Privacy Policy

EU Privacy Policy
1. Introduction
In the digital age, the protection of personal privacy is paramount. The EU attaches great importance to the protection of personal data and has established a series of strict and comprehensive privacy policies designed to ensure that the personal information of EU citizens and residents is properly protected in all scenarios and prevented from inappropriate collection, use, disclosure, or misuse.

2. Scope of Application
This Privacy Policy applies to all organizations and businesses operating in the EU and to any activities involving the processing of personal data of EU citizens, whether conducted through online digital platforms or through offline business processes. It also covers third parties providing data processing services to these organizations and businesses.

3. Definition and Scope of Personal Information
Definition: Personal information means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified directly or indirectly, including by name, identification number, location data, online identifiers, and other means.
Scope: This includes, but is not limited to, an individual's name, contact information (such as address, phone number, email address), date of birth, ID or passport number, financial information (such as bank account and credit card information), health data, biometric data (such as fingerprints and facial recognition data), education background, work experience, and various types of internet browsing and search history.

4. Collection of Personal Information
Collection Principles: All organizations must adhere to the principles of lawfulness, legitimacy, and necessity when collecting personal information. Lawfulness means that the collection must have a clear legal basis; legitimacy requires that the collection process adheres to ethical and fair trading standards; and necessity ensures that the information collected is only necessary to achieve specific, clear, and legitimate purposes and is not excessive.
Methods of Collection: Personal information can be collected directly from the data subject, such as when registering for a service, completing a questionnaire, or signing a contract. It may also be obtained from third-party sources, provided that the third party's collection and provision of personal information complies with the privacy policy and the data subject has been informed of and consented to the relevant circumstances.
Duty to Inform: Before collecting personal information, organizations must clearly and understandably inform data subjects of important information, including the purpose of collection, the type of information collected, how the information will be used, the storage period, whether it will be shared with third parties, and the rights of the data subject. This information is typically provided in the form of a privacy policy statement, pop-up notifications, or information forms.

5. Use of Personal Information
Purpose Limitation: Personal information may only be used for the purpose explicitly disclosed to the data subject at the time of collection. Any use for other purposes requires the prior explicit consent of the data subject, and the new purpose must be reasonably related to the original purpose. Common purposes include providing products or services, fulfilling contractual obligations, conducting customer relationship management, conducting market research and analysis, and ensuring information system security.
Data Processing: When processing personal information, organizations must employ secure and reliable technologies and methods to ensure the accuracy, integrity, and confidentiality of the data. This processing includes, but is not limited to, data storage, retrieval, modification, deletion, analysis, and transmission. All operations must comply with relevant data protection regulations.

6. Storage of Personal Information

Storage Period: Personal information should be stored for the minimum period necessary to achieve the purpose for which it was collected, unless otherwise required by law or the data subject explicitly consents to a longer storage period. Once the storage period expires or the relevant information is no longer necessary for the intended purpose, organizations must promptly delete or anonymize the data.

Storage Security: Organizations are responsible for implementing appropriate technical and organizational measures to protect stored personal information from unauthorized access, destruction, alteration, or disclosure. This includes using encryption to store sensitive data, establishing strict access control mechanisms to restrict data access to authorized personnel, regularly backing up data and testing recovery processes, and deploying network security measures such as firewalls and intrusion detection systems.

7. Sharing and Disclosure of Personal Information

Internal Sharing: Within an organization, personal information may only be shared between departments and personnel necessary to achieve the intended business purpose. These internal recipients are also bound by this Privacy Policy and must strictly adhere to the personal information protection obligations.

Third-Party Sharing: Before sharing personal information with third parties (such as partners, suppliers, and service providers), organizations must obtain the data subject's explicit consent, unless law permits sharing without consent in specific circumstances. Before sharing, organizations should enter into a legally binding data protection agreement with third parties, clearly defining the third party's purpose of use, processing methods, protection obligations, and liability for breach of contract, to ensure that the third party's level of protection for personal information is no less stringent than that required by this Privacy Policy.

Disclosure: Organizations may disclose personal information in specific circumstances, such as when required by law (e.g., in response to a court subpoena, law enforcement investigation, etc.), to protect the public interest, or to protect the legitimate rights and interests of the organization or others from significant harm. However, they should limit the scope and content of such disclosure to the extent permitted by law and, where possible, provide advance notice to the data subject.

8. Data Subject Rights

Right to Know: Data subjects have the right to be informed of the collection, use, storage, and sharing of their personal information. Organizations should provide relevant information to data subjects in a timely and accurate manner in accordance with regulations.

Right of Access: Data subjects have the right to access their personal information processed by the organization, including obtaining a copy of the information and detailed information such as the source, purpose of use, and third parties with which the information has been shared.

Right to Correction: If a data subject discovers that their personal information is inaccurate or incomplete, they have the right to request that the organization correct it. The organization should verify and make the appropriate corrections within a reasonable timeframe.

Right to Erasure: Under legally mandated circumstances, such as when personal information is no longer necessary for the purpose for which it was intended, when the data subject withdraws consent, or when personal information is unlawfully processed, data subjects have the right to request that an organization delete their personal information. The organization should promptly delete the information unless legally required to retain it.
Right to Restrict Processing: Data subjects have the right to request that an organization restrict the processing of their personal information in certain circumstances. For example, if there is a dispute regarding the accuracy of the information, the organization should suspend all processing activities other than storage until the dispute is resolved.
Right to Data Portability: Where technically feasible, data subjects have the right to access their personal information stored in a structured, commonly used, machine-readable format and to transmit it to another data controller. Organizations should provide necessary assistance to fulfill this right.
Right to Object: Data subjects have the right, based on their specific personal situation, to object to processing of their personal information based on legitimate interests or the public interest, unless the organization can demonstrate compelling legitimate grounds for continuing the processing that override the interests of the data subject.

9. Privacy Policy Updates and Notifications
Update Mechanism: The EU Privacy Policy may be updated from time to time in response to changes in laws and regulations, business developments, and technological advancements. Organizations have a responsibility to closely monitor policy changes and promptly adjust their privacy policies and data processing practices to ensure ongoing compliance.

Notification Obligation: When significant changes to privacy policies occur, organizations must promptly notify data subjects. Notification methods include prominently posting notices on websites, sending email notifications, and sending in-app push notifications, so that data subjects are promptly informed of policy changes and, if necessary, new consent is obtained.

10. Supervision and Enforcement
Regulatory Authorities: Each EU member state has a dedicated data protection regulator responsible for overseeing and enforcing privacy policies. These authorities have the authority to inspect and investigate organizations' data processing activities and impose penalties for violations of privacy policies, including fines, orders to rectify violations, and restrictions on data processing activities.

Complaints and Remedies: If a data subject believes their personal information rights have been infringed, they may file a complaint with the relevant data protection regulator or seek legal redress, demanding that the organization assume appropriate legal liability, such as compensation for losses or cessation of infringing activities. Organizations should also establish internal complaint handling mechanisms to promptly respond to and address complaints and inquiries from data subjects.