MTR Corporation Limited ("MTRCL", "we ", "our " or "us") respects your legal rights of privacy when collecting, storing, using, processing and transmitting Personal Data and this PPS explains our privacy practices. We are legally required to comply with the Personal Data (Privacy) Ordinance (Cap. 486) of the Laws of the Hong Kong Special Administrative Region when collecting, holding, using and/or processing your Personal Data. In doing so, we will ensure compliance by our staff to the strictest standards of security and confidentiality.
Please read the following carefully to understand our policy and practices regarding how your Personal Data will be collected, treated and processed. By providing your Personal Data to us, you are consenting to this PPS and the collection, use, transfer, storage and processing of your Personal Data as described in this PPS.
If you are under the age of 18, you must have a legal representative such as a parent or guardian accepting this Policy on your behalf before providing any Personal Data to us.
If there is any inconsistency between the English and Chinese version of this PPS, the English version shall prevail.
Depending on the types of goods and/or services we provide to you, we may collect two basic types of data from you, “Personal Data” and “Non-Personal Data”:
"Personal Data" means any personally identifying data which we may collect from you when you seek product(s) and/or service(s) from us and include without limitation names; email and postal addresses; Octopus numbers; record of trips undertaken using our services such as departing and arriving stations, train and seat number, date and time of departure and type and class of ticket; gender, phone number; date of birth; payment information; type of identification document and full identification document number; occupation; your income; education level, from which it is practicable for the identity of an individual to be directly or indirectly ascertained.
“Non-Personal Data” includes aggregate and/or automatic information, which is data collected about the use of goods and/or services (including without limitation our websites and/or mobile applications), or about a group or category of users from which individual identities or other individually identifiable information has been removed. This PPS does not restrict or limit our collection, use and provision of Non-Personal Data.
2.1 Personal Data
The following are the common situations when we may collect and store your Personal Data, although these situations are not exhaustive:
‧ | registration for a membership, enjoying benefits or otherwise using our services as a member of our programmes, activities and/or other services; |
‧ | using and/or browsing our websites and/or mobile applications; |
‧ | purchasing and/or using our products and/or services, including without limitation to purchasing any travel tickets and/or subscribing to our communication materials; |
‧ | entry and/or participating in any of our promotional, marketing or advertising activities; |
‧ | posting, uploading, creating or otherwise generating any content and/or information, including any artistic, musical, literary, sound recording, film and/or any type of work on our websites and/or mobile applications; and |
‧ | request for customer service or other assistance in connection with our products and/or services. |
2.2 Non-Personal Data
When you use our websites and/or mobile applications, we may keep an activity log that does not identify you individually and cannot be used to identify the identity of any particular user. Generally, we collect and store the following categories of Non-Personal Data:
‧ | information about your device that you use to access our websites and/or mobile applications. This information may include the device name, IP address, operating system and version, the type of network and mobile Internet browser you use, the browser’s type and configuration, the geo-location information and other unique device identifiers of the device, browsing preferences such as language settings and font size etc.; and |
‧ | information about your use of the website and/or mobile application including without limitation the domain names you visit and the specific actions you take on the website and/or mobile application, the number of new or returning visits, statistics on the pages visited and referred, a reading history of the pages and sites you have visited and viewed, search terms used and search results, error and crash statistics, traffic data (such as time, duration and date of access). |
The above Non-Personal Data are collected and used to measure traffic, gauge the popularity of various parts of our websites and/or mobile applications, to gain general knowledge about our audience and market our websites and/or mobile applications to advertisers with whom we may share summarized traffic data. We may also share to third parties (including without limitation to those specified under paragraph 4 below) these Non-Personal Data for customizing, enhancing, optimizing, maintaining and/or improving the quality of our websites and/or mobile applications, such as for determining the optimal screen resolution, language and font settings, etc. This Policy in no way restricts or limits our collection, use, handling and provision of Non-Personal Data.
The purposes for which we may use your Personal Data will vary depending on the type(s) of product(s) and/or service(s) you seek from us. Such purposes will be stated in the Personal Information Collection Statement (“PICS”), application form, terms and conditions, mobile application and/or webpage relevant to your provision of Personal Data to us. If you fail to supply the Personal Data required, we may be unable to provide the specific products / services in full to you.
‧ | tell you (by way of a PICS or by a separate notification) that we are doing so and any purpose of use that we will make of such Personal Data we collect; and |
‧ | where relevant, give you the opportunity to object to particular use of your Personal Data. |
We will to take all practicable steps to keep your Personal Data confidential but we may disclose, transfer and/or assign such data to the following parties:
‧ | if MTRCL decides to sell, merge and/or re-organise any part of its business, to any actual or proposed assignee, transferee or successor of or to MTRCL's rights in respect of your Personal Data; |
‧ | any agent, adviser, auditor, contractor or third party service provider who provides administrative, telecommunications, computer, payment, fraud prevention, insurance, data processing and/or other services to us in connection with the operation of our business and/or the relevant product(s) and/or service(s) that you seek from us, and/or who otherwise processes Personal Data for and on our behalf; and |
‧ | any person (including without limitation government authorities, regulatory or administrative bodies or law enforcement agencies) to whom MTRCL is under an obligation to make disclosure under the requirement of any law binding on MTRCL or for the purposes of any guidelines or codes of practice issued by regulatory or other authorities with which MTRCL is expected to comply, or such parties who are authorized by law to request information from MTRCL. |
We may also disclose and/or transfer your Personal Data in the manner as stated in the Personal Information Collection Statement and/or any terms and conditions relevant to the product(s) and/or service(s) you seek from us.
The parties to whom we disclose and/or transfer your Personal Data may be situated outside of Hong Kong where there may not be in place data protection laws which are substantially similar to, or serve the same purposes as, the Personal Data (Privacy) Ordinance.
If you use our websites or mobile applications, there may be advertisements or hyperlinks linking to another website (e.g. Linked Sites). If you click on any of these advertisements or hyperlinks, you will leave our websites or mobile application for another location. At any other website, the protection of your privacy, Personal Data and your exposure to cookies are not our responsibility and you are advised to refer to the privacy policy of that other location (if any).
Some of our websites and/or mobile applications may allow you to link and/or connect to third party social networking sites. If you choose to link and/or connect to these third party social networking sites, we may be able to collect certain Personal Data from your social networking profile provided to us by the social networking site. In that case, we will collect and use such Personal Data only for the purpose of providing you with the connection to the social networking site.
Some of our websites use Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses "cookies” to help our websites analyze how users use those websites. A cookie is a small text file that is stored on your device (e.g. on your computer) when you visit or access a website. A cookie can be used to identify a computer or a mobile device. It, however, is not used to collect any personal information and do not recognize you personally. In other words, it does not have the function of identifying an individual user of our websites.
Within our websites cookies are used to track the use of and monitor traffic on our websites, as well as to improve, customize and enhance your browsing experience, for example:
‧ | Strictly necessary cookies are used to indicate your active using of our websites and remember the information you’ve entered in a form or details about a payment you want to make. Without them, the information would be lost every time you move to a new page; |
‧ | Performance cookies are used to collect anonymous information about how you use our websites, such as which pages you visit on our websites. We use this aggregated information to improve our websites; and |
‧ | Functional cookies are used to record information about choices you’ve made and to recommend contents of our websites that are relevant to you and your interests. |
On some pages, we feature embedded “share” buttons or widgets that enable you to connect to other social networking sites such as Facebook and Twitter. These sites may set cookies which can identify you as an individual when you are logged in to their services. We do not control these cookies and you should check the relevant third-party website to see how your information is used and how to opt-out.
If you use or continue using our websites, we will assume that you are happy for us to set cookies. You may choose to reject all or some cookies at any time by changing the setting of your web browser on your device. Please visit www.allaboutcookies.org to find out how to manage cookies. However, please be aware that if you choose to delete or restrict cookies, you will not be able to use some of the functions of our websites.
Except as mentioned in paragraph 4 above, your Personal Data, however stored, will be accessed only by our employees or contractors who are authorised to do so. Where Personal Data is stored electronically, it will be kept on a secured server and will be encrypted and/or password-protected (or under some equivalent form of protection) and accessible only by authorised personnel of MTRCL or its contractors. The network transmission of Personal Data will also be protected by using the SSL protocol. Personal Data are treated as confidential information by MTRCL and all employees and contractors designated to handle Personal Data will be instructed to do so only in accordance with this PPS.
If it becomes necessary that we have to take action against you for any reason whatsoever including recovering from you any money you owe us, you expressly agree that the Personal Data provided by you can be relied upon in identifying and taking legal action against you.
You may at any time request access to and correct Personal Data relating to you in any of our records. You may also ask us to delete you or your Personal Data from any active mailing or distribution list. To exercise any of your rights, contact us at the address or email below marking your communication "Confidential ". In response, we may ask you to provide certain details about yourself so that we can be sure you are the person to whom the data refers. We are required to respond to your requests within 40 days. We may also charge you a reasonable fee for complying with any data access request.
Any requests (i) for access to data or correction of data; (ii) for general information regarding our policies and practices with respect to Personal Data; and (iii) about the kinds of Personal Data that we hold; and/or general questions and complaints relating to this PPS should be addressed to the person below:
MTR Corporation Limited
Personal Data Privacy Officer
Legal – General Department
(Marked Confidential)
Address: MTR Headquarters Building
Telford Plaza, Kowloon Bay
Kowloon, Hong Kong
email: PDPO@mtr.com.hk
Personal Data provided by you are retained for as long as the purposes and any directly-related purposes for which such data were collected continue. Once it is not necessary to use the Personal Data to fulfil such purposes (and directly-related purposes), they are then destroyed within a reasonable time unless their retention is required to satisfy legal, regulatory or accounting requirements or to protect the MTRCL's interests.
This PPS is subject to change. Any changes will be posted on this page. Your continued use of our websites and/or mobile applications after the posting of such changes indicates your acceptance to the same.
In the event that there is any inconsistency between the English and Chinese version of this PPS, the English version shall prevail.
July 2018