CHINA PERSONAL INFORMATION PROTECTION POLICY
1.1 This is the Personal Information Protection Policy (the "Policy") of Alliance One (Beijing) Enterprise Management Consulting Service Co., Ltd. (联一（北京）企业管理咨询服务有限公司) ("AO Beijing", "we" or "us"). This Policy applies to the data processing activities of AO Beijing and its branch offices within the People's Republic of China ("China" or the "PRC", which for only the purposes of this Policy, does not include Hong Kong, Macau or Taiwan).
1.2 AO Beijing is committed to protecting and respecting the privacy of individuals. The specific purpose of this Policy is to ensure that AO Beijing complies with the PRC data protection laws regulating the use of information concerning individuals. In particular, AO Beijing is obliged to comply with the requirements and restrictions of the PRC Personal Information Protection Law (2021) (the "PIPL"). This Policy may be supplemented from time to time by policies or guidelines designed to ensure that AO Beijing meets additional requirements applicable to it.
2.1 "Consent" means, for the purposes of this Policy, a freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or a clear affirmative action (such as ticking a box), signifies agreement to the Processing of their Personal Information. For the avoidance of doubt, mere silence or failure to respond does not amount to Consent in many cases, and Consent can be withdrawn at any time.
2.2 "Country Manager" means the country manager of AO Beijing, or any person with equivalent responsibilities from time to time.
2.3 "Data Subjects" means the identified or identifiable individuals in relation to whom AO Beijing may Process Personal Information during the course of its business, including, without limitation, business contacts, employees, representatives from counterparties, third party vendors and other individuals.
2.4 "Personal Information" means information that is held either in an electronic or other form that relates to an identified or identifiable living individual. It should be noted that:
(a) this Policy does not apply to information relating to companies and other legal persons (e.g., governmental agencies) unless it also relates to individuals;
(b) information does not have to be particularly "personal" or "private" in nature to be Personal Information. Relatively trivial information, and information relating to individuals in their professional rather than their personal capacity, may be regulated by the PIPL and therefore by this Policy; and
(c) truly anonymised information is not Personal Information. However, this does not mean that, for example, removing the names of the Data Subjects is sufficient to exempt such information from being within the scope of Personal Information – if AO Beijing can identify the individuals to whom the information relates, including by taking into account other information in its possession or to which it could reasonably get access, the information will nevertheless be Personal Information.
2.5 "PRC Data Laws" means the PRC Cybersecurity Law (2017), the PRC Data Security Law (2021), the PIPL and the respective implementation rules in force from time to time.
2.6 "Processing" means collecting, storing, analysing, using, disclosing, archiving, deleting or any other related or similar activities involving Personal Information (and "Process", "Processed" and "Processable" should be construed accordingly).
2.7 "Pyxus Group" means Pyxus International, Inc. and its subsidiaries, including AO Beijing.
2.8 "Sensitive Personal Information" means Personal Information, the leakage or illegal use of which could cause harm to human dignity or personal or property security.
2.9 "Transfer" means any transfer of Personal Information. This includes the situation where a person outside China remotely accesses Personal Information stored within China.
3.1 AO Beijing, including employees, contingent workers as well as secondees, must comply with this Policy – references in this Policy to an "employee" or "employees" should be read accordingly. Failure to comply with this Policy is a serious matter which may give rise to disciplinary actions. Exceptions to this Policy can be made only with the written approval of the Country Manager.
3.2 If an employee believes that AO Beijing has breached this Policy, the PIPL or another applicable data privacy law (for example, if a complaint alleging breach is received), they should inform the Country Manager and the Chief Compliance Officer for the Pyxus Group as soon as practicable. If employees are in doubt, concerned or have queries as to the requirements of the Policy in any particular case (or data privacy issues generally), they should consult the Country Manager or the Pyxus Group Chief Compliance Officer.
4.1 The Country Manager or its designee is responsible for the supervision and oversight of AO Beijing's compliance with respect to this Policy and the PRC Data Laws.
4.2 The Country Manager or its designee is responsible for ensuring that appropriate steps are taken to implement compliance requirements under the PRC Data Laws.
5.1 Under the PRC Data Laws, AO Beijing is required to carry out a data protection impact assessment ("DPIA") prior to carrying out any of the following activities (each, a "DPIA Trigger Event"):
5.1.1 Processing Sensitive Personal Information;
5.1.2 using Personal Information for automated decision making;
5.1.3 entrusting another entity for Personal Information Processing, providing Personal Information to other Personal Information Processors or publishing Personal Information;
5.1.4 transferring Personal Information outside of China; or
5.1.5 Processing Personal Information in any other way that significantly affects the rights and interests of Data Subjects.
5.2 In order to determine whether a full DPIA is warranted, AO Beijing will implement the following process for deciding whether a particular processing activity warrants a DPIA. Where a project that involves the Processing of Personal Information is intended to be developed, updated or reviewed, or any existing practice concerning the Processing of Personal Information is intended to be changed, the person with overall responsibility for that project or change should conduct an assessment (the "Pre-DPIA Assessment") of the Processing activity under the guidance of the Country Manager, or its designee.
5.3 The Country Manager decides on whether a full DPIA should be arranged based on the evaluation of the Pre-DPIA Assessment result received by it and is authorised to request further information as it deems appropriate. Records of DPIA and the supporting materials, including the Pre-DPIA Assessment results, will be kept by AO Beijing for no less than 3 years.
5.4 A new project that involves the Processing of Personal Information and concerns a DPIA Trigger Event may not be implemented within or on behalf of AO Beijing, and no significant change may be made to the existing practice of any Processing of Personal Information, unless the assessment referred to in sections 5.2 and 5.3 has been carried out and either:
5.4.1 the Country Manager has concluded that, following the implementation or change, the Processing of Personal Information will comply with the principles of this Policy in all respects and, generally, that the implementation will not result in the occurrence of any DPIA Trigger Event; or
5.4.2 a DPIA has been conducted in respect of the proposed new or changed Processing of Personal Information and the Country Manager has concluded that its implementation can go ahead.
6.1 AO Beijing will only Process Personal Information if it is legal, justified and necessary for it to Process Personal Information and will Process Personal Information in good faith. AO Beijing will not Process Personal Information through any means that is misleading, fraudulent or coercive.
6.2 AO Beijing will only Process Personal Information for specified and reasonable purposes and limit its Processing to those directly relevant to the purposes. Reasonable efforts should be used when Processing so that potential risks and impacts on the Data Subject from such Processing are appropriately reduced. AO Beijing will not Process Personal Information which is irrelevant to the purposes of the Processing. Employees, when collecting Personal Information for and on behalf of AO Beijing, should only collect the minimum amount of Personal Information necessary for the purposes of the Processing. In this context, "necessary" means the specified Processing purpose cannot be reasonably achieved without such Personal Information.
6.3 AO Beijing implements appropriate organisational and technical measures to avoid adverse impacts that may be caused for Data Subjects due to the inaccuracy or incompleteness of the Personal Information Processed by AO Beijing.
6.4 AO Beijing follows the principle of transparency and makes available to Data Subjects the Processing rules, purposes, methods and scope, as further discussed under section 8 (Transparency) below.
6.5 AO Beijing is responsible for the Processing activities and takes necessary measures to safeguard the security of Personal Information, as further discussed under section 14 (Data Security) below.
6.6 AO Beijing will not Process Personal Information unless the Processing is:
6.6.1 under the informed consent of the Data Subject;
6.6.2 necessary for (x) the conclusion or performance of any contract to which the relevant Data Subject is a party; or (y) human resource administration in accordance with the employment policies formulated in accordance with laws and regulations or lawfully concluded collective employment contracts;
6.6.3 necessary for the performance of AO Beijing's statutory duties or obligations;
6.6.4 necessary for AO Beijing to respond to public health incidents or for the protection of personal and property security in the case of an emergency;
6.6.5 conducted for media reporting and whistleblowing for public interests, subject to a reasonable scope;
6.6.6 in respect of Personal Information that has been disclosed publicly by the Data Subject or through other legal channels, subject to a reasonable scope; or
6.6.7 conducted under other scenarios provided by laws and administrative regulations.
6.7 Having collected Personal Information for a particular purpose, AO Beijing will not then Process such Personal Information in a way which is incompatible with that purpose unless it first obtains the Data Subject's Consent.
7.1 AO Beijing will establish and follow procedures to ensure that, except as provided in section 8.2, Data Subjects are provided with the information set out in Annex 1 (Information to be Provided to Data Subjects) to this Policy, if they do not already have it, before the Processing of their Personal Information begins (or, if later, as soon as practicable after this Policy takes effect). The information should be authenticated, accurate and complete, and be provided in writing and in an easily accessible form, using clear and plain language.
7.2 Note the following points:
7.2.1 Employees are provided with information about the Processing of their or their family member(s)' Personal Information upon commencement of their employment with AO Beijing and/or during the course of their employment. Provision of such information does not need to be repeated through separate notices and communications, but employees should be provided with the relevant information if the Processing of their Personal Information is later changed in any respect compared to what they have been previously provided.
7.2.2 AO Beijing has a privacy statement, published on the Pyxus Group website (www.pyuxsintl.com) and available from the Country Manager on request, which makes available information about AO Beijing's Processing of Personal Information. AO Beijing takes the view that it is not necessary to provide each individual directly with a full statement of the information set out in Annex 1 (Information to be Provided to Data Subjects), in relation to routine Processing of their Personal Information for business purposes, but where practicable their attention (or, at least, the attention of the organisations that they represent) should be drawn to the privacy statement. Note further, however, that Processing of Sensitive Personal Information, or of Personal Information (other than names) relating to individuals in their personal rather than their business or professional capacity, is not to be regarded as routine for these purposes.
7.2.3 Data Subjects do not need to be provided with information as otherwise required by section 7.2.1 in the following circumstances:
(a) if the laws or administrative regulations require that the relevant Processing information should be kept in confidence;
(b) if the laws or administrative regulations otherwise permit that the provision of the relevant Processing information is not needed;
(c) under an emergency situation that requires immediate action in order to protect the life, health and property safety of individuals and notification of the relevant Processing information is not practicable for this purpose. In this case, the relevant Processing information must be provided to the Data Subjects concerned promptly after the elimination of such emergency situation and the Country Manager must be informed as soon as possible upon occurrence of such situation; and
(d) otherwise, if the Pyxus Group Chief Compliance Officer or Legal Department has concluded in writing that the PIPL and other applicable laws do not require the information to be provided.
8.1 Personal Information can in some circumstances be Processed on the basis of Data Subject Consent. AO Beijing generally relies on Consent for its Processing of Personal Information under the PIPL, unless an alternative lawful basis to Process the relevant Personal Information is applicable (see, in particular, sections 7.6.2 to 7.6.7 above). Sensitive Personal Information can sometimes be Processed, and Personal Information can sometimes be Transferred internationally, on the basis of separate Data Subject Consent.
8.2 When obtaining the Consent of a Data Subject for the purposes of this Policy, AO Beijing will:
8.2.1 request the Consent in an intelligible and easily accessible form, using clear and plain language;
8.2.2 make sure that the Data Subjects understand, when they Consent, that they are free to withhold the requested Consent without suffering any adverse consequence, and that the Consent can be withdrawn at any time, with information provided in a straightforward way explaining how the Data Subject can withdraw the Consent, as appropriate in the context;
8.2.3 if the Consent is obtained in written form, and the relevant document also concerns other matters, make sure that the Consent is clearly distinguishable from the other matters; and
8.2.4 make sure that AO Beijing has an appropriate record of the Consent having been given.
8.3 Where separate Consent is required, AO Beijing will need to explain in specific terms the nature of the Processing to be carried out and the Personal Information to be Processed, as well as providing all the information set out in Annex 1 (Information to be Provided to Data Subjects), and the Data Subject will then need to make a separate written statement or agree to a separate statement provided by AO Beijing agreeing that the Processing can go ahead.
9.1 Data Subjects have the right:
9.1.1 to be informed of the Processing, to determine whether AO Beijing can Process, and refuse or restrict the Processing of their Personal Information;
9.1.2 to access their Personal Information Processed by AO Beijing and to be provided with a copy of any Personal Information that AO Beijing holds about them;
9.1.3 in circumstances identified by the Country Manager pursuant to the PIPL and further implementing guidance from PRC regulators, to require Personal Information which they have provided to AO Beijing to be "ported" to another Personal Information Processor;
9.1.4 to require AO Beijing to update or correct any inaccurate Personal Information, or complete any incomplete Personal Information, concerning them;
9.1.5 under certain circumstances, to delete their Personal Information; and
9.1.6 to request an explanation of how AO Beijing Processes their Personal Information.
9.2 If AO Beijing receives a communication from any Data Subjects who are not employees, in which they seek to exercise any of these rights, that communication shall be handled with prudence and care, and reported to the Country Manager without delay for instructions. Employees must comply with the Country Manager's instructions and standard communications that may be issued by the Country Manager from time to time when responding to the exercise of these rights.
10.1 AO Beijing will take particular care in relation to the Processing of Sensitive Personal Information and Process in accordance with the PIPL.
10.2 AO Beijing does not intend to knowingly collect Personal Information from children under 14 years of age, unless express consent from the parent or guardian of that child is obtained. Generally, collecting Personal Information from children under 14 years of age will only be required for the purpose of providing medical insurance to employees. If an employee believes that it is necessary to Process Personal Information of children or any Processing of Personal Information of children is conducted without the express consent from the parent or guardian, he or she should contact the Country Manager.
AO Beijing should not Transfer Personal Information outside China, unless:
11.1.1 the relevant Data Subjects have given their Consent to the Transfer taking place; or
11.1.2 the Country Manager or the Pyxus Group Chief Compliance Officer has approved the Transfer (or categories of Transfer); or
11.1.3 the Transfer is pre-approved by this Policy, on the basis that it is compliant with the PIPL and other applicable laws.
AO Beijing will delete or anonymise (as applicable) Personal Information to the extent required by the PIPL, in accordance with global information security and data retention policies of AO Beijing and the Pyxus Group, where applicable. It should be noted that AO Beijing also needs to comply with the record-keeping requirements provided under the PRC Data Laws and other applicable PRC laws and regulations (including the relevant provisions under the PRC Archives Law (2020 Amendment) and its relevant implementation rules which impose different retention periods depending on the category of documents/information). For further information, please refer to the AO Beijing privacy statement as mentioned in section 7.2.2 above.
13.1 AO Beijing will have technical and organisational security measures in place to protect all Personal Information that it Processes in accordance with policies of Pyxus Group, as applicable to AO Beijing.
13.2 Where AO Beijing outsources the Processing of Personal Information to any third-party service provider it will:
13.2.1 conduct appropriate due diligence on the technical and organisational security arrangements that the service provider will have in place to protect that Personal Information;
13.2.2 ensure that the arrangement is governed by a written agreement imposing obligations on the service provider, where required by the PRC Data Laws; and
13.2.3 take reasonable steps (for example by making enquiries of the service provider) to ensure that the security measures required of the service provider are in place in practice over time during the life of the relevant Processing arrangement.
13.3 Employees responsible for the negotiation of agreements with third party service providers should consult the Country Manager if in doubt as to the requirements of this section.
13.4 Any breaches or potential breaches of personal information should be reported to the Country Manager and the IT Department of the Pyxus Group. AO Beijing is obliged to report certain breaches of security affecting Personal Information to competent data protection authorities, and in some circumstances it is obliged to inform affected Data Subjects.
AO Beijing will not use Processing Systems to take decisions producing legal effects concerning living individuals, or otherwise significantly affecting them, based solely on automated Processing of Personal Information, unless the Country Manager has considered the proposed Processing System in a particular case and concluded in writing that it meets the requirements of the PIPL and other applicable laws.
AO Beijing and the Pyxus Group may periodically audit and test its compliance with PRC Data Laws and this Policy. It is recognised that periodic data compliance audits allow AO Beijing to form an accurate understanding of the Processing activities undertaken by AO Beijing, assess the effectiveness of the technical and organisational measures implemented by AO Beijing for the protection of Personal Information, and identify changes that need to be made and to achieve overall compliance with the PRC Data Laws.
16.1 Any communication received by any employee of AO Beijing from a competent data protection authority should be immediately passed to the Country Manager upon receiving such communication.
16.2 Any request received by any employee of AO Beijing which originates from any foreign regulatory or judicial authority that involves the provision of data or any type of Personal Information to such authority shall be immediately reported to the Country Manager with a copy to the Legal Department of the Pyxus Group. Employees may not provide data or Personal Information stored in China to foreign regulatory or judicial authorities without the approval of the Country Manager.
Information to be Provided to Data Subjects
The information referred to in section 8.1 of this Policy is: