Respecting and protecting our customers’ privacy and personal data is important to ImagineX Group, LCJG Limited and its related companies (including all holding, subsidiary and affiliate companies) (collectively, we or us). This Policy will help you understand how we collect, use and safeguard your personal data in our interactions with you.
It also describes your data protection rights, including a right to object to some of the processing which we carry out. More information about your rights, and how to exercise them, is set out in the section What rights do I have?
We collect and process personal data about you when you:
2.1 visit and/or register on any websites owned and operated by us (including www.imaginex.com) (our Site);
2.2 place an order with us as a guest or as a registered user on our Site.
2.3 provide us with your personal data via: our physical stores or telephone enquiries number, your application for or use of our services (such as our ICARD);
We process personal data for the following purposes:
3.1 to conduct our business and pursue legitimate interests, in particular:
3.2 when you give us consent (if required):
3.3 for purposes which are required by law:
We have carried out balancing tests for all the data processing we carry out on the basis of our business and legitimate interests, which we have described above. You can obtain information on any of our balancing tests by contacting us using the details set out later in this Policy.
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. Specifically, in the case of customers from the European Economic Area (EEA), we are able to send you direct marketing without your consent, where we rely on our business or legitimate interests. Irrespective of the legal basis on which we rely to send you direct marketing, you have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by: (a) amending your direct marketing subscription preferences in the “Update Profile” section of the Site, (b) contacting our Privacy Officer at firstname.lastname@example.org or mailing to; Privacy Officer, ImagineX, 23F One Island South, 2 Heung Yip Road Wong Chuk Hang, Hong Kong, or (c) in the case of emails, by clicking the unsubscribe link at the bottom of such emails.
We will share your personal data with the related companies of ImagineX Group and LCJG Limited.
Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.
In the event that our business is sold or integrated with another business, your details will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business.
If you are from the EEA, where information is transferred outside the EEA, and where this is to a stakeholder or vendor in a country that is not subject to an adequacy decision by the EU Commission, data will be adequately protected by EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or a vendor's Processor Binding Corporate Rules. A copy of the relevant mechanism can be provided for your review on request to the contact mentioned in the section "How do I get in touch with you" below. Your personal data may be transferred to Hong Kong and Macao Special Administrative Regions, Mainland China, Taiwan Region and Singapore.
Where permitted by law, you have the right to ask us for a copy of your personal data; to correct, delete or restrict (stop any active) processing of your personal data; and to obtain the personal data you provide to us in a structured, machine readable format, and to ask us to share (port) this data to another controller.
In addition, if you are from EEA you can object to the processing of your personal data in some circumstances (in particular, where we do not have to process the data for business or other legitimate interests, purposes for which consent has been given (including direct marketing) or other legal requirements).
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, where they would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are available under applicable laws. We will inform you of relevant exemptions we rely upon when responding to any request you make.
To exercise any of these rights, or to obtain other information, such as a copy of a legitimate interests balancing test, you can get in touch with us – or our privacy officer – using the details set out below. (Applicable only if you are from the EEA: If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live, work or where you believe a breach may have occurred.)
We hope that we can satisfy queries you may have about the way we process your data. If you have any concerns about how we process your data, or would like to opt out of direct marketing, you can get in touch at email@example.com or by writing to Privacy Officer, ImagineX, 23/F, One Island South, 2 Heung Yip Road, Wong Chuk Hang, Hong Kong. You may also access, verify or update your personal data by using the “Update Profile” section of the Site, the ImagineX Mobile App or completing the “Customer Information Form” at one of our stores.
The data controllers are LCJG Limited, and its related companies; contact details can be found in the section How do I get in touch with you above.
Where we process registration data, we do this for as long as you are an active user of our Site and it is required for business and legitimate interests or legal requirement [(applicable if you are from the EEA only for 7 years after any business and legitimate interests or legal requirements no longer exist)].
Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future.(Applicable if you are from the EEA only) Where we process personal data for site security purposes, we retain it for 7 years after any business and legitimate interests no longer exists, and where we process personal data in connection with performing a contract or for a competition, we keep the data for 7 years from your last interaction with us.
We place conspicuous notices in our stores to inform customers we prohibit any photography, sound and/or video recording in our stores.
If our staff reasonably suspect that a customer is taking photography, sound and/or video recording in our stores, we will ask the customer to refrain from doing so. If a customer continues taking photographs, and recording sound and/or video footage, following our reasonable request, we reserve the right to require that customer to leave our premises.
If a customer has queries in relation to the photography policy, he/she may contact the Store Manager.
This policy outlines the policies and procedures regarding the use of CCTV in our stores undertaken to comply with the requirements of the Personal Data (Privacy) Ordinance (the Ordinance). CCTV is used to procure reasonable security and safety of the monitored area.
In accordance with the Ordinance and relevant guidelines issued by the Office of the Privacy Commissioner for Personal Data (PCPD):
(a) The personal data collected is securely deleted from the CCTV as soon as practicable once the purpose of collection is fulfilled. If no incident is reported, the footage will be securely deleted regularly accordingly.
(b) Upon expiry of the applicable retention period, we permanently destroy all personal data: (i) if in hard copy form, by first shredding and then securely disposing of the personal data; and (ii) if in electronic form, by permanently erasing the personal data from our systems. The CCTV footage/images are removed automatically from the system regularly. All authorized users having access to any copy pf the CCTV footage/images delete such copy once the incident being reported is closed or is no long active.
(c) If an incident occurs in the store, CCTV footage is preserved in a secure way until such time as the incident is fully investigated and the matter is closed. Usual deletion policies in relation to CCTV footage are suspended for the relevant footage during that period.
(d) Security measures are in place to prevent unauthorized access to the CCTV system. Recorded images are kept in safe custody, subject to and in accordance with the following measures:
(e) Proper records of the staff members taking charge of and keeping the recorded images are maintained by authorized users.
(f) Transfer and movements of the recorded images are clearly documented and only made in accordance with clause I(d)(3).
(g) The hard disks or any devices storing the recorded images are securely protected from unauthorized access (e.g. an encryption function is used) and only viewed, retrieved or handled upon proper authorization for the intended purpose (e.g. police investigation). Once there is no valid reason to retain the recorded images, they are securely deleted. Safeguards are in place to protect wireless transmission systems from interception should they be used for transmission of data recorded by CCTV.
(a) Personal data is only used for the purposes for which it was collected or a directly related purpose, unless the data subject has given express voluntary consent or when any applicable exemptions under the Ordinance apply.
(b) Disclosure of CCTV records to any third party (e.g. a customer) subject to provisions of the Ordinance is generally prohibited to protect the privacy of personal data.
(c) If we are requested to provide CCTV records to a law enforcement agency e.g. the Police for criminal investigation purposes, we will cooperate only with a written request provided by the relevant law enforcement agency.
(d) Please refer to clause 3 for detail of handling.
III. Misuse or abuse of CCTV system or the recorded images is reported to Natalie Da Gama-Rose,General Counsel of the Group Legal Department (email: firstname.lastname@example.org;Telephone:+852 2118 2280).
IV. Compliance checks and audits are carried out annually to review the effectiveness of the safeguards and procedures of the CCTV system.
I. If a customer has queries in relation to the operation of the CCTV and the purpose or in relation to privacy issues of his/her personal data, he/she may contact our Privacy Officer at email@example.com or mail to: Privacy Officer, ImagineX, 23F, One Island South, 2 Heung Yip Road Wong Chuk Hang, Hong Kong.
II. We do not accept requests from customers to view of CCTV footage because CCTV footage contains personal data and we are not allowed to share it with third parties by law.
III. We will accept requests from the police or other enforcement agent to view the CCTV footage and/or have a copy of the same upon receipt of formal written application.