Personal Data Protection Policy and Practices (“the Policy”)
Last updated on 12 Nov 2020
MediConCen Limited (“the Company”) is committed to implementing and complying with the provisions regarding the collection, holding, processing, use and/or transfer of personal data under the Personal Data (Privacy) Ordinance (Cap. 486) (“the Ordinance”). Personal data will be collected only for lawful and relevant purposes. The Company will take all practicable steps to ensure security of the personal data and to avoid unauthorised or accidental access, erasure or other use.
When you sign up for or use MediConCen's mobile applications ("mobile applications") and/or MediConCen’s website (“website”), you need to confirm that you have read and agreed to the Policy. By doing so, you consent to the collection, use and disclosure of Your Personal Data and other information as set out in this Policy.
This Policy applies to all products and services provided by the Company and sets out how the Company may collect, use and disclose your personal information.
The Company reserves the right, at any time effective upon notice to you, to add to, change, update or modify the Policy.
PERSONAL INFORMATION COLLECTION STATEMENT (“PICS”)
1. Collection of Personal Data
1.1 From time to time, it is necessary for you to supply the Company or agents and representatives acting on its behalf with personal information and particulars in connection with our services and products. If you do not provide us the necessary information and particulars, we may not be able to provide these services and products to you or process your request.
1.2 The Company may collect information about the mobile applications, browsers, and devices you use to access our services, which helps the Company provide features like automatic service updates.
1.3 The Company may also generate and compile additional personal data using the information and particulars provided by you. All personal data collected, generated and compiled by the Company about you from time to time is collectively referred to as "Your Personal Data".
1.4 As detailed in the Policy, Your Personal Data may also be processed by the Company's subsidiaries, holding companies, associated or affiliated companies and companies controlled by or under common control with the Company (collectively, "the Group").
2. Types of Personal Data Held
2.1 “Your Personal Data” means any information that you provide to us which identifies or can reasonably be used to identify you, including but not limited to your name, email address or other data that can be reasonably linked to such information by MediConCen, such as information we associate with your account.
2.2 "Your Personal Data" will also include personal data relating to your dependents, beneficiaries, authorized representatives and other individuals in relation to which you have provided information. If you provide personal data on behalf of any person you confirm that you are either their parent or guardian or you have obtained that person's consent to provide that personal data for use by the Company for the purposes set out in the Policy.
2.3 The Company may also collect information including unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including carrier name and application version number. The Company may also collect information about the interaction of your mobile applications, browsers, and devices with our services, including IP address, crash reports, system activity, and the date, time, and referrer URL of your request.
2.4 The Company may collect information about you from publicly accessible sources.
2.5 The Company may record and keep record(s) of user number, date, type of medical service received and other relevant data fields related to the medical consultation.
2.6 The Company may request medical service providers to provide relevant certificate or other document to ensure that they are duly qualified.
3. Purpose of Personal Data Collection
3.1 The Company will use Your Personal Data only for the purpose for which it was provided, as well as other purposes for which you have given consent. This includes, but is not limited to, the following purposes:
i. providing our services and products to you, including administering, maintaining, managing and operating such services and products, which may include, without limitation, insurance, pension, financial and wealth management services and products;
ii. processing, assessing and determining any applications or requests made by you in connection with our services or products and maintaining your account with the Company;
iii. underwriting of insurance products;
iv. providing health-related advice;
v. developing insurance and other financial services and products;
vi. developing and maintaining credit and risk related models;
vii. processing payment instructions;
viii. determining any indebtedness owing to or from you, and collecting and recovering any amount owing from you or any person who has provided any security or other undertakings for your liabilities;
ix. exercising any rights that the Company may have in connection with our services and/or products;
x. carrying out and/or verifying any eligibility, credit, physical, medical, security, underwriting and/or identity checks in connection with our services and products;
xi. any purposes in connection with any claims made by or against or otherwise involving you in respect of any of our services or products, including making, defending, analysing, investigating, processing, assessing, determining, responding to, resolving or settling such claims;
xii. performing policy reviews and needs analysis (whether or not on a regular basis);
xiii. meeting disclosure obligations and other requirements imposed by or for the purposes of any laws, rules, regulations, codes of practice or guidelines (whether applicable in or outside Hong Kong) binding on the Company or any other member of the Group, including making disclosure to any legal, regulatory, governmental, tax, law enforcement or other authorities (including compliance with sanctions laws, the prevention or detection of money laundering, terrorist financing or other unlawful activities) or to any self-regulatory or industry bodies such as federations or associations of insurers;
xiv. for statistical or actuarial research undertaken by the Company or any member of the Group, including matching of any data held which relates to you from time to time for any of the purposes listed herein;
xv. for recruitment purposes (in connection with job applications); and
xvi. fulfilling any other purposes directly related to i to xv above.
4. Transfer of Your Personal Data
4.1 Your Personal Data will be kept confidential, but to facilitate the purposes set out in section 3.1 above, the Company may transfer, disclose, grant access to or share Your Personal Data with the following:
i. other members of the Group;
ii. any person or company carrying on insurance-related and/or reinsurance-related business which is engaged by the Company in connection with the Company's business;
iii. any physicians, hospitals, clinics, medical practitioners, loss adjustors, risk intelligence providers, claims investigators, legal advisors and/or other professional advisors engaged in connection with the Company's business;
iv. any person (including private investigators) in connection with any claims made by or against or otherwise involving you in respect of any products/services provided by the Company and/or our affiliates;
v. any agent, contractor, service provider or third party providing administrative, distribution, credit reference, debt collection, telecommunications, call centre, computer, data processing, payment processing, printing, redemption or other services in connection with the Company's business;
vi. credit reference agencies or, in the event of default, debt collection agencies; and/or
vii. any official, regulator, ministry, law enforcement agent or other person (whether within or outside Hong Kong) to whom the Company or another member of the Group is under an obligation or otherwise required or expected to make disclosures under the requirements of any law, rules, regulations, codes of practice or guidelines (whether applicable in or outside Hong Kong).
4.2 Your Personal Data may be transferred or disclosed to any assignee, transferee, participant or sub-participant of all or any substantial part of the Company's business.
4.3 To facilitate the purposes set out in section 3.1 the Company may transfer, disclose, grant access to or share Your Personal Data with the parties set out in sections 4.1 and 4.2 and you acknowledge that those parties may be based outside Hong Kong and that Your Personal Data may be transferred to places where there may not be in place data protection laws which are substantially similar to, or serve the same purposes as, the Ordinance.
4.4 The Company may only transfer Your Personal Data as mentioned above if you consent or do not object in writing or by digital signoff.
5. Use of Personal Data in Direct Marketing
5.1 In connection with direct marketing, the Company intends to use your name, contact details, services and products portfolio information, financial background and demographic data held by the Company from time to time in direct marketing to market the following classes of services and products offered by the Company, other members of the Group and/or Our Business Partners (being providers of the product and services described below) from time to time:
i. insurance services and products;
ii. wealth management services and products;
iii. pensions, investments, brokering, financial advisory, credit and other financial services and products;
iv. health-check, medical and wellness services and products;
v. media, entertainment and telecommunications services;
vi. reward, loyalty or privileges programmes and related services and products; and
vii. donations and contributions for charitable and/or non-profit making purposes.
5.2 The Company may only use Your Personal Data in direct marketing as mentioned above if you consent or do not object in writing or by digital signoff.
5.3 If you do not wish the Company to use Your Personal Data in direct marketing, you may inform the Chief Executive Officer of the Company in writing to the address below. We will withdraw you from future direct marketing activities.
5.4 In addition to marketing the medical services and products directly, the Company intends to provide Your Personal Data to any members of the Group and/or Our Business Partners for their use in direct marketing the classes of services and products described in section 5.1 above (including, in the case of Our Business Partners, for money or other commercial benefit).
5.5 If you do not wish the Company to provide Your Personal Data to other members of the Group and/or Our Business Partners for their use in direct marketing, you may write to the Chief Executive Officer of the Company at the address below to opt out from direct marketing at any time.
6. Data Access/ Correction Requests
6.1 Under the Ordinance:
i. you have the right to request access to Your Personal Data held by the Company and correction of any of Your Personal Data which is inaccurate; and
ii. the Company has the right to charge you a reasonable fee for processing and complying with your data access request.
6.2 Requests for access to or correction of Your Personal Data should be made in writing to the Chief Executive Officer of the Company at the address below.
7. Accuracy of Personal Information
7.1 The Company will ensure the accuracy of all personal data collected and processed by the Company. Appropriate procedures are implemented so that all personal data is regularly checked and updated to ensure that it is reasonably accurate having regard to the purposes for which that data is used.
7.2 In so far as personal data held by the Company consists of statements of opinion, all reasonably practicable steps are taken to ensure that any facts cited in support of such statements of opinion are correct.
7.3 The Company will at all times endeavour to ensure the accuracy of personal data held by the Company, and if such personal data is transferred to third parties, it will notify that third party of any correction to be made.
8. Retention of Personal Information
8.1 No personal data is kept for longer than is necessary, and the Company will comply with all statutory and regulatory requirements in the Hong Kong Special Administrative Region concerning the retention of personally identifiable information.
8.2 For the Company’s mobile applications, membership registration data of the data subject will be deleted within 2 years after termination of membership of the App.
9. Location Information
9.1 We collect information about your location when you use our services, which helps us offer features such as searching for clinics near you. Your location can be determined with varying degrees of accuracy by GPS. The types of location data that we collect depend in part on your device and account settings.
10. Data Security
10.1 The Company will ensure an appropriate level of protection for personal data in order to prevent unauthorized access, processing or other use of that data, commensurate with the sensitivity of the data and the harm that would be caused by unauthorized access to that data. It is the practice of the Company to achieve appropriate levels of security by restricting physical access to data, providing secure storage facilities and incorporating security measures into equipment in which data is held.
10.2 Measures are taken to ensure the integrity, prudence, and competence of persons having access to personal data and personal data is only transmitted by secure means.
10.3 In addition, the Company takes prudent security measures to ensure personal data collected via the mobile applications are stored and transmitted under protection:
i. For mobile app development, the mobile applications are developed with secure coding, and penetration testing is conducted;
ii. The personal data collected via the mobile applications is stored in a database with strict access control;
iii. Data transfers between the Company and the mobile applications are made over an SSL-secured connection, and valid session key management is in place to ensure unauthorized access is restricted and prevented; and
iv. A multi-layered defense system is used in the Company’s data centre to secure transmission and ensure effective data protection is in place.
11.1 The Company’s website may include hyperlinks to third-party websites. The Company has no control over the content, accuracy, opinions expressed, and other links provided at these third-party websites or how these third-party websites deal with Your Personal Data. You should investigate the privacy policies on these third-party sites.
11.2 The Company may use "cookies" to improve our internet service to you. Cookies are small data files that are automatically stored on your web browser in your computer that can be retrieved by the Company’s website. Cookies enable the Company’s website to remember you and your preferences when you visit the website and enable us to tailor the website to your needs. The information collected by cookies is anonymous visitor’s personalized settings information and contains no name or address information or any information that will enable anyone to contact you via telephone, e-mail or any other means. No customer personal data is stored in cookies. However, you can disable cookies by changing the settings of your web browser.
11.3 In relation to the service of our website and mobile application, we may employ third-party companies and individuals to facilitate such service, provide it on our behalf, perform related services and/or assist in the analysis of usage of such service. The said third parties have access to your personal information only to perform such tasks on our behalf and are obligated not to disclose or use it for any other purpose. The third-party companies and individuals we employ include but are not limited to Google Analytics.
Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.
For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: http://www.google.com/intl/en/policies/privacy/
12. Online Job Applications
12.1 Making an online application to a job advertisement on the Company's website is a free and optional service that requires the user to complete mandatory fields (including but not limited to the applicant's first name, last name, email and resume) so that the Company can identify and contact the applicant. When you submit a job application on our website, the application, including the attachments and cover letters, is stored in the Company's database to allow easy and effective management of the recruitment process.
12.2 Any personal information retained by the Company as part of your application will only be used in accordance with this Policy.
13.1 In case of discrepancies between the English and Chinese versions, the English version shall apply and prevail.
13.2 By accepting this Policy, you consent to the transfer of Your Personal Data outside Hong Kong and you understand Your Personal Data may not be protected to the same or similar level as in Hong Kong.
13.3 Further enquiries regarding the Company's Personal Data Protection Policy and Practices may be directed to:
Chief Executive Officer
Room A-C, 10/F, Infotech Centre, 21 Hung To Road, Kwun Tong, Hong Kong