1.Introduction
1.1This policy contains important information on the following aspects:
1.1.1Required compliance with data protection principles of the West Air Co. Ltd. (hereinafter referred to as “the Company”, “we” or “our”);
1.1.2Definitions of personal information (or data) or sensitive personal information (or data);
1.1.3How we collect and use personal information and sensitive personal information according to the General Data Protection Regulation (EU) 2016/679, “GDPR” for short;
1.1.4Rights and obligations of a data subject relating to data protection.
1.2This policy is applicable to all personal information collected by or on behalf of the Company, which may include personal information of customers, potential customers, website visitors and job applicants of the Company.
1.3We will review and update this policy when necessary or following our data protection obligations.
1.4The Company may, for multiple legal reasons, acquire, retain and use personal information from its customers, potential customers, website visitors and job applicants.
1.5This policy illustrates how we fulfill our data protection obligations and attempt to protect personal information. It also aims to ensure our employees’ awareness of and compliance with provisions used to supervise collection, use and deletion of personal information that could be accessed by employees in their work.
1.6We endeavor to fulfill our data protection obligations, and illustrate in a simple, clear and transparent manner how we acquire and use personal information, and how (and when) to delete such information when it becomes unnecessary.
1.7If you have any question about or objection to any content herein, or if you need more information, please contact westair_et@hnair.com.
 
2.Definitions
  • “Criminal record information”
  • Personal information relating to criminal conviction and offence, accusation, litigation and relevant safety measures;
  • “Data leakage”
  • Exposure of personal information to safety problems such as undesired or illegal damage, loss, alteration, unauthorized disclosure or access;
  • “Data subject”
  • Person to whom personal information relates;
  • “Personal information”
  • Information relating to a person, according to which the person is identified (directly or indirectly);
  • “Processing”
  • Acquisition, recording, collation, storage, modification, retrieval, disclosure and/or destruction of information, or use of information or any operation performed by using information;
  •  
  • A kind of personal information processing procedure, through which personal information cannot be used to determine the identity of a person without reliance on additional information (separately saved and protected by technical and organizational measures), so as to ensure no association of personal information with any identifiable person;
  • “Sensitive personal information”
  • (Sometimes called “personal data of special types”) Information relating to the race, ethnic group, political opinion, religious or philosophic belief, trading alliance membership (or non-membership) of a person, as well as genetic information, biological characteristics (for personal identification), personal health status, sexual life and sexual orientation of a person.
  • “Website”
  • Any website owned or operated by the Company
3.Principles of data protection
3.1Upon processing of personal information, the Company will follow the data protection principles below:
3.1.1We will process personal information in a legal, fair and transparent manner;
3.1.2We will collect personal information for specified, expressly indicated and legal purposes, and will not process such personal information against these legal purposes;
3.1.3We will only process personal information that is proper, relevant and necessary to relevant purposes;
3.1.4We will reserve accurate and latest personal information, and take proper measures to ensure timely deletion or correction of inaccurate personal information;
3.1.5We will retain personal information in such a manner that allows identification of the data subject for a period no longer than that necessary for specific information processing purpose;
3.1.6We will take proper techniques and organizational measures to protect the safety of personal information, and secure personal information against any unauthorized or illegal processing, undesired loss, destruction or damage.
4.Privacy
4.1The Company may release privacy statements from time to time to notify you of your personal information we have collected and retained, as well as the way and purpose by and for which your personal information is intended to be used.
4.2We will take proper measures and use a simple, transparent, readily understandable and accessible format to provide information clarified in the privacy statement.
4.3Timing of personal data collection
4.3.1We will collect personal information as necessary for daily activities or work.
4.3.2We will collect your personal information when
  • you register an account with our website, application or retail outlet;
  • you complete an order, request or application relating to our product, service and/or facilities (by way of telephone or email, face-to-face, by using a form, visiting our website or otherwise);
  • you directly communicate with us relating to our product, service and/or facilities (by way of telephone or email, face-to-face, by using a form, visiting our website or otherwise);
  • you use services and/or facilities provided on our website or physical sites;
  • you conduct certain types of transactions, such as requesting a refund;
  • you participate in any of our promotions, contests, competitions, lucky draws or other special activities, and interact with us during that period;
  • you participate in any of our membership programs;
  • you participate in our opinion survey or any other type of survey;
  • you apply to us for a job.
4.4Which personal data to be collected
4.4.1Personal information is provided based on free will, unless otherwise provided. If you fail to provide any required personal information, we may be unable to offer you products and/or services that you require.
4.4.2We may collect personal information of the following types:
  • Contact information, such as name, address, telephone number, email address and user’s name;
  • Billing information, such as billing address and credit card information;
  • Proprietary information such as ID card number, passport number, photo and date of birth;
  • Contact and marketing preferences;
  • Particulars about any membership with us;
  • Details of visits to our website, such as data traffic, location data and access to resources on our website;
  • Online identifiers, such as IP address, cookie identifier or other identifiers (including RFID tag);
  • Transaction records with us;
  • In the case of a job candidate, personal information provided to us during job applications, including resumes submitted to us and any personal details provided in any application form. Such personal information may include historical employment and qualifications for the job.
4.4.3In some circumstances, you may provide us with personal information relating to a third party (such as your close relative, travelling companion or a referee when you are a job candidate). In such cases, it will be deemed that you have acted on behalf of us and represented to us you have obtained permission of such third party to provide the personal information of such third party to use for the purpose illustrated in this policy.
 
4.5Purpose, use and processing of personal data
4.5.1We will collect, use, disclose and/or process your personal information for various purposes, depending on the actual conditions and your permission, such as
  • evaluating, dealing with and providing our products, services and/or facilities to your request;
  • providing any assistance to your request;
  • maintaining and improving our customer relationship;
  • establishing your identity;
  • managing and dealing with any payment (including refunds) relating to products, services and/or facilities, or other business transactions you request;
  • performing credit investigation and verifying your credit standing as necessary upon provision of products, services and/or facilities to you;
  • responding to your inquiry or complaint, and solving any problem or dispute that may arise out of any transaction between us;
  • , with your permission, information and news relating to products, services, facilities, loyalty plans, promotions, product launch activities, publicity activities, competitions and/or events offered or organized by us and our affiliated partners from time to time;
  • direct marketing as you permit by means of short messages, telephone, emails, fax, mail, instant messaging, social media and/or any other appropriate communication method;
  • managing our loyalty or incentive plans;
  • internal management and record maintenance;
  • sending seasonal greetings to you;
  • monitoring, reviewing and improving our products, services, facilities, promotions and/or activities;
  • market research or surveys, internal marketing analysis, analysis of customer’s characteristics, analysis of customer’s behavioral patterns and selection, planning and statistical analysis of our products, services and/or facilities;
  • processing, combination and/or analysis of your personal information out of the purposes above;
  • identifying, investigating and preventing fraud, forbidden or illegal activities;
  • audit, risk control and security purposes;
  • assisting us in fulfilling and exercising our obligations and rights specified in any agreement or deed we have entered into;
  • transferring or assigning our rights, interests and obligations according to any agreement we have reached;
  • disclosure as required by any applicable law or regulatory requirement and according to any applicable law, act, regulation, direction, court order, ordinance, guiding principle, announcement or principles binding us from time to time (“applicable law”);
  • exercising or defending our or your rights according to any applicable law, and performing our obligations.
4.5.2We will notify you in advance if we intend to use your information for any other purpose, and when necessary, seek for your permission, unless we may process your personal information without your permission according to GDPR or any other applicable law.
4.6Transmission of personal data
4.6.1For smooth business operation and/or fulfillment of our obligations to you, we may disclose personal information collected from you to a third party for one or more purposes specified in Article 4.5 hereof. Third parties that may receive your personal information so disclosed include, for example,
  • Third-party service providers, agencies, affiliated organizations or relevant companies providing operating services relating to our business; the foregoing services include data entry, telecommunication, information technology, logistics, storage and warehousing, shipping, assembly, mounting, printing and postal services, credit standing check, credit instrument or service relating to marketing and promotional activities;
  • Our professional consultants, advisers and/or auditors;
  • Relevant government regulators or authorities (according to the applicable law).
4.6.2Any third party with which we conduct business may only use your information for provision of services it is engaged for. The third party shall comply with GDPR and/or any policy specified by us and shall take proper measures to ensure security of your personal information, which will be incorporated as a part of the agreement we enter into with such third party.
4.6.3Personal information we may have collected from you may be transmitted to the European Union or any jurisdiction beyond the EU, the People’s Republic of China and any other region we may advise you of from time to time for purposes specified in Article 4.5 hereof and subject to the information security provision in Article 11 hereof. No personal information of a data subject within the European Union will be transmitted to any other place out of the EU without express permission of the data subject.
 
5.Basis for personal data processing
5.1Relating to any processing activity we are to carry out, before the initial processing and during subsequent processing process, it is required to regularly
5.1.1review the purpose of the specific processing activity, and select the most appropriate legal basis (or bases) for the activity:
  • The data subject has agreed upon processing of the data;
  • The data must be processed for any of the following reasons: to implement relevant measures requested by the data subject relating to any contract signed by the data subject or before signing of the contract by the data subject;
  • The company is required to process the data as a legal obligation;
  • Data must be processed to protect the personal interests of the data subject or any other natural person;
  • Data must be processed in line with the legal rights of the Company or a third party, provided no damage is incurred to the basic rights and freedom of the data subject – refer to Paragraph 5.2 in this policy.
5.1.2unless otherwise permitted, perform necessary processing only for purposes in conformity to the relevant legal basis (when there is no other proper means for such purposes);
5.1.3record legal bases of our decisions to evidence our compliance with the data protection principle;
5.1.4include relevant processing purpose and its legal basis in our relevant privacy statement;
5.1.5upon processing sensitive personal information, determine and record legal special conditions for processing of such information (refer to paragraph 6.2.2 hereof);
5.1.6upon processing of information relating to a criminal offence, determine and record legal special conditions for processing of such information;
5.2When determining whether legal interests of the Company are the most appropriate basis for legal processing, we will
5.2.1perform legal interest assessment (“LIA”) and make records of the same to ensure our decisions are proper;
5.2.2when the LIA result shows significant impact on privacy, consider whether we need to perform data protection impact assessment (“DPIA”);
5.2.3observe the LIA, and repeat the assessment procedure in case of any change;
5.2.4incorporate information relating to our legal interests in our relevant privacy statement.
6.Sensitive personal data
6.1Sensitive personal information is sometimes known as “special personal data” or “sensitive personal data”.
6.2The Company may need to process sensitive personal information. We will process sensitive personal information only in the following circumstances:
6.2.1We have a legal basis for processing sensitive personal information according to paragraph 5.1.1, for example, for fulfillment of the Company’s legal obligations or for the legal interests of the Company;
6.2.2Any of the special conditions applicable to processing of sensitive personal information applies, such as
  • Express permission of the data subject;
  • processing required for exercising or performing the rights or obligations of the Company or of the data subject according to the labor law;
  • processing of data required to protect the personal interests of the data subject when granting of permission by the data subject is impossible;
  • personal data involved in the processing activity is information about the data subject in the public domain;
  • processing required for determining, exercise or defending legal requirements;
  • processing required for any major public interest.
6.3Before processing of any sensitive personal information, our staff will evaluate whether the processing process conforms to the criteria above.
6.4Sensitive personal information will be processed only when the following conditions are satisfied:
6.4.1Assessment specified in paragraph 6.3 has been completed;
6.4.2Relevant person has been properly notified (by means of a privacy statement or otherwise) to know the nature, purpose and legal basis of the processing activity.
6.5During recruitment, the HR Department shall make sure (unless otherwise specified by law):
6.5.1no question will involve any sensitive personal information (such as race, trade union membership or health status) upon determining the list of final candidates, interview and decision making;
6.5.2if sensitive personal information is received (for example, such sensitive personal information is provided in the resume or interview by the applicant without being requested), such information will not be recorded but immediately deleted or subject to reference removal by means of revision;
6.5.3any completed equal opportunities monitoring form shall be kept separately with corresponding personal application and out of sight to the person who finally determines the winning candidate, interview or employment;
6.5.4“Work right” will be checked prior to issue of an unconditional job offer other than at the earlier stages when determination of the final candidate, interview or decision-making occurs;
6.5.5After issue of an offer, we will only ask questions relating to health.
7.Data protection impact assessment (DPIA)
7.1If any processing activity threatens the entitlement of any individual to data protection, we will execute DPIA before processing, so as to evaluate
7.1.1whether the processing activity is necessary or proper for the specified purpose;
7.1.2risks relating to the individual;
7.1.3which measures can be taken to cope with these risks and protect personal information.
8.Documents and records
8.1We will keep written records of highly risky processing activities (which may incur risks in aspects of rights and freedom, or involve sensitive personal information or criminal records), including:
8.1.1name and details of the employer (its controller, representative and DPO, as the case may be);
8.1.2purpose of the processing activity;
8.1.3description of personal type and personal data type;
8.1.4type of personal data recipients;
8.1.5details of cross-border transmission, including documents for securing relevant transmission mechanism;
8.1.6(if possible) retention timetable;
8.1.7(if possible) description of technical and organizational safety measures.
8.2The records on or document link to our processing activity may include any:
8.2.1information required for privacy statement;
8.2.2consent record;
8.2.3contact between the controlling party and the dealing party;
8.2.4location of personal information;
8.2.5DPIA;
8.2.6Data leakage records.
8.3Upon dealing with sensitive personal information or criminal records, we will keep written records of the following aspects:
8.3.1relevance of the processing activity, including (if necessary) why the processing activity is performed to satisfy the purpose;
8.3.2legal basis of the processing activity;
8.3.3our compliance with our policy documents (including this policy) regarding retention and deletion of personal information; in case of non-compliance, reasons for such non-compliance shall be recorded.
8.4We will regularly review personal information we process and update our documents correspondingly. This may include:
8.4.1information audit to know personal information held by the Company;
8.4.2distribution of investigation questionnaires and exchange with employees of the Company to better know our processing activity;
8.4.3review of our policies, procedures, contracts and agreements, so as to solve problems in aspects of data retention, security and sharing.
9.Entitlements relating to personal data
9.1A data subject is entitled to the following rights regarding his personal information:
9.1.1To know the way, reason and basis of information processing – refer to paragraph 4 hereof and privacy statement of the Company;
9.1.2To request confirmation of your information being processed and acquire authorized access to the information and some other information – refer to paragraph 10.3 below;
9.1.3To correct the data in case of inaccuracy or incompleteness;
9.1.4To delete the data when they are no longer needed for purposes which they have been originally collected/processed for or when the processing activity is not supported by sound legal basis (which is sometimes known as “right to be forgotten”);
9.1.5To limit processing of personal information when the information has disputable accuracy or is illegally processed (but the data subject hopes the data will not be deleted);
9.1.6To suspend processing of personal information if in the data subject’s opinion the information is incorrect or he rejects such processing.
9.2If you intend to exercise the rights provided in paragraph 9.1 above, please call 95373 as provided in paragraph 1.7 hereof.
9.3Subject access request
9.3.1The Company will do what it can to comply with the data subject’s request, and provide proper data within one month after such request is proposed. As to how to comply with any request, the Company may adopt professional suggestions, so as to ensure provision of proper information. Information is generally provided by the Company on a free basis.
9.3.2In case of an obviously unreasonable request or repeated request (which is unlikely to happen), the Company may decide not to provide any information. However, in such cases, the Company will refer to professional opinions.
10.Data security
10.1The Company will take proper techniques and organizational measures to ensure security of personal information and particularly to prevent unauthorized or illegal processing and undesired loss, destruction or damage of such information. The measures may include:
10.1.1pseudonymity or encryption of personal information where possible;
10.1.2maintaining constant confidentiality, integrity, availability and recoverability of the processing system and service;
10.1.3timely recovery of availability of and access to personal information in case of a physical or technical event;
10.1.4establishing effective procedures for regular testing, appraisal and evaluation of techniques and organizational measures, so as to secure the processing process.
10.2If the Company engages any external organization to process personal information on its behalf, it shall include additional security provision in the contract made with such organization to protect the security of the personal information. The contract with the external organization shall specifically ensure that:
10.2.1The organization may only act as directed by the Company in writing;
10.2.2The organization responsible for data processing is liable for the confidentiality of the data;
10.2.3Proper measures are adopted to ensure security during processing;
10.2.4A subcontractor may be engaged only after prior consent from the Company is obtained with written contract signed;
10.2.5The organization shall assist the Company in providing the data subject with access and allowing the data subject to exercise rights relating to data protection;
10.2.6The organization shall assist the Company in performing its obligations relating to data security, data leakage notification and data protection impact evaluation during data processing;
10.2.7The organization shall delete or return all personal information upon the end of the contract;
10.2.8The organization shall agree to accept audit and inspection, provide the Company with any information required to ensure performance of respective data protection obligation, and immediately notify the Company if it is required to act against the data protection law.
11.Reservation of personal data
11.1Personal information (and sensitive personal information) shall be retained for a period not exceeding the specified limit. The retention time of personal information depends on specific conditions, including reasons for acquisition of the personal data. Commonly, personal information shall be retained within a required period or within 7 years after it was last used, whichever is shorter.
11.2Personal information (and sensitive personal information) that is no longer needed will be permanently deleted from our information system, and any record of the information in writing shall be safely destroyed.
12.Data leakage
12.1Data leakage may occur in multiple forms, including
12.1.1Loss or theft of data or devices containing personal information;
12.1.2Access to or use of personal information by authorized employees or any third party;
12.1.3Data loss caused by equipment or system (including hardware and software failure);
12.1.4Personal mistakes, such as unintentional deletion or change of data;
12.1.5Unforeseeable conditions, such as fire or flood;
12.1.6Deliberate attack on the IT system, such as hacker attack, virus or phishing fraud;
12.1.7“Cheating” crime, i.e. to acquire information by cheating an organization holding the information.
12.2In case of a data leakage event, the Company will immediately act following its data leakage and disclosure plan.
13.CONTACT US
13.1If you have any complaint, dissatisfaction or objection to or about how we process your personal information and whether we are compliant with GDPR or any other applicable data protection law, please feel free to contact us by the means provided in paragraph 1.7 hereof. We will try our best to resolve any complaint, dissatisfaction or objection in a fast and fair manner.
14.MODIFICATION OF PROVISION ON PRIVACY
The rights to revise and update this privacy provision reside with the West Air Co. Ltd. We may revise or update this privacy provision from time to time, and will publish the latest version on the website. You are recommended to regularly view this page upon visiting our website to verify whether any change has occurred to the privacy provision.