PRIVACY NOTICE – IRON MOUNTAIN HONG KONG
YOUR PRIVACY IS IMPORTANT TO IRON MOUNTAIN
Iron Mountain Hong Kong Limited (referred to as “Iron Mountain” or “We” or “Our” or “Us” in this Privacy Notice) has developed this Privacy Notice to inform you of how We process and protect the Personal Data that We Collect, Use or Share within Iron Mountain and with third parties. It also covers how Iron Mountain makes the Personal Data it holds available for access to and correction by you as a data subject.
This Privacy Notice has been drafted having regard to Iron Mountain's obligations under relevant and applicable laws, including the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong S.A.R.) (“PDPO”) which includes the Data Protection Principles (collectively, the “Ordinance”). This Privacy Notice is a public document and has been prepared in light of Data Protection Principle (“DPP”) 1 (purpose and manner of collection of personal data) and DPP5 (information to be generally available) under the Ordinance.
Please read this Privacy Notice. By using Our Website, accessing Our services or by receiving notification from Iron Mountain on how you may access this Privacy Notice, whether by phone, email or otherwise, you are consenting to the Collection, Use and disclosure of your Personal Data as set forth in this Privacy Notice. If you are an Iron Mountain customer, there may be additional terms and conditions within your Service Agreement which may take precedence over the terms and conditions of this Privacy Notice.
We may Collect, store and process Personal Data of customers of Iron Mountain’s customers, solely on our customer's behalf and at their direction. For such purposes, We serve as and shall be considered as a data processor and not as a data controller of such Personal Data. Iron Mountain’s customers shall be considered as the data controllers of such Personal Data and are responsible for complying with all laws and regulations that may apply to the collection, use and control of such Personal Data. Iron Mountain’s customers who use Our services in this way are responsible for obtaining any necessary consents and permissions and for providing any privacy notices required for the collection and usage of such information.
1. COLLECTION OF YOUR PERSONAL DATA
1.1 Iron Mountain Collects Personal Data of its individual customers, individual prospective customers, representatives of corporate customers and prospective corporate customers, vendors, prospective vendors, the general public (via Our CCTVs) and Website users which is reasonably necessary for, or directly related to, one or more of Our functions or activities. Iron Mountain may collect information from job candidates as well whom will be provided with a recruitment privacy notice.
1.2 Personal Data may be Collected through Our Website, over the phone, in a customer-facing application or otherwise. On our Website, Personal Data (such as your name, address, telephone number or email address) is collected when you voluntarily submit it through a web form, such as during a request for product information or a download of a study or whitepaper. Other information that may also constitute Personal Data (such as your browser type, operating system, IP address, domain name, number of times you visited the Website, dates you visited the Website and the amount of time you spent viewing the Website) may be collected via cookies and other tracking technologies (such as transparent GIF files). Outside of the Website, Personal Data may also be collected directly by Us or by Our representative when you enter into a contract with Us or contact Us to make enquiries or complaints via telephone, email or by post. We or an Iron Mountain representative may Collect your business contact details and information about your profession or your employees, as well as information about you if you attend meetings, events or conferences that We organise or when you sign up to Our newsletters.
1.3 At or before the time, or, if that is not practicable, as soon as practicable after, We Collect your Personal Data, We will notify you by providing you with access to this Privacy Notice.
1.4 Iron Mountain will not Collect Personal Data secretly or in an underhanded way and will not sell your Personal Data to any third party (except in the course of a sale of the business, etc.).
2. HOW WE USE YOUR INFORMATION AND WHEN WE MAY SHARE IT
2.1 Your Personal Information will not be used for any other purpose than provided by this Privacy Notice. We will use the information you supply:
(a) to answer your specific inquiry or respond to your complaints. For example, if you contact Us with a technical question, We will use your contact information and technical information to resolve the issue;
(b) to administer and enhance the Website;
(c) for Our general business purposes, such as the administration of your customer account, to invite you to events, deal with your queries or for marketing or sales purposes;
(d) in connection with a proposed or actual sale, merger or transfer of all or a portion of a business or division;
(e) to satisfy legal or regulatory requirements;
(f) as otherwise described in this Privacy Notice; and
(g) at your option, to send you additional marketing materials relating to Iron Mountain.
2.2 From time to time We may Share your Personal Data with organisations outside of Iron Mountain or with other Iron Mountain entities (including in countries outside of Hong Kong) in order to fulfill a purpose described in this Privacy Notice or, if required, for other legal purposes. These entities carry out, amongst other services, Our:
(a) billing and debt- recovery functions;
(b) customer inquiries;
(c) information technology services and cloud services;
(d) marketing and communication services (including market research);
(e) website usage analysis;
(f) to support or facilitate any of those activities described in paragraph 2 herein; and
(g) advisers and insurers.
2.3 We may also Share your Personal Data with entities in connection with a proposed or actual sale, merger, or transfer of all or a portion of a business or division. Additionally, We may be under a legal obligation to disclose your Personal Information to other persons, and only as permitted or required by applicable laws or regulation. Such disclosure could be made to courts, to respond to lawful requests by public authorities, regulators and law enforcement agencies in Hong Kong and around the world or to protect and defend Our rights or property.
2.4 Additionally, Iron Mountain adopts contractual or other means to prevent:
(a) your Personal Data transferred to the above organisations and entities from being kept longer than is necessary for the intended purpose;
(b) unauthorized or accidental access, processing, erasure, loss or use of your Personal Data transferred to the organisations and entities for the provision of the above services.
2.5 Furthermore, We will take reasonable practicable steps to ensure that these organisations and entities are bound by confidentiality obligations in relation to the protection of your Personal Data.
3. TRANSFERRING PERSONAL DATA
3.1 If we send Personal Data out of Hong Kong (either to third parties or to other Iron Mountain entities), even to countries which have different levels of data protection laws than Hong Kong, to fulfill a purpose described in this Privacy Notice, Iron Mountain will take reasonable and practicable steps to help ensure that the recipient handles such information in accordance with applicable laws, including the Ordinance. Transfers to service providers and other third parties will always be protected by contractual commitments and, where appropriate, further assurances.
3.2 Iron Mountain may Share Personal Data with a recipient without complying with paragraph 3.1 if:
(a) you are Expressly Informed of the intended disclosure of your Personal Data to the recipient and you consent in writing; or
(b) We reasonably believe that the recipient is subject to a law or a binding scheme that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Ordinance seeks to protect the same and you can access mechanisms to enforce the protection of your Personal Data under that law or that scheme.
4. DIRECT MARKETING
4.1 We would like to use your Personal Data to provide you with information about products and services which We think may be of interest to you or your employer. We intend to Use Personal Data that is collected from individuals in their official capacities and Our promoted services are clearly meant for the use of the targeted business. If these requirements are met, Iron Mountain does not need to obtain consent from this individual and the other provisions of the Ordinance do not apply to Iron Mountain.
4.2 Should We have doubts that the collected Personal Data relates to individuals in their official capacities, We shall ask for consent for Using and/or Sharing any Personal Data Collected from you for Direct Marketing purposes in accordance with the Ordinance, whether Collected via telephone, the Website or otherwise, but subject to the terms of this Privacy Notice and applicable contractual obligations.
4.3 In each Direct Marketing communication, We will include a:
(a) prominent statement appearing on the relevant piece of marketing material notifying you of your right to Opt Out from further Direct Marketing; and
(b) simple means for you to Opt Out of receiving further Direct Marketing communications of that kind.
4.4 Should you Opt Out, We will stop Using and/or disclosing your Personal Data for Direct Marketing purposes.
5. ENSURING INFORMATION IS ACCURATE AND UP-TO-DATE
5.1 We take reasonable precautions to ensure that the Personal Data We Collect, Use and Share is complete, relevant and up-to-date.
5.2 However, the accuracy of that information depends to a large extent on the information you provide. Therefore We recommend that you:
(a) let Us know if there are any errors in your Personal Data; and
(b )keep Us up-to-date with changes to your Personal Data. You may change your personal details by using the relevant facility on Our Website or by contacting Iron Mountain via contact details described in paragraph 12 or in your Service Agreement.
6. HOW WE PROTECT YOUR INFORMATION
6.1 Iron Mountain takes reasonable steps to protect your Personal Data from misuse, interference, loss and unauthorised access or disclosure. This includes taking reasonable steps to destroy or permanently de-identify Personal Data once it is no longer needed for any purpose for which it may be Used or Shared in accordance with applicable law.
6.2 Iron Mountain will not attempt to match de-identified or anonymous data Collected through surveys or such online devices as "cookies", with information identifying an individual, without notifying the relevant individual.
6.3 Iron Mountain requires its employees and contractors to perform their duties in a manner that is consistent with Iron Mountain's legal responsibilities in relation to privacy, including those in this Privacy Notice.
6.4 Iron Mountain takes reasonable steps to ensure that Personal Data is only accessible by people who have a genuine "need to know" as well as "right to know”.
7. HOW YOU CAN ACCESS OR CORRECT YOUR INFORMATION
7.1 Iron Mountain will permit Our records containing your Personal Data to be accessed by you when required by the Ordinance or by your Service Agreement, as applicable. We may, however, refuse to provide you with access to your Personal Data in accordance with the Ordinance if one or more of those conditions contained in the Ordinance - circumstances in which data user shall or may refuse to comply with data access request - applies, including but not limited to instances in which:
(a) giving access to the information would have an unreasonable impact on the privacy of any other individual;
(b) insufficient information was provided to locate the Personal Data to which the request relates;
(c) the request is not in writing in the Chinese or English language; or
(d) giving such access will be unlawful for other reasons.
7.2 If Iron Mountain is satisfied that:
(a) having regard to the purpose for which the information is held, the information is inaccurate, out-of-date, incomplete or irrelevant or misleading; or
(b) you (as the person to whom the Personal Data relates) request that We correct the information,
We will take reasonable steps to correct Our records containing your Personal Data as soon as practically possible in accordance with the Ordinance.
7.3 If We have refused to grant you access to your Personal Data in accordance with paragraph 7.1 above, We will still take all reasonable steps to provide you with access to your Personal Data in a way that meets both your and our needs. If the Personal Data is stored with Iron Mountain pursuant to a Service Agreement, Iron Mountain may refer you to the relevant company (i.e. Our customer) to exercise your rights under the Ordinance.
7.4 If you:
(a) wish to lodge a request to access and/or correct your Personal Data; or
(b) have been refused access to your Personal Data by Us for any reason described in this Privacy Notice and you wish to challenge that refusal, you may do so by contacting the Privacy & Compliance Team as per the details in paragraph 12.
7.5 Iron Mountain will not charge a fee for processing an access request unless the request is complex or is resource intensive. Iron Mountain does, however, reserve the right to charge an administration fee if an individual requests access to their Personal Data more than once in a three-month period.
7.6 Where Iron Mountain offers online account management facilities, customers can use this capability to control aspects of their account, including amending or updating certain Personal Data.
8.1 Iron Mountain’s Privacy & Compliance Team will be the first point of contact for inquiries about privacy issues. If you wish to make an inquiry or complaint regarding your privacy, you should contact this team as per the details in paragraph 12.
8.2 You will find that the Iron Mountain’s Website contains a copy of this Privacy Notice.
9. STAYING ANONYMOUS
9.1 Iron Mountain will not make it mandatory for visitors of Our Website to provide their Personal Data unless such Personal Data is required to answer an inquiry or provide a service. Iron Mountain may however request visitors to provide their Personal Data voluntarily to Iron Mountain (for example, as part of a competition or questionnaire).
9.2 Iron Mountain will allow you to transact with Us anonymously or by using a pseudonym wherever that is reasonable and practicable.
10. CHANGES TO THE PRIVACY NOTICE
Iron Mountain may, in its sole reasonable discretion, update this Privacy Notice at any time and from time to time. Any changes will be effective when posted on Our Website. Your continued use of Our Website and services will indicate your awareness of any changes to this Privacy Notice. All Personal Data Collected both before and after any changes take effect will be subject to the terms of the then current policy for which you will be taken to have been provided with notice, unless you indicate otherwise by contacting the Privacy & Compliance Team as per the details in paragraph 12 or unless there are additional privacy terms and conditions within your Service Agreement. We encourage you to refer back to this page and especially prior to providing Us with any Personal Data.
Collect means gather, acquire or obtain by a lawful and fair means, information in circumstances where the individual is identifiable or identified.
Direct Marketing involves the Use and/or Sharing of Personal Data to communicate directly with an individual to promote goods or services through written, verbal or electronic means of communication for the company that the individual is acting for and behalf of. The goods or services which are marketed may be those of Iron Mountain or those of an independent third party organisation on behalf of Iron Mountain.
Expressly Informed means the circumstance where We have provided you with a clear statement (either verbal or in writing) of the fact that that We will not be accountable under applicable law, including the Ordinance.
Iron Mountain means Iron Mountain Hong Kong Limited
Opt Out means an individual's expressed request not to receive Direct Marketing communications.
Personal Data means any data (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable. This includes, but is not limited to, an individual’s name, address, telephone number and email address.
Service Agreement means any service agreement entered into between Iron Mountain and an Iron Mountain customer.
Share or Sharing generally means the release of information outside Iron Mountain to third parties or other Iron Mountain entities.
Use means the handling of Personal Data within Iron Mountain.
Website means the website of Iron Mountain and related webpages.
12. CONTACTING IRON MOUNTAIN
If you have questions concerning this Privacy Notice, please contact the Privacy & Compliance Team via email at firstname.lastname@example.org.
You can obtain further information about your privacy rights and the Ordinance from the Office of the Privacy Commissioner for Personal Data by visiting their website at www.pcpd.org.hk.
This Privacy Notice was last updated on 31 March 2021.