Our registered office is in Hong Kong with operations through our branch offices and representatives worldwide. As such, the personal data you submit to us in one country may be transferred, used, processed, stored and accessed worldwide by our offices and representatives in one or more countries. Expando will be the data controller as we are originally responsible for collecting information about you which may also be collected by our branch officers and representatives elsewhere. You should be aware that although our head office in Hong Kong may be principally responsible for looking after your personal data, information may be held in databases which can be accessed and used by other Expando offices and representatives worldwide
Your personal data is collected by us either directly, for example, when you use our services, enrol or participate in our events or programmes, enter lucky draws or competitions, or sign up for our e-newsletter, download our app, or when you interact with us by contacting us for enquiries or providing feedback. You are under no obligation to provide the personal data when we seek to directly collect it from you. However, if you do not provide us with certain information marked as mandatory or with an asterisk on the relevant forms, we may not be able to process your submission, provide you with our services or respond to your enquiries. We may receive information about you indirectly from other sources and combine that with information we collect through our services where this is necessary to help manage our relationship with you. These other sources may include third party software applications, advertising technologies, and social media platforms such as Facebook, Instagram and Twitter, or by our third party event participating merchants or service providers.
We use your personal data for the following purposes: To create customer profiles, maintain customer records and to communicate with you, fulfil your requests and respond to your enquiries, bookings and feedback; To send you important notices or personalised messages; To administer the operation of our Website to allow you to use the services and functions of our Website, to conduct website maintenance, trouble shoot problems and to continually improve your Website experience and improve our products and services; To provide services, directly or through the third parties identified in Section 5 in connection with bookings or registration with our events and programmes; To identify you for entry into lucky draws or any other promotional activities or events; To facilitate lucky draws, promotional activities or events and notify you of the results of the lucky draws, promotional activities or events, announce winners and arrange for the subsequent presentation or redemption of prizes; To tailor and personalise content and make recommendations (including by sending you push notifications) to suit your tastes, interests and preferences; To suggest nearby places of interest, give you point-to-point navigation through Google Map and enable us to send you location based push notification via GPS technology when you are in Hong Kong; To send you marketing materials, news and information which we think will be of interest to you such as our latest promotional activities and upcoming events; To assist with identification of visitors, and to determine appropriate services; To monitor, evaluate and analyse trends, data, usage and activities in connection with our Website and services; To keep internal records, decision making and facilitate internal purposes such as auditing, data analysis, and research to improve our products and services, in addition, such internal records will be used to maintain opt-in and opt-out lists; To detect, investigate and prevent fraud and other illegal activities and protect our rights and property; and To use your personal data for purposes associated with our legal or regulatory obligations. We also use your personal data to develop, display and track content for the purposes of customising or personalising advertising, offers and content made available to you based on your usage of websites, mobile applications or services, and analysing the performance of those advertisements, offers and content, as well as your interaction with them. We may also recommend content to you based on information we have collected about you and your viewing habits. This may amount to profiling in respect of which more information is provided at Section 8 of this Policy. We have to establish a legal ground to use your personal data for the purposes set out above, so we will make sure that we only use your personal data for the purposes reasonably related thereto as set out above and in Appendix 1, where we are satisfied that: our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (e.g. to fulfil obligations under the contract signed between you and us); you have provided your consent; it is necessary to comply with a legal obligation; or our use of your personal data is necessary to support the 'legitimate interests' that we have as a business (for example, to improve our products and services, to provide help or support in connection with our services/ websites, to ensure that they operate efficiently and securely, and to carry out analytics across our datasets), provided it is always carried out in a way that is proportionate, and that respects your privacy rights.
We may use your personal data to send you direct marketing communications about products and services in the travel industry or related services including our latest e-newsletter and upcoming events and offers. This may be in the form of email, post, SMS, telephone or targeted online advertisements or in-app notifications. We limit direct marketing to a reasonable and proportionate level, and to send you communications and otherwise share content with you which we think will be interesting and relevant to you, based on the information we have about you. From the effective date of this Policy onwards, where you register for our events, programmes or offers, sign-up for our e-newsletter or entered a lucky draw and have elected to receive direct marketing information by email or SMS, then for the purposes of the General Data Protection Regulations and where required under relevant e-privacy laws, we will ask you for your consent for our processing of your personal data for direct marketing purposes. The above statement does not apply if you have previously provided us with your personal data and opted-in to direct marketing in accordance with relevant laws, in these cases our continued processing of your personal data is based on our legitimate interests as further detailed in the Appendix. You have a right to stop receiving direct marketing at any time. You can do this by following the opt-out links in electronic communications (such as emails), or by contacting us using the details set out in Section 12 below.
Expando World Limited is a limited liability company incorporated in Hong Kong. All Expando offices are branches of this Limited liability corporation, accordingly any personal data which you provide to us via our offices or otherwise will automatically be transferred to Expando in Hong Kong and your personal data may be accessed or used by staff in the Expando head office in Hong Kong as well as Expando offices or representatives outside Hong Kong. We may transfer your personal data to Expando offices and representatives or service providers that are located outside of the EU. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests and is undertaken in accordance with any rules governing such transfers. You have the right to ask us for more information about the safeguards we have put in place. Contact us as set out in Section 12 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).
Automated decision making' refers to a decision which is taken through the automated processing of your personal data with or without human involvement. This means processing using, for example, software code or an algorithm, which does not involve human intervention. ‘Profiling’ is defines as the automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals. As profiling must involve automated processing, it is a form of automated decision making. We may use profiling to ensure that marketing materials are tailored to your preferences and to what we think you will be interested in. This does not have any significant effect, or a legal effect on you. In certain circumstances it may be possible to infer certain information about you from the result of profiling, which may include special categories of data. We will not however conduct profiling based on your special categories of data unless we have obtained your explicit consent to do so. Please note that you have certain rights in respect of automated decision making, including profiling where that decision has significant effects on you, including where it produces a legal effect on you. You may find more information in Section 10.
We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 above. In some circumstances we may retain your personal data for longer periods of time, for example where we are required to do so to meet legal, regulatory, tax or accounting requirements. In specific circumstances we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a possibility of legal action relating to your personal data or dealings.
Subject to applicable laws and regulations, you may have a number of rights in relation to your personal data. For example, under GDPR, you may request access to your data, rectification of any inaccuracies in our records, erase records where no longer required, restrict processing of your data, object to the processing of your data, obtain a copy of your personal data from us for transfer to another someone else who controls and use your personal data and various information in relation to any automated decision making and profiling or the basis for international transfers. You may also have the right to complain to your supervisory authority (further details of which are set out in Section 12 below). Where permitted by applicable laws and regulations, you may have the following rights: Access: you can ask us to provide details of what personal data (if any) we process about you, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, how you can make a complaint, where we got your data from, you can also ask us to provide a copy of it; Rectification: you can ask us to rectify inaccurate personal data; Erasure: you can ask us to erase your personal data in certain circumstances (for example if it is no longer needed for the purposes for which it was collected or you have withdrawn your consent if the data processing was based on consent); Restriction: you can ask us to restrict (i.e. keep but not use) your personal data in certain circumstances (for example where its accuracy is contested); Portability: in certain circumstances you can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another data controller; Objection: you can object to any processing of your personal data which has our 'legitimate interests' as its lawful basis if you believe your fundamental rights and freedoms outweigh our legitimate interests; and Automated Decision Making: you can ask for certain automated decisions made without human involvement to be reconsidered by us. Please contact us as set out in Section 12 if you do wish to exercise these rights.
We endeavour to protect us and you from unauthorised access to or unauthorised alteration, disclosure or destruction of personal data that we hold. In particular: we review our data collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems; we use password protection where appropriate; and we restrict access to personal data to employees and the third parties we described in Sections 5 and 7 who need access to the relevant personal data in order for them to process it for us, use your personal data and who are subject to strict contractual confidentiality obligations.
For enquiries, you may contact us at: Expando World Limited Hong Kong E-mail: firstname.lastname@example.org If you are in the EU, you also have a right to lodge a complaint with your national data protection supervisory authority at any time, or contacting our EU representative. However, we encourage you to first contact us.