CTM Privacy Policy

1. Our commitment to privacy and personal data protection

Companhia de Telecomunicacoes de Macau, S.A.R.L. and the relevant CTM group companies (“CTM”, “we” or “us”) are committed to safeguarding your privacy and the confidentiality, integrity and security of your personal data. “Personal data” in this Policy is any information that identifies you as an individual. It includes information that you provide to us or that we collect through the methods and from the different sources described below. Personal data may include, but is not limited to, your name, postal address, e-mail address, age, gender, family status, ID number, telephone number.

It is important that you read this Policy carefully so that you are aware of how and why we are using your personal data, and understand our policies and practices in this regard. This Policy should be read alongside ourPersonal Data Collection and Processing Statement . Moreover, this Policy complements the provisions for protection and processing of personal data contained in the various terms and conditions for the supply of our services and products.

2. Scope of this Policy

This Policy outlines how we collect, store, use and disclose your personal data, and sets out the legal basis on which we do this. It also tells you how you can access and update your personal data and make certain choices or objections about how your personal data are used.

This Policy covers both our online and offline data collection activities, including personal data that we collect through our different channels, such as websites, apps, social networks, retail stores, contact centers, and other points of sales. Please note that we may combine personal data that we collect via one channel (e.g., a CTM website) with personal data we collect via another channel (e.g. a CTM retail store).

3. Legal basis

We collect, store, use and disclose personal information always in strict compliance with the laws of the Macau Special Administrative Region of the People’s Republic of China (“Macau”), in particular the Personal Data Protection Law (Law no. 8/2005), and any other applicable laws and regulations relating to privacy and protection of personal data, including binding orders or guidelines issued by courts or government agencies of competent jurisdiction, such as the Office for Personal Data Protection (GPDP), and the relevant international principles and rules on protection of natural persons with regard to the processing of their personal data (taken together, “applicable laws”).

4. Personal information we collect and how we collect it

Generally, we only collect and use your personal information to the extent necessary for us to pursue our legitimate interests (where your interests and fundamental rights do not override those interests), in particular where the personal data is necessary for us to provide our products and services to you. The onus is on us to collect only the personal data that is directly related to, and necessary for, providing our products and services. We do not collect information in advance or for potential future purposes, unless required by the applicable laws.

Depending on how you interact with us (online, offline, over the phone, etc.), we may collect different types of information from you, as follows:

(i) Information to allow us to contact you, such as your name, postal address, e-mail address, social network details, or phone number.

(ii) Information required to give you access to your specific account profile, such as login ID/email address, user name, password in unrecoverable form, and/or security question and answer.

(iii) Information on your demographic or behavioural characteristics, including date of birth, age, gender, geographic location, favorite products, hobbies or interests and other lifestyle information.

(iv) Information about the computer system or mobile device you use to access our services, websites or apps, such as internet protocol (IP) address used to connect your computer or mobile device to the internet, operating system, and web browser. If you access a CTM website or app via a mobile device such as a smartphone or tablet, the collected information may also include, where allowed, the unique device ID, geo-location, and other similar mobile device data.

(v) Information our websites may use automatic technologies to capture certain information about your actions. This information is captured using automated technologies such as cookies (please refer to Section 5 below).

(vi) Information you voluntarily share with us about your experience of using our products and services.

(vii) Content you create and then share with us on a social network or by uploading it to one of our websites or apps, including the use of social network apps.

(viii) Information you share publicly on a social network or information that is part of your profile on a third party social network and that you allow the third party social network to share with us.

(ix) Information we require in order to bill you, or that you use to subscribe a service or purchase a product, such as your debit or credit card details or other accepted forms of payment. Refusal to provide such information may render us unable to handle your application, or may prevent your access to certain parts of our websites. We handle payment and financial information always in strict compliance with applicable laws and the highest security standards within the industry.

(x) Information you provide to our Contact Centre. Calls with our Contact Centre may be recorded, in accordance with applicable laws, for operational needs (including for monitoring quality or training purposes) and, in certain cases, to archive proof of consent for direct marketing and profiling. We will inform you about such recording at the beginning of your call.

5. Cookies

Cookies are small text files that are placed on your computer, mobile phone or other web enabled device when you visit a website. They are not harmful and do not contain any confidential information such as your home address, date of birth or credit card details. To find out more about the cookies we use and the purposes for which we use them, please see ourCookies Policy .

6. Purposes for which we process your personal data

We process your personal data to the extent permitted or required under the applicable laws, for the following purposes (not all of the purposes may be relevant to you):

(i) Process your application and activate or deactivate services, facilitate interconnection and inter-operability with other telecommunications operators, including number portability.

(ii) Administer your account, carry out credit checks and fraud detection, in general provide you with products and services you subscribe and process your bills and payments.

(iii) Respond to your enquiries or complaints to our customer service. This typically requires the use of your contact details and information regarding the reason for your inquiry (e.g., order status, technical and service or product issues, etc.).

(iv) Include your contact details in telephone directories or directory enquiry services provided or operated by us or a contracted third party (subject to any preference or objection you may have expressed to us).

(v) Offer you rewards, discounts or other benefits and fulfil your requests or requirements in respect of our loyalty and reward programs and other similar activities.

(vi) Inform you about products or services that may be of interest to you (with your consent, where required). Typically, we may carry out these activities via email and postal mail, ads, SMS, social networks or phone calls, to the extent permitted by applicable laws. You can opt-out at any time or object to the processing of your personal data for this purpose. Please note that, even if you opt-out from receiving marketing communications, you may still receive administrative communications from us, such as application or other transaction confirmations, notifications about your account, and other important announcements.

(vii) Inform you of service and security issues, prevent and detect fraud or other crimes and recover debts, conduct internal audits and determine your creditworthiness, ensure the safety and security of our properties and systems, conduct checks against money laundering, terrorism financing and related risks.

(viii) Carry out network monitoring, testing and maintenance of computers, mobile devices and other systems.

(ix) Develop new products and services, and personalise services we offer you, improve our services, for example by looking at usage and mobility patterns to improve your user experience.

(x) Other general purposes relevant to our business, such as analytics, internal research, security and risk management. In accordance with applicable laws, we may use your personal data for other general business purposes, such as perform market analyses and research and measuring the effectiveness of advertising campaigns.

(xi) Comply with legal and regulatory requirements, and provide assistance to courts, law enforcement and other government agencies.

7. Sharing your personal data

For the purposes mentioned above, there are instances where we may share your personal data with the following third party organisations.

(i) Third parties service providers. As part of our normal business operations, to provide the products and services you subscribe we contract third parties service providers and agents (including telecommunications operators), such as sales agents, business partners, vendors, banks and financial institutions. Our contractors, service providers and agents are only allowed to access and use your personal data on our behalf for the specific tasks that they may have been requested to perform, based on our instructions, and are required to keep your personal data confidential and secure.

(ii) Other CTM group companies or our parent company (CITIC Telecom International Holdings Limited), as permitted under the applicable laws.

(iii) Courts of competent jurisdiction, government and regulatory authorities and law enforcement agencies, to the extent permitted or as required by the applicable laws.

Except where you have given your explicit consent, we do not license your personal data to third party organisations for their own marketing purposes.

8. Where is your personal data processed

In general, your personal data is processed in Macau.

If, by way of exception, your data is also required to be processed in locations outside Macau, we will scrupulously observe the applicable laws, including the statutory requirements for cross-border exchanges of personal data, being it between us and our parent company, subsidiaries and other third party organisations. In any case, we only engage in transferring personal data to places outside Macau if the recipients provide an adequate level of protection for your data, and provided that appropriate technical and organisational security measures are in place to protect your personal data against accidental or unlawful destruction, loss or alteration, unauthorised disclosure or access, and against all other unlawful forms of processing.

9. Retention period of your personal data

We will store and keep your personal data for as long as necessary for the purposes for which it have been collected. Such period of time varies depending on the purpose for which the information is processed, or to comply with applicable laws.

In the absence of specific legal requirements, we will retain your personal data only for the minimum period necessary for the purposes for which it was collected or further processing.

When your personal data is no longer needed for the purposes it was collected or no longer legally required to be kept, we will remove it from our systems and/or take steps to anonymise it so that you can no longer be identified from it.

10. How do we protect your personal data

We have implemented appropriate measures to safeguard the confidentiality and security of the personal data you entrust to us, in full compliance with the applicable laws and the relevant international principles and rules on privacy and protection of natural persons with regard to the processing of personal data.

We maintain physical, technical and security measures of the highest standards, with respect to our offices and data storage facilities, to prevent unauthorised or unlawful access, use, disclosure, or accidental loss, destruction or damage to your personal data. Physical records containing personal data are securely stored in locked areas when not in use. Access to such physical and/or computer records is strictly controlled and requires management approval.

Apart from the statutory obligations of confidentiality, as a condition of employment our employees are required to sign a stringent confidentiality oath binding them to this responsibility, which governs their actions even after we no longer employ them.

Nonetheless, employees have access to personal data on a need-to-know basis only, in the sense that certain employees have access to personal data only to the extent necessary to accomplish the specific purpose for which the personal data have been collected.

Each employee who accesses personal data has the responsibility to use such data appropriately. Appropriate use of personal information means using it to in accordance with the relevant internal policies, such as our Personal Data Protection Policy, and only as necessary to accomplish the purposes for which it was collected (e.g., to provide a service or to determine your eligibility for a benefit).

11. Your statutory rights

Subject to the limitations under the applicable laws, you have the following rights with regard to the processing of your personal data.

(i) You may obtain from us information as to the categories of personal data relating to you that have been stored or are being processed, how the data were collected, and for what purposes, and the recipients to whom the data have been or will be disclosed, and the envisaged storage period.

(ii) If personal data are inaccurate or incomplete, you may request for the data to be rectified or supplemented.

(iii) You may request the erasure of your data if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons.

(iv) You may object or withdraw your consent at any time to your personal data being used for purposes of direct marketing, market research, or opinion research or any other form of sales prospecting.

(v) You have the right to object, on grounds of your legitimate interests, for reasons relating to your particular situation, at any time to the processing of your personal data by us and we may be required to no longer process your personal data. If your objection is justified we will no longer process your personal data for such purposes.

You may exercise the above rights by written request to contacts indicated in Section 13 below.

12. Changes to this Policy

If we change the way we handle your personal data, we will update this Policy. We reserve the right to make changes to our practices and this Policy at any time, and we invite you to please check back frequently to see any updates or changes to our Policy.

13. Contact information

We take our responsibility to respect your privacy and protect your personal data very seriously.

We will review our commitment regularly to ensure that it continues to meet your expectations and our responsibilities to you.

For information about any of the policies and practices described above, please contact our Data Protection Officer at:

Mr. Komix Hui

Tel: 8891 2986

E-mail: Komix.KM.Hui@ctm.com.mo