Rolex Privacy Notice
Personal Information Protection Policy
Date of Update: [2023.06.14]
Effective Date: [2023.06.14]
The Personal Information Protection Policy (“this Policy”) applies to all business conducted by Rolex (Shanghai) Limited and its branches (including Rolex (Shanghai) Ltd. Beijing Branch, Rolex (Shanghai) Ltd. Guangzhou Branch and Rolex (Shanghai) Ltd. Changning Branch) (“Rolex”, “We”, “Us”) established in Mainland China (referring herein to the People’s Republic of China excluding Hong Kong, China, Macao, China and Taiwan, China for the purposes of this Policy). Through this Policy, we aim to explain to you how we collect, use, store, share and transfer your personal information, and the ways through which you can access, update, delete and protect your personal information.
1 Overview
This Policy will help you understand the following:
How we collect and process your personal information
How we use Cookies and similar technologies
Circumstances we are exempted from obtaining your consent for processing your personal information
How we entrust others to process, share, transfer and publicly disclose your personal information
How we protect your personal information
Your rights as the subject of personal information
How we process minors' personal information
How we store and transfer your personal information
How this Policy is updated
How to contact us
We fully understand the importance of your personal information to you, and we will endeavour to protect the security of your personal information. We have always been committed to maintaining your trust and shall endeavour to protect your personal information based on the principles of consistent rights and responsibilities, expressing the explicit purpose, deliberate consent, minimum necessity, assurance of information security, data subject participation and transparency. We are also committed to taking appropriate security measures in accordance with the mature security standards of the industry to protect your personal information.
Before you provide any personal information to us, please ensure that you have carefully read, understood and agree to the contents of this Policy. If you disagree with any content of this Policy, or have any questions, comments or suggestions, please contact us. Our contact details are available in Clause 12.
This Policy is drafted both in Chinese and English. If there is any discrepancy in the wordings or terms used in the two language versions, those wordings or terms shall be interpreted in accordance with the purpose of this Policy.
2 Definitions
Rolex affiliates: refers to Rolex SA located in Switzerland and Rolex (Hong Kong) Limited and Rolex Watch Service Limited located in Hong Kong, China.
Personal information: refers to various information related to an identified or identifiable natural person recorded electronically or by other means and does not include anonymized information. Personal information involved in this Policy includes name, birthday, nationality, location, gender, telephone number, email address, Identification card (“ID”) number (for foreigners: passport number, for compatriots of Hong Kong, Macao and Taiwan: ID number), identification document, payment account information, working experience, family background, medical report, transaction record, signature, height, weight, shoe size, health proof, education background, facial recognition features, body temperature information, age, address, salary information, salutation, fax, company, position, etc.
Sensitive personal information: refers to personal information that, once leaked or illegally used, may easily lead to the violation of the personal dignity of a natural person or harm of personal and property safety. Sensitive personal information involved in this Policy includes: ID number (for foreigners: passport number, for compatriots of Hong Kong, Macao and Taiwan: ID number), identification document, payment account information, medical report, transaction record, height, weight, health proof, facial recognition features, body temperature information, etc. We will prominently mark sensitive personal information in bold in this Policy.
According to the Personal Information Protection Law of the People's Republic of China, processing personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information.
Unless otherwise stated, the term "include(s)" in this Policy means "including but not limited to".
3 How we collect and process your personal information
3.1 As our customer, special guest and media we may collect and process your personal information in relation to the scenarios set out below:
Purposes | Scenarios | Information we may collect |
---|---|---|
(i) Maintenance and/or repair services for watches and accessories (“Watch Products”) | Drop off Watch Products at our Service Centre | You will need to provide the necessary personal information, including your name, telephone number, email address, ID number (for foreigners: passport number; for compatriots of Hong Kong, Macao and Taiwan: ID number), identification document, salutation, address, fax, transaction record and your signature for registration and verification of your identity. |
(i) Maintenance and/or repair services for watches and accessories (“Watch Products”) | Collect Watch Products from our Service Centre | (1) By yourself: You will need to return the service document receipt and present the identification document provided for registration to verify your identity. (2) By any third party authorized by you: Such third party will need to return the service document receipt and to present a completed Authorization Form signed by you and identification document of the third party to verify his/her identity. |
(ii) Payment | Payment | You may pay by using a payment system or application provided by a third-party payment institution or financial institution or pay by credit card or in cash. If you choose to pay by using a payment system or application provided by a third-party payment institution or financial institution, or by credit card, you may need to provide your payment account information and other personal information such third-party institution, system, or application may require. Please be aware that this Policy does not apply to the products and/or services provided to you by those third-party payment institutions or financial institutions, and we suggest that you read their relevant policies on privacy protection or personal information security before providing your personal information to the relevant third-party. |
(ii) Payment | Invoicing service | To provide you with invoicing service, we need to collect your transaction record. |
(iii) Customer service and dispute handling | After-sales services | When you contact our customer service staff or when our customer service staff contact you, we may ask you to provide your name, telephone number, email address, transaction record and information needed to prove the relevant facts as you claim to verify your identity. |
(iii) Customer service and dispute handling | Customer service | If you take the initiative to call us, our telephone system will record your incoming telephone number automatically. |
(iv) To ensure security of property and personal safety | Respond to the public health incidents | For the protection of public health and safety and to respond to emergencies including the COVID-19 pandemic, body temperature measurement equipment will be deployed to measure your body temperature and collect your facial recognition features and body temperature information when you enter Rolex premises. We will delete the relevant personal information 3 months after collection. |
(iv) To ensure security of property and personal safety | Ensure safety of the public and personal properties | To ensure safety of the public and personal properties, we have installed surveillance cameras outside and inside our Rolex premises. The surveillance cameras will collect your facial recognition features. Please note that notices are placed to inform you separately. Therefore, if you continue to enter or remain in our Rolex premises, we will consider that we have obtained your consent. We will delete the relevant personal information 3 months after collection. |
(v) Host activities/ events | Organize commercial and/or marketing promotional activities / events | To meet the relevant requirements of the event organizers, when you participate in our commercial and/or marketing promotional activities, we may require you to provide your name, gender, company, position, location, telephone number and email address for contact and identity verification; for specific needs, you will also need to provide your ID number (for foreigners: passport number; for compatriots of Hong Kong, Macao and Taiwan: ID number) for itinerary arrangement; for some events of a sporting nature, we may need you to provide your height, weight, shoe size and health proof, etc. |
The above information is collected to provide you with products or services and to comply with laws, regulations, and regulatory requirements. If you are unable to provide such information (or the information provided is incomplete, inaccurate, or untrue), we may not be able to provide you with the relevant products or services or the products or services available for you will be restricted.
3.2 As a job candidate, we may collect and process your personal information in relation to the scenarios set out below.
Purposes | Scenarios | Information we may collect |
---|---|---|
Candidate selection | Candidate interview | Upon being invited by us for job interview, we will ask you to provide your name, age, address, email address, telephone number, birthday, gender, nationality, family background, salary information, working experience, education background and other relevant information for reference; after the interview, we may ask you to further provide your health proof, medical report and other information for reference. |
The above information is collected to select suitable candidates and to comply with laws, regulations, and regulatory requirements. If you are unable to provide such information (or the information provided is incomplete, inaccurate, or untrue), this may affect the selection process.
4 How we use Cookies and other technologies
A cookie is a small file of letters and numbers that is stored on the hard drive of your device. Cookies are used to distinguish you from other users of our website. This helps us to understand how you are using our website.
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see here:
The website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
5 Circumstances under which we are exempted from obtaining your consent for processing your personal information
5.1 You are fully aware of and agree that in the following circumstances, we do not need to obtain your consent to process your personal information:
(1) Circumstances required for our fulfilment of our responsibilities or obligations under laws and regulations, including:
a. Those directly related to national security and national defence.
b. Those directly related to the criminal investigation, prosecution and trial and execution of court decision, or as required by administrative authorities or enforcement authorities in Mainland China.
c. Those directly related to public security, public health, or major public interest.
(2) Circumstances for safeguarding the life, property or other significant legitimate rights and interests of the personal information subject or other individuals, where it is difficult to obtain consent from the personal information subject.
(3) Circumstances where it is necessary to respond to sudden public health incidents or protect the life, health, or property security of you or other natural persons under emergency conditions.
(4) Processing, within a reasonable scope, personal information already disclosed by you or otherwise lawfully disclosed (including from lawful news reports, government disclosures, etc.).
(5) Circumstances where it is necessary for the maintenance of the secure and stable operation of the products or services, such as the detection and disposal of failed products or services.
(6) Necessary for entering and performing a contract with you.
(7) Processing personal information within a reasonable scope to conduct news reporting, public opinion supervision, and other such activities for the public interest.
(8) Other circumstances under the current and amended laws and regulations.
5.2 You understand that if your personal information we collected from you has undergone anonymization or de-identification through technical processing, so that you are not identifiable or not identifiable without the help of additional information, we are no longer required to notify you or obtain your consent for the use of such information.
6 How we entrust others to process, share, transfer and publicly disclose your personal information
6.1 Entrusting the processing and sharing of your personal information
To achieve the business purposes under Clause 3 of this Policy, you understand and agree that we may entrust the processing of your personal information (including your sensitive personal information) to cloud service providers, information technology consultants (“Technical Support Parties”), and/or other payment service providers, collaborators, and agents. With regards to the companies, organisations and individuals to whom we entrust the processing of personal information, including but not limited to Technical Support Parties, we will conclude an entrustment contract with them to confirm the purpose, period, processing method, types of personal information, protection measures, and the rights and obligations of both parties. We will supervise the entrusted party’s personal information processing activities and request them to process your personal information in accordance with our requirements, this Policy and other relevant confidentiality and security measures.
The third parties and/or Technical Support Parties entrusted by us have no authority to use your personal information for any other purposes. If there is any change to the purpose of processing of your personal information, we will ask for your consent again.
Other than the circumstances listed in this Clause, we will generally not provide your personal information to any other company, organisation, or individual except Rolex affiliates. However, you understand and agree that we can provide your personal information in accordance with applicable laws and regulations of the People’s Republic of China. If you do not agree, you may contact us through the channel set out in Clause 12 to withdraw your consent.
6.2 Transfer of your personal information
We will not transfer your personal information to any company, organisation or individual, except under the following circumstances:
(1) Transfer with explicit consent. After obtaining your express consent, we will transfer your personal information to other parties.
(2) When we are involved in a merger, acquisition, or bankruptcy liquidation, if the transfer of personal information is involved, we will request the new company or organization possessing your personal information to agree to be bound by this Policy; otherwise, we will request the company or organisation to ask for consent from you.
(3) We may otherwise transfer your personal information in accordance with applicable laws and regulations, requirements under legal proceedings, compulsory administrative or judicial requirements.
6.3 Public disclosure of your personal information
We will only publicly disclose your personal information in the following circumstances:
(1) Upon your express consent or deliberate choice; or
(2) Disclosure based on the law: upon the compulsory requirements by the laws, legal proceedings, litigation, or competent government departments, we may publicly disclose your personal information.
7 How we protect your personal information
7.1 We have adopted security measures that are compliant with the generally accepted standards in the industry to protect your personal information and to prevent the data from being accessed without authorisation, publicly disclosed, used, amended, damaged or lost. We will adopt all reasonably practicable measures to protect your personal information. For example:
(1) Using the HTTPS security protocol to encrypt and protect related network communication, with two-factor authentication for identity verification to ensure authorized user access. Minimum data access permissions are granted subject to a strict internal authorization approval. All users’ system access activity will be recorded for security audit purposes.
(2) Necessary anti-malware protection is in place. We have deployed security protection systems at the network boundary, such as a firewall, security gateway and traffic monitoring system, to protect our internal network from public access. The data transmission channel from the internet to the online cloud system is encrypted with the HTTPS protocol. Offline tape storage is protected by encryption, and a backup strategy is in place to protect the business data. Different encryption technologies are used at the laptop disk and/or operating system level for important data.
(3) We regularly review system vulnerabilities and patch deployment to ensure timely security updates.
(4) We regularly assess the security impact of personal information and conduct regular security awareness training for related employees.
7.2 Unless required by laws or regulations or with your separate authorisation and consent, we will take all practical and reasonable measures to ensure that irrelevant personal information will not be collected. We will only store your personal information for the period required to achieve the purposes of this Policy.
7.3 We will regularly update the contents of reports related to security risks and impacts on personal information security. You may obtain them by contacting us through the channel set out in Clause 12.
7.4 We endeavour to ensure or guarantee the security of any information sent from you to us and to adopt appropriate measures. If you have any question about the security measures implemented by us, please contact us through the channel set out in Clause 12.
7.5 If there is a personal information security breach, we will, in accordance with legal and regulatory requirements, promptly inform you of the basic facts of the security breach, measures we have adopted or will adopt, suggestions for you to actively prevent or reduce risks, remedies for you, etc. We will promptly inform you of the relevant circumstances via contact information you provided to us. When it is difficult to inform each data subject, we will adopt reasonable and effective means to publish a notice. At the same time, we will follow the requirements of the supervising authorities and proactively report the handling of the personal information security breach.
8 Your rights as the subject of personal information
In accordance with the relevant laws and regulations of the People’s Republic of China, we ensure that you may exercise the following rights over your personal information:
8.1 Inquire your personal information
You have the right to inquire your personal information unless under circumstances excluded by laws or regulations. You will be required to visit our Service Centre with your identification documents to exercise your right. We will reply to you within 15 working days from receiving your request. With regards to other personal information generated in your using of our services, we will endeavour to notify you under reasonable circumstances.
8.2 Correct or supplement your personal information
When you discover that your personal information being processed by us is incorrect or incomplete, you have the right to request us to correct or supplement it. You will be required to visit our Service Centre with your identification documents to exercise your right. We will reply to you within 15 working days from receiving your request.
8.3 Delete your personal information
You may request us to delete your personal information if:
(1) our processing of personal information breaches laws or regulations;
(2) we collect or use your personal information without your consent;
(3) our processing of personal information breaches our agreement with you;
(4) you no longer use our services, or the purposes described in clauses 3.1 and/or 3.2 of this Policy have been achieved or accomplished;
(5) you withdraw your consent;
(6) we no longer provide products and/or services to you.
You are required to visit our Service Centre with your identification documents to exercise your right. We will reply to you within 15 working days from receiving your request. We will decide whether to respond to your request of deletion in accordance with the laws and regulations. At the same time, we will also notify the entities that have obtained your personal information from us and request them to promptly delete your personal information, unless otherwise required by laws or regulations, or those entities have obtained your separate consent.
When you have requested to delete your personal information, we may not be able to immediately delete the corresponding information from our backup systems, but we will securely store your personal information and restrict any further processing of it until deleting or anonymizing the information when the backup is updated.
8.4 Change the scope of your consent
You have the right to change the scope of your consent to the personal information you provided, but you will need to visit our Service Centre with your identification documents to exercise your right. We will reply to you within 15 working days from receiving your request.
Please be aware that our business activities require some basic personal information to be carried out. If you withdraw your consent for such information, we may not be able to continue to provide the services or the scope of services provided may be restricted.
Once you have withdrawn your consent, we will no longer process the corresponding personal information. However, your decision to withdraw consent will not affect the processing of personal information authorized by you previously.
8.5 Obtain a copy of personal information by the personal information subject
You have the right to obtain a copy of your personal information, but you are required to visit our Service Centre with your identification documents to exercise your right. We will reply to you within 15 working days from receiving your request. With regards to other personal information generated in the process of using our services, we will endeavour to provide it to you under reasonable circumstances.
8.6 Respond to your above requests
For security purposes, you may be required to submit a written request or otherwise prove your identity. We may verify your identity first before handling your requests. We will reply to you within 15 working days from receiving your request. If you are not satisfied, you may lodge a complaint through the channel set out in Clause 12 of this Policy.
In principle, we do not charge any administrative fee for your reasonable requests. However, under certain circumstances, we may charge a discretionary amount of basic costs. We may refuse any unduly repetitive requests that require implementing substantial technical measures (for example, requiring the development of a new system or changing fundamental existing rules), bring risks to others’ lawful rights or are very unreasonable (for example, involving the backup information stored on discs).
8.7 In the following circumstances, we may refuse your request:
(1) Circumstances relevant to the fulfilment of our obligations under laws and regulations, including our provision of your personal information (including your sensitive personal information) generated during the transaction between you and us to the Customs, Tax and other governmental departments under the laws and regulations of the People’s Republic of China.
(2) The data retention period required by any law or administrative regulation has not expired, or it is difficult to delete personal information technically (in such cases, we will take necessary security protection measures to ensure the security of your personal information).
(3) Circumstances directly related to national security and defence security.
(4) Circumstances directly related to public security, public health, or significant public interest.
(5) Circumstances directly related to criminal investigation, prosecution and trial, and execution of court decision.
(6) Circumstances where we have sufficient evidence to prove that you have subjective malice, or you are abusing your rights.
(7) Circumstances where protection of your or other individual’s life, property and other important lawful rights is involved.
(8) Circumstances where responding to your request will cause serious harm to the lawful rights and interests of you or other individuals or organisations (including us).
(9) Circumstances where trade secrets are involved.
9 How we process minors’ personal information
Since our services are mainly provided to adults, we generally do not serve minors, unless the minors are accompanied by their parent or other guardian. For the purposes of this Policy, anyone under the age of 14 is considered as a minor.
Generally, we do not collect the personal information of minors, except for their facial recognition features and body temperature information collected for the purposes under Clause 3 of this Policy when they enter Rolex premises with their parent or other guardian. Notices will be posted at and/or in Rolex to notify their parent or other guardian. If their parent or other guardian does not consent to the collection of the minor’s facial recognition features and body temperature information, the minor cannot enter Rolex premises. The collection of minor’s personal information as above will only be used for purposes under Clause 3 of this Policy. We will delete the relevant personal information 3 months after collection.
We will keep strictly confidential minor’s facial recognition features and body temperature information and will generally not provide such information to other parties, unless compulsorily required by laws, regulations, legal proceedings, governmental administrative departments, or with the consent of the minor’s parent or other guardian.
10 How we store and transfer your personal information
In principle, we will store personal information collected and generated within the territories of the People’s Republic of China in accordance with Clause 3 of this Policy in the territories of the People’s Republic of China.
Since Rolex affiliates are located in Switzerland and Hong Kong, China, due to business needs, you understand and consent that, only for achieving business purposes listed under Clause 3 of this Policy, we may, in circumstances that comply with the requirements of the laws and regulations of the People’s Republic of China, transfer your personal information, which includes name, gender, age, telephone number, address, email address, birthday, salary information, working experience, education background, ID number (for foreigners: passport number; for compatriots of Hong Kong, Macao and Taiwan: ID number), salutation, fax, transaction record, company, position, location and signature to the servers of Rolex affiliates located in Switzerland and/or Hong Kong, China, or that your personal information, which includes name, gender, age, telephone number, address, email address, birthday, salary information, working experience, education background, ID number (for foreigners: passport number; for compatriots of Hong Kong, Macao and Taiwan: ID number), salutation, fax, transaction record, company, position, location and signature may be accessed from Switzerland and/or Hong Kong, China. Switzerland and Hong Kong, China have legal requirements to protect personal information. We will also ensure to provide sufficient protection to your personal information in accordance with this Policy. If you wish to know more about the storage and cross-border transfer of your personal information and/or exercise rights conferred by laws and regulations such as your right to withdraw consent, please contact us through the method listed under Clause 12. We will respond to your request within a reasonable scope.
For the cross-border transfer of your personal information, we have adopted reasonably practicable security measures that are compliant with industry standards to protect the security of the personal information provided by you, to prevent personal information from being accessed without authorisation, publicly disclosed, used, amended, damaged or lost. For example, to ensure the confidentiality of the transmitted data, the data transmission channel is encrypted. In order to ensure the availability of data, we have implemented a local data backup strategy to tape with encryption.
We have local network and other necessary protections, including but not limited to access logging, protection measures, training and regular audit and emergency response to protect data and system.
We only allow employees, agents, contractors and third parties (if any) with business needs to access your personal information. They will process your personal information according to our instructions and authorization and have the responsibility of confidentiality.
The data stored in Rolex Hong Kong shall strictly comply with the relevant protection measures specified in the personal information protection regulations of Hong Kong, China, and the data stored in Rolex Switzerland shall strictly comply with the relevant protection measures specified in the Swiss personal information protection regulations. Other security controls can be found in Clause 7 of this Policy.
11 How this Policy is updated
11.1 Our personal information protection policy may be updated. We will not impair your rights under this Policy without your express consent. We will post any changes to this Policy in written notice.
11.2 For major updates, we will provide notice from time to time in a suitable manner.
11.3 Major changes referred to in this Policy include but are not limited to:
(1) Major changes in our service mode, such as changes in the purpose of processing personal information, the types of personal information being processed, and the manners in which personal information is used.
(2) Major changes in our ownership structure, organizational structure, etc., such as changes in ownership as a result of business adjustments, bankruptcy, mergers and acquisitions, etc.
(3) Major changes in your rights relating to personal information or in the methods to exercise such rights.
(4) Changes in the responsible department for handling the security of our personal information, contact details and complaint channels.
(5) Personal information security impact assessment reports indicate a high risk.
We will also archive the older versions of this Policy for your reference.
12 How to contact us
If you have any questions, comments or suggestions regarding this Policy, or wish to exercise your rights over your personal information in accordance with this Policy, please feel free to contact us. Our contact information is:
Company name: Rolex (Shanghai) Limited
E-mail address: privacy@rolex.cn
Please note that the aforesaid contact is only for the communication regarding this Policy or the enquiries related to personal information. In normal circumstances, we will reply within 15 working days after receiving your request. If you are not satisfied with our response or believe that our processing of personal information has harmed your lawful rights and interests, you may also seek solutions through other channels, such as filing a lawsuit to the courts or seeking other solutions from the administrative supervision departments.