Privacy Policy

as of December 1, 2021

This Privacy Policy explains how and why the personal information of customers and other individuals obtained by OCS Hong Kong Co.,Ltd. (“OCS”, “we”, “our” or “us”) is used. Please read this Privacy Policy carefully before providing personal information to OCS or using our products or services.

Chapter 1 of this Privacy Policy provides an overview of how we use your personal information. Chapters 2, 3 and 4 provide territory-specific information for customers in the European Economic Area /United Kingdom, the　People’s Republic of China and the State of California (U.S.A), respectively.

Additional policies may apply to certain OCS products or services, details of which will be provided alongside the terms of such service.

The Privacy Policy will apply when customers and other individuals provide personal information to OCS or use OCS’s services and products.

OCS utilizes personal information obtained from its customers for the following purposes:

*In addition to the above-mentioned purposes, personal information will be utilized for the purposes described in Chapter 1 Article 7 (Data sharing) below.

OCS will obtain the following personal information by fair and appropriate means for the purpose of achieving the previously mentioned purposes.

OCS will never obtain and use information of a sensitive nature to the customer (hereinafter, “sensitive information”), such as information on race, beliefs, social standing, history of illness, crime records, and history of having been afflicted by crime, unless required by laws and regulations or by the consent of the customer.

As a rule, OCS obtains personal information by the volition of the customer. Customers may experience disadvantages if they refuse to provide their personal information, such as being unable to make use of the various services provided by OCS, or being unable to receive campaign notices and other OCS information because a part of the functions of OCS’s system become inoperable and thereby unavailable. Please note that customers may change their contact information as well as their decision on whether or not they wish to receive email magazines at any time they wish, in a manner designated separately by OCS.

OCS will not disclose or provide personal customer information to any third parties except under the following circumstances. Also, customers’ personal information including sensitive information will not be disclosed or provided to third parties under any circumstances, unless allowed by laws and regulations or by consent of the customer. Note that provision of information to data sharing partners and business entrusted companies are not deemed to constitute disclosure or provision to third parties.

OCS may share customer information as follows.

Scope of entities that data can be shared

ANA Group companies

Purpose of using data by the user

Items of personal information to be shared

The customer’s Customer number, the customer’s name, address, telephone number, fax number, email address, employment information (company name, division/department the customer belongs to, title, address, telephone number, fax number), mailing address, content of transactions, ANA Mileage Club membership number, payment information including details of credit/debit card and other payment methods, details of enquiries, requests and complaints contained in correspondence with customers, information on the use of OCS website and mobile application, including cookie and and action log on the website, etc.

Party responsible for management of personal information

ANA Holdings Inc.

In providing products and services to customers, OCS may entrust a part of its business operations to third parties to which personal information may also be disclosed to the extent required to achieve the purpose of the entrustment. In these cases, OCS will implement appropriate measures in managing and supervising such third parties to safeguard the handling of customers’ personal information, including establishing agreements on the handling of such personal information.

If OCS provides customers’ personal information to third-party business operators outside of Hong Kong, including business entrusted companies and data sharing partners, OCS will take necessary and appropriate measures to comply with laws and regulations.

In receiving customers’ personal information, OCS will manage such information according to the strictest standards and take the utmost care to prevent leaks, loss, or alterations. OCS ensures that the board members and employees are properly trained regarding appropriate handling to safeguard the security of information identifying individual customers. An appropriate retention period for personal information will be established in accordance with the purpose for which such information is used. After the purpose of the information has been achieved, OCS will dispose of the information in question by appropriate methods.

If OCS receives a request from a customer, submitted in the manner specified, for the disclosure, correction, deletion, addition, discontinuance, or erasure (“disclosure, etc.”) of the customer’s personal information stored in a database held by OCS, the request will be handled according to the laws and regulations as follows, within a reasonable timeframe and scope, after confirming that the request was submitted by the customer themselves.

OCS may not be able to fulfill the customers’ requests if compliance with such requests would seriously impact OCS’s business operations, or result in a violation of laws and regulations.

OCS may make modifications to this Privacy Policy. If modifications are made, details will be posted on the OCS website (www.ocs.com.hk) .

This Chapter 2 provides additional information about the handling of personal information of customers and other individuals in the European Economic Area (“EEA”) and/or the United Kingdom (“UK”) in accordance with EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK Data Protection Act 2018 (“DPA 2018”) and other national and international data protection and privacy laws (together, “Data Protection Laws”).

Please note that the UK’s laws are similar to those in the EEA, and customers from both jurisdictions have very similar rights.  Accordingly, references to the GDPR in this Chapter should also be read as references to corresponding UK law.

A guardian’s consent or permission must be obtained in the event that a customer under the age of 16 uses OCS’s service and consents to this Privacy Policy. The data subject’s consent to this Privacy Policy must be obtained in the event that a person such as family member apply for OCS’s service on behalf of the data subject.

In the event that any provisions of this Chapter 2 contradict those of Chapter 1, the provisions of this Chapter 2 shall prevail.

The controller of your personal information is OCS.

OCS protects personal information which is collected and used by controllers (who make decisions about how and why your personal information is used) and processors (who act on the controller’s written instructions) on the basis of Data Protection Laws.

OCS protects your personal information by ensuring that it can only be used to the extent necessary for specific purposes (as set out in Part 3 of Chapter 1 of this Privacy Policy) and by requiring that there is a lawful basis for each processing activity on the basis of Data Protection Laws.

OCS may process customer personal data on one or more of the following lawful bases:

(1) Data Protection Laws provide you with the following legal rights:

Please note, the rights set out above are not absolute and do not apply in every situation. There are also legal exemptions which apply in some situations and mean a request may be refused. Of course, if a request is refused we will inform you of the reasons for this when we respond.

Records of requests made to us will be retained so that we can ensure we have complied with our legal obligations.

(2) Method for submitting request

You can exercise your rights free of charge (except in the case of unreasonable, excessive or repeated requests in which case we may charge a fee or refuse the request). The method for submitting request and contact information are as follows.

Please send the required documents by postal mail to the address below.

Address:
OCS Hong Kong Company Limited
HR & Administration　Division
Shop 1 & 2, G/F., Freder Centre, 3 Mok Cheong Street, Tokwawan,

Kowloon, Hong Kong SAR

(Required documents)
Please describe your request and details.

 

(3) Responding to a request

We will respond without delay and usually within one month.  We may, in some cases, ask for identification or (if you are making the request on behalf of a third party) proof of your authority to submit a request.  If your request is particularly complex or you have made a number of requests, it may take longer to provide a detailed response.  Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.

If you are not satisfied with our response to a data protection request or if you think your personal information has been mishandled, then you have the right to complain to a supervisory authority. Please see Part 9 of this Chapter 2 (“Lodging a complaint with an authority”) for further details.

OCS’s products and services are provided with the assistance of other companies and organizations and often OCS will need to share personal information with third parties in order to run its business. These third parties include:

Where OCS instructs companies, contractors or service providers to process data on its behalf, then it will ensure that it does so pursuant to a contract which meets the requirements of applicable Data Protection Laws.

OCS sends out marketing communications from time to time to notify interested persons of news and provide details of products and services which may be of interest to them. OCS will only do this if the recipient has consented to receive marketing or if they are an existing customer who purchased products or services from OCS and were given the opportunity to opt-out from marketing at the time but chose not to do so.

OCS is located in United States of America and many of the service providers and other organizations with whom we share your personal information will be located in jurisdictions outside the EEA and UK.

When transferring personal information to third parties OCS will ensure that it complies with the requirements of Data Protection Laws. However, you should be aware that recipients outside the EEA and UK may be subject to national laws which do not necessarily provide equivalent protection for your personal data. If you would like more information regarding where your personal information is stored and transferred please contact OCS using the details set out in Part 12 of this Chapter 1 (“Submission of request for disclosure, etc.”).

OCS retains customers’ personal information until the purpose of use is achieved. Particularly, OCS has set the retention period for personal information as follows.

Customers have the right to lodge a complaint on the processing of their personal information with the data protection authority having jurisdiction over their residence.　

Besides Chapter 1, Chapter 3 also shall be applied to the handling of personal information of persons residing in the People's Republic of China (hereinafter, "China") based on China Cyber Security Law and related regulations. In the event that any provisions of this chapter contradict those of chapter 1, the provisions of this chapter shall prevail.

A guardian's consent or permission must be obtained in the event that a customer under the age of 18 uses OCS's service and consents to this Privacy Policy. The data subject's consent to this Privacy Policy must be obtained in the event that a person such as a family member applies for OCS's service on behalf of the data subject.

OCS will retain the customer's personal information until the purpose of use is achieved. In particular, OCS sets the retention period for personal information as follows.　

• OCS develops website with https and sets SSL encryption to secure important customers' data (credit card information, etc.) communication between the customers' web browser and the server.
• OCS uses encryption technology for protecting personal information.
• OCS sets access control for protecting unauthorized person from accessing personal information.
• In order to raise employee awareness of the importance of protecting personal information, OCS provides education and training on security and privacy protection.

In the event that OCS receives a request of the customer's personal information held by OCS from a resident of China, the request will be handled according to the related laws and regulations within a reasonable timeframe and manners besides Chapter 1 Article 11 (Request about handling of Personal Information), after confirming that the request was submitted by the customer himself/herself.　

When OCS share personal information of customers or entrust it to third parties within the scope of the purposes of use, OCS may transfer personal information to companies that can share data or entrustee(s) and such third parties will handle it. Third parties to whom OCS will disclose the personal information of the customers include those located outside China, the customers shall be deemed as having consented to the following matters by consenting to the Privacy Policy:　

In the case of a change to the purposes of use of personal information, OCS will announce the revised Privacy Policy in advance on OCS website (www.ocs.com.hk) and OCS will use personal information in accordance with the new purposes of use of personal information after obtaining consent from customers.

OCS Hong Kong Company Limited
Address: Shop 1 & 2, G/F., Freder Centre, 3 Mok Cheong Street, Tokwawan, Kowloon, Hong Kong SAR

Last updated on December 1, 2021

Besides Chapter 1, Chapter 4 also shall be applied to the handling of personal information of persons residing in California, United States of America based on the California Consumer Privacy Act of 2018 (hereinafter “CCPA”). In the event that any provisions of this chapter contradict those of chapter 1, the provisions of this chapter shall prevail.

The terms used in this chapter are based on the definitions provided in CCPA. For example, the term “sale”, among others, means OCS’s selling, lending, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration. However, if OCS concludes an appropriate agreement concerning the handling of personal information with another business or a third party, the activities mentioned above are not regarded as “sale” from the perspective of CCPA.

Personal information collected by OCS in the preceding 12 months or likely to be collected in the future is classified as defined in the following table. OCS uses such information for the purposes set forth in Chapter 1, Article 3 (Purpose of using personal information). It will acquire such personal information directly from customers.

Type of personal information collected	Example of personal information
Identifiers (name or symbol, etc. used to uniquely identify a particular subject)	The customer’s name, address, telephone number, fax number, mailing address, email address, passport information, and ANA Mileage Club membership number, etc.
Additional data subject to the California Customer Records statute (personal information categories in Cal. Civ. Code Sec. 1798.80(e))	Credit card number and payment information including details of credit/debit card and other payment methods, etc.
Commercial information	Credit card expiration date, usage history of credit card and related information, usage history of OCS services, details of purchase from OCS, details of enquiries, requests and complaints contained in correspondence with customers, etc.
Internet or other electronic network activity information.	Information on the use of OCS website and mobile application including cookie and action log on the website, etc.
Professional or employment-related information	Employment information (company name, division/department the customer belongs to, title, address, telephone number, fax number) and related information

Type of personal information collected	Example of personal information	Third party to which the personal information has been disclosed in the past 12 months
Identifiers (name or symbol, etc. used to uniquely identify a particular subject)	The customer’s name, address, telephone number, fax number, mailing address, email address, passport information, and ANA Mileage Club membership number, etc.	Other companies in the ANA Group, subcontractor handling ANA flights, airports and airlines who we partner with, various service providers, providers with whom we have a marketing partnership, government organizations, regulatory and law enforcement authorities, judicial, customs and immigration authorities, third-party organization, etc.
Additional data subject to the California Customer Records statute (personal information categories in Cal. Civ. Code Sec. 1798.80(e))	The customer’s physical and medical information relating to flying, credit card number, and payment information including details of credit/debit card and other payment methods, etc.	Other companies in the ANA Group, subcontractor handling ANA flights, airports and airlines who we partner with, various service providers, providers with whom we have a marketing partnership, government organizations, regulatory and law enforcement authorities, judicial, customs and immigration authorities, third-party organization, etc.
Characteristics of protected classifications under California or federal law	The customer’s dietary restrictions, etc.	Other companies in the ANA Group, subcontractor handling ANA flights,
Commercial information	The type of customer’s ANA Mileage Club membership card, membership status, membership area, mileage status, credit card expiration date, usage history of credit card and related information, need for wheelchair or other special arrangement, flight reservation and cancellation information, usage history of flights and other services, details of travel plans and arrangements, including flights with ANA and other airlines, accomodations, and other transportation arrangements, details of enquiries, requests and complaints contained in correspondence with customers, etc.	Other companies in the ANA Group, subcontractor handling ANA flights, airports and airlines who we partner with, various service providers, providers with whom we have a marketing partnership, government organizations, regulatory and law enforcement authorities, judicial, customs and immigration authorities, third-party organization, etc.
Internet or other electronic network activity information.	Information on the use of ANA website and mobile application including cookie and action log on the website, etc.	Other companies in the ANA Group, various service providers, providers with whom we have a marketing partnership, government organizations, regulatory and law enforcement authorities, judicial, customs and immigration authorities, third-party organization, etc.
Professional or employment-related information	Employment information (company name, division/department the customer belongs to, title, address, telephone number, fax number) and related information	Other companies in the ANA Group, various service providers, providers with whom we have a marketing partnership, government organizations, regulatory and law enforcement authorities, judicial, customs and immigration authorities, third-party organization, etc.

Customers living in California have the following rights concerning their personal information:

• Type of the customer’s personal information collected by OCS
• Source of the collection of such personal information
• Business or commercial purposes for the collection of such personal information
• Type of third party with which such personal information has been shared
• The customer’s specific personal information collected by OCS
• Type of the customer’s personal information disclosed by OCS for a business purpose
• Type of third parties to which each type of such personal information has been disclosed

As a rule, OCS will not treat customers who have submitted such requests in a discriminatory manner, such as changing their services. Even so, please note that deletion requests may prevent customers from receiving services which they have been provided with, or may impede the provision of services that are in accordance with their needs.

The following describes how we treat personal information gathered via the OCS website. If you wish to know more about our general policy on privacy protection, please refer to the OCS Privacy Policy document.

This document defines how we deal with information gathered via the OCS website and is based on the OCS Privacy Policy. OCS makes every effort to protect your privacy so that you can use the ANA website with confidence and peace of mind.
By using the OCS website you are deemed to have understood and agreed to the following content:

[Scope]

This processing shall be applied when customers use this website (ocs.com.hk domain) and shall not be applied to sites operated by other companies. This website provides links to other websites in order to provide useful information and services for customers. The privacy policy shall not be applied to linked sites. When browsing a site, we recommend that customers check the content of its statement on privacy protection.

[Security technology which protects personal information]

Protection of personal information is secured using SSL (Secure Sockets Layer) encryption technology. This means that any information you provided when using this site cannot be accessed by an unauthorised third person. Furthermore, a firewall and anti-virus measures have been installed to prevent disclosure, appropriation, alteration, etc, of personal information.

* Secure sockets layer (SSL) mechanism

Before customers send their personal information, SSL performs electronic communication concerning security (digital authentication and digital signature) between OCS and customers, and transmits data after mutual authentication. At that time, communication between OCS and a customer is disturbed by random numbers and erroneous transmissions, which are sent to a third party, preventing attempts to steal data by impersonating the customer.

In addition, information transmitted by SSL is encrypted concurrently using two types of cryptographic scheme: public key cryptosystem (RSA) and common key cryptosystem (secret key cryptosystem). An electronic "key" is required to decrypt this information. Even if the information is intercepted by a third party, it is impossible to decrypt the encrypted information without the correct key. Types of key are limited, however, it is extremely difficult for a third party to decipher the information because it takes an unrealistically long time to try all keys in order and reach the correct key, even if the third party uses electronic means with a personal computer, etc.

[Site access]
We collect the following information to help customers use our services with confidence when they browse our website. In addition, we may analyze customers’ browsing histories, etc. on our website and use the same to improve the website, enhance information, and offer services and promotions.

*1Cookies

1. A cookie is a function for storing information that a user has used this website through that user's computer. Information collected through cookies does not include any information that can identify individuals such as e-mail addresses and names.The Help button on the tool-bar of almost all browsers explains how to refuse the registration of new Cookies, how to switch off the Cookie function, and can also be used to alert you to a new Cookie.
2. We shall be able to provide information collected through cookies to a third party to the extent necessary for achieving the purpose set forth in "(1) Use of Cookies/Individual Identification Number of Mobile Device" through this processing.
3. The user shall be able to select whether or not to use cookies specified for each purpose himself/herself, and shall set cookies according to the setting method of the web browser he/she uses. If the user uses this website using cookies, he/she is deemed to have agreed that we use, etc. the information that he/she had used this website.

*2Individual identification number
Based on the mobile phone calling in.

*3Web beacon
Minute pictures invisible to the naked eye (1x1 pixel GIF) that are embedded into webpages or HTML e-mails and used to record the following data: opening/ previewing of e-mails, and access to websites using links in e-mails. OCS uses Web beacons when distributing HTML e-mail (except reservation related e-mails).

*4IP address
This comprises numbers automatically assigned to a customer’s computer when the customer browses various websites. The web server (the computer that provides the homepage) automatically recognizes the customer’s computer from the IP address and communicates.