隐私声明
DATA PROTECTION POLICY / CODE OF CONDUCT
数据保护政策 / 行为准则
引言
1.1 This Policy gives important information about:
本项政策提供了有关以下各方面的重要信息:
1.1.1 the data protection principles with which Hainan Airlines Holding Company Limited (hereinafter the "Company", "we", "us" or "our") must comply;
海南航空控股股份有限公司(下称“本公司”、“我们”、“我司”或者“我们的”)必须遵守的数据保护原则;
1.1.2 what is meant by personal information (or data) and sensitive personal information (or data);
个人信息(或数据)以及敏感个人信息(或数据)的含义;
1.1.3 how we gather and use personal information and sensitive personal information in accordance with the data protection principles under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the requirements of other relevant laws and regulations of other countries and regions; and
我们是如何依据《一般数据保护条例》(EU) 2016/679 ("GDPR") 等其他国家、地区相关法律法规要求中的数据保护原则来收集和使用个人信息以及敏感个人信息的;
1.1.4 data subjects' rights and obligations in relation to data protection.
数据主体与数据保护有关享有的权利和承担的义务。
1.2 This Policy applies to all personal information collected by or on behalf of the Company, and may include personal information about its customers, potential customers, website visitors and job applicants. This Policy may be provided to you using a number of methods, including through the use of any of our websites, through the use of any of our mobile applications, through the use of telephone, or in-person at any of our retail locations.
本项政策适用于本公司自行或委托他方收集的所有个人信息,其中可包括有关本公司客户、潜在客户、网站用户和求职者的个人信息。本项政策可通过多种方式向您提供,包括通过访问本公司的任何网站、使用本公司推出的任何一种移动应用程序、打电话或在本公司任何一家实体门店与服务人员面对面沟通。
1.3 We will review and update this Policy as we deem necessary or in accordance with our data protection obligations.
我们将在必要的情况下或依据我们承担的数据保护义务,对本项政策进行审查和更新。
1.4 The Company may obtain, keep and use personal information (also referred to as personal data) about its customers, potential customers, website visitors and job applicants for a number of specific lawful purposes.
本公司可为多个特定的合法目的而取得、保存并使用有关其客户、潜在客户、网站用户和求职者的个人信息(也称为“个人数据”)。
1.5 This Policy sets out how we comply with our data protection obligations and seek to protect personal information. Its purpose is also to ensure that our staff understand and comply with the rules governing the collection, use and deletion of personal information to which they may have access in the course of their work.
本项政策对我司具体如何履行我们承担的数据保护义务,以及采取何种措施来保护个人信息作出了规定。起草本项政策的另一个目的是为确保我们的员工了解并遵守适用于收集、使用和删除其在履行工作职责的过程中可能接触到的个人信息的相关规则。
1.6 We are committed to complying with our data protection obligations, and to being concise, clear and transparent about how we obtain and use personal information, and how (and when) we delete that information once it is no longer required.
我们承诺将遵守我们所承担的数据保护义务,并对我们如何取得并使用个人信息,以及当不再需要时我们如何(以及何时)删除该等数据保持简明、清晰和透明的态度。
1.7 The Company’s Data Protection Officer has overall responsibility for addressing all issues relating to the protection of your personal information, and is responsible for assisting us in monitoring internal compliance, informing and advising on our data protection obligations and acting as a contact point for you and any supervisory authority. If you have any questions or comments about the content of this Policy or if you need further information, you can contact the following persons:
1.7.1 The Company's Data Protection Officer: [HNA-DPO@hnair.com]; or
本公司的数据保障负责人:[HNA-DPO@hnair.com];
1.7.2 The Company's EU representative: [HNA-DPO@hnair.com].
本公司的欧盟代表:[HNA-DPO@hnair.com]。
定义
"criminal records information" | means personal information relating to criminal convictions and offences, allegations, proceedings, and related security measures; |
"data breach" | means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information; |
"data subject" | means the individual to whom the personal information relates; |
"personal information" or "personal data" | means information relating to an individual who can be identified (directly or indirectly) from that information; |
"processing" | means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it; |
"pseudonymised" | means the process by which personal information is processed in such a way that it cannot be used to identify an individual without the use of additional information, which is kept separately and subject to technical and organisational measures to ensure that the personal information cannot be attributed to an identifiable individual; |
"sensitive personal information" | (sometimes known as "special categories of personal data" or "sensitive personal data") means personal information about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetics information, biometric information (where used to identify an individual) and information concerning an individual’s health, sex life or sexual orientation. |
"Websites" | means any website(s) owned or operated by the Company. |
指涉及刑事定罪和犯罪、指控、法律程序和相关安保措施的个人信息; | |
“数据违规”或“数据泄露” | 指违反安保措施,导致个人信息被意外或非法损毁、丢失、更改、未经授权地披露或获取的情形; |
“数据主体” | 指个人信息所涉及的个人; |
“个人信息” 或“个人数据” | 指与某一个人相关的、从中可(直接或间接)识别此人身份的信息; |
“处理” | 指获取、记录、组织、储存、修改、检索、披露及/或销毁信息、使用信息或利用信息实施任何一种行为; |
“假名化” | 指对个人信息采取的一种处理方式,经处理后,不利用额外信息将无法识别相关个人的身份,而上述额外信息被单独存放,受制于技术和组织管理手段,以确保有关的个人信息无法与一名可识别的个人相关联; |
“敏感个人信息” | (也称作“特殊类别个人数据”或“敏感个人数据”)指有关个人的人种、种族、政治倾向、宗教或哲学信仰、工会会员(或非会员)的个人信息、遗传信息、(用于识别个人身份的)生物信息以及有关个人健康、性生活或性取向方面的信息; |
“网站” | 指本公司拥有或运营的任何一个网站。 |
3. DATA PROTECTION PRINCIPLES
数据保护原则
3.1 The Company will comply with the following data protection principles when processing personal information:
在处理个人信息时,本公司将遵守下列数据保护原则:
3.1.1 we will process personal information lawfully, fairly and in a transparent manner;
我们将以合法、公平和透明的方式来处理个人信息;
3.1.2 we will collect personal information for specified, explicit and legitimate purposes only, and will not process it in a way that is incompatible with those legitimate purposes;
我们仅为指定、明确及合法的目的收集个人信息,不会以和该等合法目的不相符的方式来处理个人信息;
3.1.3 we will only process the personal information that is adequate, relevant and necessary for the relevant purposes;
我们仅在针对相关目的而言适当、有关及必要的情况下才会处理个人信息;
3.1.4 we will keep accurate and up to date personal information, and take reasonable steps to ensure that inaccurate personal information are deleted or corrected without delay;
我们将保持个人信息的准确和更新,并采取合理行动确保及时删除或更正不准确的个人信息;
3.1.5 we will keep personal information in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the information is processed; and
我们将以恰当的形式来保存个人信息,确保就识别数据主体之身份而言,信息的保存时间不长于处理信息之目的所需;
3.1.6 we will take appropriate technical and organisational measures to ensure that personal information are kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
我们将采取适当的技术和组织管理手段,以确保个人信息的安全,并保障信息不会受到未经授权或非法的处理,或遭受意外丢失、损毁或破坏。
隐私通知
4.1 The Company may supplement this Policy by issuing privacy notices from time to time, informing you about the personal information that we collect and hold relating to you, how you can expect your personal information to be used and for what purposes.
本公司可能不时对本项政策作出补充,告知您有关本公司收集和持有的有关您的个人信息,以及本公司将会以何种方式以及为何种目的使用您的个人信息。
4.2 We will take appropriate measures to provide information in privacy notices in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
我们将采取适当措施以简洁、透明、易于理解和阅读的形式,并采用清晰直白的语言通过隐私通知向您传达信息。
4.3 When personal information is collected
何时收集个人信息
4.3.1 We collect personal information where it is necessary for us to conduct our everyday activities or functions.
我们在开展日常经营活动或履行日常职责所需时收集个人信息。
4.3.2 Here are some examples of situations where we collect personal information:
以下列举了一些我们收集个人信息的情形:
(a) when you register for an account on our Websites, apps or kiosks;
当您在本公司网站、应用程序或柜台注册账户时;
(b) when you complete purchase orders, requests or applications for our products, services and/or facilities (by telephone, in person, by post, on forms, through our Websites or by any other means);
当您(通过电话、亲自、通过邮件、表格,或通过本公司网站或任何其他方式)针对本公司产品、服务及/或设施填写采购订单、书面要求或申请时;
(c) when you communicate with us directly in relation to our products, services and/or facilities (by telephone, in person, by post, on forms, through our Websites or by any other means);
当您(通过电话、亲自、通过邮件、表格,或通过本公司网站或任何其他方式)就与本公司产品、服务及/或设施有关的问题直接与我们沟通时;
(d) when you use services and/or facilities that are made available on our Websites or at our physical locations;
当您使用我们通过本公司网站或实体门店提供的服务及/或设施时;
(e) when you conduct certain types of transactions such as booking tickets, redeeming points for tickets, purchasing points, or refunds;
当您实施某一类交易(如购票、兑换机票、购买积分、退款)时;
(f) when you enter, and when you interact with us during, any of our promotions, competitions, contests, lucky draws or special events;
当您参加我们组织的任何一项促销、比赛、竞赛、抽奖或特别活动,并在活动期间与我们进行互动时;
(g) when you subscribe to any of our membership programmes;
当您注册参与我们组织的任何一个会员项目时;
(h) when you participate in our surveys and other types of research; or
当您参与我们发起的意见调查及其他类型的调研时;
(i) when you apply for employment with us.
当您向本公司提出就职申请时。
4.3.3 We do not collect personal information from persons under the age of 16 without prior permission from a parent or a guardian. If you believe that we have accidentally collected personal information from a person under the age of 16 without the prior permission of a parent or guardian, please contact our Data Protection Officer at once under paragraph 1.7 of this Policy in order to have the relevant personal information erased. If you are under the age of 16, please do not proceed to provide us with any of your personal information through any means whatsoever unless you have first procured permission from your parent or your guardian.
未经父母或监护人事先许可,我们不会向未成年人(根据适用法律)收集其个人信息。如果您认为我们在未经父母或监护人事先许可的情况下不慎收集了未成年人(根据适用法律)的个人信息,请立即通过本项政策第1.7条下所述的联系方式与本公司的数据保障负责人联系,从而确保将相关的个人信息删除。如果您是未成年人(根据适用法律),请不要通过任何方式向本公司提供您的个人信息,除非您已事先取得您父母或监护人的许可。
4.4 What personal information is collected
何种个人信息将被收集
4.4.1 The provision of your personal information is voluntary unless otherwise indicated as mandatory. If you do not provide any personal information to us which is mandatory, we may not be able to provide the products and/or services that you require of us.
除非指明是强制性要求,否则提供您的个人信息均是自愿性质的。如果您不向我们提供我们强制要求您提供的信息,我们可能无法向您提供所要求的产品及/或服务。
4.4.2 The types of personal information which we may collect include the following:
我们可能收集的个人信息的种类包括:
(a) contact information such as names, addresses, telephone numbers, email addresses, delivery addresses and usernames;
联络信息,例如姓名、地址、电话号码、电子邮箱地址、收货地址、用户名;
(b) billing information such as billing address, bank card information and credit card information;
收费信息,例如账单地址、银行卡信息和信用卡信息;
(c) unique information such as nationality and identity document information (including but not limited to identity card numbers, passport numbers, photographs and date of birth), occupational duties, health status and meal preferences;
独特信息,例如国籍、证件信息(包括但不限于身份证号码、护照号码、照片和出生日期)、职业职务、健康状况、餐食偏好;
(d) contact and marketing preferences;
偏好接受的联系方式和营销资料;
(e) details of any membership that you have with us;
您在本公司的会员资料;
(f) details of your visits to our Websites, such as traffic data, location data, and the resources that you access on our Websites;
您访问本公司网站的详情,例如流量数据、地点数据以及您进入本公司网站所访问的资源;
(g) details of your online identifiers, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags;
您网上标识符的详情,例如IP地址、cookie标识符或诸如射频识别标签等其他标识符;
(h) your transaction history with us; and
您在本公司的交易记录;
(i) if you are a candidate for employment, any personal information that you provide to us during the recruitment process including personal details from your resume and any application form that you submit to us. Such personal information may include your employment history and working eligibility rights.
如果您是求职者,您在招聘过程中向我们提供的任何个人信息,包括您提交给本公司的简历和入职申请表中包含的个人详情。该等个人信息可能包括您的工作经历和就业权信息。
4.4.3 You may, in certain circumstances, provide us with personal information relating to third parties (for example, your designated Fortune Wings Club beneficiaries, next-of-kin, traveling companion or, if you are a candidate for employment, any person whom you have nominated as your referee). When this happens, you are deemed to have represented and confirmed to us that you have obtained the consent of such third party to provide his/her personal information to us for processing in the manner set out in this Policy.
在特定情况下,您可能向我们提供涉及第三方(比如,您的指定金鹏受益人、直系亲属、旅伴或者(若您是求职者)您的推荐人)的个人信息。在此情况下,您被视为已向本公司声明并确认,您已取得该等第三方的同意,向本公司提供其个人信息并且本公司可按照本项政策规定的方式处理该等信息。
4.5 Purposes for collection, use and processing of personal information
4.5.1 The personal information which we collect from you may be collected, used, disclosed and/or processed for various purposes, depending on the circumstances at hand and your consent, including for example:
取决于当下的情形以及您的同意,我们向您收集的个人信息可能是为各种目的而采集、使用、披露及/或处理,包括(举例而言):
(a) to assess, process and provide our products, services and/or facilities requested by you; including but not limited to:
l selling flight tickets, flight ticket and hotel packages, in-flight merchandise, etc.
l sending you product or service booking confirmations
l providing you with flight-related services, such as check-in, meals, seat selection, luggage services, transit accommodation, irregular flight guarantees and special passenger services
l providing notifications and instructions related to products or services during your journey, such as instructions about boarding gates and baggage collection
评估、处理和提供您要求的本公司的产品、服务及/或设施。包括但不限于:
l 销售机票、机票加酒店、机上商品等
l 向您发送产品或服务的预订确认
l 为您提供与航班相关服务,例如值机、餐食、选座、行李服务、中转住宿、不正常航班保障、特殊旅客服务等
l 在您的旅途中提供与产品或服务相关的通知与提示,例如登机口提示、行李转盘提示等
(b) to provide you with any assistance that you have requested; including but not limited to:
l related enquiries or information confirmation operations that you have authorized us to carry out
l responding to your enquiries
l assisting you with transaction operations
l providing you with technical assistance
向您提供您所要求的任何协助。包括但不限于:
l 您授权我们进行相关的查询或者信息确认操作
l 解答您的疑问咨询
l 协助您进行交易操作
l 为您提供技术援助
(c) to maintain and improve our customer relationship with you; including but not limited to:
l inviting you to join the Fortune Wings Club
l inviting you to participate in various satisfaction surveys
维护并提升您与本公司之间的客户关系。包括但不限于:
l 邀请您加入金鹏俱乐部
l 邀请您参与形式多样的满意度调研
(d) to establish your identity; including but not limited to:
l requesting that you present the relevant documents during check-in, boarding, baggage inspection and other procedures
l informing you about login activity on your online account
l requesting that you present the relevant documents when proceed with membership affair
确定您的身份。包括但不限于:
l 在值机、登机、行李检查等环节要求您出示相关证件
l 向您告知网络账号的登录行为
l 在办理会员业务时要求您提供相关证件
(e) to administer and process any payments (including refunds) related to products, services and/or facilities or other commercial transactions requested by you; including but not limited to:
l making order payments
l handling your refund requests
l fulfilling our compensation obligations
管理并处理与您要求的产品、服务及/或设施或其他商业交易有关的任何付款(包括退款)。包括但不限于:
l 进行订单支付
l 处理您提出的退款要求
l 履行我们的补偿义务
(f) to respond to your enquiries or complaints and resolve any issues and disputes which may arise in connection with any dealings between us;
对与你我之间的任何交易有关您所提出的问询或投诉作出回复,并解决出现的任何问题和争议;
(g) to provide you with information and updates on products, services, facilities, loyalty programmes, promotions, launches, campaigns, contests and/or events offered or organised by us and our affiliated partners from time to time, in accordance with your consent; including but not limited to
l sending you event invitations
l delivering or distributing prizes to you
在取得您同意的情况下,向您提供有关本公司及我们的关联合作方不时提供或组织的产品、服务、设施、客户忠诚计划、促销、产品投放、专项营销、比赛及/或会展活动的相关信息和最新资讯。包括但不限于:
l 向您发送活动邀请
l 向您交付或分发奖品
(h) for direct marketing purposes via SMS, phone, email, fax, mail, instant messaging, social media and/or any other appropriate communication channels, in accordance with your consent;
在取得您同意的情况下,通过短信、电话、电子邮件、传真、邮件、即时通讯、社交媒体及/或任何其他适当的通讯手段达到直接营销的目的;
管理我们的客户忠诚或奖励计划,包括使用机场贵宾休息室和管理金鹏俱乐部事务;
(j) to engage in codesharing or similar business arrangements with other airlines;
实施航班代码共享或与其他航空公司之间的类似商业安排;
(k) to cater to your dietary requirements when using our products, services and/or facilities;
满足您在使用我们的产品、服务及/或设施时提出的餐饮要求;
(l) for internal administrative purposes and record-keeping;
满足内部管理和记录存档要求;
(m) to send you seasonal greetings messages from time to time;
不时向您发送节日祝福讯息;
(n) to send you service or account change notifications and information when necessary;
必要时向您发送服务、账户变动通知消息;
(o) to monitor, review and improve our products, services, facilities, promotions and/or events; including but not limited to:
l cookies used by our websites and apps
l traffic analysis and performance monitoring tools used by our websites and apps
监控、审查并改进我们的产品、服务、设施、促销方案及/或展会活动。包括但不限于:
l 我们的网站、APP使用cookie
l 我们的网站、APP使用流量分析与性能监控工具
(p) to conduct market research or surveys, internal marketing analysis, customer profiling activities, analysis of customer patterns and choices, planning and statistical and trend analysis in relation to our products, services and/or facilities;
针对我们的产品、服务及/或设施开展市场调查或调研、内部营销分析、客户资料管理、客户模式和选择分析、规划/统计/趋势分析;
(q) to process, combine and/or analyse your personal information for the above purposes;
为上述目的处理、整合及/或分析您的个人信息;
(r) for detecting, investigating and preventing fraudulent, prohibited or illegal activities;
发现、调查及防止欺诈、禁止或非法的活动;
(s) for our audit, risk management and security purposes;
满足本公司审计、风险管理及安保目的;
(t) for enabling us to perform our obligations and enforce our rights under any agreements or documents that we are a party to;
使本公司能够履行我们作为当事方的任何协议或文件下应承担的义务,并行使我们在该等协议或文件下享有的权利;
(u) to transfer or assign our rights, interests and obligations under any agreements entered into with us;
转让或出让我们所订立的任何协议下所享有的权利、权益及承担的义务;
(v) for meeting any applicable legal or regulatory requirements and making disclosure under the requirements of any applicable law, legislation, regulation, direction, court order, by-law, guideline, circular or code applicable to us from time to time ("Applicable Law");
遵循任何适用的法律或监管要求,根据不时适用于本公司的任何法律、立法、法规、指令、法庭命令、规章、指南、通知或法典(“适用法律”)的规定作出信息披露;
(w) to enforce or defend our rights and your rights under, and to comply with, our obligations under any Applicable Law.
行使或保障你我双方于任何适用法律项下享有的权利,及履行本公司于任何适用法律项下应承担的义务。
4.5.2 We will notify you in advance of any other purpose(s) for which we intend to use your data and obtain your consent where necessary, unless we are permitted by the GDPR or any other Applicable Law to process your personal information without your consent.
如果本公司意图将您的数据用于任何其他目的,我们将事先向您告知并取得您的同意,除非根据GDPR或任何其他适用法律,我们获准在未取得您同意的情况下处理您的个人信息。
4.5.3 Please note that you have the right to object to the processing of your personal data for direct marketing purposes and the right to opt-out of any direct marketing from us and to unsubscribe from any SMS, phone, email, fax, mail, instant messaging, social media and/or other communication channels we use to engage in direct marketing with you. We will endeavour to provide instructions in all such communications on how to opt-out, but you may also contact our Data Protection Officer under paragraph 1.7 of this Policy if you wish to exercise your right to opt-out and are not clear how to exercise such right accordingly.
敬请注意,您有权拒绝为达到直接营销的目的而处理您的个人数据,并有权退出本公司的任何直接营销计划,从我们将您纳入其中展开直接营销的任何短信、电话、电子邮件、传真、邮件、即时通讯、社交媒体及/或其他通讯系统中进行退订。我们将尽力在上述各种通讯系统中提供如何退订系统的说明,但如果您想行使退订系统的权利并且不清楚如何行使该权利,您也可参见本项政策第1.7条,与本公司的数据保障负责人联系。
4.6 Transfer of personal information
个人信息的传输
4.6.1 In order to smoothly conduct our business operations and/or to fulfil our obligations to you, we may disclose the personal information that we have collected from you to third parties, for one or more of the purposes set out at paragraph 4.5 of this Policy. Examples of third parties to whom we may disclose your personal information include:
为顺利开展我们的业务运作,及/或为履行我们对您承担的义务,我们可能会为了达成本项政策第4.5条所述的一个或多个目的,而将我们向您收集的个人信息披露给第三方。举例而言,我们可能会向其披露您个人信息的第三方包括:
(a) other companies in our group, such as our sister airlines, for the purposes of paragraphs 4.5.1(a), 4.5.1(b), 4.5.1(i), 4.5.1(j) and 4.5.1(k).
就4.5.1(a)、4.5.1(b)、4.5.1(i)、4.5.1(j)和4.5.1(k)所述之目的而言,我司集团旗下的其他公司,比如我们的姐妹航空公司;
(b) third party service providers, agents, affiliates or related companies who provide operational services in connection with our business such as data entry, telecommunications, information technology, logistics, storage and warehousing, catering, delivery, assembly, installation, printing and postal services, credit checks, credit facilities or services relating to marketing and promotional activity; including but not limited to:
l providers of related supplementary services, such as hotels, insurance companies, logistics companies, food supply companies and sales product suppliers
l other airlines, such as codesharing partners and mutual sales partners. Please note: Other airlines have their own privacy policies. If your travel plan includes traveling with other airlines, we recommend that you check the other policies, as they may differ from this Privacy Policy
l information technology providers, such as TravelSky, Amadeus and Google
提供与本公司业务相关的运营服务(如数据录入、通讯、信息技术、物流、仓储、餐饮、送货、装配、安装、打印和邮递服务、信用调查、融资或与营销推广活动有关的服务)的第三方服务提供商、代理商、关联方或关联企业。包括但不限于:
l 相关附加服务的提供商,例如酒店、保险公司、物流公司、餐食供应公司、销售产品供应商等
l 其他航空公司。例如代码共享合作伙伴、互售合作伙伴等。请注意:其他航空公司有其自己的隐私政策。如果您的旅行计划包含其他航空公司的旅行,我们建议您查看其他政策,因为这些政策可能与本隐私声明有所不同。
l 信息技术提供商,例如中国民航信息集团、Amadeus、Google等
(c) our professional advisors, consultants and/or auditors; and
我们的专业顾问及/或审计师;
(d) relevant government regulators or authorities (in accordance with any Applicable Law). Including but not limited to:
l public security agencies (such as the National Civil Aviation Public Security Big Data Operation & Training Center) to which we submit personal information for screening in the interests of public safety and anti-terrorism
(根据任何适用法律行使职权的)相关政府监管机构或政府机关。包括但不限于:
l 提交至公安机关(例如全国民航公安大数据战训中心)进行筛查,用于维护公共安全和反恐。
4.6.2 The third parties with whom we conduct business are only authorised to use your personal information to perform the service for which they were hired. As part of our agreement with them, they may be required to adhere to the GDPR and/or any policies that we provide, and to take reasonable measures to ensure your personal information is secure.
与我们有业务往来的第三方仅有权将您的个人信息用于履行受委托的服务职责。作为我们与之订立的协议的一部分,这些第三方可能被要求遵守GDPR及/或我们提供的任何方针,并采取合理措施确保您个人信息的安全。
4.7 Transfer of personal information of EEA data subjects out of the EEA
将欧洲经济区数据主体的个人信息转移出欧洲经济区
4.7.1 Due to the global nature of the services that we provide, it is sometimes necessary for us to share the personal information of data subjects in the EEA with parties outside the EEA, for example:
由于我们提供的服务具有全球性,有时我们有必要与欧洲经济区以外的各方共享欧洲经济区数据主体的个人信息,例如:
(a) with our offices outside the EEA;
与我们在欧洲经济区之外的办事处共享;
(b) with our service providers located outside the EEA;
与位于欧洲经济区以外的服务提供商分享;
(c) if the data subject is based outside the EEA; or
当数据主体在欧洲经济区工作生活;
(d) where there is an international dimension to the services we are providing to the data subject.
我们正在向数据主体提供的服务具有国际性元素。
4.7.2 These transfers are subject to special rules under European data protection law.
这些转移受欧洲数据保护法下的特殊规定约束。
4.7.3 The Company may transfer personal information outside the EEA to:
公司可将个人信息转移出欧洲经济区至:
(a) a country, territory or organisation that is designated as having an adequate level of protection; or
被指定的具有适当保护水平的国家、地区或组织;
(b) an organisation receiving the information that has provided adequate safeguards by way of binding corporate rules, standard data protection clauses or compliance with an approved code of conduct.
一个已通过有约束力的公司规则、标准数据保护条款或遵守已批准的行为规范的方式来提供适当保障措施的组织。
4.7.4 In the absence of a European Commission adequacy decision, or of appropriate safeguards, we may need to transfer personal information of an EEA data subject to non-EEA countries where this is necessary for the performance of a contract or the implementation of pre-contractual measures.
在没有欧盟委员会适当性决定(指拟将个人数据转移至的国家、地区或组织是否具有适当保护水平的决定)或适当保障措施的情况下,我们可能需要将欧洲经济区数据主体的个人信息转移至履行合同或执行合同前措施所必需的非欧洲经济区国家。
4.7.5 There may also be circumstances where we ask for the explicit consent of an EEA data subject to the transfer of personal information to a non-EEA country for purposes other than the performance of a contract or the implementation of pre-contractual measures. In such circumstances, we will inform the data subject of the increased risks of such transfer due to the absence of safeguards and the fact that these non-EEA countries (for example, the People's Republic of China) do not have the same data protection laws as the EEA.
在某些情况下,为了一些并不是履行合同或实施合同前措施的其他目的,我们也可能会寻求欧洲经济区数据主体的明确同意,将人信息转移给非欧洲经济区国家。在这种情况下,我们将通知数据主体,由于缺乏保障措施以及这些非欧洲经济区国家(例如中华人民共和国)没有与欧洲经济区相同的数据保护法,这些转移可能会有增加的风险。
4.7.6 We will, however, ensure that all transfers of personal information of EEA data subjects out of the EEA comply with the GDPR. Our practice is, wherever possible and applicable, to use standard data protection contract clauses that have been approved by the European Commission. Those clauses are available on the following website of the European Commission:
但是,我们将确保所有将欧洲经济区数据主体的个人信息转移出欧洲经济区的转移符合GDPR。我们的做法为,在可能和适用的情况下,使用经欧盟委员会批准的标准数据保护合同条款,这些条款可在欧盟委员会的以下网站上找到:
4.7.7 If you would like further information please contact the Data Protection Officer as shown at paragraph 1.7 of this Policy.
如果您想了解更多信息,请与本政策第1.7条中所述的数据保护主管联系。
5. Basis for processing personal information
处理个人信息的基础
5.1 In relation to any processing activity we will, before the processing starts for the first time, and then regularly while it continues:
对于任何处理活动,我们会在处理活动开始之前,以及处理活动进行的过程中定期执行以下的操作:
5.1.1 review the purposes of the particular processing activity, and select the most appropriate lawful basis (or bases) for that processing, i.e.:
审查特定处理活动的目的,并为该处理选择最适合的合法基础,即:
(a) that the data subject has consented to the processing;
数据主体已经同意该处理;
(b) that the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
该处理为履行数据主体所订立的合同所必需的,或者该处理是为了在订立合同前根据数据主体的要求采取措施所必需的;
(c) that the processing is necessary for compliance with a legal obligation to which the Company is subject;
为了遵守公司所承担的法律义务,该处理是必需的;
(d) that the processing is necessary for the protection of the vital interests of the data subject or another natural person; or
(e) that the processing is necessary for the purposes of legitimate interests of the Company or a third party, except where those interests are overridden by the interests of fundamental rights and freedoms of the data subject – see paragraph 5.2 of this Policy.
为了公司或者第三方正当利益,该处理是必需的,除非这些利益被数据主体的基本权利和自由利益所凌驾—参见本政策第5.2条。
5.1.2 except where the processing is based on consent, satisfy ourselves that the processing is necessary for the purpose of the relevant lawful basis (i.e. that there is no other reasonable way to achieve that purpose);
除基于同意所进行的处理外,确保处理是为了相关的合法基础的目的所必需的(即没有其他合理的方法来达到此目的);
5.1.3 document our decision as to which lawful basis applies, to help demonstrate our compliance with the data protection principles;
记录我们关于适用何种合法基础的决定,以帮助证明我们遵守数据保护原则;
5.1.4 include information about both the purposes of the processing and the lawful basis for it in our relevant privacy notice(s);
在我们的相关隐私通知中包含有关处理的目的及其合法基础的信息;
5.1.5 where sensitive personal information is processed, also identify a lawful special condition for processing that information (see paragraph 6.2.2 of this Policy), and document it; and
在处理敏感个人信息的情况下,还应确定处理该信息的合法特殊条件(见本政策的第6.2.2条)并予以记录;
5.1.6 where criminal offence information is processed, also identify a lawful condition for processing that information, and document it.
在处理刑事犯罪信息的情况下,还应确定处理该信息的合法条件并予以记录。
5.2 When determining whether the Company’s legitimate interests are the most appropriate basis for lawful processing, we will:
当确定公司的正当利益是否为合法化处理最合适的基础时,我们将:
5.2.1 conduct a legitimate interests assessment ("LIA") and keep a record of it, to ensure that we can justify our decision;
进行正当利益评估(“LIA”)并记录下来,以确保我们能够证明我们的决定是合理的;
5.2.2 if the LIA identifies a significant privacy impact, consider whether we also need to conduct a data protection impact assessment ("DPIA");
如果LIA确定有重大的隐私影响,我们会考虑我们是否还需要进行数据保护影响评估(“DPIA”)
5.2.3 keep the LIA under review, and repeat it if circumstances change; and
保持对LIA的审查,并在情况发生变化时重复进行;
5.2.4 include information about our legitimate interests in our relevant privacy notice(s).
在我们的相关隐私通知中包含有关我们正当利益的信息。
6. Sensitive personal information
敏感个人信息
6.1 Sensitive personal information is sometimes referred to as ‘special categories of personal data’ or ‘sensitive personal data’ (e.g. information about your health status).
敏感个人信息有时候又被称为“特殊类别的个人数据”或者“敏感个人数据”(如您的健康状况信息)。
6.2 The Company may from time to time need to process sensitive personal information. We will only process sensitive personal information if:
公司可能时不时需要处理敏感个人信息。我们只会在以下情况下处理敏感个人信息:
6.2.1 we have a lawful basis for doing so as set out in paragraph 5.1.1 above, for example, it is necessary to comply with the Company’s legal obligations or for the purposes of the Company’s legitimate interests; and
我们有上述第5.1.1条所述的合法基础,比如,为遵守公司的法律义务或者为公司的正当利益所必需;
6.2.2 one of the special conditions for processing sensitive personal information applies, for example:
处理敏感个人信息的特殊条件之一适用,如:
(a) the data subject has given explicit consent; including but not limited to:
l when you request special passenger services from us, such as for passengers with wheelchairs or passengers requiring a stretcher
l when you request refunds from us
数据主体已经给予明确同意。包括但不限于:
l 当您向我们申请了特殊旅客服务,例如轮椅旅客、担架旅客等
l 当您向我们申请因病退款时
(b) the processing is necessary for the purposes of exercising the employment law rights or obligations of the Company or the data subject;
处理是为行使公司或者数据主体的劳动法律权利或者义务之目的所必需的;
(c) the processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable of giving consent;
处理是为保护数据主体的切身利益所必需,并且数据主体在身体上无法给予同意;
(d) processing relates to personal data which are manifestly made public by the data subject;
处理涉及数据主体明显公开的个人资料;
(e) the processing is necessary for the establishment, exercise or defence of legal claims; or
处理对于建立、行使或者辩护法律索赔所必需;
(f) the processing is necessary for reasons of substantial public interest.
处理是为了重大公共利益所必需的。
6.3 Before processing any sensitive personal information, our staff shall notify the Data Protection Officer of the proposed processing, in order that the Data Protection Officer may assess whether the processing complies with the criteria noted above.
在处理任何敏感个人信息之前,我们的员工应当将拟进行的处理通知予数据保护主管以便其可以评估该处理是否符合上述标准。
6.4 Sensitive personal information will not be processed until:
敏感个人信息不会被处理直到:
6.4.1 the assessment referred to in paragraph 6.3 has taken place; and
已进行第6.3条所述的评估;
6.4.2 the individual has been properly informed (by way of a privacy notice or otherwise) of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.
相关人士已经被适当通知了处理的性质(通过隐私通知或者其他方式),进行处理的目的以及其法律基础。
6.5 During the recruitment process: the HR department, with guidance from the Data Protection Officer as necessary, will ensure that (except where the law permits otherwise):
在招聘的过程中:人力资源部门会根据来自于数据保护主管的指引来确保(除法律另有规定外):
6.5.1 during the short-listing, interview and decision-making stages, no questions are asked relating to sensitive personal information, such as race or ethnic origin, trade union membership or health;
在筛选,面试和做出决定阶段,不会询问有关个人敏感信息的问题,比如种族或族裔、工会会员身份或者健康状况;
6.5.2 if sensitive personal information is received, for example, the applicant provides it without being asked for it within his or her resume or during the interview, no record is kept of it and any reference to it is immediately deleted or redacted;
如果收到敏感个人信息,例如申请人在他或她的简历或者面试过程中在未被询问的情况下提及敏感个人信息,则对于所提供的敏感个人信息不保留任何记录,并立即删除或者修改任何对其的引用;
6.5.3 any completed equal opportunities monitoring form is kept separate from the individual’s application form, and not be seen by the person shortlisting, interviewing or making the recruitment decision;
任何完成的平等机会监测表和个人申请表会分开放置并且不会被筛选、面试和做出招聘决定的人所看到;
6.5.4 ‘right to work’ checks are carried out before an offer of employment is made unconditional, and not during the earlier short-listing, interview or decision-making stages;
“就业权”检查在提供无条件聘用之前进行,而不是在较早的筛选、面试或做出决定阶段进行;
6.5.5 we will only ask health questions once an offer of employment has been made.
一旦聘用决定做出,我们只会询问健康状况问题。
7. Criminal records information
犯罪记录信息
7.1 We do not process criminal records information unless required to do so by relevant government authorities (for example, for immigration and security purposes) and under the control of the relevant official authority or authorities.
我们不会处理犯罪记录信息,除非有关政府机构这样要求(例如,为了移民或者安全目的)以及在有关官方机构的控制下。
8. Data protection impact assessments (DPIA)
数据保护影响评估(DPIA)
8.1 Where processing is likely to result in a high risk to an individual’s data protection rights, we will, before commencing the processing, carry out a DPIA to assess:
在处理可能会对个人的数据保护权造成高风险的情况下,我们会在开始处理之前,进行DPIA以评估:
8.1.1 whether the processing is necessary and proportionate in relation to its purpose;
就其目的而言,处理是否必需以及适当;
8.1.2 the risks to individuals; and
对个人造成的风险;
8.1.3 what measures can be put in place to address those risks and protect personal information.
能够采取什么样的措施来解决这些风险和保护个人信息。
文件和记录
9.1 We will keep written records of processing activities which are high risk (for example, which may result in a risk to individuals’ rights and freedoms or involve sensitive personal information or criminal records information), including:
我们会保存高风险处理活动(比如,可能会对个人权利和自由造成风险或者涉及敏感个人信息或者犯罪纪录信息)的书面记录,包括:
9.1.1 the name and details of the employer’s organisation (and where applicable, of other controllers, the employer's representative and Data Protection Officer);
雇佣机构(如适用,以及其他控制人、雇主代表和数据保护主管)的名称和详细信息;
9.1.2 the purposes of the processing;
处理的目的;
9.1.3 a description of the categories of individuals and categories of personal data;
个人类别和个人数据类别的描述;
9.1.4 categories of recipients of personal data;
个人数据接收方的类别;
9.1.5 details of cross-border transfers, including documentation of the transfer mechanism safeguards in place;
跨境数据转移的细节,包括已制定转移机制保障措施的文件;
9.1.6 where possible, retention schedules; and
如果可能,数据保留时间表;
9.1.7 where possible, a description of technical and organisational security measures.
如果可能,技术和组织安全措施的描述。
9.2 As part of our record of processing activities we document, or link to documentation, on:
作为我们记录处理活动的一部分,我们会以文档记录,或者链接到文档,如下内容:
9.2.1 information required for privacy notices;
隐私通知所需要的信息;
同意记录;
9.2.3 controller-processor contracts;
控制人—处理人合同;
9.2.4 the location of personal information;
个人信息的位置;
数据保护影响评估(DPIAs);
9.2.6 records of data breaches.
数据泄露/数据违规的记录。
9.3 If we process sensitive personal information or criminal records information, we will keep written records of:
如果我们处理敏感个人信息或者犯罪记录信息,我们会对以下内容保持书面记录:
9.3.1 the relevant purpose(s) for which the processing takes place, including (where required) why it is necessary for that purpose;
进行处理的相关目的,包括(如有需要)为何必须进行处理;
9.3.2 the lawful basis for our processing; and
我们处理的合法基础;
9.3.3 whether we retain and erase the personal information in accordance with our policy documents (including this Policy) and, if not, the reasons for not following our policy.
我们是否根据我们的政策文件(包括本政策)保留和删除个人信息,如果不遵守的话,提供不遵守我们的政策的原因。
9.4 We will conduct regular reviews of the personal information we process and update our documentation accordingly. This may include:
我们将定期审查我们处理的个人信息并且相应地更新我们的文档记录。这可能包括:
9.4.1 carrying out information audits to find out what personal information the Company holds;
进行信息审查以查明公司所持有的个人信息;
9.4.2 distributing questionnaires and talking to staff across the Company to get a more complete picture of our processing activities; and
分发问卷并与全公司员工交谈,以更全面的了解我们的处理活动;
9.4.3 reviewing our policies, procedures, contracts and agreements to address areas such as retention, security and data sharing.
审查我们的政策、程序、合同和协议以处理数据保留、安全以及数据共享等方面的问题。
10. rights IN RELATION TO PERSONAL INFORMATION
与个人信息有关的权利
10.1 All data subjects have the following rights in relation to their personal information:
所有的数据主体对其个人信息拥有下列权利:
10.1.1 to be informed about how, why and on what basis that information is processed – see paragraph 4 of this Policy regarding the Company’s privacy notices;
被告知如何、为什么以及以什么为基础处理信息—参见本政策第4条关于公司隐私通知;
10.1.2 to obtain confirmation that your information is being processed and to obtain access to it and certain other information, by making a subject access request – see paragraph 10.3 below;
通过提出主体访问请求,以确认您信息正在被处理并且获取您信息及其他相关信息的访问权限—参见下文的10.3条;
10.1.3 to have data corrected if it is inaccurate or incomplete;
若数据不准确或者不完整,可要求更正;
10.1.4 to have data erased if it is no longer necessary for the purpose for which it was originally collected/processed, or if there are no overriding legitimate grounds for the processing (this is sometimes known as ‘the right to be forgotten’);
如果数据对于其最初被收集/处理的目的而言已不再必需,或者处理没有可凌驾性的正当理由,可要求将数据删除(这有时被称为“被遗忘权”);
10.1.5 to restrict the processing of personal information where the accuracy of the information is contested, or the processing is unlawful (but the data subject does not want the data to be erased); and
当信息的准确性有争议时,或者处理不合法时(但数据主体不希望删除数据),可要求限制该个人信息的处理;
10.1.6 to restrict the processing of personal information temporarily where you do not think it is accurate, or where you have objected to the processing.
当您认为数据不准确时,或者您拒绝处理时,可要求临时限制个人信息的处理。
10.2 If you wish to exercise any of the rights in paragraph 10.1 above, please contact the Data Protection Officer as shown at paragraph 1.7 of this Policy.
如果你想行使上述10.1条中的任何权利时,请联系本政策1.7条所述的数据保护主管。
主体访问请求
10.3.1 The Company will seek to comply with subject access requests and to provide the appropriate data within one month of a request being made. Where this isn't possible, the data subject will be kept informed. The Company may take professional advice about how to comply with any request, to ensure that appropriate information is provided. Usually there will be no charge for providing the information.
公司将尽力遵守主体访问请求并且在请求后的一个月内提供适当的数据。如果不可能做到,数据主体将被知会。公司可能会就如何遵守请求接受专业建议以确保提供适当的信息。通常情况下提供信息是免费的。
10.3.2 In the unlikely event of manifestly unfounded or repetitive requests, the Company may decide not to provide information. However professional advice will be taken in those circumstances.
虽然不太可能发生,但如果发生明显无理或重复的要求的情况,公司可能决定不提供信息。然而在这些情况下公司将会接受专业意见。
信息安全
11.1 The Company will use appropriate technical and organisational measures to keep personal information secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage. These may include:
公司将会采取适当的技术和组织措施来确保个人信息的安全,特别是防止未经授权或者非法地处理以及意外丢失、破坏或损坏。这些措施可能包括:
11.1.1 making sure that, where possible, personal information is pseudonymised or encrypted;
可能的话,确保个人信息被假名化或者加密;
11.1.2 ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
确保处理系统和服务持续的保密性、完整性、可用性以及灵活性;
11.1.3 ensuring that, in the event of a physical or technical incident, availability and access to personal information can be restored in a timely manner; and
确保在发生实地或者技术事件时及时恢复个人信息的可访问性和访问权限;
11.1.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
定期测试、评估和评价技术和组织措施的有效性以确保处理的安全性。
11.2 Where the Company uses external organisations to process personal information on its behalf, additional security arrangements will need to be implemented in contracts with those organisations to safeguard the security of personal information. In particular, contracts with external organisations will provide that:
如果公司使用外部组织代表其处理个人信息,则需要在与这些外部组织签订的合同中实施额外的安全措施以保护个人信息的安全。尤其是,与外部组织的合同将规定:
11.2.1 the organisation may act only on the written instructions of the Company;
该组织只能按照公司的书面指示行事;
11.2.2 those processing the data are subject to a duty of confidence;
处理数据的该组织有保密义务;
11.2.3 appropriate measures are taken to ensure the security of processing;
需采取适当的措施以确保处理的安全性;
11.2.4 sub-contractors are only engaged with the prior consent of the Company and under a written contract;
只有在获得公司的事先同意并且有书面合同的情况下才能聘请分包商;
11.2.5 the organisation will assist the Company in providing subject access and allowing individuals to exercise their rights in relation to data protection;
该组织将协助公司提供主体访问,并协助公司允许个人行使其在数据保护方面的权利;
11.2.6 the organisation will assist the Company in meeting its obligations in relation to the security of processing, the notification of data breaches and data protection impact assessments;
该组织将协助公司履行其在处理安全、数据泄露通知和数据保护影响评估方面的义务;
11.2.7 the organisation will delete or return all personal information to the Company as requested at the end of the contract; and
该组织将删除或者按照合同结束时要求的那样向公司返还所有个人信息;
11.2.8 the organisation will submit to audits and inspections, provide the Company with whatever information it needs to ensure that they are both meeting their data protection obligations, and tell the Company immediately if it is asked to do something infringing data protection law.
该组织同意被审计和检查,向公司提供所需的任何信息以确保双方都履行了其数据保护的义务,并且在被要求做一些侵犯数据保护法的事情时及时通知公司。
12. retention of personal information
个人信息的保留
12.1 Personal information (and sensitive personal information) should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal information was obtained. In general, personal information will be retained as long as is necessary, or for 7 years after it is no longer in use, whichever is earlier.
个人信息(和敏感个人信息)不应保留超过必要的时间。数据应该保留的时间长短取决于具体情况,包括获取个人信息的原因。一般而言,个人信息将在必要时保留,或者在不再使用后7年内保留,以先发生者为准。
12.2 Personal information (and sensitive personal information) that is no longer required will be deleted permanently from our information systems and any hard copies will be destroyed securely.
不再需要的个人信息(和敏感个人信息)将永久的从我们的信息系统中删除,且任何硬拷贝副本将会被安全销毁。
数据泄露
13.1 A data breach may take many different forms, for example:
数据泄露可能有多种不同的形式,例如:
13.1.1 loss or theft of data or equipment on which personal information is stored;
储存个人信息的数据或者设备的丢失或者失窃;
13.1.2 unauthorised access to or use of personal information either by a member of staff or third party;
员工或者第三方未经授权访问或者使用个人信息;
13.1.3 loss of data resulting from an equipment or systems (including hardware and software) failure;
设备或者系统故障(包括硬件和软件)所造成的数据丢失;
13.1.4 human error, such as accidental deletion or alteration of data;
人为错误,如意外删除或者更改数据;
13.1.5 unforeseen circumstances, such as a fire or flood;
不可预见的情形,比如火灾或者洪水;
13.1.6 deliberate attacks on IT systems, such as hacking, viruses or phishing scams; and
针对IT系统的蓄意攻击,如黑客攻击、病毒或者网络钓鱼诈骗;
13.1.7 ‘blagging’ offences, where information is obtained by deceiving the organisation which holds it.
“欺诈”罪行,其中信息是通过欺诈持有它的组织而获得的。
13.2 In the event of a data breach, the Company will act in accordance with its Data Breach Notification Plan without undue delay.
如果发生数据泄露事件,公司将毫不延迟地按照其个人数据泄露通知计划行事。
14. CONTACT US
联系我们
14.1 At any time, if you
在任何时候,如果您
14.1.1 have any complaints, grievances or comments regarding how we are handling your personal information or about our compliance with the GDPR or any other applicable data protection law; or
对于我们如何处理您的个人信息或者对我们遵守GDPR或者其他适用的数据保护法有任何的投诉、不满或意见;
14.1.2 wish to revoke any consent you have previously given to us to use your personal information;
希望撤销您之前向我们做出的关于使用您个人信息的任何同意;
we welcome you to contact our Data Protection Officer and/or our EU Representative using the contact details provided under paragraph 1.7 of this Policy. We will strive to deal with any complaints, grievances or comments that you may have speedily and fairly.
我们欢迎您通过本政策第1.7条的联系方式与我们的数据保护主管和/或我们的欧盟代表联系。我们将竭尽全力迅速且公平的处理您可能提出的任何投诉、不满或意见。
15. Privacy Policy amendment
隐私条款修改
Hainan Airlines may amend this Privacy Policy from time to time. Use of the website, mobile site and mobile applications after the effective date of the amendments constitutes acceptance of the amended terms and conditions. We reserve the right to apply the amended terms to the information we have already collected, subject to any legal constraints. You should read and review this page regularly to see if there have been any changes.
本隐私条款的修改权、更新权均属中国海南航空控股股份有限公司。我们可能会不定期修订、更新本隐私条款,并在网站上公布最新版本。我们建议您在使用我们的网站时,定期查阅这一页面,以便您能了解隐私条款是否有任何的变动。
Last updated: June 2018
最近更新时间:2018年6月
账户概况
海南航空
天津航空
香港航空
祥鹏航空
首都航空
福州航空
金鹏航空
北部湾航空
乌鲁木齐航空
长安航空
桂林航空
西部航空
