1. ABOUT THIS PRIVACY NOTICE
Médecins Sans Frontières Hong Kong (“MSFHK”, “we”, “our”, “us”) respects your personal data privacy when collecting, using, processing, storing, transferring and destructing personal data. This Privacy Notice (“Notice”) explains our policies and practices, and applies to information collection and use, including but not limited to, while you are visiting and using our websites and other offline channels.
It is written in accordance with relevant data protection laws in force including but not limited to the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) and European Union General Data Protection Regulations. “Personal Data” means information directly or indirectly relating to you or other identifiable individual. When we collect personal data from individuals, we will provide them with a Personal Information Collection Statement ("PICS"), or by a separate notification, on or before the collection in an appropriate format and manner.
Please read the following carefully to understand our policy and practices on how your Personal Data will be collected and processed. By providing your Personal Data to us, you are consenting to this Notice, and the collection, use, transfer, storage and processing of your Personal Data as mentioned in this Notice.
If you are under the age of 18, you must have a representative, e.g. parent or guardian, accepting this Notice on your behalf before providing any Personal Data to us.
If you’ve any questions please contact us at firstname.lastname@example.org
2. When do we collect information about you?
We collect your personal data and other information:
- when you give it to us directly
- when you give it to us indirectly
- when you give it to us via social media/social networking sites
- when you use our websites, apps or web forms, through cookies
You may give us personal information directly when you donate, sign up for one of our events, apply for employment or volunteer opportunities, communicate with us, sign up for email newsletters and leave a comment/message on our social media accounts etc. Typically, we collect your Personal Data in the following ways. Please note that the ways below are indicative only and non- exhaustive:
- when you contact MSFHK through our website, telephone call or in person;
- when you email us your comments, feedback, opinion or suggestions;
- when you update your information by post, fax, email, phone or through our website;
- from your physical form for application of association member;
- when you apply for volunteer recruitment through our website, physical form, or by invitation letter or email;
- from your completion of donation forms;
- from your completion of our donor surveys or other survey, organized by MSFHK;
- during our street fundraising activities;
- during our fundraising telemarketing calls;
- when you make a donation;
- when you enroll to our fundraising and public events;
- in the course of your establishing or maintaining a donor/supporter relationship with us;
- when you register an account for set-up of a fundraising web page for MSFHK;
Communications and Events Related
- when you register to participate in a discussion on our bulletin boards, forum or social media on our website; and/or
- when you subscribe to MSFHK newsletter and publication;
- from any public petitions organized by MSFHK and/or MSF International office;
- when you register to participate in MSFHK activity through our website or on-site;
Human Resources Related
- when you apply for any positions in the MSFHK or MSF missions;
We may get your personal information via a fundraising organization or platform if you’ve told them that you’re supporting MSFHK and with your consent. Please check their privacy policies when you give them your information.
We may get information about you from your social media accounts or networking sites. Facebook and Twitter are examples. We can do this if you’ve set your account settings to give us permission. Please check your settings and their privacy policies for more details.
PLUGINS OF SOCIAL MEDIA
If you use any social media platforms, either via our website, or otherwise through a social media provider, we may access and collect information about you via that social media provider according to their policies. Such information may include that you have chosen to disclose in your social media profile or account. You may change your privacy settings of the social media account to limit or block our access to the aforesaid information.
Like most websites, we use “cookies” to identify you when you visit our website. Our websites may contain links to other sites that may use cookie technology. We do not have access to, or control over, these cookies.
What are cookies?
Cookies are small text files that are transferred from the website to your computer, phone or tablet. Websites store cookies on your internet browser (Chrome, Firefox or Internet Explorer, for example) when you visit. Every time you return to the site and navigate around it picks up these bits of information. There are several types of cookie and they each have different functions and uses. Some cookies can be really helpful and most websites rely on them in order to work properly and to understand what their users do when they visit.
Types of cookies
The four categories, from the least to the most intrusive, are:
a) Strictly necessary. These cookies let you move around the website and use areas like the donate form, log in and e-news sign up. They don't gather information about you that could be used for marketing or remember where you've been on the internet. These cookies only last until you close your browser.
b) Performance. These cookies help us understand how you use our website and if users have had any problems. They also let us know if you see one of our adverts online or click on our banners.
The information they gather is anonymous. We only use the information to improve the way the Website works.
c) Functionality. These cookies remember any choices you've made on a website. This could be changing the text size, preferences or colour. They can also remember if you've already completed a survey. They can’t track you on other websites.
d) Targeting. These cookies collect info for third parties and remember what you looked at on a website. They’re used for things including ‘Like’ and ‘Share’ buttons, as well as online advertising. Do you see ads for things you've looked at online appear on random websites? It's because of targeting cookies.
What cookies do we use?
- Google Analytics
We use Google analytics to see how our site is performing e.g. what articles are read, how many donations we receive and where visitors come from. The full list of Google Analytics cookies are below.
- Google Optimize
We use Google Optimize to help us understand how visitors engage with our website, e.g. which page designs work or what routes visitors take to apply for a job.
- Google Adwords
We use Google Adwords to help us create more targeted adword campaigns, these are the adverts you see in search results.
We use Facebook to see if our paid Facebook campaigns are effective. It also helps us find out if we’re talking to the right people. This is done in accordance with Facebook’s policies. Please check your settings and their privacy policies for more details.
You can control and/or delete cookies at any time. You can also get rid of all the cookies already on your computer. Most web browsers automatically accept cookies, but you should be able to change your browser to prevent that. If you want to know how to do this please look at the help menu on your web browser. Instructions on how to do so will vary from browser to browser but you can find out more information at www.aboutcookies.org.
3. What information do we collect?
Personal data that we may collect from you:
- Date of birth
- Email address
- Phone/ Fax number
- Hong Kong ID card number ("HKID")
- Passport number
- Organization's name (if applicable)
- Credit card or other payment information
- IP Address
When you donate, we may also collect your bank or credit card details in compliance with the PCI Compliance Regulations.
We may also collect Sensitive Personal Data when you apply for field work in MSF missions.
4. How do we use your information?
As a general rule, your personal data will not be used for any other purpose than that for which they were voluntarily provided to us. Your personal data are shared or transferred to third parties if such sharing or transfer is authorized by you, required by any applicable laws or necessary to achieve the purposes for which you have provided them to us. It means that we may share your personal data with service providers, co-organizers, statutory, governmental or regulatory bodies who help assist us in fulfilling our purposes. For instance, by registering to our newsletter, you consent that your personal data (including but not limited to your name and email) will be processed for the purpose of sending you emails. Personal data may also be shared with third parties when required by any applicable laws or by a court order.
Your Personal Data may be used in the following ways, although these situations are not exhaustive:
- conduct fundraising activities;
- process any donations made by you;
- conduct donor surveys;
- conduct market research and for direct marketing purposes, described in more detail under the "Direct Marketing" section below;
- issue receipts for your donation;
- foster communications between you and MSFHK;
- for any purposes in connection with any claims made by or against or otherwise involving you in respect of any fundraising activities organised or held by us including, without limitation, to make, defend, analyse, investigate, process, assess, determine or respond to such claims;
- exercise any rights we may have in connection with our fundraising activities from time to time;
- comply, where reasonably necessary, with any court orders, law, rules, regulations, codes of practice, guidelines or requests binding on us, including without limitation to make disclosures of your Personal Data to regulators, governmental bodies, tax authorities or industry recognized bodies, all of which may be within or outside the HKSAR; and/or
- for any purposes relating to the above or any other purposes in accordance with this Notice and other policies in relation to our fundraising activities as set out in any notices or other terms and conditions made available by us to you from time to time.
- Collect information and contact details with crowd-sourced information to support ERSU’s needs for improved information management in emergencies or during disasters.
Save for the aforementioned ways, we will only use your personal information where the law allows us to. We use your personal information only where:
a. we need to perform the contract we have entered into (or are about to enter into) with you, including to operate our services, to provide customer support and personalised features, and to protect the safety and security of our websites;
b. it satisfies a legitimate interest which is not overridden by your fundamental rights or data protection interests, for example for research and development, and in order to protect our legal rights and interests
c. you've given us consent to do so for other specific purposes; or
d. we need to comply with a legal or regulatory obligation.
If you have given us consent to use your personal information for a specific purpose, you have the right to withdraw your consent any time by contacting us, but please note this will not affect any use of your information that has already taken place.
How we use your data depends on why you are providing it
ONLINE/OFFLINE FORMS AND FEEDBACK
We’ll use your personal information to respond to your questions, requests and register you for events.
We use surveys to understand who visits our websites and how they use it, helping us to create better content for you and make our websites easier to use.
We may ask for your email address if you’re happy to be involved in future surveys or testing. We’ll only use this to ask you to help us with these types of requests.
We use your information to process and keep a record of your donation, in accordance with the relevant legislation on data retention. We also use your data to provide you with the tax documentation you need.
From time to time, we may use your Personal Data (including your name, contact details, demographic information, information collected from donor survey, and donation history to provide you with emails, updates, invitations, newsletters, phone calls or text messages about our fundraising events and initiatives, to invite you to make a donation and/or to invite you to participate in donor survey, but only if you consent to our doing so when we collect your Personal Data.
Even if you have given us your consent to use your Personal Data for direct marketing purposes, you may withdraw your consent at any time free of charge by emailing to email@example.com or following the instructions on how to unsubscribe which are contained in all of our email newsletters. The withdrawal of your consent will be processed and will take effect as soon as possible.
We may use publicly available information from your profile to target you with specific posts that may interest you. We’ll never ask for personal or sensitive information on social media. We may repost or share your posts on social media if it relates to MSFHK and our work. We may respond to questions, queries or comments left on our social media channels. We may use information found on your profile to help us answer these.
Check your social media accounts if you want to change the information you make public. Our websites use sharing buttons which share our web pages to social media platforms. Use these buttons at your own discretion. Social media platforms may track these shares through your accounts.
RECRUITMENT & EMPLOYMENT
When you apply for employment or volunteer position in MSFHK or MSF missions, personal data submitted will be used solely for recruitment purposes include identifying job applicants, evaluating applications, making employment/appointment decisions, background or integrity checks, employer references, and contacting you by phone, email or in writing). If application is successful, your personal data will be stored in our personnel records wherever the applicable laws allow.
5. Who has access to your data?
Your information is only accessible by trained personnel, including employees and volunteers. We regularly review who has access to your information. As a general rule, your personal data will only be accessible insofar as it is necessary to fulfill the purpose for which it was collected. For instance, the data you provided for donations will be accessible to our donations department, our fundraising and marketing team and to service providers, if any, for the purpose of processing your donation or related matters. We do comprehensive checks on any contractors before we work with them. We always put a contract in place that sets out how they manage the personal data they collect or have access to.
We may use other service providers or companies to help us manage and store personal data and to carry out certain activities on our behalf. Our main data processors' services are listed below, but we may enlist the services of others from time to time:
- Data input companies: Input the physical forms into the system
- Fundraising service companies: Perform face to face, phone call and web fundraising
- Marketing mailing service companies: Send out direct marketing mails to our supporters
- Database service companies: Store and process the data of our data subjects
- Transaction and donation processing companies: Process the donation transaction payment for fundraising
We operate globally and may have a need to transfer certain data with countries outside Hong Kong Special Administrative Region. In the event the country where the data is transferred does not provide an adequate level of protection, we shall use our best endeavor to implement technical and organizational measures to protect your data.
If you are located in the European Economic Area (“EEA”) or EU citizen, your personal data may be transferred to countries located outside the EEA which do not provide a similar or adequate level of protection to that provided by countries in the EEA. Such transfers will only be made in accordance with applicable laws including where necessary for us to comply with our legal or contractual obligations with you. We will take all steps reasonably necessary to ensure that any personal data are treated securely and in accordance with this Notice.
Should you have any questions in this respect we please contact us at firstname.lastname@example.org.
6. HOW WE SHARE INFORMATION WE COLLECT
We may share personal information with third parties (including social media) for research, donation analysis, marketing, profiling and/or other similar purposes to help us improve our services.
If you use any third-party software in connection with our services, for example any third-party software that our website integrates with, you might give the third-party software provider access to your account and information. Policies and procedures of third-party software providers are not controlled by us, and this policy does not cover how your information is collected or used by third-party software providers. We encourage you to review the privacy policies of third-party software providers before you use the third-party software.
Our website may contain links to third-party websites over which we have no control. If you follow a link to any of these websites or submit information to them, your information will be governed by their policies. We encourage you to review the privacy policies of third-party websites before you submit information to them.
We may share your information with government and law enforcement officials to comply with applicable laws or regulations, for example when we respond to claims, legal proceedings, law enforcement, or national security requests.
7. How do we keep your information safe?
We use appropriate technical and organizational measures and precautions in order to protect your personal data and to prevent the loss, misuse or alteration of your personal data. For example, we use industry standard SSL certificates in our websites, it is a global standard security technology that enables encrypted communication between the web browser and the web server.
We have adopted the following measures to protect the security and integrity of your personal information:
(a) access to your personal information is restricted to personnel or service providers on a strictly need-to-know basis, who will only process your information on our instructions and who are subject to a duty of confidentiality; and
(b) our information collection, storage, and processing practices are reviewed regularly.
We have put in place procedures to deal with any suspected privacy breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
While we implement safeguards designed to protect your information, please note that no transmission of information on the Internet is completely secure. We cannot guarantee that your information, during transmission through the Internet or while stored on our systems or processed by us, is absolutely safe and secure.
We only retain personal information for so long as it is reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We periodically review the basis and appropriateness of our data retention policy.
8. How long do we keep your information?
We keep your information for as long as it’s necessary in connection with the purposes defined above in “How do we use your information?” and for the purpose of providing you with your tax receipt. For instance and as a general rule, we keep your email for the purpose of sending you a newsletter until you unsubscribe.
If you request to receive no further contact from us, we'll keep the basic information about you on our suppression list in order to avoid sending you unwanted materials in the future, for the duration allowed by the applicable legislation.
9. Our legal basis for processing personal data
We need a lawful basis to collect and use personal data under data protection law. The law allows ways to process personal data (and additional ways for sensitive personal data). Below are relevant to the types of processing that MSFHK carries out:
- A person’s consent (e.g. to send you direct marketing by e-mail or SMS);
- Necessary for the performance of a contract
- Processing that is necessary for compliance with a legal obligation; and
- Our legitimate interests (please see below for more information).
Our legitimate interests include:
- Charity Governance; including delivery of our charitable purposes, statutory and financial reporting and other regulatory compliance purposes.
- Administration and operational management; including responding to solicited enquires, providing information and services, research, events management, the administration of volunteers and employment and recruitment requirements.
- Fundraising and Campaigning; including administering campaigns and donations, and sending direct marketing and thank you letters by post.
10. YOUR DATA PRIVACY rights?
Visiting our websites, you acknowledge the collection and use of your personal data by us as outlined in this Notice. If you do not agree with the use of your personal data as set out in this Notice, please do not provide any personal information or use our websites.
Under the Hong Kong Personal Data (Privacy) Ordinance (Cap.486), subject to certain limitations and/or restrictions as stipulated by the laws, you may have the right:
- To check whether we hold personal data about you and to access such data;
- To require us to correct any inaccurate data;
- To ascertain our policies and practices in relation to personal data and the kind of personal data held by us.
If you are in an EU Member State or EU citizen, subject to certain limitations and/or restrictions, you may have the following rights under the data protection laws in the EU:
- To request access/rectification/erasure of your personal data;
- To obtain restriction of processing or to object to processing of your personal data;
- To obtain the right of data portability;
- To be informed of what we do with your personal information;
- To request a copy of personal information we hold about you;
- To require us to correct any inaccuracy or error in any personal information we hold about you;
- To request erasure of your personal information (note, however, that we may not always be able to comply with your request of erasure for record keeping purposes, to complete transactions, or to comply with our legal obligations);
- To object to or restrict the processing by us of your personal information (including for marketing purposes);
- To request to receive some of your personal information in a structured, commonly used, and machine-readable format, and request that we transfer such information to another party; and
- To withdraw your consent at any time where we are relying on consent to process your personal information (although this will not affect the lawfulness of any processing carried out before you withdraw your consent).
You may opt out of receiving marketing materials from us. Please note, however, that even if you opt out from receiving marketing materials from us, you will continue to receive notifications or information from us that are necessary for the use of our services.
As a security measure, we may need specific information from you to help us confirm your identity when processing your privacy requests or when you exercise your rights.
Any request as mentioned hereinabove will normally be addressed free of charge. However, we may charge a reasonable administration fee if your request is repetitive, or excessive.
We will use our best endeavor to respond to all legitimate requests within one (1) month. Occasionally, it may take us longer than a month if your request is particularly complex or if you have made a number of requests.
Please contact us in the first instance if you have any questions or concerns. If you wish to exercise one of the above rights, please contact us through 22/F Pacific Plaza, 410-418 Des Voeux Road West, Sai Wan, Hong Kong or email@example.com.
Where permitted by law to do so, we may charge a reasonable fee for processing a data access request.
11. When do we update this notice?
We change this Privacy Notice when it is necessary or we need to. If we make any significant changes in the way we treat your personal information we’ll make this clear on our websites. By continuing to use our website or other platform after the changes come into effect, you agree to be bound by the revised Privacy Notice.
Last updated on [4/2021]