Okcoin Privacy Notice for Candidates in California, New York, Singapore, Hong Kong and Europe (“Privacy Notice”)

A. Introduction

Okcoin USA Inc., Okcoin Europe LTD, Okcoin Pte. Ltd. and Okcoin Technology Company Limited (collectively, as “The Exchange” "we", "our", or "us") have developed this Privacy Notice to help candidates located in California, New York, Singapore, Hong Kong, the European Economic Area (“EEA”), and the United Kingdom (“UK”) understand our policies on collection, processing, transfer and use of personal data we collect about you in your capacity as a candidate for employment. 

This Privacy Notice is intended to meet our duties of transparency under:

• the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, together with any binding regulations promulgated thereunder (collectively, the “CCPA”),

• the Personal Data Protection Act of Singapore ("PDPA”),

• the Personal Data (Privacy) Ordinance, Chapter 486 of the Laws of Hong Kong ("PDPO”),  and

• the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“EU GDPR”); and the EU GDPR as that regulation is incorporated into the UK law by the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the “UK GDPR”) (collectively “GDPR”).

The Privacy Notice contains general information for all candidates in the above jurisdictions. For additional jurisdiction-specific information, please refer to the Privacy Notice of the relevant country where you reside.

See our Privacy Notice for information about our practices when you interact with us online in the same manner that a consumer or other non-employee may interact with us. 

B. General Information

a. Your information¹

The Exchange collects and processes certain personal data about you. This includes: 

• Profile data, such as your name, home address, email, phone number, nationality, employee ID number, bank details, national personal ID number (e.g., UK national insurance number, US social security number), government-issued identification information (e.g., driver’s license, passport), and where permitted, immigration status;²

• Qualifications data, such as your resume, information in your company biography, social media profiles and activity, your photo, CV, application letters, employment history, qualifications and skills, references, and background screening if relevant (this may include details of criminal records);³

• Family data, such as beneficiaries’ details in relation to life insurance or other benefits, emergency contacts, marital status, and additional information about you and family members (e.g., name, date of birth, race, photo, gender and national personal ID number) where necessary for the provision of applicable benefits, guarantees or relocation assistance;⁴

• Employment data such as job title, compensation, benefits, professional experience, education, performance history, training records, employment number;⁵

• Performance data, such as career plans, conduct, name of manager, information on hours worked, location of work activity, development goals, and, where permissible, about criminal records contained in a pre-hire background check;⁶

• Compensation data, such as financial information and account information related to salary and benefits information (including information regarding health insurance, retirement savings);⁷

• Expense data, such as details of out of pocket expenses and mobile phone costs;⁸

• Communication data, such as phone, written, and electronic communications where permissible;⁹

• Medical data, such as medical leave information, medical certificates, other documents required to confer special benefit status, such as information concerning pregnancy status and age of children, etc. where applicable;¹⁰

• Systems data, such as email address, usernames, passwords, and keycard number; information about your use of, as well as content and communications you send and receive through, devices, company communications, IT systems and applications (e.g., time of use, files accessed, IP address, device ID, device location); and information about your access to offices and facilities (e.g., onsite office visits, keycard scans and security camera footage);¹¹

• Other data you provide to us, including data such as your feedback and survey responses where you choose to identify yourself.¹²

b. Sources

The Exchange collects personal data from you directly when you apply for a job, and during the application process.  If you are hired for a company position, you will receive a separate OK Coin Privacy Notice for Employees after your employment. 

We may also collect your personal information from various other sources and combine it with the personal data you provide to us. For example, we may collect your personal data from:

• job board websites you may use to apply for a job with us;

• educational institutions;

• prior employers, when they provide us with employment references;

• professional references that you authorize us to contact;

• third-party providers of background check, credit check, or other pre-employment screening services (where permitted by law);

• your public social media profiles or other publicly-available sources;

• employment agencies or recruiters; 

• your related persons who choose to communicate with us directly; 

• Company communications and IT systems/applications that automatically collect information about, and transmitted by, users;

• other Company personnel; and

• members of the public, courts, public authorities, and other public sources.

Please be advised that any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by a candidate with Company personnel or on the Company’s systems, including but not limited to the use of a computer, telephone, wire, radio or other electronic communications systems may be subject to monitoring at any and all times and by any lawful means.

c. Purposes

The Exchange processes this personal data for the following purposes:

• To establish and perform the employment contract, to recruit for and maintain or terminate the employment relationship, to evaluate candidates, and to enable you to be evaluated for potential employment opportunities. This includes recruiting and hiring and administration of payroll and benefits, absence, compensation, pre-employment verification and screening, medical insurance, occupational health, retirement plans, stock plans, expense management and professional travel.

• To enable its business, in particular to provide access to The Exchange’s offices, management of The Exchange’s IT systems and infrastructure, inclusion in company directories and provision of communication services such as e-mail, telephone and internet access. 

• Protecting the security of The Exchange’s premises, assets, systems, and intellectual property and enforcing company policies, including monitoring communications where permitted by local law and in accordance with The Exchange’s code of business conduct, in protection of company property, and for investigations and disciplinary actions.

• Compliance with legal obligations, complying with audit, recordkeeping and reporting requirements, complying with tax requirements, ensuring health and safety, including the personal safety and security of candidates, employees, contractors, vendors, clients and other visitors, verifying identity and eligibility to work, accommodating disabilities or health conditions, complying with lawful requests and legal process, such as responding to subpoenas or requests from government authorities, sharing information with government authorities, law enforcement, courts or private parties for the foregoing purposes.

• Protection of The Exchange’s legitimate business interests and legal rights, including, but not limited to, the operation of our business, for the development and operation of our products and/or services, strategic planning and project management, maintenance of business and audit records, budgeting, financial management and reporting, for talent management, recruitment feedback and complaints and future job opportunities, for the operation and management of our IT systems and premises, use in connection with legal claims, compliance, regulatory, investigative and disciplinary purposes (including disclosure of such information in connection with legal process or litigation) and in accordance with The Exchange’s code of business conduct.

In addition, we may collect your picture for use with your contact details in Our directories, in internal communications with events and updates about The Exchange.  Where permitted by local law and with your consent, we also hold background checks to evaluate eligibility for employment and medical information if a regular or onboarding health check is required or to evaluate eligibility for applicable benefits and/or accommodations.

d. Aggregated Data

We also create, process and / or share “Aggregated Data” such as statistical or demographic data for any purpose. This Aggregated Data may be derived from your personal data, but once in aggregated form it will not constitute considered personal data as this data cannot be linked to you. However, if we combine or connect Aggregated Data with your personal data so that it can be linked to you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.

e. Retention of your data 

The Exchange will keep this information, together with data retained from the application, recruitment, and selection process, for the course of the recruitment and employment relationship and, to the extent permitted after the application process or the termination of employment. The Exchange’s retention periods for personal data are based on business needs and legal requirements. We retain personal data for as long as is necessary for the processing purpose(s) for which it was collected, as set out in this Privacy Notice, and any other permissible, related purposes. For example, we may retain certain information to comply with regulatory requirements regarding the retention of such data, or in the event a litigation hold is imposed. In some cases, we may retain information for review related to other job openings. When personal data is no longer needed, we either de-identify, irreversibly anonymise and aggregate the data or securely destroy the personal data as soon as reasonably practicable.

f. Data Transfers

Personal data may be transferred to our affiliates and third parties, including service providers, in jurisdictions outside of your jurisdiction of recruitment or employment. Please see the below jurisdiction specific notices for further details. 

In case there may be possible transfers of your data from and to other jurisdictions, The Exchange shall, from time to time, update this Privacy Notice by incorporating the provisions governing transfer of personal data in the relevant jurisdictions as addendum to this Privacy Notice.

The Exchange will ensure that appropriate or suitable safeguards are in place to protect your personal information and that transfer of your personal information is in compliance with applicable data protection laws.

g. Disclosure to third parties

Personal data may be shared with: 

• Our corporate parent, subsidiaries, and other affiliates under the control of our corporate parent to operate shared infrastructure, systems and technology or for use consistent with this Privacy Notice. 

• Government authorities, law enforcement officials, applicable regulatory authorities, courts or others for the purposes described in the Purposes section above. 

• Service providers who will process personal data on behalf of The Exchange to provide services to The Exchange, such as payroll administration, benefits and wellness, human resources, occupational health, performance management, training, expense management, travel agencies, transportation and lodging, IT systems and support, information and physical security, equity award administration, corporate banking and credit cards, health care, trade associations, insurance brokers, claims handlers and loss adjusters, and any necessary third party administrators, nominees, registrars or trustees appointed in connection with benefits plans or programs.

• Acquirors and other participants (and their advisors) in transactions and potential transactions whereby The Exchange or all or a portion of its assets are to be sold to or integrated with another business, such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution. 

• Future employers and their vendors when you ask that we provide references or when we are otherwise required to provide such references by law.

h.  How to contact us

To contact us, you can email us at privacy@okx.com.

 C. Notice to California Candidates

The information provided in this section applies only to individuals who are California residents. For purposes of this Section C., “personal information” and “sensitive personal information” have the respective meanings given in the CCPA.

a. Categories of personal data

For each category of personal data listed above in Section B(a), the CCPA requires us to identify the following statutory categories under Cal. Civ. Code Section 1798.140(v)(1) to which it corresponds:

All of the categories of personal data identified above include or contain information from which it may be possible to infer, sensitive personal information and characteristics of protected classifications under California or federal law if applicable. 

b. Sources and sharing of personal information

Section B generally describes our practices currently and during the preceding 12 months. We have collected each category of personal information described in Section C(a) from each category of sources listed above in Section B(b) and disclosed to each category of other parties listed in Section B(f) in the preceding 12 months.

c. California privacy rights

1. Your California privacy rights

California residents have the rights listed below under the CCPA. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law. 

• Information. You can request the following information about how we have collected and used your personal information during the past 12 months:

  • The categories of personal information that we have collected.

  • The categories of sources from which we collected personal information.

  • The business or commercial purpose for collecting or selling personal information.

  • The categories of third parties with which we share personal information.

  • The categories of personal information that we sold or disclosed for a business purpose.

  • The categories of third parties to whom the personal information was sold or disclosed for a business purpose.

• Access. You can request a copy of the personal information that we have collected about you. 

• Deletion. You can ask us to delete the personal information that we have collected from you.

• Correction. You can ask us to correct inaccurate personal data that we have collected about you.

• Opt-out of sales or sharing of personal information. California residents can opt-out of any “sale” or “sharing” of personal information as such terms are defined under the CCPA. We do not sell or share personal information of candidates or employees and have not done so in the preceding 12 months. However, we encourage you to review our website Privacy Notice for information about the sale or sharing of personal information that may occur when you interact with online in the same manner that a consumer or other non-employee may interact with us.

• Nondiscrimination. You are entitled to exercise the rights described above free from discrimination as prohibited by the CCPA, including exercising such rights without retaliation.   

We use or disclose sensitive personal information only for purposes permitted by the CCPA that do not require us to offer the right to opt-out of processing of sensitive personal information or to limit the use of sensitive personal information. 

2. How to exercise your California privacy rights

You may submit requests to exercise your rights at dpo@okcoin.com, by meeting with a member of Human Resources, or submitting a request through our internal HR management system. Submitting your request through such channels allows us to verify your identity as required by the CCPA. As such, we cannot accept requests through other channels. We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it. We reserve the right to confirm your current California residency.  

You may designate an authorized agent to submit a request on your behalf. In order to designate an authorized agent to make a request on your behalf, you must provide the agent with signed permission to do so and provide proof of your identity, or the agent must have a valid power of attorney. In order for us to process the request, you must provide your agent with written and signed permission to exercise your CCPA rights on your behalf, provide the information we request to verify your identity, and provide us with confirmation that you have given the authorized agent permission to submit the request, or the agent must provide proof of valid power of attorney.

D. Notice to Singapore Candidates

Where this Notice to Singapore Candidates applies. The information provided in this “Notice to Singapore Candidates” section supplements sections A and B of this Privacy Notice and applies only to individuals in Singapore. In case of any consistencies between this section and sections A and B of this Privacy Notice with respect to how we collect, process, share, transfer and protect personal data of candidates and employees located in Singapore, this section prevails.

a. Disclosure to third parties

Where we disclose your personal data to third parties, we will require them to ensure the security of your personal data in compliance with the PDPA. 

We may share your personal data with a third party in merger, acquisition, division, or other corporate transactions ("Transaction”). Such data is limited to that is necessary related to the Transaction and we will require the recipient to use your personal data only for the purpose of the transaction. We may also share your personal data with intermediate parties engaged for the Transaction. These intermediate parties will use the data only for the purpose of facilitating the Transaction.

b. Transfers from Singapore to outside Singapore

If your personal data has been processed in Singapore, prior to transferring such personal data from Singapore to a jurisdiction or territory outside Singapore, The Exchange will generally take appropriate steps to ensure that the recipient of the personal data is bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA (“Comparable Standard”). To this end, The Exchange will ensure that at least one of the following measures is implemented:

• you consented to such transfer after you have been given a reasonable summary in writing of the extent to which your personal data to be transferred will be protected to a Comparable Standard (including but not limited to this Privacy Notice);

• the overseas recipient of such personal data is bound by law, contract, binding corporate rules or any other legally binding instrument to protect the transferred personal data to a Comparable Standard; and/or

• the overseas recipient of such personal data holds a valid certification under the Asia Pacific Economic Cooperation Cross Border Privacy Rules (“APEC CBPR”) System or the Asia Pacific Economic Cooperation Privacy Recognition for Processors (“APEC PRP”) System.

Where the above measures are not feasible, The Exchange may still Proceed with the transfer of your personal data from Singapore to a recipient outside of Singapore if:

• the transfer is necessary for a use or disclosure that is in your vital interests or in the national interest and The Exchange has taken reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose; and/or

• the transfer is reasonably necessary for the conclusion or performance of a contractual obligation between you and The Exchange.

c. Security of your personal data

If we have credible grounds to believe that a data breach has occurred, we will take steps to assess whether the data breach is notifiable under the PDPA. Once we assess that a data breach is a notifiable data breach, we will notify the Personal Data Protection Commission (“PDPC”) and you as soon as it is practicable. If we share your personal data with our third party service providers, we will require them to process it strictly in accordance with our instructions or as otherwise required by the PDPA.

The Exchange is committed to protecting the security of the personal data you share with us. The Exchange uses a variety of technical and organizational methods to secure your personal data in accordance with applicable laws.

d. Your rights

Subject to the exceptions provided under the PDPA, you have the following rights with respect to your personal data:

• Right to access your personal data in our possession or under our control;

• Right to correct any inaccurate data in our possession or under our control;

• Right to withdraw your consent; and 

• Right to data portability. 

Please contact dposg@okcoin.com if you wish to exercise your right. We will respond to your request as soon as reasonably possible in compliance with the PDPA. 

e. Data protection officer

The PDPA requires us to appoint a Data Protection Officer to be responsible for ensuring our compliance with the PDPA. If you want to contact our Data Protection Officer directly, you can email: dposg@okcoin.com. 

E. Notice to Hong Kong Candidates

Where this Notice to Hong Kong Candidates applies. The information provided in this “Notice to Hong Kong Candidates” section supplements sections A and B of this Privacy Notice and applies only to individuals in Hong Kong. In case of any consistencies between this section and sections A and B of this Privacy Notice with respect to how we collect, process, share, transfer and protect personal data of candidates located in Hong Kong, this section prevails.

a. Disclosure to third parties 

Where we disclose your personal data to third parties, we will require them to ensure the security of your personal data. If we share your personal data with our third party service providers, we will require them to process it strictly in accordance with our instructions or as otherwise required by the PDPO. 

We may also share your personal data with a third party in merger, acquisition, division, or other corporate transactions ("Transaction”). Such data is limited to what is necessary related to the Transaction and we will require the recipient to use your personal data only for the purpose of the Transaction. We may also share your personal data with intermediate parties engaged for the Transaction. These intermediate parties will use the data only for the purpose of facilitating the Transaction.

b. Transfer from Hong Kong to outside Hong Kong

Your personal data may be transferred amongst Our entities that make up our international network and accessed by personnel authorized by us, and in limited circumstances to our third-party contacts, outside Hong Kong, where it is originally collected or processed, for the purposes identified in this Privacy Notice. The personal data that we collect from you may also be processed by individuals operating outside Hong Kong who work for us or for one of our suppliers.

Where we transfer your personal data outside Hong Kong, we will take steps to protect it in a manner that is consistent with how your personal data will be protected by us in Hong Kong. We will also require the overseas recipient to process your personal data in compliance with applicable laws and ensure its security. 

c. Your rights

You have the right to make a data access or correction request concerning your personal data. If you would like to exercise your right, please contact us at dpohk@okcoin.com.

F. Notice to European Candidates

Where this Notice to European Candidates applies. The information provided in this “Notice to European Candidates” section applies only to individuals in the EEA, Switzerland, and the UK.

a. Controller

The Exchange is made up of different legal entities. Certain processing operations are centralized and carried out by Okcoin Europe LTD as a controller. 

To contact Okcoin Europe LTD, you can email us at dpoeu@okcoin.com.

Our UK GDPR Representative.  You can email us at: dpogb@okcoin.com.

b. Our Data Protection Officer

The GDPR requires us to appoint a “Data Protection Officer”. This is a person who is responsible for overseeing and advising us in relation to our compliance with the GDPR (including compliance with the practices described in this Privacy Notice). If you want to contact our Data Protection Officer directly, you can email: dpoeu@okcoin.com.

c. The Exchange's legal basis for processing 

• On some occasions, we process your personal data based on contractual necessity, e.g., when we need to do this to establish, perform and fulfill your employment contract (e.g., processing your bank account details in order to pay you or for expense reimbursements).

• On other occasions, we process your personal data to comply with legal obligations to which we are subject (e.g., to comply with record keeping obligations, tax calculation, or salary administration). 

• On other occasions, we may process your personal data when it is in The Exchange's legitimate interests to do this and when these interests are not overridden by your interests or fundamental rights and freedoms (e.g., for the operation of our business, for the development and operation of our products and/or services, for talent management, for the operation and management of our IT systems and premises, or for the creation of Aggregated Data that we use and share to analyze our workforce and business). 

• On other occasions, we may process and share your personal data with third parties where appropriate to do so to protect your vital interests or those of a third party (e.g., the processing and disclosure of your data to relevant health authorities and/or health care providers in the event of a medical emergency while in the application process).

• We may also process your personal data with your consent.

In some cases, the provision of personal data will be a statutory duty, and your failure to provide the personal data in these circumstances could result in The Exchange being unable to complete a candidate recruitment or to fulfill the employment relationship. 

d. Transfers outside of the EEA and the UK

Personal data may be transferred to our affiliates and third parties, including service providers, in countries outside the EEA or the UK and may be stored and processed through global systems and tools for the purposes outlined above.

When transferring personal data to countries outside the EEA or the UK, we try to ensure a similar degree of protection is afforded to it by making sure that at least one of the following mechanisms is implemented: 

• We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the EU Commission and/or the UK Government (as applicable) from time to time.

• We may transfer your personal data to countries that have not been deemed to provide an adequate level of protection for personal data by the EU Commission and/or the UK Government (as applicable) – provided that, in these cases:

  • we may use specific appropriate safeguards approved by the EU Commission and or the UK Government or UK Information Commissioner’s Office (as applicable), which are designed to give personal data the same protection it has in the EEA/UK (for example, requiring the recipient of personal data to enter into the relevant form of the so-called ‘Standard Contractual Clauses’ issued or approved from time to time); or 

  • in very limited circumstances, we may rely on an exception, or ‘derogation’, which permits us to transfer your information to such country despite the absence of an ‘adequacy decision’ or ‘appropriate safeguards’ – for example, reliance on your explicit consent to that transfer. 

For more information about the mechanisms we implement, please contact us using the contact details shown above. 

e. Your rights

If you wish to access your personal data, you should contact us via email at dpo@okcoin.com. 

You have the right to ask The Exchange to rectify, block, complete and delete your personal data, to restrict its use. You have the right to request further information about the handling of your personal data. You also have certain rights to data portability.

In addition you can object to the processing of your data by The Exchange in some circumstances and, where we have asked for consent to process your data, to withdraw this consent. 

There are exceptions to these rights, however. For example, access to personal data may be denied in some circumstances if making the information available would reveal personal information about another person or if The Exchange is legally prevented from disclosing such information. In addition, The Exchange may be able to retain data even if you withdraw your consent, where The Exchange can demonstrate that it has a legal requirement to process your data.

If you have unresolved concerns, you should contact us via dpogb@okcoin.com or dpoeu@okcoin.com. You also have the right to lodge a complaint with data protection authorities. The relevant data protection authority will be the Office of the Information Data Protection Commissioner in Malta if you are employed in the EEA and the UK Information Commissioner’s Office if you are located in the UK.

1 For each category listed, the CCPA requires us to identify the statutory category under Cal. Civ. Code Section 1798.140(v)(1) to which it corresponds. These statutory categories are listed in footnotes as “California categories.”

2 Profile California categories: Identifiers, Professional or employment-related information, Protected classification characteristics, Financial information

3 Qualifications California categories: Identifiers, Professional or employment-related information, Education information

4 Family California categories: Identifiers, Professional or employment-related information, Financial information, Medical information, Protected classification characteristics

5 Employment California categories: Identifiers, Professional or employment-related information, Education information

6 Performance California categories: Identifiers, Professional or employment-related information

7 Compensation California categories: Identifiers, Financial information, Medical information, Health insurance information, Professional or employment-related information

8 Expense California categories: Identifiers, Professional or employment-related information

9 Communication California categories: Identifiers, Professional or employment-related information

10 Medical California categories: Identifiers, Medical information, Professional or employment-related information

11 Systems California categories: Identifiers, Internet/electronic network activity information, Professional or employment-related information

12 Other California categories: Identifiers, Professional or employment-related information