PRIVACY POLICY – IRON MOUNTAIN HONG KONG

We respect your privacy, Iron Mountain Hong Kong Limited (referred to as “Iron Mountain” or “We” or “Our” in this Privacy Policy) have developed this Privacy Policy to inform you of how We process and protect the Personal Data that We Collect, Use, or share with third parties. It also covers how Iron Mountain makes the Personal Data it holds available for access to and correction by you.

This Privacy Policy has been drafted having regard to Iron Mountain's obligations under the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (“PDPO”) which includes the Privacy Principles (collectively, the Ordinance). This Privacy Policy is a public document and has been prepared in light of Data Protection Principle (“DPP”)1 (purpose and manner of collection of personal data) and DPP5 (information to be generally available) under the Ordinance.

Please read this Privacy Policy. By using the Iron Mountain Website, or by receiving notification from Iron Mountain of how you may access this Privacy Policy, whether by phone, email or otherwise, you are consenting to the Collection, Use and Disclosure of your Personal Data as set forth in this Privacy Policy.’

1. COLLECTION OF YOUR PERSONAL DATA

1.1 Iron Mountain Collects Personal Data about customers, prospective customers, vendors, prospective vendors, contractors, job candidates, the general public (via Our CCTVs) and Website users which is reasonably necessary for, or directly related to, one or more of Our functions or activities. The Personal Data may be collected through Our Website, over the phone, or otherwise.

1.2 At or before the time, or, if that is not practicable, as soon as practicable after, We Collect your Personal Data, We will notify you of the matters required pursuant to DPP1 – by providing you with this Privacy Policy, or by notifying you of how you may access this Privacy Policy.

1.3 Iron Mountain will not Collect Personal Data secretly or in an underhanded way and will not sell your Personal Data to any third party (except in the course of a sale of the business, etc.).

2. HOW WE USE YOUR INFORMATION AND WHEN WE MAY SHARE IT

2.1 Iron Mountain holds Personal Data which it has Collected for its Primary Purposes, including but not limited to:

  • (a) providing you with the products and services ordered from us or in relation to products or services We order from you;
  • (b) answering your inquiry or job application;
  • (c) sending you additional materials relating to Iron Mountain and services that may be of interest to you;
  • (d) providing you with effective customer service; and
  • (e) for security measures relating to Our services.

2.2 Iron Mountain also holds Personal Data for purposes other than its Primary Purposes (Secondary Purposes). You provide your consent to us using your Personal Data for the following Secondary Purposes:

  • (a) billing and account management;
  • (b) business planning and product development;
  • (c) providing you with relevant information, including promotions, about the products and services of Iron Mountain and its affiliates;
  • (d) enabling us to better understand your needs and interests;
  • (e) improving the content, functionality and usability of Our Website;
  • (f) improving Our marketing and promotional efforts;
  • (g) displaying personalised advertising when you visit Our Website;
  • (h) for any other purpose identified in any other agreement between you and Iron Mountain;
  • (i) issues, news or other information relevant to your dealings with Iron Mountain, or about Iron Mountain generally, or the industries in which you or Iron Mountain operates; and
  • (j) as otherwise described in this Privacy Policy.

2.3 Iron Mountain may Use and/or Share your Personal Data for any Secondary Purposes not included in this Privacy Policy if:

  • (a) the Secondary Purpose is related to a Primary Purpose; and
  • (b) you would have a Reasonable Expectation that We would Use the information for that Secondary Purpose.

2.4 From time to time We may Share your Personal Data with organisations outside of Iron Mountain in order to deliver the services you require or if required for other legal reasons. Your Personal Data is Shared with these organisations in relation to us providing Our services to you or to meet such other legal requirements. These organisations carry out, amongst other services, Our:

  • (a) billing and debt- recovery functions;
  • (b) customer inquiries;
  • (c) information technology services;
  • (d) marketing and communication services (including market research);
  • (e) website usage analysis;
  • (f) to support or facilitate any of those activities described in Points 2.1 and 2.2 herein; and
  • (g) advisers and insurers.

Iron Mountain adopts contractual or other means to prevent:

  • (a) your Personal Data transferred to above organisations from being kept longer than is necessary for the purpose;
  • (b)unauthorized or accidental access, processing, erasure, loss or use of your Personal Data transferred to organisation for the provision of the above services.

Furthermore We will take reasonable practicable steps to ensure that these organisations are bound by confidentiality obligations in relation to the protection of your Personal Data.

3. DIRECT MARKETING

3.1 Iron Mountain only targets businesses with its services. Although Personal Data may be collected from any individual through Our website or otherwise for various purposes (i.e., to download a document, respond to a query or a job application), with respect to direct marketing purposes, We intend to use Personal Data that is collected from individuals in their official capacities and Our promoted services are clearly meant for the use of the targeted business. If these requirements are met, Iron Mountain does not need to obtain consent from this individual and the other provisions of the Act neither apply to Iron Mountain.

3.2 Should We have doubts that the collected Personal Data relates to individuals in their official capacities, We ask for consent for Using and/or Sharing any Personal Data Collected from you for Direct Marketing purposes in accordance with the Act, whether Collected via telephone, the Website, or otherwise, but subject to the terms of this Privacy Policy.

3.3 In each Direct Marketing communication, We will include a:

  • (a) prominent statement appearing on the relevant piece of marketing material notifying you of your right to Opt Out from further Direct Marketing; and
  • (b) simple means for you to Opt Out of receiving further Direct Marketing communications of that kind.

3.4 Should you Opt Out, We will stop Using and/or Disclosing your Personal Data for Direct Marketing purposes.

4. ENSURING INFORMATION IS ACCURATE AND UP-TO-DATE

We take reasonable precautions to ensure that the Personal Data We Collect, Use and Share is complete, relevant and up-to-date.

However, the accuracy of that information depends to a large extent on the information you provide. That's why We recommend that you:

  • let us know if there are any errors in your Personal Data; and
  • keep us up-to-date with changes to your Personal Data. You may change your personal details by using the relevant facility on Our Website or by contacting Iron Mountain via contact details described in Point 12.

5. HOW WE PROTECT YOUR INFORMATION

5.1 Iron Mountain will take reasonable steps to protect your Personal Data from misuse, interference, loss and unauthorised access or disclosure. This may include taking reasonable steps to destroy or permanently de-identify Personal Data once it is no longer needed for any purpose for which it may be Used or Shared in accordance with DPP 2 (accuracy and duration of retention of personal data).

5.2 Iron Mountain will not attempt to match de-identified or anonymous data Collected through surveys or such online devices as "cookies", with information identifying an individual, without notifying the relevant individual.

5.3 Iron Mountain requires employees and contractors to perform their duties in a manner that is consistent with Iron Mountain' legal responsibilities in relation to privacy, including those in this Privacy Policy.

5.4 Iron Mountain will take reasonable steps to ensure that Personal Data is only accessible by people who have a genuine "need to know" as well as "right to know."

6. HOW YOU CAN ACCESS OR CORRECT YOUR INFORMATION

6.1 Iron Mountain will permit Our records containing your Personal Data to be accessed by you when required by the Ordinance. We may, however, refuse to provide you with access to your Personal Data if one or more of those matters contained in the Ordinance -circumstances in which data user shall or may refuse to comply with data access request)– applies, including but not limited to instances in which:

  • giving access to the information would have an unreasonable impact on the privacy of any other individual;
  • insufficient information was provided to locate the personal data to which the request relates;
  • the request is not in writing in the Chinese or English language;
  • giving such access will be unlawful for other reasons.

6.2 If Iron Mountain is satisfied that:

  • (a) having regard to the purpose for which the information is held, the information is inaccurate, out of date, incomplete or irrelevant or misleading; or
  • (b) you (as the person to whom the Personal Data relates) request that We correct the information. We will take reasonable steps to correct Our records containing your Personal Data as soon as practically possible in accordance with the Ordinance.

6.3 If We have refused to grant you access to your Personal Data in accordance with Point 6.1 above, We will still take all reasonable steps to provide you with access to your Personal Data in a way that meets both your needs and our needs.

6.4 If you:

  • (a) wish to lodge a request to access and/or correct your Personal Data; or
  • (b) have been refused access to your Personal Data by us for any reason described in this Privacy Policy and you wish to challenge that refusal; you may do so by contacting the Privacy & Compliance Team as per the details in Point 12.

6.5 Iron Mountain will not charge a fee for processing an access request unless the request is complex or is resource intensive. Iron Mountain does, however, reserve the right to charge an administration fee if an individual requests access to their Personal Data more than once in a three month period.

6.6 Where Iron Mountain offers online account management facilities, customers can use this capability to control aspects of their account, including amending or updating certain Personal Data.

7. OPENNESS

7.1 Iron Mountain’s Data Protection Officer will be the first point of contact for inquiries about privacy issues. If you wish to make an inquiry or complaint regarding your privacy, you should contact this person as per the details in Point 12.

7.2 You will find that the Iron Mountain’s Website contains a copy of this Privacy Policy.

8. STAYING ANONYMOUS

8.1 Iron Mountain will not make it mandatory for visitors to Our Website to provide Personal Data unless such Personal Data is required to answer an inquiry or provide a service. Iron Mountain may however request visitors to provide Personal Data voluntarily to Iron Mountain (for example, as part of a competition or questionnaire).

8.2 Iron Mountain will allow you to transact with us anonymously or by using a pseudonym wherever that is reasonable and practicable.

9. TRANSFERRING PERSONAL DATA

9.1 If we send Personal Data out of Hong Kong, Iron Mountain will take steps which are both reasonable and practicable to ensure that the recipient handles such information in accordance with the Ordinance.

9.2 Iron Mountain may Share Personal Data with a recipient without complying with 9.1 if:

  • (a) you are Expressly Informed of the intended disclosure of your Personal Data to the recipient, and you consent in writing; or
  • (b) we reasonably believe that the recipient is subject to a law or a binding scheme that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Ordinance seeks to protect same and you can access mechanisms to enforce the protection of your Personal Data under that law or that scheme; or
  • (c) we exercised due diligence to ensure that the Personal Data will not be treated in a manner which will contravene the Ordinance.

10. CHANGES TO THE PRIVACY POLICY

Iron Mountain may, in its sole discretion, update this Privacy Policy at any time and from time to time. Any changes will be effective when posted on Our Website. Your continued use of Our Website will indicate your acceptance of any changes to the Privacy Policy. All Personal Data, Collected both before and after any changes take effect, will be subject to the terms of the then current policy, for which you will be taken to have provided consent, unless you indicate otherwise by contacting the Privacy & Compliance Team as per the details in in Point 12. We encourage you to refer back to this page and especially prior to providing us with any Personal Data.

11. GLOSSARY

Collect means gather, acquire or obtain by a lawful and fair means, information in circumstances where the individual is identifiable or identified.

Direct Marketing involves the Use and/ or Sharing of Personal Data to communicate directly with an individual to promote goods or services through written, verbal or electronic means of communication for the company that the individual is acting for and behalf of. The goods or services which are marketed may be those of Iron Mountain or those of an independent third party organisation on behalf of Iron Mountain.

Sharing generally means the release of information outside Iron Mountain, including under a contract to carry out an "outsourced function."

Expressly Informed means the circumstance where we have provided you with a clear statement (either verbal or in writing) of the fact that that we will not be accountable under the Ordinance and you will not be able to seek redress under the Ordinance in the event that you provide consent to the disclosure of your Personal Data by us to a recipient outside of Hong Kong and this recipient handles your Personal Data in breach of the Ordinance.

Opt Out means an individual's expressed request not to receive Direct Marketing communications.

Iron Mountain means Iron Mountain Hong Kong Limited

Personal Data means any data (a) relating directly or indirectly to a living individual;(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable. This includes, but is not limited to, an individual’s name, address, telephone number and email address.

Primary Purpose is the main reason for the Collection of any Personal Data.

Reasonable Expectation means an individual's reasonable expectation that their Personal Data might be Used or Shared for the relevant purpose.

Secondary Purpose means a purpose of Use or Disclosure other than a Primary Purpose.

Use means the handling of Personal Data within Iron Mountain.

Website means the website of Iron Mountain and related webpages.

12. CONTACTING IRON MOUNTAIN

If you have questions concerning this Privacy Policy, please contact the Privacy & Compliance Team via email at www.compliance@ironmountain.com.

You can obtain further information about your privacy rights and the Ordinance from the Office of the Privacy Commissioner for Personal Data by visiting their web site at www.pcpd.org.hk.

This Privacy Policy was last updated on 23 December 2014.