Contract
Customer Personal Information Protection Agreement (for Employees)
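Article 1: Scope
This Agreement applies to all employees who can directly or indirectly access customer personal information, including but not limited to regular employees and non-regular employees (such as interns, persons re-employed after retirement, contractors and part-time employees).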
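Article 2: Definitions
For the purposes of this Agreement, the following definitions apply:
“Customer” means a person or organization that purchases goods or services from LVMH W&J or its subsidiaries (collectively “LVMH W&J”) and leaves customer personal information through any channel.
“Personal information” (“PI”) means all kinds of information, recorded electronically or by any other means, that can be used alone or in combination with other information to identify a specific natural person or to reflect the activities of a specific natural person.
Note: Personal information includes name, date of birth, ID number, personal biometric information, residential address, contact information, communication records and content, account passwords, property information, credit information, whereabouts, hotel accommodation information, health and physiological information, transaction information, etc.
“Personal sensitive information” means personal information whose leakage, illegal provision or abuse may endanger personal and property safety and can easily lead to damage to personal reputation or physical and mental health, or to discriminatory treatment.
Note: Personal sensitive information includes ID number, biometric information, bank account number, communication records and content, property information, credit information, whereabouts, hotel accommodation information, health and physiological information, transaction information, personal information of children aged 14 or under, etc.
“Customer Personal Information” (“CPI”) means any customer personal information and personal sensitive information collected, stored, used, disclosed or transferred by LVMH W&J.
“Explicit consent” means the act whereby a Customer grants clear authorization for specific processing of his/her CPI through an oral or written statement or a proactive affirmative action.
Note: Affirmative actions include a statement proactively made by the Customer (in electronic or paper form), and proactively checking or clicking “Agree”, “Sign up”, “Send”, “Dial”, etc.
“Collect” means the act of gaining control over CPI, including CPI proactively provided by the Customer, automatic collection through interacting with the Customer or recording the Customer's behavior, and indirect acquisition through sharing, transfer or gathering of publicly available information.
“Processing” means any operation or set of operations performed on CPI, whether by automatic or any other means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Delete” means the act of removing CPI from the systems involved in performing daily business functions, so that it remains in a state where it cannot be retrieved or accessed.
“De-identification” means the process of technically processing CPI so that the personal data subject cannot be identified without the use of additional information.
“Security incident” means any event that affects or is likely to affect the security of CPI in terms of availability, integrity, confidentiality and traceability.
“VIC digital card” means a digital card containing CPI.
“CPIPP” means the “Customer Personal Information Protection Policy”.
“Privacy Policy” means the latest version of the privacy policy formulated by the Legal Team.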
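Article 3: Specific Provisions
Employee hereby acknowledges that unauthorized collection, processing or transfer of CPI may cause irreparable harm and serious damage to Employer. Accordingly, Employee agrees that Employer has the right to seek immediate injunctive relief, to enforce the obligations under this Agreement and take legal measures in accordance with the requirements of the Cybersecurity Law of China and/or other applicable laws and regulations, and that Employee will comply with the following specific conditions:
1. Before CPI is collected, the Customer shall be clearly informed of the purpose, method, scope and rules of CPI collection and processing, or the Privacy Policy shall be shown directly to the Customer before explicit consent is obtained. Therefore, Employee shall:
a) inform the Customer of the core business functions (e.g. membership registration, locating the nearest boutique) and of the impact of the Customer's refusal to provide explicit consent;
b) inform the Customer that CPI may be collected for additional functions (e.g. birthday gifts), and that refusing to provide CPI for additional business functions does not affect the core business functions;
c) help the Customer access the Privacy Policy when it cannot be read directly;
d) always inform the Customer of the latest Privacy Policy;
e) obtain the Customer's explicit consent before sharing CPI with third parties, including but not limited to LVMH W&J's partners, suppliers, branches and parent company;
f) re-obtain the Customer's explicit consent when any of the situations listed in the Customer Personal Information Protection Agreement - for Employee Management occurs, and act strictly in accordance with that policy;
g) not consent on behalf of any Customer privately;
h) not force the Customer to consent against his/her will for any purpose;
i) not collect the personal information of minors under the age of 18 without the explicit consent of the minor's legal guardian.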
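2. Only the necessary CPI shall be collected for business purposes (e.g. membership registration), limited to the minimum types, volume and frequency specified in the Privacy Policy. In addition, Employee is prohibited from:
a) collecting CPI privately by any means;
b) deceiving, tricking or forcing the Customer into providing his/her personal information;
c) obtaining CPI from illegal channels, such as illegal purchase or illegal web crawlers;
d) knowingly collecting false information.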
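3. CPI storage shall be carried out effectively in accordance with the CPIPP. Therefore, Employee shall:
a) store CPI in accordance with the Information Classification Measures issued by LVMH W&J;
b) store de-identified CPI separately from CPI stored for the purpose of identifying individuals;
c) lock the screen or clear the desk promptly when leaving the computer;
d) keep all storage media (e.g. USB sticks) secure and never leave them unattended at any time;
e) store VIC cards or other paper documents containing CPI in the location and manner specified by Employer;
f) notify his/her supervisor immediately upon discovering that a security measure or backup strategy has failed;
g) not store CPI on any private devices or systems (e.g. a personal mobile phone) other than the devices and systems of LVMH W&J.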
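4. Only the necessary CPI shall be used to meet business purposes (e.g. membership registration), limited to the minimum types and volume specified in the Privacy Policy. In addition, Employee shall:
a) not access or process CPI outside the scope of his/her job duties and the Customer's authorization, except where necessary and approved by Employer;
b) use de-identified CPI for analysis work;
c) not publicly disclose CPI unless requested by LVMH W&J for an appropriate business purpose. Where public disclosure of CPI is requested, for example on social media platforms, screens or printed materials, or by oral announcement, Employee shall manually apply de-identification measures;
d) not use CPI in any software development testing, such as user acceptance testing or stress testing, unless such use is specially approved by the security department and his/her supervisor;
e) not privately store de-identified CPI when processing data;
f) not process CPI in bulk (e.g. modifying, copying, downloading) without Employer's authorization;
g) not deliberately tamper with or damage collected CPI;
h) not use CPI for any person, corporate body or entity other than LVMH W&J, unless the Customer's consent and Employer's approval have been obtained respectively or the use is in accordance with law.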
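5. Without the approval of LVMH W&J, CPI shall not be shared with or transferred to any Employee who accesses or processes CPI for a different purpose, or to any third party, including but not limited to family members, external persons and other organizations. Where sharing or transfer has been approved, Employee shall accurately record the transfer, including the date, volume, purpose and approver of the transfer and basic information about the recipient of the CPI. Employee shall also, under the authorization of LVMH W&J, transfer CPI across borders in accordance with the Data Cross-Border Transfer Management Process and applicable laws and regulations.
6. After the specific business purpose has been fulfilled, printed materials temporarily containing CPI shall be destroyed using a shredder, or other forms of CPI shall be destroyed/disposed of in accordance with the CPIPP process under Employer's authorization.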
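7. Any Customer request or complaint concerning CPI that is received shall be responded to under the authorization of LVMH W&J and in accordance with the Complaint Management Process. Such requests include but are not limited to:
a) changing or correcting his/her personal information through the website, call center or other means, if the CPI is incorrect or incomplete;
b) deleting his/her personal information, if LVMH W&J violates laws and regulations or this agreement with the Customer in the course of collecting and processing CPI;
c) withdrawing consent to the collection and processing of CPI;
d) refusing to receive commercial advertisements targeted at the group he/she belongs to, such as email subscriptions and WeChat notifications;
e) deregistering/closing his/her account, such as cancelling membership;
f) appealing where a decision made through the automated decision-making of an information system clearly affects his/her legitimate rights and interests, such as targeted WeChat content push.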
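8. Employee shall cooperate with and attend the relevant training prescribed by LVMH W&J, such as emergency response training and drills.
9. If Employee discovers that a CPI security incident has occurred, he/she shall immediately notify the security team/CISO and cooperate in the relevant emergency response procedures.
10. Employee shall, in accordance with Section 10.2 of the Handbook, report any non-compliant behavior discovered or suspected to the HR Director as soon as possible.
11. Employee shall also comply with other applicable policies and procedures of LVMH W&J.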
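Article 4: Exclusions
Any exception to this Agreement shall be approved by LVMH W&J.
In the event of any conflict between this Agreement and local regulations, Employee shall comply with the law and notify his/her supervisor immediately.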
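Article 5: Period of Protection
Throughout the period of employment, Employee shall always perform his/her duties in accordance with this Agreement. Before the termination of employment takes effect, Employee shall, within ten business days, return all CPI to Employer, including but not limited to all electronic files, documents, records and copies thereof, or provide Employer with a written certification that all such CPI has been destroyed.
Article 6: Ownership
All types of CPI are the property of LVMH W&J.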
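Article 7: Entire Agreement
This Agreement constitutes the entire agreement entered into by Employee with respect to CPI. Apart from the representations expressly set out in this Agreement, neither party may rely on any other representations. This Agreement may not be amended except by a written agreement signed by the authorized representatives of both parties. Unless expressly waived in writing, Employer's failure or delay in exercising any of its existing rights shall not constitute a waiver of such rights.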
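Article 8: Governing Law
This Agreement is governed by the applicable laws, regulations and national standards of the People's Republic of China, including but not limited to:
Laws
Cryptography Law of the People's Republic of China, Presidential Order No. 35, 26 October 2019
Amendment (IX) to the Criminal Law of the People's Republic of China, 29 August 2015
Cybersecurity Law of the People's Republic of China, 1 June 2017
E-Commerce Law of the People's Republic of China, 1 January 2019
Administrative Regulations
Regulations of the People's Republic of China on the Security Protection of Computer Information Systems, 18 February 1994
Measures for Security Assessment of Cross-Border Transfer of Personal Information (Draft for Comment)
Provisions on the Cyber Protection of Children's Personal Information, 1 October 2019
Guidelines for Internet Personal Information Security Protection, 10 April 2019
Technical Specifications and Standards
Information Security Technology - Personal Information Security Specification
Information Security Technology - Baseline for Classified Protection of Cybersecurity, 1 December 2019
Any dispute arising out of or in connection with this Agreement shall be submitted to the Cyberspace Administration of China or the local court for resolution in accordance with its arbitration rules then in force. The arbitral award shall be final and binding on both parties.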
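Article 9: Liability for Breach
Failure to comply with the terms of this Agreement may result in disciplinary action, up to and including termination of employment, to the extent of legal jurisdiction. Employer may bring legal proceedings in any court having jurisdiction to seek an injunction, specific performance or other equitable relief to enforce the rights or obligations under this Agreement.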
Customer Information Protection Agreement for Employee
Contents
Article 1: Scope of Agreement
Article 5: Period of Confidentiality for CPI
Article 7: Entire Agreement
Article 9: Responsibility for Breach of Agreement
Article 1: Scope
This agreement applies to every Employee who can have access to CPI directly or indirectly, including but not limited to regular employees and non-regular employees, e.g. interns, people re-employed after retirement, contractors and part-time employees.
Article 2: Definition
The following definitions apply for the purposes of this Agreement:
“Customer” means a person or an organization that buys goods or services from LVMH W&J or its subsidiaries (collectively “LVMH W&J”) as well as leaving CPI through any channels.
“Personal information” (“PI”) means all kinds of information that is recorded electronically or by other means and can be used solely or in combination with other information to identify a certain natural person or reflect the activities of a certain natural person.
Note: Personal information includes name, date of birth, ID number, personal biometric information, residential address, contact information, communication records and content, account password, property information, credit information, whereabouts, hotel accommodation information, health and physiological information, transaction information, etc.
“Personal sensitive information” means personal information whose leakage, illegal provision or abuse may endanger personal and property safety and easily lead to damage of personal reputation and physical or mental health, or discriminatory treatment.
Note: Personal sensitive information includes ID number, biometric information, bank account number, communication records and content, property information, credit information, whereabouts, hotel accommodation information, health and physiological information, transaction information, and personal information of children at or under 14 years old.
“Customer Personal Information” (“CPI”) means any personal information and personal sensitive information of Customer collected, stored, used, disclosed or transferred by LVMH W&J.
“Explicit consent” means behavior whereby a Customer grants a clear authorization on certain processing of CPI through oral or written statement, or proactive affirmative action.
Note: Affirmative actions include statement (in electronic or paper form) proactively made by the Customer, and proactively checking or clicking on “Agree”, “Sign up”, “Send”, “Dial”, etc.
“Collect” means the behavior of gaining control right of CPI, including proactively provided by Customer, automatic collection through interacting with Customer or recording the behavior of Customer, and indirect acquisition through sharing, transferring or collecting publicly available information.
“Processing” means any operation or set of operations which is performed upon CPI, whether by automatic means or not, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Delete” means the behavior of removing CPI from the system involved in the fulfillment of daily business functions, to keep it from being retrieved or accessed.
“De-identification” means a technical process adopted for CPI aiming to ensure the personal information cannot be used to identify a personal data subject without using additional information.
“Security Incident” means any event impacting or likely to impact the security of CPI in terms of availability, integrity, confidentiality and traceability.
“VIC digital card” means a digital card with CPI;
“CPIPP” refers to “CPI Protection Policy”.
“Privacy Policy” refers to the latest version issued by Legal Team.
Article 3: Provisions
Employee hereby acknowledges that unauthorized collection, processing or transfer of CPI could cause irreparable harm and significant damage to Employer. Accordingly, Employee agrees that Employer will have the right to seek immediate injunctive relief to enforce obligations under this Agreement and take lawful actions under the requirements of CSL and/or other applicable laws or regulations, and Employee will abide by specific conditions as below:
1. Prior to CPI collection, either Customer shall be informed clearly of the purpose, method, scope and rules of CPI collection and processing, or Privacy Policy shall be shown directly to Customer before obtaining explicit consent. Therefore, Employee shall:
a) inform Customer of the core business functions (e.g. registration for membership; locating the nearest boutique) and the impact caused by his/her refusal to provide explicit consent;
b) inform Customer that CPI might be collected to fulfill additional functions (e.g. birthday gifts), and that core business functions shall not be impacted by the refusal to provide CPI for additional business functions;
c) help Customer to access Privacy Policy when it is unavailable to read directly;
d) always inform Customers of the most updated Privacy Policy;
e) obtain explicit consent from Customer before CPI is shared with third parties, including but not limited to LVMH W&J’s partners, vendors, branches and parent company;
f) re-obtain explicit consent from Customer when any of the situations listed in Customer Personal Information Protection Policy - for Employee Management occurs, and strictly abide by the policy to take actions;
g) not provide consent on behalf of any Customer privately;
h) not force Customer to provide consent against his/her will for any purpose;
i) not collect PI of juveniles under the age of 18 without obtaining explicit consent from his/her legal guardian(s).
2. Only necessary CPI shall be collected to satisfy the business purpose (e.g. registration for membership) in terms of the minimum types, volumes and frequency regulated in Privacy Policy. Also, Employee is prohibited from:
a) collecting CPI privately by any means;
b) cheating, tricking or forcing Customer to provide his/her PI;
c) obtaining CPI from illegal sources, such as illegal purchase, illegal web crawler, etc.;
d) collecting fake information knowingly.
3. CPI storage shall be implemented effectively according to CPIPP, hence Employee shall:
a) store CPI in accordance with the Information Classification Measures issued by LVMH W&J;
b) store de-identified CPI separately from the CPI that can be restored to identify individuals;
c) lock the screen or clear the desk as soon as walking away from the computer;
d) keep all storage media (e.g. USB stick) safe, and not leave them unguarded at any time;
e) store VIC card or other paper containing CPI in the position and by the means specified by Employer;
f) inform supervisor immediately when Employee discovers that the security measure or backup strategy fails;
g) not store CPI in any private devices and systems other than those of LVMH W&J (e.g. personal cell phone).
4. Only necessary CPI shall be used to satisfy the business purpose (e.g. registration for membership) in terms of the minimum types and volumes regulated in Privacy Policy. Also, Employee shall:
a) not access and process CPI which is out of the scope of job duties and Customer’s authorization, unless approved by Employer if needed;
b) use de-identified CPI to conduct analyses;
c) not disclose CPI publicly unless requested by LVMH W&J for appropriate business purposes. If requested, such as on social media platform, screen, printed paper, orally announcing, etc., Employee shall manually adopt de-identification measures;
d) not use CPI in any software development test, such as User Acceptance Test, Pressure Test, etc., unless the use is specially approved by the security department and the supervisor;
e) not restore de-identified CPI privately when processing the data;
f) not process CPI in batch (e.g. modification, copying, downloading, etc.) without authorization of Employer;
g) not distort or damage CPI collected on purpose;
h) not use CPI for any other person, corporation or entity, other than LVMH W&J, unless consent and approval are obtained from Customer and Employer respectively or required by law.
5. CPI shall not be shared or transferred to any Employee who does not access or process the CPI for the same business purpose, or any third parties without authorization of LVMH W&J, including but not limited to family members, external persons and other organizations. When sharing or transfer is authorized, Employee shall accurately record the transferring behavior, including the date, volume, purpose, and approver as well as general information of CPI recipient, etc. Employee shall also follow the Data Cross-Border Transfer Management Process and applicable laws or regulations to transfer CPI abroad under authorization of LVMH W&J.
6. Printed paper containing CPI temporarily should be destroyed by shredder immediately after certain business purpose is satisfied, or other forms of CPI shall be destroyed/disposed of according to the process of CPIPP under authorization of Employer.
7. Any Customer request or complaint related to CPI received shall be responded to according to the process of Complaint Management and under the authorization of LVMH W&J, such requests including but not limited to:
a) change or correct his/her PI through websites, call center or other methods, if the CPI is incorrect or incomplete;
b) delete his/her PI if LVMH W&J is in violation of laws and regulations or this agreement with the Customer on the process of collecting and processing CPI;
c) withdraw the consent of collecting and processing CPI;
d) refuse commercial advertisements that are aimed at the group he/she belongs to, such as email subscription, WeChat notification, etc.;
e) deregister/close his/her account, such as cancellation of membership;
f) an appeal of obviously affecting his/her legitimate rights and interests when a decision is made through the automatic decision-making of an information system, such as targeted WeChat content push.
8. Employee shall cooperate and attend relevant training prescribed by LVMH W&J, such as emergency response training and drills.
9. Employee shall notify security team/CISO when he/she notices a CPI security incident occurs and cooperate with relevant Incident Response Procedures.
10. Employee shall report to the HR Director as soon as any noncompliant behavior is detected or suspected, according to 10.2 in Handbook.
11. Employee shall also abide by other applicable policies and procedures of LVMH W&J.
Article 4: Exclusions
Any exception to this agreement shall be authorized by LVMH W&J.
For any conflict between this agreement and local legal requirements, Employee shall abide by the law and inform supervisor immediately.
Article 5: Period of Protection
Employee shall perform duties in terms of this agreement during the whole employment. When the termination of employment goes into effect, Employee shall, within 10 business days, either return to Employer all CPI, including but not limited to all electronic files, documentation, notes, and copies thereof, or provide Employer with written certification that all such CPI has been destroyed.
Article 6: Ownership
All kinds of CPI are considered as property of LVMH W&J.
Article 7: Entire Agreement
This Agreement constitutes Employee’s entire agreement with respect to CPI. Neither party has relied on any other representations, apart from those expressly contained herein. This Agreement may not be amended except by written agreement signed by authorized representatives of both parties. Employer’s failure or delay in exercising any of its rights will not constitute a waiver of such rights unless expressly waived in writing.
Article 8: Governing Law
This Agreement shall be governed by applicable laws, regulations or national standards of the People’s Republic of China, including but not limited to:
Laws
Code law of the People's Republic of China (President's Order No. 35), 26th October, 2019
Amendment to Criminal Law (IX), 29th August, 2015
China Cybersecurity Law, 1st June, 2017
The E-Commerce Law of The People's Republic of China, 1st January, 2019
Administrative regulations
Regulations of The People's Republic of China on The Security Protection of Computer Information Systems, 18th February, 1994
Measures for Personal Information Cross-Border Transfer Security Assessment (Draft)
Regulations on Children’s Personal Information Network Security Protection, 1st October, 2019
Guidelines for Internet Personal Information Security Protection, 10th April, 2019
Technical specifications and standards
Information Technology - Personal Information Security Specification
Information Technology - Baseline for Classified Protection of Cybersecurity (MLPS 2.0), 1st December, 2019
Any disputes arising out of or in connection with this Agreement shall be submitted to Cyberspace Administration of China or local court in accordance with its arbitral rules then in force. The arbitration award shall be final and have binding force upon the Parties.
Article 9: Responsibility for Breach of Agreement
Failure to abide by the terms of this agreement may lead to disciplinary action, up to and including termination of employment, to the extent of jurisdiction by law. Employer could bring court proceedings in any court having jurisdiction to seek an injunction, specific performance, or other equitable relief to enforce any right or obligation under this Agreement.