# Enterprise Privacy Policy Reference Template
Learn about the enterprise privacy policy reference template in this article to improve the compliance of your enterprise services.
# Role of Enterprise Privacy Policy
Applicable scenarios of the Enterprise Privacy Policy:
● The relevant functions are located in the Admin Center > Info Security Management > User Info Authorization > Sobot Channel > Inquiry Sending Authorization. You need to complete the function configuration and editing before the specific enterprise privacy policy is presented to your customers;
● Users must agree to the Enterprise Privacy Policy and grant authorization before entering the chat when initiating an inquiry.
# Principles for Personal Information Protection Policy
Releasing a Personal Information Protection Policy is an important embodiment of a personal information controller's compliance with the principles of openness and transparency, a critical means of ensuring the right of personal information subjects to know, and a vital mechanism for controllers to restrict their own behaviour and cooperate with supervision and management. The Personal Information Protection Policy shall describe the personal information processing behaviour of the personal information controller clearly, accurately and completely.
# Source of Personal Information Protection Policy Template
Example table of the Personal Information Protection Policy Template from the National Standard of the People's Republic of China, Information Security Technology: Personal Information Security Specification (GB/T 35273-2020):
Template Text | Preparation Requirements
---|---
This policy only applies to XXXX product(s) or service(s) of XXXX, including... Latest update: XX, XXXX (Month/Year). Please contact us using the details below if you have any doubt, comment or suggestion: Email: Tel: Fax: | This section is the scope of application, including the scope of products, services and the PI Subjects that the PI Protection Policy applies to, the period of effectiveness, and the time of update.
This Policy will help you better understand the following: ◼ Rules for the collection and use of PI for business function 1 ◼ Rules for the collection and use of PI for business function 2 ◼ How we protect your PI ◼ Your rights ◼ How we process children's PI ◼ How your PI is transferred worldwide ◼ How this Policy will be updated ◼ How to contact us. XXXX understands the importance of PI to you and will do our best to ensure the security and reliability of your PI. We are committed to maintaining your trust in us and adhering to the following principles to protect your PI: the principle of consistency between rights and responsibilities, the principle of clear purpose, the principle of optional consent, the principle of minimum necessity, the principle of security assurance, the principle of subject participation, and the principle of openness and transparency. In the meantime, XXXX hereby promises that we will take security measures to protect your PI according to mature standards of the industry. Please read carefully and understand this PI Protection Policy before using our product/service. | This section lists the key points of the PI Protection Policy. The objective is to enable PI Subjects to quickly grasp the main components of the PI Protection Policy and the core ideas of the Controller's statement.
Rules for the collection and use of PI for business function 1: 1. What kind of PI we collect about you ◼ The business functions we provide require some information to run. If you choose to use this business function, you will need to provide us with or allow us to collect the essential information including: ... A total of XX types of PI. ◼ You may choose, at your discretion, whether to provide us with or allow us to collect the following information: ... A total of XX types of PI. Such information is not essential for the delivery of the business function, but it is important for improving the quality of service, developing new products or services, etc. We will not force you to provide this information, and your refusal will not adversely affect your use of the business functions. ◼ When you use this business function, our APP will request the following permissions to access PI in the system: ... A total of XX permissions. If you do not grant authorization, we will be unable to provide this business function. Apart from the permissions above, you can choose whether to grant additional system permissions to our APP. 2. How we use your PI ◼ For essential PI, we will use it to provide the business functions including ... We also use such information to maintain and improve this business function and develop new business functions, etc. ◼ For non-essential PI, we will use it for the following purposes, including … 3. How we entrust the processing, sharing, transfer and public disclosure of your PI (1) Entrustment of processing: Certain specific modules or sub-functions of this business function are provided by external vendors. For example, we engage external service providers to assist us in providing customer support. We will sign strict confidentiality agreements with the companies, organizations and individuals to whom we entrust the processing of PI, which will bind them to process the PI in accordance with our requirements, this PI Protection Policy and other relevant confidentiality and security measures. (2) Sharing: We will not share your PI with any company, organization or individual other than our Company, unless with your explicit consent. At present, we will seek your consent to the sharing of your PI in the following scenarios: a) …… To learn about the companies, organizations and individuals currently involved in this scenario, click here 【Provide a hyperlink】. b) …… To learn about the companies, organizations and individuals currently involved in this scenario, click here 【Provide a hyperlink】. c) …… To learn about the companies, organizations and individuals currently involved in this scenario, click here 【Provide a hyperlink】. We might share your information as stipulated by laws, regulations or the mandatory requirements of government agencies. (3) Transfer: We will not transfer your PI to any company, organization or individual except under the following circumstances: a) Transfer with explicit consent: after acquiring your explicit consent, we will transfer your PI to other parties; b) When the transfer of PI is involved in a merger, acquisition or bankruptcy liquidation, we will require the new company or organization to which your PI is transferred to continue to be bound by this PI Protection Policy; otherwise we will require the new company or organization to seek your consent again. (4) Public disclosure: We will only publicly disclose your PI under the following circumstances: a) After we obtain your explicit consent; | 1. List the purposes for collecting and using PI in detail; do not use generalized language. 2. List the types of PI in detail for different business functions. 3. Clearly state the types of PI that are essential to specific business functions. 4. When collecting information from legal documents such as ID cards, passports and driver's licenses, or personal biometric information, the specific information involved in the collection shall be brought to the notice of the PI Subjects, and the purposes and rules for processing such information shall be explained. 5. Do not use ambiguous language to describe the information to be collected, for instance "we will collect your identity-related information". Instead, it shall be clearly stated that "we will collect your name, telephone number and address." 6. State the geographic areas involved in the use of PI, e.g. storage and backup locations of PI and areas involved in the transmission of PI; if cross-border transmission of PI is involved, it shall be separately listed or highlighted. 7. State the estimated retention time (e.g. 5 years from the date of collection) and the date of data deletion or destruction (e.g. Dec. 31st, 2019, or when the PI Subject de-registers) for different types of PI based on the conditions of use. 8. Promise to re-seek the consent of the PI Subjects when it is indeed necessary to change the purpose for collecting and using the information. 9. PI Controllers shall state whether the PI needs to be shared or transferred, and if so, clearly state the types of PI to be shared or transferred, the reasons for such sharing and transfer, the recipients of the PI, the restrictions and administration rules for the recipients, the recipients' purposes for using the PI, the security measures adopted during the sharing and transfer of the PI, and whether the sharing and transfer of PI could bring high risks to the PI Subjects. 10. State whether the PI needs to be publicly disclosed, and describe the types of PI to be publicly disclosed, the reason for such public disclosure, and whether such disclosure could bring high risks to the PI Subjects. 11. State the circumstances under which the PI Controller can share, transfer and publicly disclose data without the PI Subjects' prior consent, for example responding to requirements of law enforcement authorities and government agencies, conducting PI security audits, and protecting PI Subjects from fraud and severe personal injury.
Rules for the collection and use of PI for business function 2: Omitted |
How we protect your PI (1) We have employed security protection measures according to industry standards to protect your PI and prevent unauthorized access to, disclosure, use, modification, damage or loss of data. We will take every practical measure to protect your PI. For instance, … (2) We have acquired the following certificates: ... (3) Our data security capabilities include: ... (4) We will take all reasonable and practical measures to ensure that unnecessary PI is not collected. We will only retain your PI for the period necessary to fulfil the purposes stated in this Policy, unless extended retention is required or allowed by law. (5) We will regularly update and publish reports on security risks, PI impact assessments, etc. You can access these by ... (6) The network environment is not 100% secure. We will do our utmost to ensure or guarantee the security of any information you send to us. If your legal rights and interests are adversely affected due to unauthorized access to, disclosure, tampering or damage of your PI resulting from damage to our physical, technical or management protection facilities, we will assume legal liability accordingly. (7) In the case of an unfortunate PI security incident, we will, in a timely manner and in accordance with laws and regulations, inform you of the basic circumstances and possible impacts of the security incident, the response measures already taken or to be taken by us, suggestions for you regarding self-prevention and risk mitigation, our remedial measures for you, etc. We will inform you of such information by email, fax, telephone, push notification, etc., and when it is difficult to notify each PI Subject individually, we will properly and effectively issue a public notice. At the same time, we will also take the initiative to report the handling of PI security incidents in accordance with regulatory requirements. | 1. Clearly state the PI Controller's security measures for PI, including but not limited to measures to protect the integrity of PI, encryption measures during transmission, storage and backup of PI, authorization and audit mechanisms for access to and use of PI, and retention and deletion mechanisms for PI. 2. State the PI security agreements the PI Controller complies with and the certifications it has obtained, including international or domestic laws, regulations, standards and agreements on PI security that are proactively observed by the PI Controller, as well as PI security certifications the PI Controller has obtained from independent and competent certification agencies. 3. State the possible security risks after providing PI. 4. State that the PI Controller will assume legal liability in case of a PI security incident. 5. State that PI Subjects will be informed without delay in case of a PI security incident.
Your rights: According to relevant laws, regulations and standards in China, as well as common practices in other countries and regions, we will ensure the following rights to your PI: (1) Access your PI. You have the right to access your PI, unless laws and regulations specify otherwise. If you wish to access your data, you can do so by: ... If you cannot access the PI via the links above, you can use our Web form or send an email to XXXX at any time. We will respond to your access request within 30 days. As for other PI generated during your use of our products or services, we will provide you with access to such information as long as no excessive input is required. If you wish to access such data, please send an email to XXXX. (2) Rectify your PI. When you find a mistake in the information of yours that we are processing, you have the right to ask us to rectify it. You can submit a rectification request through the channels listed in "(1) Access your PI". If you cannot rectify the PI via the links above, you can use our Web form or send an email to XXXX at any time. We will respond to your rectification request within 30 days. (3) Delete your PI. You can submit a request to us to delete your PI under the following circumstances: 1. If our processing of PI violates laws or regulations; 2. If we collected and used your PI without your consent; 3. If our processing of PI breaches our agreement with you; 4. If you no longer use our products or services, or you have cancelled your account; 5. If we no longer provide you with products or services. When we decide to respond to your deletion request, we will also inform the entities that acquired your PI from us and ask them to delete your PI without delay, unless otherwise specified in laws and regulations, or the entity has acquired specific authorization from you. When you delete information from our services, we might not immediately delete the corresponding information from our backup system, but will delete it when the backup system is updated. (4) Change the scope of your consent. Each business function needs some basic PI to be completed. As to the collection and use of additional PI, you can give or withdraw your consent at any time. You can do so by: …… When you withdraw your consent, we will stop processing the corresponding PI. However, your withdrawal of consent will not affect the processing of PI carried out based on your prior consent. If you do not wish to receive our business promotion ads, you can unsubscribe at any time by: …… (5) De-register. You can de-register at any time by: …… After de-registration, we will stop providing you with any product or service and delete your PI according to your request, unless laws and regulations specify otherwise. (6) Acquisition of a copy of PI by PI Subjects. You have the right to obtain a copy of your PI by: …… When it is technologically feasible, e.g. with a matched data interface, we can directly transmit the copy of your PI to the third party designated by you according to your request. (7) Restrict automated decision-making by information systems. For some business functions, decisions are made solely based on an automated decision-making mechanism such as an information system or algorithm. If these decisions significantly affect your legal rights and interests, you have the right to ask for our explanation, and we will make proper remedies. (8) Response to your above-mentioned requests. For security, you might be required to submit written requests or prove your identity by other means. We might ask you to verify your identity before handling your request. We will respond within 30 days. If you are not satisfied, you can file a complaint by: …… In principle, we will not charge you for your reasonable requests. However, a fee reflecting the cost will be imposed as appropriate on repeated requests beyond a reasonable scope. As for repeated requests that are groundless, need excessive technological means (e.g. developing a new system or fundamentally changing current practices) to fulfil, bring about risks to others' legitimate rights and interests, or are downright impractical (e.g. involving information stored on a backup disk), we might reject them. We will not be able to respond to your request under the following circumstances: 1. Related to our compliance with obligations under laws and regulations; 2. Directly related to national security or defence security; 3. Directly related to public security, public health or major public interests; 4. Directly related to criminal investigations, prosecutions, trials and enforcement of court decisions, etc.; 5. We have sufficient proof that you have subjective malice or are abusing your rights; 6. For the purpose of safeguarding your life, property and other important legal rights and interests, or those of other individuals, where it is difficult to obtain consent; 7. Responding to your request would cause serious harm to your legitimate rights and interests, or those of other individuals or organizations; 8. Involving trade secrets. | 1. State PI Subjects' rights in terms of their PI, including but not limited to: the range of PI over which a PI Subject has a choice in collection, use and public disclosure; the PI Subject's control over access to, rectification, deletion and acquisition of PI; the PI Subject's privacy preference settings; the communication and advertisement preferences the PI Subject can choose; channels for the PI Subject to deactivate services and de-register; and effective channels for the PI Subject to safeguard legal rights. 2. When self-configuration or operation (e.g. configuration and operation of software, browsers and mobile terminals) is required in order to access, rectify or delete PI or withdraw consent, the PI Controller shall clearly state the configuration and operation process in detail. The statement should be easy for PI Subjects to understand, and channels for technical support (such as a customer service hotline and online customer service) should be provided when necessary. 3. If expense is incurred during a PI Subject's exercise of his/her rights, the reason and basis for charging should be clearly stated. 4. If it takes a long time to respond to the request of a PI Subject exercising his/her rights, the response time and the reason for not being able to respond within a short time should be clearly stated. 5. If re-authentication is needed during a PI Subject's exercise of his/her rights, the reason for such authentication should be clearly stated, and proper control measures should be taken to prevent leakage of PI during the authentication. 6. If the PI Controller rejects a PI Subject's request to access, rectify or delete PI or withdraw consent, the reason and basis for such rejection should be clearly stated.
How we process children's PI: Our products, websites and services are mainly adult-oriented. A child should not create his/her own account without the consent of his/her parents or guardians. Children's PI that is collected with their parents' consent will only be used or publicly disclosed when permitted by law, explicitly consented to by their parents or guardians, or essential to protecting the children. Although the definition of a child varies in local laws and customs, we regard anyone below 14 years old as a child. If we find that a child's PI has been collected without his/her parents' prior consent, we will delete the relevant data as soon as possible. |
How your PI is transmitted worldwide: In principle, the PI we collect and generate in the territory of the People's Republic of China will be stored within the People's Republic of China. We provide products or services based on our resources and servers worldwide; that is to say, with your consent, your PI might be transmitted to or accessed from a jurisdiction outside the country/region where your products or services are located. Such a jurisdiction might have different data protection laws, or even no relevant laws. Under such circumstances, we will ensure that your PI enjoys the same level of protection as it does in the People's Republic of China. For instance, we will ask you for your consent to the cross-border transmission of your PI, or employ data de-identification and other security measures before the cross-border transmission of data. | If cross-border transmission of information is required by business needs or by government or judicial supervision, the PI Controller needs to clearly state the types of data to be transmitted across the border and the standards, agreements and legal instruments (such as contracts) by which the cross-border transmission shall be bound.
How this Policy will be updated: Our PI Protection Policy might be changed. We will not reduce any of your rights under this PI Protection Policy without your explicit consent. We will release any change to the Policy on this page. For major changes, we will provide a more conspicuous notice (including, for certain services, notices via email that explain the details of the changes to the PI Protection Policy). Major changes to this Policy include but are not limited to: 1. Major changes in our service mode, e.g. the purpose of processing PI, the types of PI processed, and how PI is used; 2. Major changes in our ownership structure or organizational structure, e.g. a change of owners due to business adjustments, bankruptcy, merger or acquisition; 3. Changes of the main parties to which PI is publicly disclosed, shared or transferred; 4. Changes in your rights involved in PI processing and in how you exercise such rights; 5. Changes of our department responsible for PI protection, its contacts and complaint channels; 6. When a PI impact assessment report indicates high risks. We will also archive the old versions of this Policy for your reference. | When there is a major change to the PI protection policy, the PI Controller needs to update the PI protection policy in time and state the means used to inform PI Subjects without delay. Generally, the following means can be used to inform the PI Subjects: notifying the PI Subjects when they log into the information system, updating the information system and notifying the PI Subjects with a pop-up window during their use of the information system, directly sending a push notification to the PI Subjects when they are using the information system, sending an email or a text message to the PI Subjects, etc.
How to contact us: If you have any doubt, comment or suggestion regarding this Policy, please contact us via: …… We have set up a dedicated department for PI protection (or a PI protection officer) that you can contact via: …… Generally, we will reply to you within 30 days. If you are not satisfied with our reply, especially if our processing of PI harms your legal rights and interests, you can seek solutions through the following external channels: …… | 1. PI Controllers need to clearly state the channels for PI security related feedback and complaints, e.g. the contacts, address and email address of the department responsible for PI security and the form for PI Subjects to report problems, and clearly state the time frame within which the PI Subjects can expect a reply. 2. PI Controllers need to state the external dispute resolution body and its contacts in case of any dispute or conflict that cannot be resolved through negotiation with a PI Subject. The external dispute resolution body can usually be the courts in the jurisdiction where the PI Controller is located, independent institutions that certify the PI protection policy of the PI Controller, industry self-regulation associations, and relevant government agencies.