Updated 28 October 2020
What is this document?
This document is a Privacy Notice which describes how we collect and use personal information about you during and after your business relationship with us.
Zecca Limited and ESSE MAURITIUS is committed to protecting the privacy and security of your personal information.
We are responsible for deciding how we hold and use personal information. We are required under our local data protection legislation to notify you of the information contained in this privacy notice.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
Data protection principles
We will comply with the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (“ PDPO”), the associated regulations and guidelines as may from time to time be issued by the Privacy Commissioner for Personal Data, Hong Kong and (where applicable) the General Data Protection Regulation (EU) 2016/679 (“GDPR”) of the European Union.
For the purpose of the GDPR, Zecca Limited and Esse Mauritius, whose address is at 801-2, 8/F Easey Commercial Building, 253-261 Hennessy Road, Wanchai, Hong Kong, are the controllers who determine the purposes and means of processing of your personal data collected through websites owned and/or operated by us or on our behalf (including https://esseskincare.hk/, https://esseskincare.sg/) (collectively, “our websites”).
This means that the personal information we hold about you will be:
Used lawfully, fairly and in a transparent way.
Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
Relevant to the purposes we have told you about and limited only to those purposes.
Accurate and kept up to date.
Kept only as long as necessary for the purposes we have told you about.
The kind of information we hold about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, store, and use the following categories of personal information about you:
Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
- Former names.
- Date of birth.
- Place of birth.
- Passport number and country of issue.
- Tax Identification Number.
- Tax Residency.
- Occupation, name of employer, nature of employment.
- Business address.
- Whether you have held a public position or office.
- Source of funds, source of wealth information.
- Copy of driving licence or ID card, where applicable.
How is your personal information collected?
We typically collect personal information about you through our client take-on process, either directly from you as you place your product orders with us or from a third-party advisor.
We may collect additional personal information in the course of our business relationship with you. You will, at all times, remained informed of any additional information stored about you.
You can prevent Google’s collection and use of date by downloading and installing the browser plugin available under https://tools.google.com/dlpage/gaoptout
Data of children
Zecca Limited and Esse Mauritius websites are not intended for children under the age of 13 and we will not knowingly collect data from children from 13 and below except when permitted by the relevant law.
How we will use information about you
We will only ever use your personal information when the law permits or compels us. Most commonly, we will use your personal information in the following circumstances:
To verify your identity and protect ourselves against fraud and to fulfil our Anti-Money Laundering and anti-Terrorist- Financing obligations.
Where it is necessary to execute any condition of the contract we have entered into with you.
Where it is necessary to comply with a legal obligation.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We may also use your personal information in the following situations, which are likely to be rare:
Where we need to protect your interests (or someone else’s interests).
Where it is needed in the public interest (or for official purposes).
Situations in which we will use your personal information
We need all the categories of information in the list above (see The kind of information we hold about you) primarily to allow us to perform the contracted services and to enable us to comply with our legal obligations.
Change of purpose
We will only use your personal information for the purposes necessary for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Our obligations as an employer
Each and every one of our employees is responsible for maintaining the confidentiality of all personal information to which they have access. As an express condition of their contracts of employment, our employees must assume and maintain obligations of confidentiality which endure beyond the cessation of employment.
All employees are required to undertake mandatory data protection training on a regular basis which reinforces their responsibilities and obligations in maintaining the privacy and confidentiality of your personal information.
Do we need your consent?
We do not need your consent if we use special categories of your personal information to carry out our legal obligations. In limited circumstances, we may approach you (or your representative) for written consent to allow us to process certain particularly sensitive data. If we do so, we will provide full details of the information that we would like and the reason we need it, so that you may consider if you wish to consent.
For any international transfer of personal data, you will be informed beforehand, as far as practicable. Such a transfer will also fall under the ambit of this Privacy Notice.
Information about unlawful activity
We may only process information relating to unlawful activity where the law allows us to do so. We will use financial crime or other background check agencies to screen you as part of the client take-on process, or we may be notified of such information directly by you in the course of our business relationship. We will use information about unlawful activity to fulfil our Anti-Money Laundering and Combating the Financing of Terrorism obligations.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.
We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if ever this position changes.
Why might you share my personal information with third parties?
We may share your personal information with third parties, where required to do so by law or where it is in connection with the services provided by us.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long will you use my information for?
We will retain your personal information for as long as necessary to fulfil the purposes we collected it for. The length of time we retain your personal information depends on:
the purposes for which we process your personal data.
any legal or regulatory requirement we may have to meet.
For example, we must be able to respond to any concerns you may have, even if you are no longer a client. We have retention policies in place that govern the destruction of personal information.
In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once your business relationship with us has ended we will retain and securely destroy your personal information in accordance with our data retention policy and applicable laws and regulations.
Your duty to inform us of changes
We are committed to retaining the accuracy of your personal information for as long as it is being used for the purposes set out in the policy, and provided that you keep us up to date. Prompt notification of any changes, such as your address, email address or telephone number, will help us provide you with the best possible service.
You are entitled to request a record of all information stored regarding you on our servers. We shall attend to your request within 3 days and provide you will all data stored by us. Should you discover, upon review of your personal information, that amendments are required, please advise us immediately. We will make our best efforts to advise others of any important amendments to your personal information that we may have released to them.
Changes to this Privacy Notice
This Notice does not form part of any contract to provide services.
We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.