Privacy Statement

DATA PROTECTION POLICY / CODE OF CONDUCT

Data Protection Policy / Code of Conduct

1.                Introduction

Introduction

1.1              This Policy gives important information about:

This Policy provides important information on the following matters:

1.1.1          the data protection principles with which Hainan Airlines Holding Company Limited (hereinafter the "Company", "we", "us" or "our") must comply;

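the data protection principles with which Hainan Airlines Holding Company Limited (hereinafter the "Company", "we", "our company" or "our") must comply;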

1.1.2          what is meant by personal information (or data) and sensitive personal information (or data);

the meaning of personal information (or data) and sensitive personal information (or data);

1.1.3          how we gather and use personal information and sensitive personal information in accordance with the data protection principles under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the requirements of other relevant laws and regulations of other countries and regions; and

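how we collect and use personal information and sensitive personal information in accordance with the data protection principles in the General Data Protection Regulation (EU) 2016/679 ("GDPR") and in the requirements of the relevant laws and regulations of other countries and regions;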

1.1.4          data subjects' rights and obligations in relation to data protection.

the rights and obligations of data subjects in relation to data protection.

1.2              This Policy applies to all personal information collected by or on behalf of the Company, and may include personal information about its customers, potential customers, website visitors and job applicants. This Policy may be provided to you using a number of methods, including through the use of any of our websites, through the use of any of our mobile applications, through the use of telephone, or in-person at any of our retail locations. 

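This Policy applies to all personal information collected by the Company itself or by others on its behalf, which may include personal information about the Company's customers, potential customers, website users and job applicants. This Policy may be provided to you in a number of ways, including through visiting any of the Company's websites, using any mobile application released by the Company, by telephone, or in face-to-face communication with service staff at any of the Company's physical stores.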

1.3              We will review and update this Policy as we deem necessary or in accordance with our data protection obligations.

We will review and update this Policy where necessary or in accordance with our data protection obligations.

1.4              The Company may obtain, keep and use personal information (also referred to as personal data) about its customers, potential customers, website visitors and job applicants for a number of specific lawful purposes.

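The Company may obtain, keep and use personal information (also called "personal data") about its customers, potential customers, website users and job applicants for a number of specific lawful purposes.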

1.5              This Policy sets out how we comply with our data protection obligations and seek to protect personal information. Its purpose is also to ensure that our staff understand and comply with the rules governing the collection, use and deletion of personal information to which they may have access in the course of their work.

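This Policy sets out how we fulfil our data protection obligations and what measures we take to protect personal information. A further purpose of this Policy is to ensure that our staff understand and comply with the rules that apply to the collection, use and deletion of personal information they may come into contact with in the course of performing their duties.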

1.6              We are committed to complying with our data protection obligations, and to being concise, clear and transparent about how we obtain and use personal information, and how (and when) we delete that information once it is no longer required.

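We undertake to comply with our data protection obligations, and to be concise, clear and transparent about how we obtain and use personal information and how (and when) we delete it once it is no longer needed.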

1.7              The Company’s Data Protection Officer has overall responsibility for addressing all issues relating to the protection of your personal information, and is responsible for assisting us in monitoring internal compliance, informing and advising on our data protection obligations and acting as a contact point for you and any supervisory authority. If you have any questions or comments about the content of this Policy or if you need further information, you can contact the following persons:

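The Company's Data Protection Officer (also referred to as the "data protection supervisor") bears overall responsibility for handling all matters relating to the protection of your personal information, and is responsible for assisting the Company in monitoring internal compliance, providing information and advice on the Company's data protection obligations, and acting as the contact point between the Company and you and any supervisory authority. If you have any questions or comments about the content of this Policy, or need further information, please contact the following persons: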

1.7.1          The Company's Data Protection Officer: [HNA-DPO@hnair.com]; or

The Company's Data Protection Officer: [HNA-DPO@hnair.com]

1.7.2          The Company's EU representative: [HNA-DPO@hnair.com].

The Company's EU representative: [HNA-DPO@hnair.com]

 

2.                Definitions

Definitions

"criminal records information"

means personal information relating to criminal convictions and offences, allegations, proceedings, and related security measures;

"data breach"

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information;

"data subject"

means the individual to whom the personal information relates;

"personal information" or "personal data"

means information relating to an individual who can be identified (directly or indirectly) from that information;

"processing"

means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it;

"pseudonymised"

means the process by which personal information is processed in such a way that it cannot be used to identify an individual without the use of additional information, which is kept separately and subject to technical and organisational measures to ensure that the personal information cannot be attributed to an identifiable individual;

"sensitive personal information"

(sometimes known as "special categories of personal data" or "sensitive personal data") means personal information about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetics information, biometric information (where used to identify an individual) and information concerning an individual’s health, sex life or sexual orientation.

"Websites"

means any website(s) owned or operated by the Company.

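"criminal records information"

means personal information relating to criminal convictions and offences, allegations, legal proceedings and related security measures;

"data breach" or "data leak"

means a breach of security measures leading to personal information being accidentally or unlawfully destroyed, lost, altered, or disclosed or accessed without authorisation;

"data subject"

means the individual to whom the personal information relates;

"personal information" or "personal data"

means information relating to an individual from which that individual can be identified (directly or indirectly);

"processing"

means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, using information, or doing anything with it;

"pseudonymised"

means a way of processing personal information such that, after processing, the individual concerned cannot be identified without the use of additional information, where that additional information is stored separately and is subject to technical and organisational measures to ensure that the personal information cannot be linked to an identifiable individual;

"sensitive personal information"

(also called "special categories of personal data" or "sensitive personal data") means personal information about an individual's race, ethnic origin, political leanings, religious or philosophical beliefs, trade union membership (or non-membership), genetic information, biometric information (used to identify an individual) and information concerning an individual's health, sex life or sexual orientation;

"Websites"

means any website owned or operated by the Company.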

 

3.                DATA PROTECTION PRINCIPLES

Data Protection Principles

3.1              The Company will comply with the following data protection principles when processing personal information:

When processing personal information, the Company will comply with the following data protection principles:

3.1.1          we will process personal information lawfully, fairly and in a transparent manner;

we will process personal information in a lawful, fair and transparent manner;

3.1.2          we will collect personal information for specified, explicit and legitimate purposes only, and will not process it in a way that is incompatible with those legitimate purposes;

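we will collect personal information only for specified, explicit and legitimate purposes, and will not process it in a manner incompatible with those legitimate purposes;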

3.1.3          we will only process the personal information that is adequate, relevant and necessary for the relevant purposes;

we will process personal information only where it is adequate, relevant and necessary for the relevant purposes;

3.1.4          we will keep personal information accurate and up to date, and take reasonable steps to ensure that inaccurate personal information is deleted or corrected without delay;

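we will keep personal information accurate and up to date, and take reasonable steps to ensure that inaccurate personal information is deleted or corrected in a timely manner;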

3.1.5          we will keep personal information in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the information is processed; and

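we will keep personal information in an appropriate form so that, as regards identifying data subjects, it is kept for no longer than is needed for the purposes for which it is processed;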

3.1.6          we will take appropriate technical and organisational measures to ensure that personal information is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

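we will take appropriate technical and organisational measures to ensure the security of personal information and to protect it against unauthorised or unlawful processing and against accidental loss, destruction or damage.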

 

4.                PRIVACY NOTICE

Privacy Notice

4.1              The Company may supplement this Policy by issuing privacy notices from time to time, informing you about the personal information that we collect and hold relating to you, how you can expect your personal information to be used and for what purposes.

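The Company may supplement this Policy from time to time, informing you about the personal information relating to you that the Company collects and holds, and how and for what purposes the Company will use your personal information.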

4.2              We will take appropriate measures to provide information in privacy notices in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

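We will take appropriate measures to convey information to you through privacy notices in a concise, transparent, easily understood and easily readable form, using clear and plain language.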

4.3              When personal information is collected

When personal information is collected

4.3.1          We collect personal information where it is necessary for us to conduct our everyday activities or functions.

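We collect personal information when it is needed to carry on our everyday business activities or perform our everyday functions.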

4.3.2          Here are some examples of situations where we collect personal information:

The following are some of the situations in which we collect personal information:

(a)              when you register for an account on our Websites, apps or kiosks;

when you register an account on the Company's Websites or apps or at its counters;

(b)              when you complete purchase orders, requests or applications for our products, services and/or facilities (by telephone, in person, by post, on forms, through our Websites or by any other means);

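when you complete purchase orders, written requests or applications for the Company's products, services and/or facilities (by telephone, in person, by post, on forms, through the Company's Websites or by any other means);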

(c)               when you communicate with us directly in relation to our products, services and/or facilities (by telephone, in person, by post, on forms, through our Websites or by any other means);

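when you communicate with us directly about matters relating to the Company's products, services and/or facilities (by telephone, in person, by post, on forms, through the Company's Websites or by any other means);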

(d)              when you use services and/or facilities that are made available on our Websites or at our physical locations;

when you use services and/or facilities that we provide through the Company's Websites or physical stores;

(e)              when you conduct certain types of transactions such as booking tickets, redeeming points for tickets, purchasing points, or refunds;

when you carry out certain types of transaction (such as purchasing tickets, redeeming tickets, purchasing points or refunds);

(f)               when you enter, and when you interact with us during, any of our promotions, competitions, contests, lucky draws or special events;

when you take part in any promotion, competition, contest, lucky draw or special event that we organise, and interact with us during it;

(g)              when you subscribe to any of our membership programmes;

when you sign up for any membership programme that we organise;

(h)              when you participate in our surveys and other types of research; or

when you take part in opinion surveys and other types of research that we initiate;

(i)                when you apply for employment with us.

when you apply to the Company for employment.

4.3.3          We do not collect personal information from persons under the age of 16 without prior permission from a parent or a guardian. If you believe that we have accidentally collected personal information from a person under the age of 16 without the prior permission of a parent or guardian, please contact our Data Protection Officer at once under paragraph 1.7 of this Policy in order to have the relevant personal information erased. If you are under the age of 16, please do not proceed to provide us with any of your personal information through any means whatsoever unless you have first procured permission from your parent or your guardian.

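We do not collect personal information from minors (as determined under applicable law) without the prior permission of a parent or guardian. If you believe that we have inadvertently collected the personal information of a minor (as determined under applicable law) without the prior permission of a parent or guardian, please contact the Company's Data Protection Officer immediately using the contact details set out in paragraph 1.7 of this Policy, so that the relevant personal information can be deleted. If you are a minor (as determined under applicable law), please do not provide your personal information to the Company by any means unless you have first obtained the permission of your parent or guardian.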

4.4              What personal information is collected

What personal information is collected

4.4.1          The provision of your personal information is voluntary unless otherwise indicated as mandatory. If you do not provide any personal information to us which is mandatory, we may not be able to provide the products and/or services that you require of us.

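Unless indicated as mandatory, providing your personal information is voluntary. If you do not provide us with information that we require you to provide, we may be unable to provide you with the products and/or services requested.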

4.4.2          The types of personal information which we may collect include the following:

The types of personal information that we may collect include:

(a)              contact information such as names, addresses, telephone numbers, email addresses, delivery addresses and usernames;

contact information, such as names, addresses, telephone numbers, email addresses, delivery addresses and usernames;

(b)              billing information such as billing address, bank card information and credit card information;

billing information, such as billing address, bank card information and credit card information;

(c)               unique information such as nationality and identity document information (including but not limited to identity card numbers, passport numbers, photographs and date of birth), occupational duties, health status and meal preferences;

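unique information, such as nationality, identity document information (including but not limited to identity card numbers, passport numbers, photographs and date of birth), occupation and position, health status and meal preferences;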

(d)              contact and marketing preferences;

preferred means of contact and marketing materials;

(e)              details of any membership that you have with us;

details of your membership with the Company;

(f)               details of your visits to our Websites, such as traffic data, location data, and the resources that you access on our Websites;

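details of your visits to the Company's Websites, such as traffic data, location data and the resources you access on the Company's Websites;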

(g)              details of your online identifiers, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags;

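details of your online identifiers, such as IP addresses, cookie identifiers or other identifiers such as radio frequency identification tags;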

(h)              your transaction history with us; and

your transaction records with the Company;

(i)                if you are a candidate for employment, any personal information that you provide to us during the recruitment process including personal details from your resume and any application form that you submit to us. Such personal information may include your employment history and working eligibility rights. 

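if you are a job applicant, any personal information you provide to us during the recruitment process, including the personal details contained in the resume and job application form you submit to the Company. Such personal information may include your work history and right-to-work information.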

4.4.3          You may, in certain circumstances, provide us with personal information relating to third parties (for example, your designated Fortune Wings Club beneficiaries, next-of-kin, traveling companion or, if you are a candidate for employment, any person whom you have nominated as your referee). When this happens, you are deemed to have represented and confirmed to us that you have obtained the consent of such third party to provide his/her personal information to us for processing in the manner set out in this Policy.

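In certain circumstances, you may provide us with personal information relating to third parties (for example, your designated Fortune Wings beneficiaries, immediate family members, travelling companions or, if you are a job applicant, your referees). In that case, you are deemed to have represented and confirmed to the Company that you have obtained the consent of those third parties to provide their personal information to the Company and for the Company to process it in the manner set out in this Policy.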

4.5              Purposes for collection, use and processing of personal information

Purposes of collecting, using and processing personal information

4.5.1          The personal information which we collect from you may be collected, used, disclosed and/or processed for various purposes, depending on the circumstances at hand and your consent, including for example:

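Depending on the circumstances at hand and your consent, the personal information we collect from you may be collected, used, disclosed and/or processed for various purposes, including (for example):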

(a)              to assess, process and provide our products, services and/or facilities requested by you; including but not limited to:

•   selling flight tickets, flight ticket and hotel packages, in-flight merchandise, etc.

•   sending you product or service booking confirmations

•   providing you with flight-related services, such as check-in, meals, seat selection, luggage services, transit accommodation, irregular flight guarantees and special passenger services

•   providing notifications and instructions related to products or services during your journey, such as instructions about boarding gates and baggage collection

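to assess, process and provide the Company's products, services and/or facilities that you request, including but not limited to:

•   selling flight tickets, flight-plus-hotel packages, in-flight merchandise, etc.

•   sending you booking confirmations for products or services

•   providing you with flight-related services, such as check-in, meals, seat selection, baggage services, transit accommodation, support for irregular flights and special passenger services

•   providing notifications and reminders relating to products or services during your journey, such as boarding gate reminders and baggage carousel reminders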

(b)              to provide you with any assistance that you have requested; including but not limited to:

•   related enquiries or information confirmation operations that you have authorized us to carry out

•   responding to your enquiries

•   assisting you with transaction operations

•   providing you with technical assistance

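to provide you with any assistance you request, including but not limited to:

•   carrying out the relevant enquiries or information confirmation operations that you have authorised us to perform

•   answering your questions and enquiries

•   assisting you in carrying out transactions

•   providing you with technical assistance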

(c)               to maintain and improve our customer relationship with you; including but not limited to:

•   inviting you to join the Fortune Wings Club

•   inviting you to participate in various satisfaction surveys

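to maintain and enhance the customer relationship between you and the Company, including but not limited to:

•   inviting you to join the Fortune Wings Club

•   inviting you to take part in satisfaction surveys of various kinds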

(d)              to establish your identity; including but not limited to:

•   requesting that you present the relevant documents during check-in, boarding, baggage inspection and other procedures

•   informing you about login activity on your online account

•   requesting that you present the relevant documents when you handle membership matters

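to establish your identity, including but not limited to:

•   requiring you to present the relevant documents at check-in, boarding, baggage inspection and other stages

•   informing you of login activity on your online account

•   requiring you to provide the relevant documents when handling membership matters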

(e)              to administer and process any payments (including refunds) related to products, services and/or facilities or other commercial transactions requested by you; including but not limited to:

•   making order payments

•   handling your refund requests

•   fulfilling our compensation obligations

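to administer and process any payments (including refunds) relating to the products, services and/or facilities or other commercial transactions you request, including but not limited to:

•   making order payments

•   handling refund requests you make

•   fulfilling our compensation obligations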

(f)               to respond to your enquiries or complaints and resolve any issues and disputes which may arise in connection with any dealings between us;

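to respond to enquiries or complaints you raise in connection with any dealings between you and us, and to resolve any problems and disputes that arise;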

(g)              to provide you with information and updates on products, services, facilities, loyalty programmes, promotions, launches, campaigns, contests and/or events offered or organised by us and our affiliated partners from time to time, in accordance with your consent; including but not limited to

•   sending you event invitations

•   delivering or distributing prizes to you

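with your consent, to provide you with relevant information and the latest news about products, services, facilities, customer loyalty programmes, promotions, product launches, marketing campaigns, contests and/or events offered or organised from time to time by the Company and our affiliated partners, including but not limited to:

•   sending you event invitations

•   delivering or distributing prizes to you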

(h)              for direct marketing purposes via SMS, phone, email, fax, mail, instant messaging, social media and/or any other appropriate communication channels, in accordance with your consent;

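with your consent, for direct marketing purposes via SMS, telephone, email, fax, mail, instant messaging, social media and/or any other appropriate means of communication;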

(i)                to administer our loyalty or rewards programmes, including the use of airport lounges and the administration of the Fortune Wings Club;

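to administer our customer loyalty or rewards programmes, including the use of airport VIP lounges and the administration of Fortune Wings Club affairs;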

(j)                to engage in codesharing or similar business arrangements with other airlines;

to carry out flight codesharing or similar commercial arrangements with other airlines;

(k)              to cater to your dietary requirements when using our products, services and/or facilities;

to meet the dietary requirements you raise when using our products, services and/or facilities;

(l)                for internal administrative purposes and record-keeping;

to meet internal administration and record-keeping requirements;

(m)             to send you seasonal greetings messages from time to time;

to send you festive greeting messages from time to time;

(n)              to send you service or account change notifications and information when necessary;

to send you notifications of service or account changes when necessary;

(o)              to monitor, review and improve our products, services, facilities, promotions and/or events; including but not limited to:

•   cookies used by our websites and apps

•   traffic analysis and performance monitoring tools used by our websites and apps

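to monitor, review and improve our products, services, facilities, promotional schemes and/or events, including but not limited to:

•   cookies used by our websites and apps

•   traffic analysis and performance monitoring tools used by our websites and apps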

(p)              to conduct market research or surveys, internal marketing analysis, customer profiling activities, analysis of customer patterns and choices, planning and statistical and trend analysis in relation to our products, services and/or facilities;

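to carry out market surveys or research, internal marketing analysis, customer profile management, analysis of customer patterns and choices, and planning, statistical and trend analysis in relation to our products, services and/or facilities;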

(q)              to process, combine and/or analyse your personal information for the above purposes;

to process, combine and/or analyse your personal information for the above purposes;

(r)               for detecting, investigating and preventing fraudulent, prohibited or illegal activities;

to detect, investigate and prevent fraudulent, prohibited or illegal activities;

(s)               for our audit, risk management and security purposes;

for the Company's audit, risk management and security purposes;

(t)               for enabling us to perform our obligations and enforce our rights under any agreements or documents that we are a party to;

to enable the Company to perform its obligations and exercise its rights under any agreements or documents to which we are a party;

(u)              to transfer or assign our rights, interests and obligations under any agreements entered into with us;

to transfer or assign the rights and interests we enjoy and the obligations we bear under any agreements we have entered into;

(v)               for meeting any applicable legal or regulatory requirements and making disclosure under the requirements of any applicable law, legislation, regulation, direction, court order, by-law, guideline, circular or code applicable to us from time to time ("Applicable Law");

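to comply with any applicable legal or regulatory requirements, and to make disclosures of information as required by any law, legislation, regulation, direction, court order, by-law, guideline, circular or code applicable to the Company from time to time ("Applicable Law");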

(w)             to enforce or defend our rights and your rights under, and to comply with, our obligations under any Applicable Law.

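to exercise or safeguard the rights that you and we enjoy under any Applicable Law, and to perform the obligations the Company bears under any Applicable Law.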

4.5.2          We will notify you in advance of any other purpose(s) for which we intend to use your data and obtain your consent where necessary, unless we are permitted by the GDPR or any other Applicable Law to process your personal information without your consent.

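If the Company intends to use your data for any other purpose, we will notify you in advance and obtain your consent, unless under the GDPR or any other Applicable Law we are permitted to process your personal information without your consent.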

4.5.3          Please note that you have the right to object to the processing of your personal data for direct marketing purposes and the right to opt-out of any direct marketing from us and to unsubscribe from any SMS, phone, email, fax, mail, instant messaging, social media and/or other communication channels we use to engage in direct marketing with you. We will endeavour to provide instructions in all such communications on how to opt-out, but you may also contact our Data Protection Officer under paragraph 1.7 of this Policy if you wish to exercise your right to opt-out and are not clear how to exercise such right accordingly.

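Please note that you have the right to refuse the processing of your personal data for direct marketing purposes, and the right to withdraw from any of the Company's direct marketing programmes and to unsubscribe from any SMS, telephone, email, fax, mail, instant messaging, social media and/or other communication channels through which we direct marketing at you. We will endeavour to provide instructions on how to unsubscribe in each of those communication channels, but if you wish to exercise your right to unsubscribe and are unclear how to do so, you may also refer to paragraph 1.7 of this Policy and contact the Company's Data Protection Officer.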

4.6              Transfer of personal information

Transfer of personal information

4.6.1          In order to smoothly conduct our business operations and/or to fulfil our obligations to you, we may disclose the personal information that we have collected from you to third parties, for one or more of the purposes set out at paragraph 4.5 of this Policy. Examples of third parties to whom we may disclose your personal information include:

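In order to conduct our business operations smoothly and/or to fulfil our obligations to you, we may disclose the personal information we collect from you to third parties for one or more of the purposes set out in paragraph 4.5 of this Policy. Examples of third parties to whom we may disclose your personal information include: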

(a)              other companies in our group, such as our sister airlines, for the purposes of paragraphs 4.5.1(a), 4.5.1(b), 4.5.1(i), 4.5.1(j) and 4.5.1(k).

for the purposes set out in paragraphs 4.5.1(a), 4.5.1(b), 4.5.1(i), 4.5.1(j) and 4.5.1(k), other companies in our group, such as our sister airlines;

(b)              third party service providers, agents, affiliates or related companies who provide operational services in connection with our business such as data entry, telecommunications, information technology, logistics, storage and warehousing, catering, delivery, assembly, installation, printing and postal services, credit checks, credit facilities or services relating to marketing and promotional activity; including but not limited to:

•   providers of related supplementary services, such as hotels, insurance companies, logistics companies, food supply companies and sales product suppliers

•   other airlines, such as codesharing partners and mutual sales partners. Please note: Other airlines have their own privacy policies. If your travel plan includes traveling with other airlines, we recommend that you check the other policies, as they may differ from this Privacy Policy

•   information technology providers, such as TravelSky, Amadeus and Google

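third party service providers, agents, affiliates or affiliated companies that provide operational services in connection with the Company's business (such as data entry, telecommunications, information technology, logistics, warehousing, catering, delivery, assembly, installation, printing and postal services, credit checks, financing or services relating to marketing and promotional activities), including but not limited to:

•   providers of related supplementary services, such as hotels, insurance companies, logistics companies, meal supply companies and suppliers of products for sale

•   other airlines, such as codesharing partners and mutual sales partners. Please note: other airlines have their own privacy policies. If your travel plans include travel with other airlines, we recommend that you review those other policies, as they may differ from this privacy statement.

•   information technology providers, such as TravelSky, Amadeus and Google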

(c)               our professional advisors, consultants and/or auditors; and

our professional advisors and/or auditors;

(d)              relevant government regulators or authorities (in accordance with any Applicable Law), including but not limited to:

•   public security agencies (such as the National Civil Aviation Public Security Big Data Operation & Training Center) to which we submit personal information for screening in the interests of public safety and anti-terrorism

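relevant government regulators or government authorities (exercising their powers under any Applicable Law), including but not limited to:

•   submission to public security agencies (such as the National Civil Aviation Public Security Big Data Operation & Training Center) for screening, for the purposes of safeguarding public safety and counter-terrorism.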

4.6.2          The third parties with whom we conduct business are only authorised to use your personal information to perform the service for which they were hired. As part of our agreement with them, they may be required to adhere to the GDPR and/or any policies that we provide, and to take reasonable measures to ensure your personal information is secure.

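Third parties with whom we do business are only entitled to use your personal information to perform the services they have been engaged to provide. As part of the agreements we enter into with them, these third parties may be required to comply with the GDPR and/or any policies we provide, and to take reasonable measures to ensure the security of your personal information.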

4.7              Transfer of personal information of EEA data subjects out of the EEA

Transfer of personal information of EEA data subjects out of the EEA

4.7.1          Due to the global nature of the services that we provide, it is sometimes necessary for us to share the personal information of data subjects in the EEA with parties outside the EEA, for example:

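Because the services we provide are global in nature, it is sometimes necessary for us to share the personal information of EEA data subjects with parties outside the EEA, for example: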

(a)              with our offices outside the EEA;

sharing with our offices outside the EEA;

(b)              with our service providers located outside the EEA;

sharing with service providers located outside the EEA;

(c)               if the data subject is based outside the EEA; or

when the data subject works and lives in the EEA;

(d)              where there is an international dimension to the services we are providing to the data subject.

where the services we are providing to the data subject have an international element.

4.7.2          These transfers are subject to special rules under European data protection law.

These transfers are subject to special rules under European data protection law.

4.7.3          The Company may transfer personal information outside the EEA to:

The Company may transfer personal information out of the EEA to:

(a)              a country, territory or organisation that is designated as having an adequate level of protection; or

a country, territory or organisation designated as having an adequate level of protection;

(b)              an organisation receiving the information that has provided adequate safeguards by way of binding corporate rules, standard data protection clauses or compliance with an approved code of conduct.

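an organisation that has provided appropriate safeguards by way of binding corporate rules, standard data protection clauses or compliance with an approved code of conduct.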

4.7.4          In the absence of a European Commission adequacy decision, or of appropriate safeguards, we may need to transfer personal information of an EEA data subject to non-EEA countries where this is necessary for the performance of a contract or the implementation of pre-contractual measures.

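In the absence of a European Commission adequacy decision (that is, a decision on whether the country, territory or organisation to which personal data is to be transferred has an adequate level of protection) or of appropriate safeguards, we may need to transfer the personal information of EEA data subjects to non-EEA countries where this is necessary for the performance of a contract or the implementation of pre-contractual measures.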

4.7.5          There may also be circumstances where we ask for the explicit consent of an EEA data subject to the transfer of personal information to a non-EEA country for purposes other than the performance of a contract or the implementation of pre-contractual measures. In such circumstances, we will inform the data subject of the increased risks of such transfer due to the absence of safeguards and the fact that these non-EEA countries (for example, the People's Republic of China) do not have the same data protection laws as the EEA.

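In some circumstances, for purposes other than the performance of a contract or the implementation of pre-contractual measures, we may also seek the explicit consent of an EEA data subject to transfer personal information to a non-EEA country. In that case, we will inform the data subject that, owing to the lack of safeguards and the fact that these non-EEA countries (for example, the People's Republic of China) do not have the same data protection laws as the EEA, such transfers may carry increased risks.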

4.7.6          We will, however, ensure that all transfers of personal information of EEA data subjects out of the EEA comply with the GDPR. Our practice is, wherever possible and applicable, to use standard data protection contract clauses that have been approved by the European Commission. Those clauses are available on the following website of the European Commission:

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en

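We will, however, ensure that all transfers of personal information of EEA data subjects out of the EEA comply with the GDPR. Our practice is, where possible and applicable, to use standard data protection contract clauses approved by the European Commission, which can be found on the following European Commission website: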

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en

4.7.7          If you would like further information please contact the Data Protection Officer as shown at paragraph 1.7 of this Policy.  

If you would like further information, please contact the Data Protection Officer referred to in paragraph 1.7 of this Policy.

 

5.                Basis for processing personal information

Basis for processing personal information

5.1              In relation to any processing activity we will, before the processing starts for the first time, and then regularly while it continues:

For any processing activity, we will carry out the following before the processing activity begins and regularly while it continues:

5.1.1          review the purposes of the particular processing activity, and select the most appropriate lawful basis (or bases) for that processing, i.e.:

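review the purposes of the particular processing activity and select the most appropriate lawful basis for that processing, namely: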

(a)              that the data subject has consented to the processing;

the data subject has consented to the processing;

(b)              that the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

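the processing is necessary for the performance of a contract entered into by the data subject, or is necessary in order to take steps at the data subject's request before entering into a contract;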

(c)               that the processing is necessary for compliance with a legal obligation to which the Company is subject;

the processing is necessary in order to comply with a legal obligation borne by the Company;

(d)              that the processing is necessary for the protection of the vital interests of the data subject or another natural person; or

the processing is necessary to protect the vital interests of the data subject or another natural person;

(e)              that the processing is necessary for the purposes of legitimate interests of the Company or a third party, except where those interests are overridden by the interests of fundamental rights and freedoms of the data subject – see paragraph 5.2 of this Policy.

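the processing is necessary for the legitimate interests of the Company or a third party, unless those interests are overridden by the data subject's fundamental rights and freedoms (see paragraph 5.2 of this Policy).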

5.1.2          except where the processing is based on consent, satisfy ourselves that the processing is necessary for the purpose of the relevant lawful basis (i.e. that there is no other reasonable way to achieve that purpose);

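except for processing based on consent, ensure that the processing is necessary for the purpose of the relevant lawful basis (i.e. there is no other reasonable way of achieving that purpose);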

5.1.3          document our decision as to which lawful basis applies, to help demonstrate our compliance with the data protection principles;

record our decision as to which lawful basis applies, to help demonstrate that we comply with the data protection principles;

5.1.4          include information about both the purposes of the processing and the lawful basis for it in our relevant privacy notice(s);

include information about the purposes of the processing and its lawful basis in our relevant privacy notices;

5.1.5          where sensitive personal information is processed, also identify a lawful special condition for processing that information (see paragraph 6.2.2 of this Policy), and document it; and

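where sensitive personal information is processed, also identify and record a lawful special condition for processing that information (see paragraph 6.2.2 of this Policy);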

5.1.6          where criminal offence information is processed, also identify a lawful condition for processing that information, and document it.

where criminal offence information is processed, also identify and record a lawful condition for processing that information.

5.2              When determining whether the Company’s legitimate interests are the most appropriate basis for lawful processing, we will:

When determining whether the Company's legitimate interests are the most appropriate basis for lawful processing, we will:

5.2.1          conduct a legitimate interests assessment ("LIA") and keep a record of it, to ensure that we can justify our decision;

carry out a legitimate interests assessment ("LIA") and record it, to ensure that we can show our decision is justified;

5.2.2          if the LIA identifies a significant privacy impact, consider whether we also need to conduct a data protection impact assessment ("DPIA");

if the LIA identifies a significant privacy impact, consider whether we also need to carry out a data protection impact assessment ("DPIA");

5.2.3          keep the LIA under review, and repeat it if circumstances change; and

keep the LIA under review and repeat it when circumstances change;

5.2.4          include information about our legitimate interests in our relevant privacy notice(s).

include information about our legitimate interests in our relevant privacy notices.

 

6.                Sensitive personal information

Sensitive personal information

6.1              Sensitive personal information is sometimes referred to as ‘special categories of personal data’ or ‘sensitive personal data’ (e.g. information about your health status).

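Sensitive personal information is sometimes also called "special categories of personal data" or "sensitive personal data" (for example, information about your health status).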

6.2              The Company may from time to time need to process sensitive personal information. We will only process sensitive personal information if:

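The Company may from time to time need to process sensitive personal information. We will process sensitive personal information only in the following circumstances: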

6.2.1          we have a lawful basis for doing so as set out in paragraph 5.1.1 above, for example, it is necessary to comply with the Company’s legal obligations or for the purposes of the Company’s legitimate interests; and

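we have a lawful basis as set out in paragraph 5.1.1 above, for example where it is necessary for compliance with the Company's legal obligations or for the Company's legitimate interests;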

6.2.2          one of the special conditions for processing sensitive personal information applies, for example:

one of the special conditions for processing sensitive personal information applies, for example:

(a)              the data subject has given explicit consent, including but not limited to:

•   when you request special passenger services from us, such as for passengers with wheelchairs or passengers requiring a stretcher

•   when you request refunds from us

資料主體已經給予明確同意。包括但不限於:

•   當您向我們申請了特殊旅客服務,例如輪椅旅客、擔架旅客等

•   當您向我們申請因病退款時

(b)              the processing is necessary for the purposes of exercising the employment law rights or obligations of the Company or the data subject;

處理是為行使公司或者資料主體的勞動法律權利或者義務之目的所必需的;

(c)               the processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable of giving consent;

處理是為保護資料主體的切身利益所必需,並且資料主體在身體上無法給予同意;

(d)              processing relates to personal data which are manifestly made public by the data subject;

處理涉及資料主體明顯公開的個人資料;

(e)              the processing is necessary for the establishment, exercise or defence of legal claims; or

處理對於建立、行使或者辯護法律索賠所必需;

(f)               the processing is necessary for reasons of substantial public interest.

處理是為了重大公共利益所必需的。

6.3              Before processing any sensitive personal information, our staff shall notify the Data Protection Officer of the proposed processing, in order that the Data Protection Officer may assess whether the processing complies with the criteria noted above.

在處理任何敏感個人資訊之前,我們的員工應當將擬進行的處理通知予資料保護主管以便其可以評估該處理是否符合上述標準。

6.4              Sensitive personal information will not be processed until:

敏感個人資訊不會被處理直到:

6.4.1          the assessment referred to in paragraph 6.3 has taken place; and

已進行第6.3條所述的評估;

6.4.2          the individual has been properly informed (by way of a privacy notice or otherwise) of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.

相關人士已經被適當通知了處理的性質(通過隱私通知或者其他方式),進行處理的目的以及其法律基礎。

6.5              During the recruitment process: the HR department, with guidance from the Data Protection Officer as necessary, will ensure that (except where the law permits otherwise):

在招聘的過程中:人力資源部門會根據來自于資料保護主管的指引來確保(除法律另有規定外):

6.5.1          during the short-listing, interview and decision-making stages, no questions are asked relating to sensitive personal information, such as race or ethnic origin, trade union membership or health;

在篩選,面試和做出決定階段,不會詢問有關個人敏感資訊的問題,比如種族或族裔、工會會員身份或者健康狀況;

6.5.2          if sensitive personal information is received, for example, the applicant provides it without being asked for it within his or her resume or during the interview, no record is kept of it and any reference to it is immediately deleted or redacted;

如果收到敏感個人資訊,例如申請人在他或她的簡歷或者面試過程中在未被詢問的情況下提及敏感個人資訊,則對於所提供的敏感個人資訊不保留任何記錄,並立即刪除或者修改任何對其的引用;

6.5.3          any completed equal opportunities monitoring form is kept separate from the individual’s application form, and is not seen by the person shortlisting, interviewing or making the recruitment decision;

任何完成的平等機會監測表和個人申請表會分開放置並且不會被篩選、面試和做出招聘決定的人所看到;

6.5.4          ‘right to work’ checks are carried out before an offer of employment is made unconditional, and not during the earlier short-listing, interview or decision-making stages;

“就業權”檢查在提供無條件聘用之前進行,而不是在較早的篩選、面試或做出決定階段進行;

6.5.5          we will only ask health questions once an offer of employment has been made.

一旦聘用決定做出,我們只會詢問健康狀況問題。

 

7.                Criminal records information

犯罪記錄資訊

7.1              We do not process criminal records information unless required to do so by relevant government authorities (for example, for immigration and security purposes) and under the control of the relevant official authority or authorities.

我們不會處理犯罪記錄資訊,除非有關政府機構這樣要求(例如,為了移民或者安全目的)以及在有關官方機構的控制下。

 

8.                Data protection impact assessments (DPIA)

資料保護影響評估DPIA

8.1              Where processing is likely to result in a high risk to an individual’s data protection rights, we will, before commencing the processing, carry out a DPIA to assess:

在處理可能會對個人的資料保護權造成高風險的情況下,我們會在開始處理之前,進行DPIA以評估:

8.1.1          whether the processing is necessary and proportionate in relation to its purpose;

就其目的而言,處理是否必需以及適當;

8.1.2          the risks to individuals; and

對個人造成的風險;

8.1.3          what measures can be put in place to address those risks and protect personal information.

能夠採取什麼樣的措施來解決這些風險和保護個人資訊。

 

9.                Documentation and records

檔和記錄

9.1              We will keep written records of processing activities which are high risk (for example, which may result in a risk to individuals’ rights and freedoms or involve sensitive personal information or criminal records information), including:

我們會保存高風險處理活動(比如,可能會對個人權利和自由造成風險或者涉及敏感個人資訊或者犯罪紀錄資訊)的書面記錄,包括:

9.1.1          the name and details of the employer’s organisation (and where applicable, of other controllers, the employer's representative and Data Protection Officer);

雇傭機構(如適用,以及其他控制人、雇主代表和資料保護主管)的名稱和詳細資訊;

9.1.2          the purposes of the processing;

處理的目的;

9.1.3          a description of the categories of individuals and categories of personal data;

個人類別和個人資料類別的描述;

9.1.4          categories of recipients of personal data;

個人資料接收方的類別;

9.1.5          details of cross-border transfers, including documentation of the transfer mechanism safeguards in place;

跨境資料轉移的細節,包括已制定轉移機制保障措施的檔;

9.1.6          where possible, retention schedules; and

如果可能,資料保留時間表;

9.1.7          where possible, a description of technical and organisational security measures.

如果可能,技術和組織安全措施的描述。

9.2              As part of our record of processing activities we document, or link to documentation, on:

作為我們記錄處理活動的一部分,我們會以文檔記錄,或者連結到文檔,如下內容:

9.2.1          information required for privacy notices;

隱私通知所需要的資訊;

9.2.2          records of consent;

同意記錄;

9.2.3          controller-processor contracts;

控制人—處理人合同;

9.2.4          the location of personal information;

個人資訊的位置;

9.2.5          DPIAs; and

資料保護影響評估(DPIAs);

9.2.6          records of data breaches.

資料洩露/資料違規的記錄。

9.3              If we process sensitive personal information or criminal records information, we will keep written records of:

如果我們處理敏感個人資訊或者犯罪記錄資訊,我們會對以下內容保持書面記錄:

9.3.1          the relevant purpose(s) for which the processing takes place, including (where required) why it is necessary for that purpose;

進行處理的相關目的,包括(如有需要)為何必須進行處理;

9.3.2          the lawful basis for our processing; and

我們處理的合法基礎;

9.3.3          whether we retain and erase the personal information in accordance with our policy documents (including this Policy) and, if not, the reasons for not following our policy.

我們是否根據我們的政策檔(包括本政策)保留和刪除個人資訊,如果不遵守的話,提供不遵守我們的政策的原因。

9.4              We will conduct regular reviews of the personal information we process and update our documentation accordingly. This may include:

我們將定期審查我們處理的個人資訊並且相應地更新我們的文檔記錄。這可能包括:

9.4.1          carrying out information audits to find out what personal information the Company holds;

進行資訊審查以查明公司所持有的個人資訊;

9.4.2          distributing questionnaires and talking to staff across the Company to get a more complete picture of our processing activities; and

分發問卷並與全公司員工交談,以更全面的瞭解我們的處理活動;

9.4.3          reviewing our policies, procedures, contracts and agreements to address areas such as retention, security and data sharing.

審查我們的政策、程式、合同和協定以處理資料保留、安全以及資料共用等方面的問題。

 

10.              Rights in relation to personal information

與個人資訊有關的權利

10.1           All data subjects have the following rights in relation to their personal information:

所有的資料主體對其個人資訊擁有下列權利:

10.1.1        to be informed about how, why and on what basis that information is processed – see paragraph 4 of this Policy regarding the Company’s privacy notices;

被告知如何、為什麼以及以什麼為基礎處理資訊—參見本政策第4條關於公司隱私通知;

10.1.2        to obtain confirmation that your information is being processed and to obtain access to it and certain other information, by making a subject access request – see paragraph 10.3 below;

通過提出主體訪問請求,以確認您資訊正在被處理並且獲取您資訊及其他相關資訊的存取權限—參見下文的10.3條;

10.1.3        to have data corrected if it is inaccurate or incomplete;

若資料不準確或者不完整,可要求更正;

10.1.4        to have data erased if it is no longer necessary for the purpose for which it was originally collected/processed, or if there are no overriding legitimate grounds for the processing (this is sometimes known as ‘the right to be forgotten’);

如果資料對於其最初被收集/處理的目的而言已不再必需,或者處理沒有可淩駕性的正當理由,可要求將資料刪除(這有時被稱為“被遺忘權”);

10.1.5        to restrict the processing of personal information where the accuracy of the information is contested, or the processing is unlawful (but the data subject does not want the data to be erased); and

當資訊的準確性有爭議時,或者處理不合法時(但資料主體不希望刪除資料),可要求限制該個人資訊的處理;

10.1.6        to restrict the processing of personal information temporarily where you do not think it is accurate, or where you have objected to the processing.

當您認為資料不準確時,或者您拒絕處理時,可要求臨時限制個人資訊的處理。

10.2           If you wish to exercise any of the rights in paragraph 10.1 above, please contact the Data Protection Officer as shown at paragraph 1.7 of this Policy.

如果你想行使上述10.1條中的任何權利時,請聯繫本政策1.7條所述的資料保護主管。

10.3           Subject access requests

主體訪問請求

10.3.1        The Company will seek to comply with subject access requests and to provide the appropriate data within one month of a request being made. Where this isn't possible, the data subject will be kept informed. The Company may take professional advice about how to comply with any request, to ensure that appropriate information is provided. Usually there will be no charge for providing the information.

公司將盡力遵守主體訪問請求並且在請求後的一個月內提供適當的資料。如果不可能做到,資料主體將被知會。公司可能會就如何遵守請求接受專業建議以確保提供適當的資訊。通常情況下提供資訊是免費的。

10.3.2        In the unlikely event of manifestly unfounded or repetitive requests, the Company may decide not to provide information. However, professional advice will be taken in those circumstances.

雖然不太可能發生,但如果發生明顯無理或重複的要求的情況,公司可能決定不提供資訊。然而在這些情況下公司將會接受專業意見。

 

11.              Information security

資訊安全

11.1           The Company will use appropriate technical and organisational measures to keep personal information secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage. These may include:

公司將會採取適當的技術和組織措施來確保個人資訊的安全,特別是防止未經授權或者非法地處理以及意外丟失、破壞或損壞。這些措施可能包括:

11.1.1        making sure that, where possible, personal information is pseudonymised or encrypted;

可能的話,確保個人資訊被假名化或者加密;

11.1.2        ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

確保處理系統和服務持續的保密性、完整性、可用性以及靈活性;

11.1.3        ensuring that, in the event of a physical or technical incident, availability and access to personal information can be restored in a timely manner; and

確保在發生實地或者技術事件時及時恢復個人資訊的可訪問性和存取權限;

11.1.4        a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

定期測試、評估和評價技術和組織措施的有效性以確保處理的安全性。

11.2           Where the Company uses external organisations to process personal information on its behalf, additional security arrangements will need to be implemented in contracts with those organisations to safeguard the security of personal information. In particular, contracts with external organisations will provide that:

如果公司使用外部組織代表其處理個人資訊,則需要在與這些外部組織簽訂的合同中實施額外的安全措施以保護個人資訊的安全。尤其是,與外部組織的合同將規定:

11.2.1        the organisation may act only on the written instructions of the Company;

該組織只能按照公司的書面指示行事;

11.2.2        those processing the data are subject to a duty of confidence;

處理資料的該組織有保密義務;

11.2.3        appropriate measures are taken to ensure the security of processing;

需採取適當的措施以確保處理的安全性;

11.2.4        sub-contractors are only engaged with the prior consent of the Company and under a written contract;

只有在獲得公司的事先同意並且有書面合同的情況下才能聘請分包商;

11.2.5        the organisation will assist the Company in providing subject access and allowing individuals to exercise their rights in relation to data protection;

該組織將協助公司提供主體訪問,並協助公司允許個人行使其在資料保護方面的權利;

11.2.6        the organisation will assist the Company in meeting its obligations in relation to the security of processing, the notification of data breaches and data protection impact assessments;

該組織將協助公司履行其在處理安全、資料洩露通知和資料保護影響評估方面的義務;

11.2.7        the organisation will delete or return all personal information to the Company as requested at the end of the contract; and

該組織將刪除或者按照合同結束時要求的那樣向公司返還所有個人資訊;

11.2.8        the organisation will submit to audits and inspections, provide the Company with whatever information it needs to ensure that they are both meeting their data protection obligations, and tell the Company immediately if it is asked to do something infringing data protection law.

該組織同意被審計和檢查,向公司提供所需的任何資訊以確保雙方都履行了其資料保護的義務,並且在被要求做一些侵犯資料保護法的事情時及時通知公司。

 

12.              Retention of personal information

個人資訊的保留

12.1           Personal information (and sensitive personal information) should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal information was obtained. In general, personal information will be retained as long as is necessary, or for 7 years after it is no longer in use, whichever is earlier.

個人資訊(和敏感個人資訊)不應保留超過必要的時間。資料應該保留的時間長短取決於具體情況,包括獲取個人資訊的原因。一般而言,個人資訊將在必要時保留,或者在不再使用後7年內保留,以先發生者為准。

12.2           Personal information (and sensitive personal information) that is no longer required will be deleted permanently from our information systems and any hard copies will be destroyed securely.

不再需要的個人資訊(和敏感個人資訊)將永久的從我們的資訊系統中刪除,且任何硬拷貝副本將會被安全銷毀。

 

13.              Data breaches

資料洩露

13.1           A data breach may take many different forms, for example:

資料洩露可能有多種不同的形式,例如:

13.1.1        loss or theft of data or equipment on which personal information is stored;

儲存個人資訊的資料或者設備的丟失或者失竊;

13.1.2        unauthorised access to or use of personal information either by a member of staff or third party;

員工或者協力廠商未經授權訪問或者使用個人資訊;

13.1.3        loss of data resulting from an equipment or systems (including hardware and software) failure;

設備或者系統故障(包括硬體和軟體)所造成的資料丟失;

13.1.4        human error, such as accidental deletion or alteration of data;

人為錯誤,如意外刪除或者更改資料;

13.1.5        unforeseen circumstances, such as a fire or flood;

不可預見的情形,比如火災或者洪水;

13.1.6        deliberate attacks on IT systems, such as hacking, viruses or phishing scams; and

針對IT系統的蓄意攻擊,如駭客攻擊、病毒或者網路釣魚詐騙;

13.1.7        ‘blagging’ offences, where information is obtained by deceiving the organisation which holds it.

“欺詐”罪行,其中資訊是通過欺詐持有它的組織而獲得的。

13.2           In the event of a data breach, the Company will act in accordance with its Data Breach Notification Plan without undue delay.

如果發生資料洩露事件,公司將毫不延遲地按照其個人資料洩露通知計畫行事。

 

14.              CONTACT US

聯繫我們

14.1           At any time, if you

在任何時候,如果您

14.1.1        have any complaints, grievances or comments regarding how we are handling your personal information or about our compliance with the GDPR or any other applicable data protection law; or

對於我們如何處理您的個人資訊或者對我們遵守GDPR或者其他適用的資料保護法有任何的投訴、不滿或意見;

14.1.2        wish to revoke any consent you have previously given to us to use your personal information;

希望撤銷您之前向我們做出的關於使用您個人資訊的任何同意;

we welcome you to contact our Data Protection Officer and/or our EU Representative using the contact details provided under paragraph 1.7 of this Policy. We will strive to deal with any complaints, grievances or comments that you may have speedily and fairly.

我們歡迎您通過本政策第1.7條的聯繫方式與我們的資料保護主管和/或我們的歐盟代表聯繫。我們將竭盡全力迅速且公平的處理您可能提出的任何投訴、不滿或意見。

 

15.              Privacy Policy amendment

隱私條款修改

Hainan Airlines may amend this Privacy Policy from time to time. Use of the website, mobile site and mobile applications after the effective date of the amendments constitutes acceptance of the amended terms and conditions. We reserve the right to apply the amended terms to the information we have already collected, subject to any legal constraints. You should read and review this page regularly to see if there have been any changes.

本隱私條款的修改權、更新權均屬中國海南航空控股股份有限公司。我們可能會不定期修訂、更新本隱私條款,並在網站上公佈最新版本。我們建議您在使用我們的網站時,定期查閱這一頁面,以便您能瞭解隱私條款是否有任何的變動。 

Last updated: June 2018

最近更新時間:2018年6月