1.BACKGROUND

GP Batteries International Limited (“the Company”) strives to ensure compliance with the strictest standards of security and confidentiality in protection of its employees’ and job applicants’ personal data.  The Company is therefore adopting a strict confidentiality policy in accordance with current regulations, and will ensure that it is enforced.

In the context of this Data Protection Charter for Human Resources (hereinafter the “Charter”), “we” and “our” refer to any company of GP Batteries International Limited, to the entity by which you are employed on the date of receipt of this document, or to the entity offering the position to which you are applying. The Company is subject to applicable rules governing data protection, and particularly General Data Protection Regulation no. 2016/679 of 27 April 2016 (known as “GDPR”) and, on a subsidiary basis, all the national legal rules enacted pursuant to that regulation. For this reason, we have developed and introduced this Charter, which clearly, simply and fully describes the way in which the Company, in its capacity as Data Controller, collects and uses your personal data in accordance with the GP Batteries’ Data Protection Principles (which are the core principles of the Company) serving as the tools to monitor such use and exercise your rights in that regard.

Regarding the personal data collected for hiring, through Human Resources Department and its respective recruitment channels (including third party recruitment agencies), the Data Controller is GP Batteries International Limited, with its head office located at 7/F, Building 16W, 16 Science Park West Avenue, Hong Kong Science Park, New Territories, Hong Kong.

“Personal Data” (hereinafter “Data”) means any information collected and recorded in a format allowing you to be identified personally and as an individual, whether directly (including but not limited to name, Identification Number, Passport Number, mobile number, e-mail addresses, etc.), or indirectly (e.g. your home / work telephone number).

“Data Subject” refers to any identified or identifiable natural person.  An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Data Controller” means GP Batteries International Limited which determines the purposes and means of the processing of your Data.

“Data Processor” means the entity which performs any operation on your Data, from the point of collection up to and including the final destruction or deletion of the data.

“Special Category of Personal Data” is a category of personal information of data subjects that is especially sensitive, the exposure of which may significantly impact the rights and freedoms of data subjects and potentially be used against them for unlawful discrimination. It includes the following information:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic and biometric data (processed for the purpose of uniquely identifying a person)
  • data concerning health
  • data concerning a person's sex life or sexual orientation
  • any criminal conviction data


2. ACCEPTANCE OF THIS DATA PROTECTION CHARTER FOR HUMAN RESOURCES

You must read this Charter carefully to ensure that you are properly informed as to the nature of the personal data that GP Batteries International Limited holds on its employees and on applicants for positions within the Company, and regarding the way in which such information is used.

By agreeing to apply any position within the Company, or by agreeing to enter into your employment contract with the Company, you expressly agree to this Charter, which will provide you with Data rights according to the applicable legal provisions.  



3. GP BATTERIES' DATA PROTECTION PRINCIPLES

GP Batteries’ Data Protection Principles, which apply to the Company, are set out below.

  1. Legality, Fairness and Transparency: When your Data is collected and processed, the Company will inform you of the purpose of the processing, of the addressees of the data, of any data transfers, of the period of retention of your Data and of your data rights.
  2. Legitimacy: Data are only collected and processed for the purposes described in this Charter. No subsequent processing will take place which is incompatible with the purposes expressly described.
  3. Minimization, Relevance and Accuracy: Only Data required to be processed are collected. The Company will take all reasonable steps to keep Data up-to-date and to ensure that inaccurate Data are deleted or corrected.
  4. Retention: We will keep your Data for the time necessary for the purposes of data processing, in accordance with the provisions of this Charter and the requirements of local laws.
  5. Access and Correction: You have the rights of accessing, amending, correcting or deleting your Data. Details of the department to contact for this purpose are provided below.
  6. Confidentiality and Security: We will put reasonable technical and organizational measures in place to protect your Data against tampering, accidental or unlawful loss or unauthorized disclosure or access.
  7. International Sharing and Transfers: We may share your Data within the Company or with third parties (such as business partners and service providers) for the purposes set out in this Charter. We will take appropriate steps to guarantee the security of such sharing and transfers.

 

4. SCOPE

This Charter applies to:

      1. All personnel working for the Company, namely:
        1. Full-time / Part-time employees of the Company; or
        2. Any person engaged (directly or indirectly) in a mission for the Company including temporary, contract or agency staff and contractors, consultants, interns, suppliers and data processors working for, or on behalf of the Company; and
          1. Job applicants for a position with the Company.


        5. DATA COLLECTED BY THE COMPANY

        To the extent allowed by local laws, we collect, process and keep the data concerning you and your family and relations, such as:

        In the Context of the Recruitment Process:

        Full name, date of birth, photos, contact details (personal e-mail address, personal telephone number), Identification Number, Passport Number, nationality, residential address, professional & academic qualifications, employment records, language abilities, criminal records, referee contact details (full name, contact number), and resume (detailing your professional experience and, if applicable, continuing education).

        In the Context of Human Resources Management:

        Identifying Information: Full name, date and place of birth, nationality, Identification Number, Passport Number, country of issue of passport, contact details (residential address, personal telephone number, e-mail address and the full name and telephone number of the emergency contact), copy of an identity document, bank account details, copy of bank passbook or ATM card.

        Family Situation: Marital status, copy of supporting document for marital status which may contain: full name, date of birth and Identification Number of your spouse or partner; full name, sex, Identification Number / Birth Certificate Number and date of birth of any children.

        Transport / Business Travel: Any information relating to the means of transport used by an employee, for the purposes of reimbursement of travelling expenses or the arrangement of business travel.

        Copy of the driving license and annual solemn declaration of driving license validity (for employees benefiting from a company car).

        Training: Period of training and number of connections to online training tools.

        Training and Career Development: Academic and training certificates, foreign languages spoken, curriculum vitae (detailing your professional experience and, if applicable, continuing education), situation in terms of mobility and career planning, monitoring of the annual performance assessment.

        Professional Life: Part-time or full-time employment contract, commencement date, contract termination date, directorate, immediate superiors, employee identification number, job title, telephone number and e-mail address, job description, absences (for example, sick leave, maternity leave, paternity leave) and paid leave (if applicable), evidence for authorized absences (e.g. marriage certificate, medical certificate), medical records for specific roles (e.g. Drivers, Cleaners, Café Staff), etc.

        Salary Records: Records of salary income, compensation and benefits information, provident fund contributions, bank account details, job grade, tax deductions and withholding taxes, etc.

        Any Data for the Company’s Local Law Compliance: Any Data that the Company must collect with its obligations as employer pursuant to local laws.

        Video Surveillance and Access Badge Monitoring Data: For the sake of security, the Company has set up video surveillance and access control systems at open office areas of our premises which enable it to collect and process Data about you such as video recordings, access details and information on the time of collection.

        Your Use of the Company’s IT System: The manner in which your Data are collected and processed in the context of your use of the Company’s IT system is set out in the Data Process and Storage Security Policy upon joining of the Company.

        Any Other Additional Data: Data that the Company needs to manage the employment relationship or that you provided to the Company when you applied for a position at the Company (e.g. curriculum vitae or application letter, assessment report by third party recruitment consultants or reference check by former employers).



        6. SPECIAL CATEGORY OF PERSONAL DATA COLLECTED BY THE COMPANY

        1. The Company may collect and process particular category of Data about you.

        2. The Company must not disclose their employees’ employment-related data to a third party without first obtaining the employees’ consent, unless such disclosure is for purposes directly related to their employment, or such disclosure is required by law or by statutory authorities (e.g. for tax assessment / collection purposes or criminal investigation).

        3. The Data Protection Officer (“DPO”) should be notified (whose details are set out below) if any of the following sensitive data is collected:
          • data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
          • trade union membership
          • genetic data and / or biometric data for the purpose of uniquely identifying a natural person 
          • data concerning health or data concerning a natural person’s sex life or sexual orientation
          • data relating to criminal convictions and offences of related security measures


        7. CHANNELS OF DATA COLLECTION

        Your Data may be collected via various means, including but not limited to:-

        1. In the Context of the Recruitment Process:
          1. Career Section on the Company’s website;
          2. Job advertisement or recruitment portal;
          3. Any other means of recruitment, including third party recruitment consultants, referrals from employees, job interviews, contacts with former employers;

        2. In the Context of Human Resources Management:
          1. Interview with Human Resources personnel in person or electronically
          2. Assessment made in person or electronically 
          3. Evidence relating to travelling expenses
          4. Data relating to welfare benefits, health, pension and retirement plans, etc. 
          5. Internal and international mobility at the Company 
          6. Security measures (e.g. CCTV installed at the Company’s premises, information collected by door access systems if applicable)
          7. Information provided by third-party service providers (e.g. recruitment service providers) 
          8. Other relevant human resources activities 


        8. PURPOSE OF DATA COLLECTION

        Your Data are collected, processed and kept by the Company for the following purposes, in particular:

        1. In the Context of the Recruitment Process
          1. To perform job applicants screening process;
          2. To enable us to assess their suitability to carry out the job duties 
          3. Other relevant human resources recruitment activities 

        2. In the Context of Human Resources Management
          1. Compliance with applicable local laws and internal policies and procedures (e.g. for the management of obligation in terms of maternity leave, sick leave, payroll) 
          2. Employee’s foreign mobility management (e.g. work visa application) 
          3. Employee compensation and benefits 
          4. Performance and talent management
          5. Training and development
          6. Security and control 
          7. General management (e.g. resource management, budget planning)
          8. Disclosure to relevant authorities (e.g. judicial authorities requests in the context of a judicial investigation) 
          9. Other relevant human resources management activities 


        9. DATA SHARING

        The Company may share your Data with internal or external addressees in the following ways:

        1. Within the Company 
          We may share your Data, where appropriate, with relevant staff within the Company requiring access to them in the context of their tasks at the Company, for the purposes described above in Section 8. For example, relevant staff may refer to your managers and superiors, Human Resources Managers, the staff of IT and Legal Departments, the statutory auditors and accounting managers, the relevant managers of other companies in the Group or in the context of pre-litigation proceedings or litigation.

          We may transfer your Data to addressees internal to the Company, who may be located in countries offering different levels of Data protection. Consequently, the Company is taking appropriate steps, including by means of certain legal clauses and mechanisms, to secure the transfer of your Data outside of the Company or addressees located in countries offering a level of protection that differs from that offered in the country in which the Data are collected.

        2. Third Party Service Providers

          We may share your Data, where necessary, with third party service providers only for the purposes described above in Section 8. We will ask the third party service providers to preserve the confidentiality of your Data and use it only in the context of the task they are performing for the Company.

        3. Local Authorities

          We may share information with local authorities and / or enforcement agents in accordance with the applicable regulations or in the context of internal investigations within the Company.


        10. DATA SECURITY

        The Company has taken appropriate steps, in accordance with the applicable laws, to protect your Data against accidental or deliberate loss or accidental alternation, and against unauthorized disclosure or access. Therefore, technical measures and organizational measures have been put in place to safeguard Data security.



        11. DATA RETENTION

        The Company will only retain your Data for the period necessary for the purposes as set out in this Charter, or as provided by applicable laws. For this purpose, Data Retention Policy have been put in place to set forth the required retention periods for specified categories of personal data and the minimum standards to be applied when retaining and destroying certain data records within the Company.



        12. YOUR DATA RIGHTS

        You have the right to access your Data collected by the Company and to amend them, subject to the applicable legal provisions.

        These rights include:

        1. Right of Access by the Data Subject: You shall have the right to obtain from the Company confirmation as to whether or not your Data are being processed, and, where that is the case, access to your Data and the following information, including but not limited to:-

          1. the purpose of the processing; 
          2. the categories of personal data concerned; 
          3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in other countries or international organizations;

        2. Right to Withdraw Consent: The provision of your consent shall give the Company a lawful basis to process your Data based on consent, until you exercise the right to withdraw your consent to the processing of your Data. Your right of withdrawing the consent could be exercised at any time and the procedure for withdrawing a consent shall be as easy as that for giving it.

        3. Right to Rectification: You shall have the right to obtain from the controller without undue delay the rectification of inaccurate Data concerning you;

        4. Right to Erasure: You shall have the right to ask for your Data to be deleted in certain circumstances;

        5. Right to Restriction on Processing: You shall have the right to object to and ask for restrictions on the processing of your Data in certain circumstances;

        6. Right to Data Portability: You shall have the right to receive the Data you have provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those Data from the Company to another controller without hindrance from the Company to which the Data have been provided, where:-
            1. the processing is based on your consent; and 
            2. the processing is carried out by automated means;

          • Right to Objection: You shall have the right to object, on grounds relating to your particular situation, at any time to processing of your Data which is based on point (e) or (f) of GDPR Article 6(1), including profiling based on those provisions.  

            The Company shall no longer process the Data unless the Company demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims;

          • Right to Complaint – You shall have the right to file a complaint with the DPO (details of which are provided below) if you think that one or more of your rights have been infringed by the Company;

          • You can exercise your rights by contacting us at the email address appearing in the section headed “For more information” below.


          13. UPDATE OF THE CHARTER

          This Charter is subject to changes or amendments. You shall review this Charter regularly as published on the corporate website, or for employees, on the intranet or as displayed on the staff notice board of your establishment.



          14. FOR MORE INFORMATION

          If you have any questions about this Charter, you may send an e-mail to dataoffice@goldpeak.com or contact our DPO as follows:

                   Name                   : Mr. Brian CH Wong
                   Phone Number    : (852) 2484 3470