Privacy Notice Sample Template
Privacy Notice – Supplement to the Personal Information Collection Statement (“PICS”)
This privacy notice supplements the PICS and applies to you if and to the extent that the General Data Protection Regulation of the European Union (“GDPR”) is applicable and relevant.
It is important that you read and understand this privacy notice, together with any other privacy notices/PICSs that you are provided on specific occasions or matters.
The GDPR can be accessed here (https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1532348683434&uri=CELEX:02016R0679-20160504).
Information Technology Services (“ITS”) under The University of Hong Kong (“University”) is committed to protecting the privacy and security of your personal data (“personal data”). This privacy notice further explains how the ITS collects, uses, shares, handles and stores your personal data, and outlines your rights in relation to the personal data that we process.
The ITS is the Data Controller for your personal data.
The GDPR Focal Point for this privacy notice is ITS Service Desk (Email: email@example.com).
Personal Data Collected/To Be Collected
The ITS won’t collect, hold and process personal data of you including personal details.
Purposes of Collection
The ITS collects, holds and processes the personal data and special categories of personal data of you in order to provide necessary website functionality, improve your experience and analyze our traffic. The ITS also has the statutory and other obligations to provide personal data to government and other relevant bodies in relation to its activities and operations. Without the personal data, the ITS may not be able to provide necessary website functionality, provide its facilities and services to you or meet its statutory and other obligations. Information is utilised by various offices/work units of the ITS as is necessary and proportionate for our operational purposes (including the performance of academic, education, research and administrative functions).
Use of Data
The ITS will use personal data (including special categories of personal data) to provide necessary website functionality, provide facilities, deliver services, and meet statutory and other obligations including:
- IP Address
- Browser behaviour
- Information of browser Client
We may also use your personal data for other purposes, for example: to undertake statistical analyses, surveys, and researches, carry out compliance audits, promote services, detect, investigate or prevent misconduct and crimes, and to deal with grievances, complaints, enquiries and disciplinary actions.
In some cases, we may undertake automated decision-making using personal data in the processes. When this has a negative impact on you, we will ensure this decision is checked by a member of staff before processing. If necessary, we may also provide more information to you according to the GDPR.
Accessing and Updating the Personal Data
You are able to access and update personal data via [*]. Please advise us promptly of any changes to your details. If you have any questions about the personal data we hold please contact [*] or [*] in the first instance.
Legal Bases for Processing the Personal Data
The legal bases for processing include:
- performance of a contract under which the University provides facilities and services to you or taking steps at the request of you prior to entering into a contract;
- processing activities under a legal obligation (for example, disclosing personal data and special categories of personal data to external parties by compulsion of statutory powers);
- protecting the vital interests of you or another party (for example, disclosures to external parties to ensure the safety, health and wellbeing of individuals);
- performance of a task carried out in the public interest or in the exercise of official authority (for example, collecting or disclosing information in order to meet regulatory or statutory requirements); and/or
- pursuing legitimate interests by the University or by a third party.
In some situations, the University may seek consent from you for processing certain kinds of personal data.
Where special categories of personal data are processed the legal bases for doing so will be those provided under the GDPR.
Sharing Personal Data with Third Parties
For purposes referred to in this privacy notice we may share your personal data with certain third parties. You are given the opportunity to opt-out of some data sharing arrangements, but we encourage you to think carefully about the impact of doing so. Where an opt-out is not in place, we will disclose relevant personal data to third parties, including: [*]
Transfer of Personal Data outside of the European Economic Area (“EEA”) and/or to International Organisations
If we need to transfer your personal data outside the EEA and/or to international organisations, any such transfer will comply with the requirements of the GDPR. If necessary, you may be informed and your consent may be obtained.
Retention of Personal Data
Details of retention periods for the personal data can be found in [*].
Rights of Data Subjects
Data subjects have the following rights under the GDPR:
- The right to be informed about which personal data is collected and how it will be used
- The right to request access to personal data held by the University
- The right to have incomplete or inaccurate personal data rectified
- The right to have personal data removed or deleted in certain circumstances
- The right to restrict or object to the processing of personal data – individuals have the right to block the processing of their personal data by the University in specific situations
- The right to personal data portability – the right to request provision of some elements of information in digital form in order to provide it to you or to other organisations
- The right to withdraw a consent given before
In the first instance, please contact the above GDPR Focal Point if you would like to discuss any aspect of your rights in relation to your personal data.
Feedback, Concern and Complaint
If you have any feedback, concern or complaint in relation to the processing of your personal data, please contact the above GDPR Focal Point. If you have a formal complaint, you may contact the Office of the Privacy Commissioner for Personal Data of Hong Kong and/or the relevant supervisory authority.
Last updated: [*]