Privacy Policy
- Definitions
1.1 Unless otherwise defined in this Privacy Policy, all capitalized terms have the meaning given in the General Terms. The interpretation rules set forth in the General Terms apply unless the context requires otherwise.
“Company” means NTT Com Asia Limited. For the purposes of the PDPO, the principal data user responsible for Personal Data processed under this Privacy Policy is ABC Limited. Where an affiliate independently processes Personal Data as a separate data user or data controller, that affiliate’s own privacy notice applies.
“General Terms” means the Company’s General Terms and Conditions governing access to and use of the Website, as amended from time to time.
“PDPO” means the Personal Data (Privacy) Ordinance (Cap. 486 of the laws of Hong Kong), as amended or re-enacted from time to time.
“Personal Data” means any data relating directly or indirectly to a living individual from which it is practicable for the identity of the individual to be directly or indirectly ascertained and in a form in which access to or processing of the data is practicable.
“User” means an individual who accesses or uses the Website, obtains or enquires about a product or service, participates in a Company programme or activity, communicates or otherwise deals with the Company, or whose Personal Data is otherwise processed by the Company under this Privacy Policy.
“Website” means the Company’s public-facing website located at www.ntt.com.hk and www.oceanintels.ai, including any subdomains thereof.
1.2 The headings in this Privacy Policy are for convenience only and do not affect its interpretation.
1.3 This Privacy Policy governs the collection, use, disclosure and other processing of Personal Data in connection with the Website, the Company’s products, services, programmes, activities, business relationships and other interactions with Users. It also applies to Personal Data retained or otherwise processed after any relevant product, service, system or platform has been modified, migrated, suspended or discontinued. This Privacy Policy shall be read with the General Terms. In the event of any inconsistency between this Privacy Policy and the General Terms, this Privacy Policy shall prevail in relation to the collection, use, disclosure or other processing of Personal Data. - Collection of Personal Data
2.1 The Company collects and process Personal Data in accordance with the PDPO, other applicable data protection laws and this Privacy Policy, primarily to facilitate a User’s access to or use of the Website, products, services or support.
2.2 The Personal Data collected depends on the User’s interaction with the Company and may include identity and contact details, business or professional information, service and product preferences, transaction information, technical and usage information, and information necessary for service provision and support.
2.3 The Company may collect, use, disclose and otherwise process Personal Data for the following purposes:
a) providing products, services, and support requested or subscribed for;
b) improving user experience, Website content and functionality, including through aggregated or anonymised data;
c) engaging third-party service providers offering administrative, payment gateway, financing, professional, or other services;
d) dealing with banking, financial or other institutions with which a User has or propose to have dealings;
e) debt collection, credit referencing and related services;
f) an actual or proposed transfer of the Company’s interests or obligations under a contract, arrangement, transaction, product or service;
g) complying with applicable laws, court orders and requests from governmental, regulatory or law-enforcement authorities;
h) system administration, cybersecurity, troubleshooting and technical logging;
i) marketing and promotional activities, subject to applicable consent and opt-out requirements;
j) transferring Personal Data to its affiliates and business partners in Hong Kong or other jurisdictions where reasonably necessary to provide member support, process transactions, make product or service recommendations, administer projects, contests and promotions, perform administrative functions, facilitate registration or account creation on platforms operated by such entities, or facilitate attendance at e-learning sessions or other activities;;
k) retaining, administering, securing, retrieving, reviewing, disclosing or otherwise processing Personal Data collected through or in connection with any product, service, system or platform that has subsequently been modified, migrated, suspended or discontinued to respond to enquiries or requests, maintain business and compliance records, investigate security incidents, resolve disputes, establish, exercise or defend legal claims, and protect or enforce the rights and interests of the Company or any other person;; and
l) processing by artificial intelligence, machine learning, and automated analytical systems for service optimisation, anomaly detection, predictive analytics, automated report generation and other disclosed purposes, subject to Clause 4 and applicable law.
2.4 The Company may collect through the Website:
(a) identity and contact information, including name, job title, telephone number and email address;
(b) business and professional information, including employer, organisation and position;
(c) enquiries, requests, form submissions and other information voluntarily provided;
(d) product, service and communication preferences;
(e) technical and usage information, including IP address, browser type, operating system, pages visited, features used, access times, cookies and similar technologies; and
(f) other Personal Data collected with appropriate notice or as otherwise permitted by applicable law.
2.5 Data from Modified or Discontinued Services: The modification, migration, suspension or discontinuation of a product, service, system or platform does not necessarily result in the immediate deletion of Personal Data previously collected through or in connection with it. The Company may continue to retain and otherwise process that Personal Data in accordance with this Privacy Policy and applicable law. Such Personal Data may include account, identity, contact and authentication information; organisation and professional information; preferences and settings; usage, access and security logs; enquiries, questionnaire responses, feedback and documents; device and technical information; and other Personal Data previously provided to or collected by the Company.
2.6 Direct Marketing: The Company may use certain Personal Data collected from Users to send updates, announcements, and recommendations relating to its products and services (the "Marketing Communications") in accordance with Part 6A of the PDPO. The Company will not use Personal Data for direct marketing unless it has provided the information required by applicable law and obtained the relevant User’s consent or indication of no objection. The Company will not provide, transfer or make available Personal Data collected for direct marketing to any third party for that third party’s own direct marketing purposes.
(a) The Personal Data used may include name, job title, business email address, and business telephone number.
(b) The products, services and subjects marketed may include s telecommunications services, data centre and colocation services, managed network services, cloud connectivity, cybersecurity services, AI solutions, and related products and services offered by the Company or its affiliates.
(c) A User may require the Company to cease using Personal Data for direct marketing at any time and without charge by contacting the Data Protection Manager under Clause 14.
2.7 Corporate Contact Data: Where a corporate customer or organisation provides Personal Data relating to its personnel or contacts, it represents that it is authorised to provide that Personal Data and has taken the steps required under applicable law for the purposes described in this Privacy Policy.
2.8 Where permitted by applicable law, the Company may process Personal Data provided under Clause 2.7 on the basis of its legitimate interests in delivering services, maintaining customer relationships, and communicating relevant product and service updates, having assessed that those interests are not overridden by the rights and freedoms of the individuals concerned. An individual may object to or opt out of such processing by contacting the Data Protection Manager under Clause 14. - Use and Disclosure of Personal Data
3.1 The Company will access, store, use, disclose and otherwise processed Personal Data for the purposes described in this Privacy Policy and in accordance with the PDPO and other applicable laws.
3.2 The Company may disclose Personal Data to:
a) a person to whom a User requests or authorises disclosure;
b) the Company’s affiliates, agents, contractors, telecommunication network providers, professional advisors and other service providers necessary for business operations and service delivery;
c) business partners involved in providing products or services;
d) an actual or proposed purchaser, assignee, transferee or successor in connection with the Company’s business, assets, products, services, rights or obligations; and
e) law enforcement agencies, regulatory bodies, courts and other competent authorities as required or permitted by applicable law.
3.3 Cross-Border Transfer: Personal Data may be transferred to, and stored or processed in jurisdictions outside Hong Kong, including in connection with cloud-based artificial intelligence services and third-party processors. The Company will take reasonable steps to require an appropriate level of protection having regard to the nature of the Personal Data, the processing purposes and applicable law. Where the General Regulation (EU) 2016/679 or corresponding United Kingdom data protection legislation applies, transfers will be subject to appropriate safeguards, including standard contractual clauses or other approved mechanisms, including standard contractual clauses or other approved mechanisms.
3.4 The Company may continue to use, collect and process Personal Data retained following the modification, migration, suspension or discontinuation of a product, service, system or platform for the purposes described in Clause 2.3(k), compliance with applicable requirements, and other purposes directly related to the purposes for which it was originally collected or otherwise permitted by law.
3.5 Personal Data may be integrated with other Company systems for service provision, customer relationship management, record-keeping, security, compliance and internal analytics. The Company will apply appropriate technical and organisational measures to protect its security and confidentiality.
3.6 The Company may engage third-party service providers to operate the Website, manage Company systems or process Personal Data on the Company’s behalf. Their access will be limited to what is reasonably necessary for authorised functions and subject to appropriate contractual or other measures concerning confidentiality and security. - Artificial Intelligence and Automated Processing
4.1 The Company may use artificial intelligence, machine learning models, and automated analytical tools to process Personal Data for the purposes described in Clause 2.3(l). Processing may use systems operated locally or cloud-based AI service providers outside Hong Kong. Cross-border transfers are subject to Clause 3.3.
4.2 Where the Company relies on a User’s consent under applicable law for AI-related processing, that consent will be sought separately and specifically, be voluntary and capable of withdrawal, and be obtained through a dedicated notice or mechanism presented through the Website, email or another appropriate channel. Withdrawal may affect an optional feature or service that necessarily depends on the processing. Consent may be withdrawn by contacting the Company under Clause 14 and does not affect processing conducted before withdrawal.
4.3 Where applicable law requires a lawful basis and the Company does not rely on consent, the Company may rely on performance of a contract or pre-contractual steps, compliance with a legal obligation, legitimate interests not overridden by fundamental rights and freedoms, or another basis permitted by applicable law.
4.4 Where a third-party service provider process Personal Data on the Company’s behalf, the Company will having regard to the nature and risk of processing, undertake appropriate due diligence, implement appropriate contractual or other measures, limit access and use to authorised purposes, and not authorise independent model training or other independent use unless separately disclosed and permitted by law.
4.5 The Company may use AI tools to assist in drafting, tailoring, and optimising communications. Personal Data may include account information, service history, and communication preferences. AI-assisted communications may be subject to human review where appropriate having regard to the nature, purpose and risk of the communication. Processing will be based on consent or, where applicable, legitimate interests. Applicable objection and opt-out rights are described in Clause 5.3.
4.6 The Company will not process Personal Data for a new AI-related purpose incompatible with the original collection purpose unless it obtains any consent required by applicable law or the processing is otherwise permitted by law. - User Rights under PDPO
5.1 Under the PDPO, a data subject may:
(a) request access to Personal Data held by the Company;
(b) request correction of inaccurate or incomplete Personal Data;
(c) ascertain the Company’s policies and practices concerning Personal Data and the kinds of Personal Data held; and
(d) require the Company to cease using Personal Data for direct marketing.
5.2 A Data Subject should submit a written request to the Data Protection Manager, using any prescribed form required by law. The Company may charge a fee that is not excessive for a data access request as permitted by the PDPO and will respond within the period required by applicable law.
5.3 Where available under applicable law, a data subject may also have the right to be informed about processing purposes, request erasure subject to applicable retention requirements, object to direct marketing, withdraw consent, and object to AI-driven profiling or analysis based on legitimate interests. A request should follow Clause 5.2. - Data Security
6.1 The Company will take reasonable and practicable technical and organizational measures to protect Personal Data against unauthorized or accidental access, processing, erasure, loss or use, having regard to its nature, the potential harm from a security incident and applicable law.
6.2 Measures may include appropriate access controls and authentication protocols, internal data-access policies and procedures, and regular cybersecurity and data-protection training for relevant personnel.
6.3 No electronic transmission, information storage system or security measure can be guaranteed to be completely secure. The Company does not warrant absolute security against unauthorized access, disclosure, loss or misuse.
6.4 To the maximum extent permitted by applicable law, the Company shall not be liable for unauthorised access, disclosure, loss, alteration or misuse of Personal Data resulting from circumstances beyond its reasonable control. Nothing in this Clause 6 excludes or limits liability that cannot lawfully be excluded or limited. - Data Retention
7.1 The Company retains Personal Data only for so long as reasonably necessary for the purposes for which it was collected or otherwise processed, taking account of applicable legal, regulatory and contractual requirements, the nature and sensitivity of the Personal Data, operational requirements and legal claims.
7.2 The Company may retain Personal Data despite a deletion, restriction or objection request to comply with legal, regulatory or contractual obligations; maintain business records; prevent fraud or misuse; resolve disputes; or establish, exercise or defend legal claims.
7.3 Retention periods depend on the relevant data and purpose. In particular:
(a) Website enquiries, forms and service requests will be retained for so long as reasonably necessary to address the matter and related requirements;
(b) direct-marketing data will be retained until withdrawal or opt-out, subject to a limited suppression record;
(c) technical, security and usage records will be retained as reasonably necessary for administration, cybersecurity, fraud prevention, investigation and compliance; and
(d) Personal Data collected through or in connection with a product, service, system or platform that has subsequently been modified, migrated, suspended or discontinued will be retained only for so long as reasonably necessary for the purposes described in this Privacy Policy.
7.4 When Personal Data is no longer required, the Company will take reasonable steps to delete, destroy or anonymise it unless continued retention is required or permitted by law.
7.5 Residual copies may remain in secure backup or archival systems until deleted or overwritten through normal procedures. Such copies will not be used for active business purposes except where reasonably necessary for recovery, security, compliance or legal purposes. - Cookies and Local Storage
8.1 The Company uses cookies, local storage and similar technologies on the Website for necessary functionality and security, usage analysis, service improvement, and remembering User preferences. Further information is in the Company’s Cookies Policy.
8.2 Users may manage preferences through any mechanism made available on the Website and through browser or device settings. Where required by law, the Company will request consent before using non-essential technologies. Disabling certain technologies may affect Website functionality. - Third-Party Service Providers
9.1 The Company may engage third-party service providers to operate the Website, host or maintain Company systems, process Personal Data on the Company’s behalf and support business operations. Access to Personal Data will be limited to what is reasonably necessary and subject to appropriate contractual or other measures.
9.2 Where a provider processes Personal Data on the Company’s behalf, the Company will take reasonable and practicable steps to require the provider to:
(a) maintain appropriate confidentiality and security measures;
(b) process Personal Data only for authorised purposes and in accordance with the Company’s instructions;
(c) maintain safeguards against unauthorised or accidental access, processing, erasure, loss or use; and
(d) comply with applicable contractual and legal requirements.
Providers may include administrative, hosting, IT, telecommunications, payment, financing, professional, analytics, security and archival providers.
9.3 Where a third party independently processes Personal Data for its own purposes, that third party is responsible under applicable law and its privacy notice. The Company will disclose Personal Data only where permitted by this Privacy Policy and applicable law. - Modifications
10.1 The Company may amend this Privacy Policy at any time to reflect changes in processing practices, services or applicable law. Unless otherwise stated or required by law, an amendment takes effect upon posting on the Website.
10.2 The Company will take reasonable steps to notify affected Users of a significant change affecting processing purposes, Personal Data categories or data-subject rights. Notice may be provided through the website and, where reasonably practicable, by email or other direct communication. Where law requires consent for new processing, the Company will obtain it before commencing that processing.
10.3 Users should review this Privacy Policy regularly. The date at the beginning indicates when it was most recently updated. - Relationship to General Terms
11.1 The General Terms govern access to and use of the Website and should be read with this Privacy Policy.. Relevant provisions of the General Terms apply to the extent permitted by law. Nothing in the General Terms excludes, restricts or overrides a Company obligation or data-subject right that cannot lawfully be excluded, restricted or overridden.
11.2 If the General Terms conflict with this Privacy Policy, this Privacy Policy prevails for the collection, use, disclosure and other processing of Personal Data. The General Terms prevail for all other purposes. - Language
12.1 This Privacy Policy is written in English. If a translation is made available, it is provided for convenience only. If there is any inconsistency, the English language version prevails to the extent permitted by applicable law. - Governing Law and Jurisdiction
13.1 This Privacy Policy is governed by the laws of Hong Kong.
13.2 Subject to Clause 13.3 and any applicable mandatory law, any dispute or claim arising out of or in connection with this Privacy Policy is subject to the exclusive jurisdiction of the courts of Hong Kong.
13.3 Nothing in this Clause 13 limits a data subject’s right to complain to the Privacy Commissioner for Personal Data or another competent data protection authority, or limits the powers of such authority. - Contact Us
14.1 For a request to exercise a right under Clause 5, a complaint concerning the collection, use, disclosure or other processing of Personal Data, or an inquiry about this Privacy Policy, please contact:
By Post
NTT Com Asia Limited
6 Chun Kwong Street, Tseung Kwan O Industrial Estate, Tseung Kwan O, New Territories, Hong Kong
Attn.: Data Protection Manager
By Email
Data Protection Manager at dpm@ntt.com.hk