Privacy Notice

Purpose and Scope

Ashon Shanghai International Trading Co., Ltd. (the ‘Company’ or ‘we’), a legally registered entity in the People’s Republic of China (the ‘PRC’), operates in full compliance with both local regulatory requirements and the Group standards. For this purpose, the Company has developed and introduced a privacy notice, detailed within this document.

This Privacy Notice (the ‘Notice’) serves as a guiding document, specifically designed to articulate the key principles, objectives and programs adopted within the Company. The Notice is developed in order to implement the requirements of applicable legislation in the field of processing and ensuring the security of Personal Data (hereinafter referred to as ‘PD’), including but not limited to: Personal Information Protection Law of the PRC (the ‘PIPL’), Data Security Law of the PRC, Cybersecurity Law of the PRC, Civil Code of the PRC, and other relevant laws, regulations, regulatory requirements and national standards(hereinafter collectively referred to as the ‘Applicable Laws and Regulations’), and is aimed at ensuring the protection of the rights and freedoms of data subjects when processing their PD within the framework of PD processing activities in the Company.

This Notice applies to PD obtained both before and after the adoption of this Notice in the framework of any of the Company’s PD processing activities. In this Notice, the Company and the Headquarter act as the joint Controllers of the PD in the Company’s PD processing activities specified in this Notice.

If you have any questions or need to clarify information relating to the processing of your PD, please contact us using the contact details specified in the “Contact Information” section of this Notice.

Policy Requirements

1. Principles of the personal data processing
The Company is responsible for the compliance of its PD processing activities with the principles indicated below within the framework of the applicable legislation in the field of processing and security of PD.
2. Information about the processing of personal data
2.1 Categories of data subjects

As part of our business, we can process PD of the following categories of data subjects:

  • for vacant positions: applicants for a vacant position at the Company.
  • Representatives of counterparties and prospective counterparties: staff members of the current and prospective companies-counterparties, acting in the name of their company.
2.2 The purposes and categories of personal data processing

As part of our business, we can process PD of the following categories of data subjects:

We do not process the following categories of PD:

  • sensitive PD on:
    • ideological, political or trade union-related views or activities;
    • the intimate sphere or the racial origin.

We do not offer information society services to children (up to the age of 14 years).

We process PD of the indicated categories of data subjects for predefined purposes. See more information about categories of PD processing in Annex I.

2.4. Automated processing of personal data

We do not rely solely on automated processing of PD to make decisions that may have legal consequences for the data subject or impact their rights and legitimate interests.

3. Receipt and transfer of personal data to third parties

3.1 Personal data processing by third parties
Controller-processor relationships

We have the right to entrust the processing of PD to a third party (a processor of PD) based on a contract concluded with the processor (an instruction for the processing of PD). At the same time, we ensure that the processor complies with the principles of the processing of PD.

Controller-controller relationships

When we transfer PD to an independent third party (controller), we transmit data for our purposes and to the extent that we have determined. At the same time, the receiving party independently or jointly with us determined the goals and amount of data. We define our statuses and obligations for the purposes of the applicable legislation.

3.2 Third parties that receive data from the Company

When we transfer PD to third parties, we make sure that they have sufficient guarantees to implement the appropriate technical and organizational measures.

We may transfer PD to third parties in other jurisdictions out of the PRC in compliance with a mechanism recognized by Applicable Laws and Regulations. We will take necessary measures to ensure that the activities of personal data processing by the overseas recipient meet the standards for protection of personal information as prescribed in the PIPL.

Information about third parties involved in data sharing and cross-border transfer is provided in Annex II.

4. Data subject’s rights

We guarantee free of charge the following rights under the PIPL regarding data subjects’ PD (see Table 2), based on a request data subjects submitted to the Company.

Table 1. Data subjects’ rights
Rights Article of the PIPL
Right to know and make decisions on the PD processing Article 44
Right to restrict or refuse the processing Article 44
Right to access and copy their PD Article 45
Right to request access, copy and transfer to a designated Controller Article 45
Right to request personal information processors to correct or supplement relevant information Article 46
Right to request to delete their PD under any of the following circumstances: (i) the purpose of processing has been achieved, is impossible to achieve, or the PD is no longer necessary to achieve the purpose of processing; (ii) Controllers cease the provision of products or services, or the retention period has expired; (iii) the individuals withdraw consent; (iv) where Controllers have processed PD in violation of laws, administrative regulations, or agreements; or (v) other circumstances provided by laws or administrative regulations Article 47
Right to request personal information processors to explain their personal information processing rules Article 48
Right to withdraw consent Article 15
In the following cases, it is allowed not to respond to the request made by data subjects:
(i) in connection with the fulfilment of obligations under laws and regulations by the Company;
(ii) directly related to national security or national defense;
(iii) directly related to public security, public health or major public interests;
(iv) directly related to criminal investigations, prosecutions, trials or execution of court decisions;
(v) where the Company has ample evidence to show that a data subject has malicious intent or abuses his/her rights;
(vi) for the purpose of protecting the life, property or other significant legal rights and interests of a data subject or other individuals, and it is difficult to obtain consent from the data subject;
(vii) where responding to a data subject’s request will bring about grave harm to the legitimate rights and interests of the data subject, other individuals or organizations; or
(viii) where trade secrets are involved.
Information about third parties Country of establishment Purpose of transfer Categories of personal data subjects Role of the service provider Legal basis
Web-site Administrator Services Provider USA, UAE Processor Contract
Site analytics Site visitors
Site administration
Processing of information from the forms on the site Representatives of prospective counterparties

We can enforce these rights only if requested person are expressly identified as a data subject. We ensure the functioning of the process of receiving and controlling the handling of data subjects’ requests and inquiries of the data subjects.

To exercise these rights, the data subjects need to contact the personal data processing manager at: privacy@ashon.ae.

We process and respond to requests from the data subjects within 15 working days. Considering the complexity and the number of requests, the term for the preparation of an answer to the request can be extended by 2 months, where permitted by Applicable Laws and Regulations. In this case we will notify the data subject about the reasons for the delay within one month.

5. Measures to ensure the security of personal data processed

When processing PD, we take the necessary organizational and technical measures to protect PD from unlawful or accidental access to them, destruction, alteration, blocking, copying, provision, dissemination of PD, as well as from other illegal actions in relation to PD.

The security of PD is ensured by the following:
  • we have assigned the responsibility for the organization of PD processing to a specific employee;
  • we have implemented data protection policies to ensure that our PD processing activities comply with the PIPL (internal policies, internal allocation of responsibilities, trainings);
  • we have implemented the necessary measures to protect PD (access control, encryption, antivirus protection);
  • we keep up to date the records of processing activities;
  • we have organized a process of receiving and controlling the processing of data subjects’ requests;
  • we carry out an assessment of PD protection impact for PD processing activities that involve a systematic and comprehensive assessment of the personal aspects of the data subject based on automated processing, including profiling, which would have legal consequences or would seriously affect the data subject, or if the processing will be made on a large amount of sensitive PD;
  • we ensure data protection by design and data protection by default;
  • we ensure security of third parties (controllers, processors);
  • we control the transfers of PD outside the PRC;
  • we document PD reaches (if any) and their consequences, investigating them, notifying the relevant parties about leaks immediately after discovering the PD breach, and taking measures to eliminate the consequences of PD breaches.
6. Storage of personal data

The storage of PD of the data subjects is centralized in the information systems and databases on the Company’s servers located in the datacenter in the UAE, and other countries and regions outside of the PRC. See more information about the data storage period in Annex I.

PD is deleted in the following cases:
  • if the processing purposes set out in this Notice are met;
  • if the processing purposes set out in this Notice are dropped;
  • at the request of data subject (see section 4).

In some cases, we must store PD as long as it is required in accordance with applicable law. The retention period may be required by the specific nature of the organization’s activities, such as long-term projects or contractual obligations, as well as by the requirements of external entities, including audit reviews or government regulators. In the event of potential legal proceedings or other judicial processes, this retention period may be required to ensure the proper preservation of data and evidence.

7. Policy change, entry into force

This Notice is approved and enforced by the Company and is valid until a decision is made to cancel it or approve a new version of the Notice.

When making changes in the Notice, the date of the last update of the revision is indicated in the heading of the Notice. The new version of the Notice comes into force from the moment of its approval, unless otherwise provided by the new version of the Notice.

8. Contact information

Our contact information is specified below.

Contact details of the Data Protection Officer

Our contact information is specified below.

Ashon Shanghai International Trading Co., Ltd.

Postal address: [Room 801, Century Link Tower 1, No.1198 Century Avenue, Pudong New District, Shanghai, 200122, P.R. China]

Email: privacy@ashon.ae 

Annex I. Information about the processing of personal data
Purposes of PD processing Data Subjects List of processed PD Storage Period Legal basis
Recruitment of candidates for vacant positions (candidate search, resume collection, conducting interviews) Candidates for vacant positions Full name, position, salary details, general information (date of birth, desirable department, sex), information about education (level of education, enrolment and graduation date, name of the educational institution, location of the educational institution, department, major), information about completion educational courses, information on language proficiency, information about professional skills, contact details (phone number (main and additional), email address), work experience information (work experience in state or municipal service, place of work, types of employment, start and termination, name of the organization, organization address and phone number, job duties) 1 year after the decision on employment has been made Data subject's consent form for counterparties
Communication with representatives of potential counterparties (presales) Representatives of prospective counterparties Full name, company's name, job position, work email, phone number, messenger user number / name, power of attorney 1 year after the last registration Data subject's consent form obtained by the counterparty
Conducting a KYC check Representatives of prospective counterparties; Prospective buyers Name, Chinese ID or passport of legal representative, authorized person, or Ultimate Beneficial Owner For individual shareholders and beneficiary owners: name, % of the proprietary rights of an entity (directly or indirectly) 1 year after the date of consent signing Data subject's consent form obtained by the counterparty
Counterparty risk assessment Signatories; Heads of companies- counterparties; Beneficiaries of companies- counterparties Full name, ownership share, position, company's name 2 years after the end of contract with the counterparty / 1 year after the risk assessment in case a contract hasn’t been concluded Data subject's consent form obtained by the counterparty
Conclusion and execution of contracts (third parties) Representatives of counterparties Full name, signature, position, company's name, power of attorney, ID details (citizenship, ID number, passport number, by whom (including the personal code) and when the document was issued, place of birth, address of registered residence), phone number, email 7 years Data subject's consent form obtained by the counterparty
Settlement with counterparties (third parties) Representatives of counterparties Full name, company's name, position, phone number, email, signature, ID details (citizenship, ID number, passport number, by whom (including the personal code) and when the document was issued, place of birth, address of registered residence), KYC details 10 years Data subject's consent form obtained by the counterparty
Preparation of a response to the request of the authorized body in relation to counterparties Representatives of counterparties Full name, company's name, position, signature, phone number, email, power of attorney 2 years after the end of contract with the counterparty Data subject's consent form obtained by the counterparty
Internal and external audit (third parties) Representatives of counterparties Full name, position, phone number, email, department, company's name, signature 10 years Data subject's consent form for personal data processing; Necessary for the implementation of human resources management in accordance with the labor rules and regulations legally established
Annex II. Transfer of personal data to third parties
Please refer to the corresponding consent forms for the details of sharing of personal data (where the third party acts as the Controller) and cross-border transfer of personal data (where the third party is located outside of China), as listed in the table below.
Information about third parties Country of establishment Purpose of transfer Category of data subjects Concerned The role of the service provider
Recruitment agency China Candidates search Candidates Processor Candidates
Ashon International DMCC UAE Recruitment of candidates for vacant positions Candidates Controller
IT Support Providers China Mobile network service Representatives of counterparties Processor
Auditors Audit Representatives of counterparties Processor
Ashon International DMCC UAE Communication with potential counterparties Representatives of prospective counterparties Processor
Provision of information necessary for the audit Representatives of counterparties Processor
KYC verification, risk assessment, regulatory compliance, and the evaluation of a potential business relationship Representatives of counterparties Controller

Our site uses cookies and other technologies so that we, and our partners, can remember you and understand how you and other visitors use our site and to provide you with tailored advertisements. If you have any questions and for more information on our digital advertising practices, 'Cookies' sections of our privacy policy.