Privacy Addendum for mainland China

1.
General
This Privacy Addendum (“Addendum”) may apply to you if you are located in mainland China when you submit personal information to Blue Insurance Limited (“we”, “us” or “our”). This Addendum forms part of our Personal Information Collection Statement (“PICS”). If any conflict or inconsistency exists between the PICS and this Addendum, this Addendum shall prevail.
2.
Personal Information We Possess
For the purposes stated in PICS and other legally permissible reasons:
 
2.1
We may process the following of your personal information:

  • [Personal and contact details, such as title, full name, contact details and contact details history;

  • Travel document information;

  • Payment information including but not limited to credit card details and bank account information;

  • Date of birth, gender and / or age;

  • Nationality, identity document copies and details (if relevant to the product or service);

  • Details of policyholders, joint policy holders, insureds, beneficiaries, including minor beneficiaries, assignees, trustees and claimants of our products or services;

  • Family members (if relevant to the product or service);

  • Records of your contact with us such as via the phone number of our customer service centre and, if you get in touch with us online using our online services or via our smartphone app, details such as your mobile phone location data, IP address;

  • The usage of our products and services, any claims and whether those claims were paid out or not (and details related to this);

  • Information about your health / medical records;

  • Your residency and /or citizenship status; and

  • Marital status, family, lifestyle or social circumstances (if relevant to the product or service). For example, the number of dependents you have or if you are a widow or widower.]

 
We may not collect all your personal information in one go; instead, we collect it as necessary when you engage in different business activities.
 
When we receive personal information of a third party indirectly from you, you must confirm the legality of their sources and fully disclose the origins of the personal information. Additionally, you are required to have obtained all necessary consents from the data subjects for their processing activities, which include but are not limited to the use, transfer, sharing, disclosure or deletion of the personal information, and provide us with such consent upon request. If our intended processing activities exceed the scope of these consents, you are obliged to secure explicit additional consent from the data subjects before transferring the personal information to us or do so within a reasonable timeframe thereafter (unless this Addendum sets out otherwise).
 
2.2
Sensitive Personal Information
 
2.2.1 We process the sensitive personal information only for specific purposes, such as assessing your application for the issuance of an insurance policy to you, investigation on any claims applications submitted to us, or when necessary to provide you with our products and services. We will obtain your separate consent before processing sensitive personal information. Sensitive personal information refers to the personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14. We may collect sensitive personal information of minors under 14 years old from the guardian of the child. We may not be able to provide you with the product or service you have requested or to comply with statutory or contractual requirements if we fail to process such personal information.
3.
Sharing your personal information with third parties
In addition to the ‘Classes of Transferees’ described in PICS, we may transmit your personal information to such third-party service providers to process such information for us in accordance with our instructions and in compliance with the PICS and this Addendum as well as any other appropriate confidentiality and security measures. We may not be able to provide you with the product or service you have requested or to comply with statutory or contractual requirements if we fail to process such personal information in this manner. The types of personal information that we provide to the recipients include without limitation personally-identifiable information, your medical information, your past health records/information, and your financial information. We may deliver your personal information through electronic means or other mode of dispatch to the recipients. The recipients are listed on Exhibit 1. We will share with you the recipient’s name, contact information, purpose and method of processing, and type of personal information involved, and obtain your separate consent before we share your personal information with third parties. We may share or publicly disclose your personal information in accordance with applicable laws or as required, investigated, or advised by regulatory authorities.
4.
Cross-border data transfer
We may be considered as an overseas recipient when processing your personal information. We will comply with relevant PRC laws and regulations, including those on cross-border data transfer.
5.
Retention
We will retain your personal information for the period necessary to fulfil the purposes outlined in our PICS and this Addendum. The criteria used to determine our retention periods may include one or more of the following: as long as we have an ongoing relationship with you; as required by a legal obligation to which we are subject; and as advisable in light of our legal position (such as in regard of the applicable statute of limitation, litigation, audits or regulatory investigation).
6.
Your Rights
 
6.1
Right to be informed and make decisions
You are entitled to be informed of, make decisions on, and restrict or decline our processing activities, unless otherwise specified by applicable law or administrative regulations.
 
6.2
Right to access your personal information
You have the right to access and obtain a copy of your personal information barring specific exceptions. We may reject your requests in cases involving state secrets, execution of state functions or other legally permissible grounds.
 
6.3
Right to portability
You can transfer your personal information to another personal information processor upon the satisfaction with the prescribed conditions or applicable laws.
 
6.4
Right to rectification
You can ask us to correct wrong or incomplete personal information. We will verify and update your personal information.
 
6.5
Right to be forgotten
You can request deletion of your personal information if:
 
(i) the processing purpose is achieved or no longer achievable, or is deemed unnecessary;
(ii) the service or product ends, or the retention period expires;
(iii)you revoke your consent;
(iv) we have violated applicable laws, regulations, or contractual obligations; or
(v) other legal provisions mandate the deletion.
 
If we agree to delete your personal information, we will also instruct any third parties who received your data from us to delete it, unless laws require otherwise, or they have your separate consent. Deleted information may persist in backups until the next update cycle.
 
Should deletion be impractical due to mandatory retention periods or technical constraints, we will restrict the processing of your personal information to storage only and ensure that your personal information continues to be protected and secure.
 
6.6
Right to modify or withdraw previously granted consent
You can modify or withdraw previously granted consent, although this will not impact the processing of your personal information that occurred prior to such modification or revocation. If you modify or withdraw your consent to our processing of your personal information, we may not be able to provide the relevant products and/or services to you.
 
6.7
Right of de-registration
You can cancel your previously registered account. After your account is canceled, we may have to cease to provide products or services to you and, upon your request, delete your personal information, except where otherwise required by law.
 
6.8
You also have the right to: (i) request an explanation of our processing rules; (ii) inquire about the rationale behind our automated decision-making that significantly affects you and opt-out of such decisions; and (iii) initiate legal action against us for non-compliance.
 
6.9
Response to your requests
We can require you to submit a written request or otherwise prove your identity. We aim to respond to your requests within thirty calendar days. No fee is typically charged for reasonable requests. Fees may apply for repetitive, excessive, or technically burdensome requests. We reserve the right to refuse such requests. We may not be able to fulfill your requests in certain cases, such as: our legal obligations; matters of national, defense or public security; issues concerning public health or the public interest; criminal investigations or legal proceedings; evidence of malicious intent or rights abuse by the data subject; situations where obtaining consent is difficult, yet vital interests are at stake; requests that could harm the rights of the data subject or others; and cases involving confidential trade secrets.
7.
Protecting Your Personal Information
We protect your personal information with robust security measures to prevent unauthorized access, disclosure, use, modification, damage or loss. In the unfortunate event of a security incident, we will notify you as mandated by laws and regulations via email, letter, telephone, push notifications, announcements or other reasonable means. We will also report the personal information security incident to regulatory authorities as required.
8.
Update of this Addendum
We may update this Addendum from time to time and will notify you of our updates by sending you email, posting it on our website or application platforms (as the case may be). We will also archive previous versions of this Addendum for your reference. This Addendum is governed by the laws of the People’s Republic of China; however, if the content or context of this Addendum explicitly or implicitly indicates that laws other than those of the People's Republic of China should apply, the relevant provisions will be governed by the laws of our place of registration, the Hong Kong Special Administrative Region.
9.
Contact Us
If you wish to exercise any of your rights under this Addendum or have any queries or suggestions, you may make your request, complaint or recommendations to us at:
 
Blue Insurance Limited
30/F, One Kowloon, 1 Wang Yuen Street, Kowloon Bay, Hong Kong
Attn: The Data Protection Officer
This Addendum is last updated on 19 April 2024.