DATA PROTECTION AND PRIVACY POLICY

Royal Amparo respects the privacy of Personal Data and are committed to protecting Personal Data for which Royal Amparo is a Controller. This Data Protection and Privacy Policy (this “Policy”) describes the policies and procedures Royal Amparo has implemented to protect Personal Data Processed by Royal Amparo in accordance with applicable Data Protection Laws.

 

Royal Amparo has voluntarily opted to apply the protections and obligations outlined in this Policy to all Data Subjects. However, such protections and obligations may be beyond the legal requirements of the jurisdiction of certain Data Subjects. Data Protection Laws vary widely across jurisdictions and while Royal Amparo will strive to meet this Policy for all Data Subjects, the Data Protection Laws for the Data Subject ultimately govern the protections conferred in the specific jurisdiction applicable to that Data Subject, and this Policy does not confer any rights beyond those granted by the relevant Data Protection Laws.

 

This Policy describes how Royal Amparo collects and uses Personal Data, the circumstances under which Royal Amparo may share Personal Data, the applicable rights of Data Subjects, and Royal Amparo’s technical and physical safeguards to protect the security of Personal Data.

DEFINITIONS

“Controller” means a natural or legal person, public authority, agency, or other body that, independently or jointly with others, determines the purpose and means of Processing Personal Data, as defined in Data Protection Laws. Controller shall refer to Royal Amparo, and with regard to certain Processes, Royal Amparo may act as joint Controller with a third-party.

 

“Data Protection Laws” refer primarily to the Regulation (EU) 2016/679 (GDPR), the Singapore Personal Data Protection Act 2012 (PDPA), and the Chinese Cyber Security Law (the CS Law), but may extend to other applicable privacy legislations, regulations, or codes issued by data protection regulators in jurisdictions in which Royal Amparo has a physical presence.

 

“Data Subject” means a natural person who can be identified, directly or indirectly, by reference to their Personal Data. In this section, Data Subjects shall include “Personnel,” meaning all employees and interns, contract-based, and part-time Royal Amparo employees.

 

“Personal Data” means any information attributable to an identified or identifiable natural person (a Data Subject), as defined in Data Protection Laws. Personal Data does not include data where the identity has been removed (anonymous data). Personal Data shall encompass Special Category Data.

 

“Process” or “Processing” or “Processed” or “Processes” means, as applicable, any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collecting, recording, using, organizing, structuring, storing, adapting or altering, retrieving, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing, or purging.

 

“Processor” means a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of a Controller, as defined in Data Protection Laws. A Processors’ activities are limited to the more “technical” aspects of a Process and do not include the exercise of professional judgment or significant decision-making in relation to Personal Data. Processors may include third-party service providers, applications, or agencies utilized by Royal Amparo in the course of business.

 

“Special Category Data” means Personal Data revealing racial or ethnic origin, criminal history, political opinions, religious or philosophical beliefs, sexual orientation, trade union membership, or health, genetic, or biometric data, or data pertaining to a child or minor.

GROUNDS FOR PROCESSING PERSONAL DATA

Royal Amparo will only use Personal Data when Data Protection Laws allow Royal Amparo to do so. Personal Data shall be Processed in a manner that is adequate, relevant, and not excessive in relation to the intended business purpose(s) of such Processing. Royal Amparo’s bases for Processing Personal Data may include:

 

  • Data Subject giving consent to the Processing of his or her Personal Data for a specific purpose(s);
  • Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which Royal Amparo is subject;
  • Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person; or
  • Processing is necessary for the purposes of the legitimate interests pursued by Royal Amparo or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child.

RIGHTS OF DATA SUBJECTS

When applicable, Royal Amparo shall honor Data Subject rights, as described herein. In accordance with Data Protection Laws and in certain circumstances, a Data Subject may possess the right to:

  • Request access to his or her Personal Data that Royal Amparo holds to check that it is accurately and lawfully being Processed.
  • Request correction of his or her Personal Data that Royal Amparo holds. This enables Personnel to have any incomplete or inaccurate Personal Data be corrected, though Royal Amparo may need to verify the accuracy of any new Personal Data provided.
  • Request erasure of his or her Personal Data. This enables Personnel to ask Royal Amparo to delete or remove Personal Data where there is no legitimate purpose for the Processing of such Personal Data by Royal Amparo. Royal Amparo may not always be able to comply with the request of erasure for specific legal reasons or other legitimate grounds, which will be notified to Personnel, if applicable, at the time of the request.
  • Object to Processing of his or her Personal Data where Royal Amparo is relying on a legitimate interest (or those of a third party) and he or she would like to object to the Processing because it impacts his or her fundamental rights and freedoms.
  • Request restriction of Processing of his or her Personal Data. This enables Data Subjects to ask Royal Amparo to suspend Processing Personal Data in the following scenarios: (a) establishing the accuracy of Personal Data; (b) where Royal Amparo’s use of Personal Data is unlawful, but there is no request of erasure; (c) where a Data Subject needs Royal Amparo to hold Personal Data even if retention is no longer required and it is needed to establish, exercise, or defend a legal claim; or (d) a Data Subject objects to Royal Amparo’s use of Personal Data, but Royal Amparo needs to verify whether there are overriding legitimate grounds to use it.
  • Request the transfer of his or her Personal Data. Royal Amparo will provide to Personnel, or a third party, his or her Personal Data in a structured, commonly used, machine-readable format. This right only applies to automated information.
  • Withdraw consent at any time where Royal Amparo is relying on consent to Process Personal Data. This will not affect the lawfulness of any Processing carried out before consent is withdrawn.
  • Be notified of a data breach involving a Data Subject’s Personal Data.

Royal Amparo shall accept, when applicable, any written requests through the appropriate channels from a Data Subject to exercise his or her rights and freedoms pursuant to Data Protection Laws. Royal Amparo shall use reasonable means to verify the identity of the requester. If Personnel receive a request from a Data Subject in relation to his or her Personal Data, such request shall be promptly escalated to that jurisdiction’s designated Data Protection Officer, or his or her designee, or sent to datarequests@Royal Amparoandco.com

ROYAL AMPARO DATA PROTECTION OBLIGATIONS

Royal Amparo and its Personnel have implemented appropriate technical and organizational measures to provide adequate protection regarding Data Subjects’ rights and the lawful, fair, and transparent Processing of Personal Data, as described herein. Royal Amparo data protection obligations include the following:

 

  • Consent: When consent is the lawful basis for Processing, Royal Amparo shall obtain the affirmative consent of a Data Subject prior to such Processing. Consent shall be written in clear and plain language by Royal Amparo and the Data Subject must give consent freely. Prior to providing consent, a Data Subject shall be notified by Royal Amparo that consent may be withdrawn at any time. Consent may not be permanently binding on Data Subjects, as such Data Subjects may withdraw consent at any time.
  • Purpose Limitation: Royal Amparo shall restrict the Processing of Personal Data to the intended business purpose(s).
  • Notification: Royal Amparo shall provide notification in clear language to a Data Subject at the outset of Processing, which may include: name of Controller and contact information; purpose of Processing; type(s) of Personal Data Processed; whom has access to Personal Data; Processing location(s); retention period; Data Subject’s rights and instructions for exercising such rights; and protections against data breaches.
  • Access: Upon request by a Data Subject, Royal Amparo shall provide such Data Subject with access to his or her Personal Data in the possession or under the control of Royal Amparo and information about the ways in which Personal Data may have been previously Processed.
  • Correction: Upon request by a Data Subject, Royal Amparo shall correct any error or omission in a Data Subject’s Personal Data in the possession or under the control of Royal Amparo. If Personal Data is corrected, Royal Amparo must inform (i) third-parties to whom data has been disclosed of correction and (ii) Data Subjects that his or her Personal Data has been disclosed to third-parties.
  • Erasure: Upon request by a Data Subject, Royal Amparo shall erase such Data Subject’s Personal Data in the possession or under the control of Royal Amparo, if: (i) Personal Data is no longer necessary for the intended business purpose for which it was Processed; (ii) the Data Subject withdraws consent and there is no other legitimate basis for the Processing; (iii) the Data Subject objects to Processing based solely on Royal Amparo’s legitimate interest; (iv) the Processing of Personal Data is unlawful; or (v) Personal Data is related to the offer of information society services to a child.” This is not an absolute right, as Personal Data may be retained to the extent required or permitted under applicable law. If Royal Amparo discloses Personal Data to a third-party, Royal Amparo shall notify such third-parties of any fulfilled request to erase, unless unreasonable or would result in a disproportionate effort.
  • Accuracy: Royal Amparo shall make a reasonable effort to verify that Personal Data Processed by or on behalf of Royal Amparo is accurate and complete. Generally, Personal Data is obtained directly from the Data Subject.
  • Protection: Royal Amparo shall protect Personal Data in its possession or under its control by securing against unauthorized Processing, as further described in the “Security Measures Taken to Protect Personal Data” Section.
  • Retention: Royal Amparo shall cease to retain documentation containing Personal Data or remove the means by which Personal Data can be associated with a particular Data Subject, when (i) the intended purpose for which Personal Data was Processed is no longer applicable and (ii) the retention is no longer necessary for legal or business purposes.
  • Breach Notification: In the case of a data breach involving any loss, misuse, or alteration of Personal Data that is likely to result in (i) a risk to Data Subjects’ rights and freedoms, Royal Amparo shall notify the supervisory or data protection authorities within seventy-two (72) hours; or (ii) a high risk to Data Subjects’ rights and freedoms, Royal Amparo shall notify Data Subjects without undue delay.

SHARING OF PERSONAL DATA

Royal Amparo has executed appropriate documentation to protect the privacy and fundamental rights and freedoms of Data Subjects and has taken appropriate measures to ensure data protection during the sharing of Personal Data.

 

Royal Amparo may share Personal Data with third-parties to Process (maintain, store, use) on Royal Amparo’s behalf. Royal Amparo requires all such Processors to take appropriate security measures to protect Personal Data in accordance with Royal Amparo’s policies. Royal Amparo does not allow Processors to Process Personal Data for their own purposes and only permits them to Process Personal Data for specified purposes and in accordance with Royal Amparo’s instructions. Please email datarequests@Royal Amparoandco.com for a current list of third-parties Processing Personal Data.

 

Royal Amparo may share Personal Data with third parties to Process on their own behalf. Such third parties will be considered joint-Controllers of such Personal Data. While joint-Controllers have shared discretion over the purposes of Processing, all such Controllers agree to Process such shared Personal Data in accordance with Data Protection Laws.

 

Royal Amparo may Process Personal Data in the United States, United Kingdom, European Union, or Singapore. Regarding transfers from the European Economic Area, Royal Amparo has taken steps to provide an adequate level of protection for Personal Data in accordance with Data Protection Laws.

 

  • Third-Parties

 

Royal Amparo may, from time to time, engage with Processors or joint Controllers, such as third-party service providers, applications, or agencies, to Process Personal Data. Prior to the Processing of Royal Amparo-controlled Personal Data by a Processor or joint Controller, Royal Amparo will work with such third-parties to verify that adequate documentation and security safeguards are in place to Process Personal Data in accordance with Data Protection Laws. The Processor or joint Controller shall restrict Processing to the intended business purpose.

 

  • Royal Amparo Entities

 

Royal Amparo shall not transfer Personal Data to a country or territory outside the jurisdiction in which it was Processed, except in accordance with the requirements prescribed under Data Protection Laws. Royal Amparo may transfer or provide access to Personal Data across jurisdictions and entities in accordance with its Data Protection Agreements and Intercompany Agreements, which are aligned with Data Protection Laws.

SECURITY MEASURES TAKEN TO PROTECT PERSONAL DATA

Royal Amparo has implemented appropriate elements of privacy by design in conjunction with technical and physical safeguards to protect the security of Personal Data from unauthorized or unlawful Processing. As more fully described in the Network Protection and Monitoring Policy, Royal Amparo uses a number of systems and applications to protect Personal Data at all times, which also allow for the following capabilities: (i) the anonymization and encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing Personal Data; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing, and evaluating, at least annually, the effectiveness of such security measures.

 

In assessing the appropriate level of security as well as the risks of varying likelihood and severity for the rights and freedoms of Data Subjects, Royal Amparo assesses the risks presented by the Processing of Personal Data. Such risks may include, but are not limited to, any accidental, unlawful, or unauthorized destruction, loss, disclosure, alteration, or access to Personal Data Processed by or on behalf of Royal Amparo, or other factors that may impact Data Subject rights and freedoms. Royal Amparo shall make reasonable attempts to ensure that any risks presented by the Processing of Personal Data are sufficiently mitigated by technological and/or organizational controls, including limited access of Personal Data utilizing access controls and password protections.

THIRD PARTY WEBSITES AND SOCIAL MEDIA

This website may contain content and links to third-party websites that are not owned, operated, or controlled by Royal Amparo. Royal Amparo is not responsible for the privacy practices of or the content displayed on such third-party websites.

When engaging with Royal Amparo’s content on or through a third-party social networking website, plug-in, or application, Royal Amparo may Process Personal Data associated with your social media account.

COOKIES, SCRIPTS, AND RELATED TECHNOLOGIES

When you visit our website, we and our third-party service providers receive and record Personal Information that you may have provided and your digital signature, such as your IP address. The technologies we use to track your movements around our website include cookies, tracking scripts and pixels, and tagging technologies, which we may employ to understand your preferences, improve your experience on our website, etc. You can control the use of cookies at the individual browser level. If you want to learn more about cookies, or how to control, disable, or delete them, please visit http://www.aboutcookies.org for detailed guidance.

REVIEW AND UPDATES TO POLICY

Royal Amparo will review and may update this Policy to reflect changes to Royal Amparo’s privacy practices or security measures as needed. If a review is not satisfactory, Royal Amparo will take immediate steps to remedy any noted deficiencies. Please periodically review this Policy for the latest on Royal Amparo’s privacy practices. The use of Royal Amparo’s website after any updates constitutes an acknowledgement of having read and understood the Policy.

CONTACT

Please contact Royal Amparo by email at [email protected] should you have any questions or comments about this Policy or your Personal Data.