digital news organisation. The knowledge and study results from such analysis would enable SCMP GROUP to fulfil its duty to inform more effectively by providing more relevant and timely information, products and services to the public.
This would benefit not just SCMP GROUP – but also the international society as a whole. Our world is becoming more globalised and inter-connected. What is happening in one part of the world could have instant, far-reaching and/or significant ramifications on others.
d. Direct Marketing
SCMP GROUP also uses personal data for direct marketing purposes as part of its legitimate interests unless the data subject explicitly objects or such is otherwise specifically prohibited under applicable laws.
How you enjoy SCMP GROUP’s products or services (such as news, media, advertising, events, etc.) may indicate your consumption preferences or inclinations. Based on such preferences or inclinations, we use such personal data to conduct direct marketing in respect of various goods and/or services offered by SCMP GROUP, its affiliates or business partners including:
- Insurance, banking and financial products and services;
- Products and services relating to airlines, hotel, health club, travel and hospitality;
- Beauty, skin care, health, medical devices, biotechnology, pharmacy and wellness;
- Eyewear and optical, fashion, sports, sports events, sports clubs, watches and jewellery, flower shop, stationery, toys, department stores and shopping malls;
- IT, electronic goods and electrical appliances, mobile phones and accessories, telecommunications and media products and services;
- Food and beverages and restaurants;
- Design, automotive, education, antique and auction, arts and gallery, boat and accessories, services for children, real property, construction, furniture and household items, interior design, consular services, trade or industry associations, non-governmental organisations, government services, energy, events and exhibitions, personal announcements, pets and accessories, post and courier services, public utilities, professional services, career, security services, shopping, transportation and logistics.
We note that given the global spread of our businesses, there could be cases where our use of personal data for direct marketing is governed by laws of certain jurisdictions (such as Hong Kong) which require the consent of the data subject(s) in this regard. Please refer to the “Consent” section immediately below for more information.
Where applicable legal requirement demands specific consent must be obtained before we can process personal data including conducting direct marketing, we will ensure that such specific consent will be obtained as follows:
- the consent has to be clear, explicit and specific;
- data subject is fully aware of the types of the personal data that we intend to use; and the purposes of such usage (such as improving our services to the data subject or direct marketing); and
- the name/identity of the transferee (if we ever intend to transfer your data) and how the transferee shall use your personal data.
Rights of the Data subjects
SCMP GROUP respects that data subjects have the following rights about the data processing, and the data which is recorded about them:
- To request for access regarding the nature of information held and to whom it has been disclosed.
- To prevent processing likely to cause damage or distress.
- To prevent processing for purposes of direct marketing.
- To be informed about the mechanics of automated decision-making process which will significantly affect them.
- Not to have significant decisions that will affect them taken solely by automated process.
- To sue for compensation if they suffer damage by any contravention of the applicable privacy and other laws.
- To take action to rectify, block and erase including the right to be forgotten or destroy inaccurate data.
- To request the supervisory authority (eg. a privacy commissioner or a data protection officer) to assess whether any provision of the relevant privacy and other laws has been violated.
- To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have such data transmitted to another data controller.
- To object to any automated profiling which is occurring.
Transfer of Personal Data
We will keep confidential the personal data that we hold, which may be transferred to the following parties within Hong Kong for the purposes as stated above.
- Delivery agents of SCMP GROUP for delivering the newspapers or other publications relating to the subscriptions or free trials;
- Agents, contractors or third parties which/who provide administrative, technology or other services to SCMP GROUP for its operations;
- Credit reference or debt collection agencies; and
- Any affiliates of SCMP GROUP.
In the event of such transfer, SCMP GROUP shall use contractual or other means to ensure that the data transferees shall keep the transferred personal data confidential and comply with all relevant personal data privacy laws and regulations.
Regarding the situation as described under sub-clause (iv) above – If such intra-group transfer among SCMP GROUP affiliates involves cross-border data transfer, SCMP GROUP may adopt binding corporate rules for safeguarding the security of such personal data; and ensuring that all affiliates involved shall comply with the relevant privacy and other laws.
SCMP GROUP has been using its in-house resources to develop and maintain its IT systems. Occasionally SCMP GROUP engages a third-party vendor to provide certain services relating its IT systems. This vendor does not have access to the personal data stored in the IT systems under usual circumstances.
In the exceptional case where such vendor has such access, SCMP GROUP uses reasonable measures to ensure that: (i) such vendor is contractually bound to keep such personal data confidential and adopt appropriate means to prevent any unauthorised access, use, loss, retention, modification, transfer or otherwise.
We implement data retention policies and records to ensure that personal data will not be kept longer than is necessary in relation to the purpose for which they were collected.
Different retention period apply to various types of personal data that we hold, depending on the respective data collection/usage purpose and relevant legal requirements.
Data Protection Officer
We have appointed a Data Protection Officer show responsibilities include the following:
- To inform and advise SCMP GROUP and its employees of their obligations pursuant to the applicable privacy and other laws and regulations (collectively “Privacy Laws”);
- To monitor SCMP GROUP’s compliance with such Privacy Laws;
- To co-operate with the supervisory authority (eg. privacy commissioner or equivalent bodies); and
- To act as the contact point for the supervisory authority on issues regarding the data processing and related matters.
Data Access / Correction and Other Inquiries
You have the right to know whether SCMP GROUP holds your personal data, access the data and/or correct any inaccuracies of such data. You also have the right to make reasonable inquiries about SCMP GROUP’s personal data policies and procedures. You have the right to object to the processing of your personal data or withdraw your consent (if applicable) at any time. Please note however that if you object to the processing of your personal data, it may affect SCMP GROUP’s ability to provide the services that you required to you or may affect the quality of such services. If you withdraw your consent (if applicable), SCMP Group will stop providing such services to you which applicable laws requires specific consent.
All of the above requests should be made in writing to our Data Protection Officer at [email protected]
European Union Representative
Pursuant to Article 27 of the EU General Data Protection Regulation (“GDPR”), South China Morning Post group (“SCMP GROUP”) has appointed European Data Protection Office (“EDPO”) as its GDPR representative in the EU as shown below:
Persons who are in the EU or persons whose personal data was processed while they were in the EU can contact EDPO regarding matters pertaining to the GDPR by:
- Sending an email to [email protected]
- Using EDPO’s online request form at https://www.edpo.brussels/contact
- Writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium
A reasonable fee may be charged in light of the administrative costs that SCMP GROUP shall incur in addressing your request(s).
We keep our Privacy Notice under regular review, and reserve the right to amend it from time to time as appropriate.
This Notice was last updated on 24 August 2018.