Preamble
Shenzhen Comen Medical Instruments Co., Ltd. (hereinafter referred to as "the Company") places the highest importance on the protection of personal information of customers, suppliers, and visitors (hereinafter referred to as "You"). To safeguard the security of Your personal information, this agreement outlines the rules governing the collection and use of personal data. By signing this agreement in writing or confirming acceptance online, You acknowledge that You have read, understood, and agreed to be bound by this agreement.
Scope of Application
This agreement applies to all personal data processing activities involving customers, suppliers, visitors, and job applicants in the course of the Company's business operations.
Types and Purposes of Personal Information Collected
In the course of the Company's business activities, personal information may be collected as detailed in the table below:
Data Subject | Data Type | Processing Purpose | Storage Location |
---|---|---|---|
Suppliers | Name, position, phone number, email, address | Contract signing and execution, order generation | SRM system |
Suppliers | Business license copy, legal representative ID copy | Authentication of the supplier's enterprise identification code and tax number to complete the supplier import process | |
Suppliers | Bank account details | Financial settlement | |
Customers | Name, contact details, address | Sales contract execution, after-sales service tracking | OMS system, e-signature system, Fxiaoke system, SAP system |
Customers | Business license copy | Verification of legal representative identity | |
Visitors | Name, contact details | Security control, unauthorized access prevention, risk mitigation | Filing cabinet |
Job Applicants | Name, contact details | Identity verification, recruitment communication | Archives room |
Job Applicants | Residential address | Commute suitability assessment | |
Job Applicants | Work experience, professional qualifications certificates, educational background | Competency evaluation, academic qualifications verification | |
Personal Information Processing Requirements
The Company adheres to the general principles of "Legal, proper, transparent, purpose limited, data minimized, accurate, storage period minimized, integrity and confidentiality, accountable" in processing personal information. Personal data will not be used for purposes beyond those specified in this agreement. The Company is committed to protecting data subjects' rights, including access, correction, and deletion. Your data is stored within China and will not be transferred overseas without Your separate written consent or as required by applicable laws and regulations.
Storage and Deletion of Personal Information
(1) Security Storage Measures: The Company will implement reasonable security measures to protect the personal information of customers, suppliers, and visitors, including but not limited to:
- Encrypted transmission: Strong encryption protocols (e.g., TLS) are used to prevent data from being stolen or tampered with during transmission.
- Access control: Access to personal information systems is restricted to authorized employees when performing their duties, with access logs maintained.
(2) Personal Information Deletion: Unless required by law or other legitimate reasons (e.g., dispute resolution, exercising legal claims), the Company will promptly delete personal information upon fulfillment of contractual obligations and provide proof of such deletion.
Sharing and Disclosure of Personal Information
(1) Internal Sharing: Within the Company, personal information may be shared only with relevant departments and employees as necessary, with clear purposes and scope, and recipients are required to comply with this agreement.
(2) External Sharing: The Company will not share personal information with external third parties unless:
- Required by law: Disclosure is mandated by judicial, administrative, or customs authorities.
- Explicit consent: Sharing is conducted within the scope and purpose agreed to by the data subject.
(3) Information Disclosure Restrictions: The Company strictly controls disclosures to ensure they are lawful, necessary, and limited to the minimum required information.
Security Safeguards for Personal Information
(1) Technical Measures: The Company employs technical safeguards such as firewalls, intrusion detection systems, data encryption, and antivirus software to ensure the security of personal information and protect against cyber threats.
(2) Administrative Measures: Internal management systems include but are not limited to:
- Employee training: Staff are trained on data protection laws and best practices.
- Access permission management: Role-based access controls are enforced, and access permissions are regularly reviewed and adjusted. For high-privilege accounts, stricter control measures such as multi-factor authentication will be adopted.
(3) Physical Security Measures: Appropriate physical security measures are taken to protect physical equipment and prevent unauthorized personnel from touching or accessing it.
Rights and Responsibilities of Data Subjects
Customers, suppliers, and visitors may request access, correction, deletion, or withdrawal of their personal information by contacting privacy@szcomen.com. The responsible department will respond within 15 working days. For reasonable requests, we will, in principle, complete the processing at the same time as replying or within the time limit required by laws and regulations. In complex cases, we will explain the reasons to you and complete the handling within the time limit permitted by law.
As data subjects, customers, suppliers, and visitors are responsible for ensuring the accuracy and completeness of the personal information they provide, and for ensuring that they have the legal right to provide such personal information.
Data Breach Response Mechanism
In the event of a personal data breach, the Company will immediately activate emergency response procedures. In accordance with legal requirements and the nature and severity of the incident:
- Sensitive data breaches: Notification within 24 hours.
- Other breaches: Notification within 48 hours.
Notifications will include:
- A summary of the breach (nature, affected data categories, volume).
- Potential risks and consequences.
- Remedial actions or recommendations.
- Any other relevant details.
The Company will investigate, mitigate impacts, and report to regulatory authorities as required by law.
Dispute Resolution
Any disputes arising from or in connection with this agreement shall first be resolved through amicable negotiation. If unresolved, You may lodge a complaint with the relevant data protection authority. If mediation fails, either party may submit the dispute to the competent court in Shenzhen.
I/We, ________________, have carefully read and fully understood the above Privacy Policy and agree to its terms.