Statement of Policy
1. Savills Property Services (Shanghai) Company Limited (“Savills”) respects personal data privacy and is committed to implementing and complying with the data protection principles and provisions under the Personal Information Protection Law of the PRC (“PIPL”) and other relevant laws and regulations, hereinafter referred to as “the Laws”.
Statement of Practices
Categories of Personal Data Held
2. Savills holds the following categories of personal data –
The personal data mentioned in this policy refers to various information related to an identified or identifiable natural person recorded electronically or by other means. Some personal information is classified as “sensitive” data under the PIPL, which includes information relating to health, racial or ethnic origin, biometrics, specific identities, financial accounts, whereabouts, religious beliefs or political opinions, sexual orientation, and personal information of minors under the age of 14.
Employment-related records which include data on job applications, personal particulars, education and qualifications, employment history, salary and allowances, terms and conditions of service, housing and medical benefits, leave records, training and development, appraisal reports, conduct and discipline, etc. This involves the information you provide when applying for a position at or accepting a job offer from Savills, such as but not limited to, phone number, email address, bank account information, health status, family situation, and emergency contacts.
General administrative records which include personal data collected in connection with the office administration functions, records containing information supplied by data subjects and collected in connection with the handling of enquiries and complaints made to Savills, etc.; for example, the information of your relatives or close connections, phone number, email address, postal address and facial features collected through a facial recognition system.
Customer records which include personal data collected in the course of handling customers’ membership applications, transactions, property management, complaints and enquiries, etc.; such as phone number, email address, postal address, financial information, certificates of property ownership, your image captured through security cameras, information of your residence and vehicles.
Other records which include administrative and programme records containing personal data.
To avoid any confusion, the personal data listed above are not exhaustive. The specific categories of personal data Savills holds are limited to the information that data subjects provide with express prior consent.
Main Purposes of Keeping Personal Data
3. The main purposes of keeping the personal data are as follows:
Employment-related records are kept for a range of appointments and human resource management purposes, including postings and transfers, training and career development, performance appraisal and promotion, discipline, offer of benefits, etc. Such information consists of your personnel files, based on which Savills may conduct background checks, verify suitability for positions, arrange business trips, provide commercial insurances, and perform file management.
General administrative records are kept for the purposes of carrying out various office administration functions, responding to and taking follow-up actions on enquiries and complaints, etc.; such as but not limited to, confirming if there is any conflict of interest, installing access control system for offices, and carrying out internal investigations when necessary.
Customer records are kept for the purposes of handling customers’ membership applications, transactions, property management, complaints and enquiries, etc.; for example, buying, selling or letting a property through Savills, renting a property that Savills is listing, and becoming a landlord or tenant in a building managed by Savills.
Other records are kept for various purposes, which vary according to the nature of the records, such as subscription to receive research, new or other market updates from Savills, procurement of stores and equipment, organization of activities, etc.
Practices of Personal Data Handling
4. The practices at (a) to (f) below are implemented to ensure that personal data held by Savills is handled in accordance with the data protection principles enshrined in the Laws.
(a) Collection of personal data
5. When collecting personal data, Savills will satisfy the following:
i the purposes for which the data is collected are lawful and directly related to a function or activity of Savills;
ii the manner of collection is lawful and fair in the circumstances of the case; and
iii the personal data collected is necessary but not excessive for the purpose(s) for which it is collected.
6. When Savills collects personal data from an individual, the individual will be provided with a Personal Information Collection Statement on or before the collection in an appropriate format and manner. For minors under the age of 14, a Personal Information Collection Statement will be provided to their parents or other guardians. Separate consent will be sought from an individual where his/her personal data is categorized as sensitive or is to be provided to any party outside the territory of the PRC. Practicable steps will be taken to ensure that –
i the data subject is informed of whether it is obligatory or voluntary for him/her to supply the data and, if obligatory, the consequences for him/her if he/she fails to do so; and
ii the data subject is explicitly informed of the purpose for which his/her personal data is to be used, the categories of the data, the name and contact details of the data processor, the means by which the data is to be processed, the classes of persons to whom the data may be transferred, entrusted, shared or disclosed, the retention period of the data, the rights of the data subject to request access to and correction of the data, and the contact details of the individual to whom any such request may be made.
7. Please be informed that in the following circumstances, Savills is not required to obtain prior consent from the data subject to process his/her personal data:
i The processing is necessary for the conclusion or performance of a contract to which the data subject is a party, or for the implementation of human resources management in accordance with labor regulations established in accordance with law and collective contracts signed in accordance with law.
ii The processing is necessary for the performance of statutory duties or obligations.
iii The processing is necessary for the response to public health emergencies, or for the protection of life, health, and property safety of natural persons in emergencies.
iv The personal data is reasonably processed for news reporting, media supervision, and other activities conducted in the public interest.
v The personal data disclosed by the individual himself / herself or other legally disclosed personal data of the data subject is reasonably processed in accordance with the PIPL.
vi Other circumstances as provided by laws or administrative regulations.
(b) Accuracy and retention of personal data
8. Personal data collected and maintained by Savills shall be as accurate, complete, and up-to-date as is necessary for the purpose for which it is to be used.
9. Savills maintains a personal data inventory, which contains the kinds of personal data that Savills holds; the purposes for which the personal data is collected, used and disclosed; and how the personal data is stored. The personal data inventory will be reviewed on an annual basis to ensure that it is accurate and up-to-date.
10. Personal data will not be kept longer than necessary for the fulfilment of the purpose for which the data is collected or used. Personal data that is no longer required should be erased unless such erasure of personal data is prohibited under any law or it is in the public interest for the data not to be erased. Should there be a need to retain the personal data for statistical purposes, such data will be anonymized so that the individuals concerned can no longer be identified.
11. A destruction exercise on records containing personal data will be conducted as and when necessary and in accordance with Savills records management guidelines and procedures. Destruction of paper records would be carried out by irreversible means and electronic records would be cleared or destroyed from storage media before disposal by means of sanitization or physical destruction.
(c) Use of personal data
12. All personal data collected will be used only for purposes which are directly related to the discharge of Savills’ duties and responsibilities. Personal data collected may be transferred to, entrusted to, or shared with or disclosed to third parties during the discharge of Savills’ functions when necessary and in compliance with Article 21 of the PIPL. Relevant personal data may also be disclosed to other entities which are authorised to receive information for the purposes of law enforcement, prosecution or review of decisions. Data subjects would be informed of the possible transferees of their personal data when their personal data is collected. Sensitive personal data shall be processed by Savills in compliance with Articles 28, 29 and 30 of the PIPL. Savills has also developed specific rules for processing personal data of minors under the age of 14.
13. If personal data is to be used for a purpose other than the purposes for which the data is collected, express prior consent, preferably in writing, would be sought from the data subject concerned. In seeking the data subject’s consent, all practicable steps would be taken to ensure that (i) information provided to the data subject is clearly understandable and readable; and (ii) the data subject is informed that he/she is entitled to withhold his/her consent or withdraw his/her consent subsequently by giving notice in writing.
(d) Security of personal data
14. Savills strictly observes relevant security standards and regulations. Security arrangements will also be reviewed regularly to ensure that personal data is protected against loss and unauthorised or accidental access, use, disclosure, modification and erasure. The security arrangements adopted include but are not limited to the following:
i restriction of access to personal data on a “need-to-know” basis;
ii regular review and enhancement of security measures for protection of personal data in the servers, user computers, transmission of electronic messages, etc.;
iii regular change of passwords for IT facilities, accounting and personnel systems, etc.;
iv encryption of all backup storage devices that are to be transported to offsite storage;
v limited staff access rights to office areas storing confidential information;
vi provision of clear guidelines to staff as to the types of data that may or may not be disclosed to a phone enquirer and implementation of appropriate identity verification procedures to confirm the enquirer’s identity; and
vii other measures required by Article 51 of the PIPL.
(e) Transparency of the personal data policy and practices
15. Privacy policy and practices can be found on the Savills website, mini-program, application, and system.
(f) Privacy rights at Savills
16. Savills recognises an individual’s rights to know, access, correct, transfer, restrict the processing of and delete his/her own personal data in accordance with the PIPL. To exercise these privacy rights, an individual should submit a request to Savills in writing in the following way –
[China Data Protection Officer]
By post or in person: 25/F, Two ICC, No.288 South Shaanxi Road, Shanghai, 200031, China
17. When handling a privacy right request, Savills will check the identity of the requester to ensure that he/she is the person legally entitled to make the request.
18. Savills may impose a fee for the direct and necessary cost of complying with a privacy right request. Savills will clearly inform the requester of the amount to be charged.
19. Savills maintains a Register on Requests for accessing, correcting, transferring, restricting the processing of and deleting Personal Data recording the privacy right requests received.
International Data Transfer
20. Your Personal Data may be transferred to, and processed in, countries other than the country in which you are a resident when any of the conditions listed in Article 38 of the PIPL is met. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not offer the same protection).
21. Our Website servers are located at Amazon Web Services all over the world, and our group companies, affiliated companies and third-party service providers operate globally. This means that when we collect your Personal Data, we may process it in any of these countries.
22. However, we take steps to safeguard your Personal Data in accordance with Articles 39 and 40 of the PIPL and other relevant laws and regulations. Further details about the protection given to your Personal Data can be provided upon request by contacting us using the details herein.
Incident Reporting and Breach Handling
23. A mechanism is set up for incident reporting and breach handling in case there is loss or leakage of personal data, or there is a reason to believe that the personal data held by Savills has been compromised.
Ongoing Monitoring and Review
24. Savills will keep the Privacy Policy and Practices under regular review. Officers responsible for handling personal data will attend relevant training courses and keep up to date with personal data policies.
Cookies and Similar Technologies
Cookies and similar technologies are small text files that are downloaded onto your computer when you visit certain websites and allow a website to recognise a user's computer.
When browsing the Savills website, cookies that are strictly necessary for the performance and function of the website are automatically utilised. Savills will only utilise non-essential cookies if you have provided consent to do so by selecting ‘Allow all cookies’ in the cookies banner.
Language
This Privacy Policy is written in both Chinese and English. In case of any conflict between the two versions, the Chinese version shall prevail.