Accolade IP Group: Data Protection Policy

 

  1. Introduction

Accolade IP Group (hereafter referred to as "AIP" or "the Group") is committed to safeguarding the privacy and security of all company and personal data entrusted to us. This Data Protection Policy outlines the framework within which AIP complies with Hong Kong's Personal Data (Privacy) Ordinance (PDPO) and Singapore's Personal Data Protection Act (PDPA) (hereinafter collectively referred to as the “Applicable Laws”), ensuring that client data is handled, stored, and processed securely and responsibly.

 

  1. Scope of the Policy

This policy applies to (1) all employees, contractors, and third-party service providers working with or for AIP; (2) all personal and company data collected, processed, stored, or transmitted by AIP; and (3) all offices and operations across jurisdictions where AIP operates.

 

  1. Key Principles of Data Protection

AIP adheres to the following data protection principles:

 

  1. Lawful, Fair, and Transparent Processing

Data is collected and processed only for legitimate purposes clearly communicated to clients upon data collection.

 

  1. Purpose Limitation

Data is used strictly for the purposes stated during collection and will not be further processed in a manner incompatible with those purposes.

 

  1. Data Collection and Minimization

The following data are collected from our clients:

  1. Personal contact information which includes client’s name, address, email address, phone number, or any other information that would allow AIP to contact its clients;
  2. Demographic information which includes client’s gender, date of birth, age, civil status, nationality, etc.;
  3. Non-personal information such as that provided by your device, which may include client’s IP address, geolocation, operating system, browser type and version, and other machine identifiers, etc.; and
  4. Other personal data referred to us by clients necessary for the performance of our obligations under our service or engagement agreement.

 

Only the data necessary for the intended purpose shall be collected and retained.

 

  1. Accuracy

Reasonable steps are taken to ensure data is accurate and kept up-to-date.

 

  1. Storage Limitation

Data collected shall be retained only for such period as may be necessary to fulfill the stated purpose or comply with legal obligations. Regular reviews of data retention periods are conducted to ensure compliance. Secure disposal methods, including data wiping for electronic records and shredding for physical documents, shall be employed by AIP.

 

  1. Security

Robust measures are in place to protect data against unauthorized access, alteration, disclosure, or destruction.

 

  1. Accountability

AIP demonstrates accountability by maintaining comprehensive records and ensuring staff understand their data protection obligations.

 

  1. Data Handling and Storage

Organizational, physical and technical security measures are maintained, enforced and implemented at all times to ensure the integrity, confidentiality and security of your personal data. The security measures of DivinaLaw include, but are not limited to the following:

  1. The processing of personal information is limited to the extent necessary to deliver the services offered and/or made available by AIP;
  2. Our server is equipped with a firewall, data encryption, anti-virus, and other appropriate security controls to prevent unauthorized access;
  3. Access to personal information is restricted to authorized personnel on a need-to-know basis;
  4. Regular audits are conducted to ensure that personal information is secured and security controls are effective;
  5. Physical documents are stored in locked cabinets, while electronic data is hosted on secure servers with up-to-date security patches;
  6. Regular data backups are conducted and stored in secure, separate locations to ensure recovery in case of data loss; and
  7. The personnel are regularly oriented regarding the appropriate level of data privacy protection.

 

  1. Employee Responsibilities

Employees of AIP have a critical role in ensuring compliance with the Applicable Laws and maintaining the integrity, confidentiality, and security of personal and company data. All employees must adhere to the following responsibilities and obligations:

  1. Compliance with Policies and Regulations
    • Handle all personal and company data in accordance with this policy, the PDPO, the PDPA, and other applicable data protection laws.
    • Follow established procedures for collecting, processing, storing, and transmitting personal data, ensuring that data is used only for its intended purpose.
  2. Incident Reporting
    • Report any suspected or actual data breaches, security incidents, or unauthorized access to personal data immediately to the Data Protection Officer (DPO).
    • Cooperate fully in investigations or audits related to data protection incidents.
  3. Mandatory Training
    • Complete all mandatory training sessions on data protection laws, company policies, and best practices.
    • Stay informed about updates to data protection laws and company policies as communicated by the DPO or management.
  4. Confidentiality
    • Ensure that personal data is only accessed and used within the scope of job requirements.
    • Maintain strict confidentiality and security when handling sensitive or personal data, whether in physical or electronic form.
  5. Data Accuracy
    • Verify the accuracy and completeness of personal data handled in the course of work and report any discrepancies for correction.

Employees are strictly prohibited from engaging in the following activities:

  1. Unauthorized Sharing
    • Sharing, disclosing, or distributing personal or company data to unauthorized individuals, both within and outside the organization.
    • Discussing sensitive data in public areas or through unsecured communication channels.
  2. Unnecessary Data Access
    • Accessing personal or company data not directly required for their job responsibilities.
    • Using personal data for purposes unrelated to their work or outside the intended purpose for which it was collected.
  3. Negligent Handling
    • Leaving sensitive data (e.g., physical files, devices, or digital information) unsecured, such as unattended on desks or open on screens.
    • Failing to follow company policies on secure disposal of sensitive information.

Acknowledgment of Accountability

  • Employees acknowledge their accountability by signing a statement of compliance with this policy and undergoing regular evaluations of their data handling practices.
  • Non-compliance with this policy may result in disciplinary actions, up to and including termination of employment, in accordance with company policies and applicable laws.

 

 

  1. Third-Party Processors

AIP collaborates with third-party service providers for various business operations that may involve processing personal data. To ensure compliance with the Applicable Laws and uphold equivalent standards of data protection, AIP has established the following requirements:

  1. Written Agreements
    • All third-party processors engaged by AIP must sign a written agreement that mandates:
      • Full compliance with the PDPO, PDPA, and other applicable data protection laws.
      • Implementation of security measures that meet or exceed AIP’s data protection standards.
      • Restricted use of personal data solely for purposes specified in the agreement.
      • Immediate reporting of any actual or suspected data breaches involving personal data.
  2. Confidentiality
    • All personal data handled by third-party processors must remain confidential. Processors are prohibited from disclosing or sharing data with unauthorized parties without AIP’s explicit written consent.

 

  1. Client Rights

AIP ensures that its clients have the following rights under the Applicable Laws – the right to access and correct their personal data, withdraw consent for its use (subject to legal obligations), and object to direct marketing. Individuals may also request the deletion of data no longer needed for its original purpose and, where applicable, receive their data in a portable format. AIP is committed to transparency, informing individuals of data collection purposes and disclosures.

 

To exercise these rights, individuals must submit written requests to the Data Protection Officer (DPO). Requests shall be processed promptly, and data access or correction requests shall be addressed within 40 days. If the request cannot be complied with within 30 days, the Data Protection Officer (DPO) must inform the requesting party in writing when it will respond. AIP may verify the requester's identity to ensure compliance with this policy.

 

  1. Data Breach Response

AIP has established a robust data breach response protocol to comply with the Applicable Laws and to minimize harm to affected individuals. In the event of a data breach, the following steps will be taken:

  1. Immediate Reporting
    • Employees, contractors, or third-party service providers must report suspected or actual data breaches to the Data Protection Officer (DPO) immediately upon discovery.
  2. Breach Assessment
    • The DPO will promptly assess the nature, scope, and potential impact of the breach, including:
      • The type and volume of data affected.
      • The risk of harm to affected individuals.
      • The likelihood of further unauthorized access or misuse.
  3. Notification
    • Where appropriate, affected individuals shall be notified promptly, especially if the breach poses a significant risk of harm (e.g., identity theft or financial loss).
    • Regulatory authorities shall be notified if required, in accordance with Applicable Laws and guidelines.
  4. Containment and Mitigation
    • Immediate steps will be taken to contain the breach and mitigate risks, including:
      • Disabling compromised accounts or systems.
      • Implementing additional security measures to prevent recurrence.
  5. Remediation
    • Affected systems will be reviewed and updated to address vulnerabilities.
    • A root cause analysis will be conducted, and measures will be implemented to prevent similar incidents in the future.
  6. Documentation
    • All breaches, regardless of severity, will be documented, including:
      • A summary of the incident.
      • Actions taken to resolve the breach.
      • Lessons learned and measures implemented to strengthen data security.
  7. Regular Training and Drills
    • Employees will receive training on breach response protocols, and regular drills will be conducted to ensure preparedness.

 

  1. Cross-Border Transfers

AIP ensures that personal data transferred outside Singapore or Hong Kong, as the case may be, complies with the transfer limitation obligations under the Applicable Laws. Before transferring data, AIP shall assess the destination jurisdiction to ensure it provides a comparable standard of data protection. Where necessary, contractual agreements with the recipient organization will enforce these standards.

 

  1. Compliance and Review

The Data Protection Officer (DPO) is responsible for overseeing and ensuring compliance with this policy and the Applicable Laws. The DPO monitors data protection practices, provides guidance on compliance requirements, and acts as the primary point of contact for related inquiries or issues.

 

To uphold data protection standards, AIP conducts regular audits and reviews to assess the effectiveness of its measures, identify potential risks, and ensure adherence to applicable laws and regulations. Findings from these reviews inform updates to the policy, security practices, and employee training programs to continuously improve compliance and safeguard personal data.

 

  1. Contact Information

For any data protection queries, concerns, or requests, please contact:

 

Data Protection Officer (DPO):

Accolade IP Group

dpo@accoladeip.com

+852 3521 2883

 

  1. Updates to the Policy

This policy will be reviewed periodically and updated as necessary to reflect changes in laws, regulations, or company practices. Employees and stakeholders will be informed of significant updates. Acco reserves the right to periodically review and update this Privacy Policy to comply with government and regulatory requirements, to adapt to new technologies, to align with industry practices, or for other legitimate purposes. Rest assured that the clients will be notified if the amendments are significant.