Great Place To Work China Privacy & Security Notice


This Privacy & Security Notice describes Great Place To Work Hong Kong (hereafter the “GPTW”) privacy practices in connection with:

This Privacy & Security Notice does not cover GPTW’s privacy practices for:

  • GPTW employees, contractors, or job applicants
  • Children and/or Minors. Our Site is neither designed nor intended for any visitors under 18 years of age. If you have any reason to believe that a visitor to our Site is under 18 years old, please contact us at and we will endeavor to delete the information from our databases.

What is Personal Information?

For purposes of this Privacy & Security Notice, personal information means information collected by GPTW relating to an identified or identifiable natural person recorded electronically or by other means, but does not include anonymized information.

Links to Third-party Websites

For your convenience, the Site may contain links to third-party websites and/or information. When you access those links, you leave GPTW’s Site and are redirected to a third-party website. GPTW does not control third-party websites, and the privacy practices of third parties might differ from GPTW’s privacy practices. We do not endorse or make any representations about third-party websites. When you share personal information with third-party websites, the third-party processing is not covered by this Privacy & Security Notice. We encourage you to review the privacy policy of any website or company before sharing personal information.

GPTW’s Privacy Practices Affecting Users of Our Site

Sources of Personal Information We Collect From Site Visitors:

GPTW collects personal information from individuals who access our Site:

  • Directly from a website visitor
  • From service providers or other third parties; and
  • Automatically from a web visitor’s visit or activity on our site.

Information Collected Directly From Website Visitors

GPTW collects personal information when you visit our Site and when you choose to provide personal information. For example, we collect information when you contact us via our Site, provide your email, phone number or other similar contact information, such as the information that you provide when you sign up for a webinar.

What We Collect

The personal information collected from a visitor to our Site may include:

  • Name
  • Company
  • Job Title
  • Address
  • Phone Number
  • Email Address

If you register to attend a GPTW sponsored Event, we may require certain data in some instances, including:

  • Emergency contact
  • Dietary preferences
  • Health and safety information
  • Billing information (such as billing name, billing address, and credit card number)

Information Provided by Third Parties or Publicly Available Sources

We may receive information about you from other sources and combine that information with the information we collect directly. Examples of information we may receive from other sources include: purchased business contact information and from publicly accessible websites, such as your company’s website, professional network services, or press releases. Business contact information may include:

  • First name
  • Last name
  • Business email
  • Telephone number
  • Company name
  • Job level
  • Functional role
  • Business street address
  • Online identifier
  • Employment history

We use this data for our internal customer analytics, to identify prospective customer marketing opportunities, and to improve the relevance of our Site content and our advertising.

Information Collected by Cookies

Like many websites, GPTW uses cookies and similar tracking technologies (including for analytics, functionality, advertising, and other purposes).

You can set your Internet browser or operating system settings to stop accepting new cookies, to receive notice when you receive a new cookie, to disable existing cookies, to omit images (which will disable pixel tags) or adjust your tracking preferences. Note that the opt-out will apply only to the browser that you are using when you elect to opt out of advertising cookies. Without cookies or pixel tags though, you may not be able to take full advantage of our sites’ features.

Information Collected for Analytics

Our Site may record information concerning how often you use the application, the events that occur within the application, aggregated usage, performance data, your IP address. We do not link the information we store within the analytics software to any personal information you submit within the Site.

If you use certain systems provided by GPTW, we will collect data from you to enable multifactor authentication, such as mobile number, email address, or unique verification identifier.

Information Collected Directly From Social Media Features

Our website may host various blogs, forums, wikis, and other social media applications or services that allow you to share content with other users (collectively “Social Media Applications”). Any personal information or other information that you contribute to any Social Media Application can be read, collected, and used by other users of that Social Media Application over whom we have little or no control. Therefore, we are not responsible for any other user’s use, misuse, or misappropriation of any personal information or other information that you contribute to any Social Media Application.

Other Information

If GPTW collects any other personal information from you, we will explain which personal information is collected and the purpose for its collection.

Why We Use Your Personal Information

Our purposes of processing personal information include:

  • To fulfill the purpose(s) for which the information was collected or provided, including to communicate with you and respond to your inquiries and requests;
  • To improve our site, products and services, through testing, research, analysis and product development;
  • To market, advertise, and promote our products and services, such as to make suggestions and recommendations to you about products or services that may be of interest to you;
  • To provide training related to the products and services, such as making available training materials or events (whether in-person or online) for which we may use your personal information to provide notices and information regarding such training and events;
  • For security, audit, internal investigation, and fraud prevention purposes, such as to prevent unauthorized access or disclosure, to maintain data accuracy, to protect the confidentiality, integrity, and availability of your personal information; to allow only the appropriate use of your personal information; to identify any fraudulent, harmful, unauthorized, unethical or illegal activity;
  • To manage litigation, such as in connection with establishing, exercising, or defending our legal rights where it is necessary for our legitimate interests or the legitimate interests of others;
  • To improve the content and format of our Site by using cookies and other similar technologies, such as to measure the preferences of our Site visitors, analyze trends, administer the Site, analyze use of the Site, and to gather demographic information about visitors to the Site;
  • For other purposes for you have provided consent;
  • To aggregate or deidentify your personal information so that the information can no longer be linked to you or your device and use and share such data for any business purpose in accordance with applicable law; and
  • To comply with all applicable legal obligations, such as to comply with subpoenas and other court orders to process data where we have determined there is a legal requirement to do so.

Site Security

GPTW utilizes physical, technical, and administrative controls and procedures designed to safeguard the information we collect, prevent unauthorized access or disclosure, to maintain data accuracy of your personal information, and to restrict the processing of your personal information as set forth in this Privacy & Security Notice.

We utilize a variety of physical and logical access controls, firewalls, anti-virus, and backup systems. We use encrypted sessions when collecting or transferring sensitive data through our Site.

We limit access to your personal information and data to those persons who have a specific business purpose for maintaining and processing such information. Our employees who have been granted access to your personal information are made aware of their responsibilities to protect the confidentiality, integrity, and availability of that information and have been provided training and instruction on how to do so.

GPTW’s Privacy Practices Affecting Users of Our Product

We generally market and sell our Product to businesses, not consumers.  Our commitments regarding the personal information we collect, use, and disclose about the end users of the Product are largely driven by our contracts with business customers.  The information provided below is intended to help our business customers understand our privacy practices.  If you are an end user of one of our products or services, you are encouraged to contact your employer with questions about how your personal information is being collected, used, and disclosed.

Information we Collect

In most instances, GPTW customers are the controllers of the personal information they collect, create, communicate, and store in our Product.  The types of personal information that can be stored in our Product may include, but is not limited to:

  • End User Names
  • Company Names
  • Job Titles
  • Business Addresses
  • Email Addresses
  • Any personal information provided to us by Users of our Product, and which is required for us to execute our agreements with our Customers.

Use of Information We Collect

When we act as a processor, the personal information we collect is used to deliver our products and services to Customers.  Any personal information we use is done in accordance with our contracts with our Customers.

Because our business clients are data controllers, it is primarily them who must undertake efforts regarding how information is collected and processed in accordance with data-protection laws.  Therefore, if you have questions or concerns about the processing of your information as an end user, you should contact your employer directly or refer to its separate privacy policies. 

GPTW does not give anyone access to the personal information maintained in the Product unless:

  • It is permitted to do so in its contract with the Customer.
  • The Customer instructs GPTW to do so;
  • The Customer consents (e.g., subprocessors used by GPTW);
  • If GPTW is legally obligated to do so; or
  • If GPTW has a legitimate interest (as defined under PIPL, GDPR and other applicable laws) to do so.

Data Retention

GPTW will only retain personal information for the length of time necessary to fulfill the purpose(s) for which the information was collected or as required or permitted by applicable laws, (including the resolution of disputes) and in accordance with our customer contracts.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of the personal information, the purposes for which we process your personal information, and whether we can achieve those purposes through other means, and the applicable legal requirements.

When we no longer require your personal information, we will either delete or deidentify (anonymize) it or, if this is not possible, we will securely store it in accordance with this policy and cease use of the personal information until deletion is possible. If we deidentify (anonymize) your personal information (so that it is no longer associated with you), we may retain this information for longer periods. To support our research and enable historical comparisons, we retain deidentified data indefinitely.

Disclosure of Personal Information

We do not sell your personal information to third parties.  We may, however, share your information with:

  • Affiliates, Licensees, and Subsidiaries.  We might share personal information with our affiliates, licensees, and subsidiaries in order to deliver a product or service or to complete a task requested by our customer. 
  • Third Party Suppliers or Service Providers.  We might engage with third parties (suppliers and/or service providers) in order to deliver a product or service, perform certain functions such as enhancing the Product, or complete a task requested by our customer. We have contracts with our Third Party Suppliers or Service Providers to perform certain functions on our behalf, and only at our direction.  Our third parties are bound by confidentiality agreements, only have access to personal information to the extent necessary to provide these contracted services, and are only permitted to process personal information in accordance with our instructions (and for the purposes we disclose). 

In addition, GPTW might disclose personal information if we in good faith believe that it is necessary:

  • To comply with the law or with a legal process
  • To protect or defend our rights and property
  • To protect against misuse or unauthorized use of our website
  • To protect the personal safety or property of our users or the public (among other things, this means that, if you provide false information or attempt to pose as someone else, information about you may be disclosed as part of any investigation into your actions).
  • In connection with, or during negotiations for, an acquisition, merger, asset sale, or other similar business transfer that involves all or substantially all of our assets or functions where personal information is transferred or shared as part of the business assets (provided that such party agrees to use or disclose of personal information consistent with our Privacy & Security Notice or gains your consent for other uses of disclosures). 

We will not cross-reference your personal information with that of any other customer or entity.  GPTW does not support “back door” access to any of its products, services, or operations (including our data stores) by any government or third party.  GPTW does not share its encryption keys or provide the ability to break our encryption keys with any government or third party. 

Protecting Your Information

GPTW has many dedicated policies, practices, and protocols to protect our IT infrastructure, networks, devices, and data from unauthorized access, collection, retention, and use of sensitive, confidential, and/or proprietary customer or user data, including personal information.  These policies, practices, and protocols include, but are not limited to:

Product Security

Engineering and development access to the components that comprise the Product is restricted using methods including, but not limited to, Single Sign-On, two factor authentication, network segmentation, and IP restriction. Access to servers and services inside the primary Product boundary is controlled using centralized accounts, two-factor authentication, and bastion hosts. We employ separation of duties between developers and operations staff to limit access to the Product environment to those with a legitimate business need. The Product is protected by a web application gateway and an outbound firewall with IdP. Data is encrypted in transit and at rest using encryption that meets the current NIST standard.

Access Provisioning and Review

We have a policy and process for creating new accounts, adding and removing permissions from existing accounts, and deprovisioning access upon separation. Required approvals are collected from supervisors and application / group owners to ensure that requests are reviewed for appropriateness by multiple leaders before permissions are granted. In addition, we conduct a quarterly two-phase access review that engages both supervisors and group owners. GPTW employee permissions related to the Product that grant access to customer data are included in this access provisioning and review process. The Product provides customers with real-time information about the user accounts they have created and gives them the ability to change or revoke access at any time. Customers are responsible for managing access to the platform by creating and revoking user accounts.

Endpoint Security

Our employee endpoints (laptops and mobile devices) are connected to endpoint management software. In order to sign on to any GPTW SSO protected resource (including the Product), an employee must be using a device registered in our endpoint management software that meets our compliance policy. The compliance policy is designed to ensure that a device meets our standards for minimum operating system version, hard drive encryption, secure boot/anti-rooting, firewall enablement, anti-virus, etc. Users and administrators are notified when a device is out of compliance. Non-compliant devices are automatically blocked from accessing company resources once the compliance grace period expires.

Vulnerability Management

Our employee endpoints (laptops and mobile devices) as well as servers in the Product environment are connected to vulnerability management software. We actively scan for vulnerabilities and have a vulnerability management policy and procedure designed to limit the number of known vulnerabilities and number of exposed devices, according to the severity of the vulnerability. We have periodic vulnerability management meetings to review current remediation status, plan future remediations, manage exceptions and accepted risk, and review aged vulnerabilities as time passes and the technical landscape evolves. On laptops and mobile devices, we automatically update critical software (operating systems, browsers, productivity software). Inside the Product environment, we periodically update minor versions of operating systems, databases, and other critical software through our change management process following validation in pre-production environments.

Backup and Disaster Recovery

The Product environment is periodically backed up. All persistent data is backed up with at least a 24 hour recovery point objective. Data that changes frequently is backed up more frequently (up to and including continuous backup). Backups are persisted to geo-redundant online storage at least every 24 hours to protect against the catastrophic failure of a given data center. The majority of our infrastructure is implemented using infrastructure as code. We have documentation and code allowing us to build a new Product environment in the event of a major disaster. We test our disaster recovery procedure annually.

Data Classification, Handling, and Labeling

We have a data classification, handling, and labeling policy. Data is classified according to its risk. Employees receive training on the policy and its practical implementation. We have a detailed list of all data artifacts related to or produced by the Product that explains their classification in detail.

Global Laws and Regulations

We commit to comply with all applicable laws and regulations including, but not limited to, the following outlined below.

  • Personal Information Protection Law of the People’s Republic of China
  • General Data Protection Regulation (GDPR) European Union (EU) 

The PIPL/GDPR is not limited to the Chinese/EU. It applies to all organizations that target, collect, or use the personal data of any China/EU resident and mandates organizations to:

  • Know what data they hold and have appropriate rights to use the data.
  • Be accountable and able to answer questions about what type of data they hold, and in some cases, delete data they no longer need.
  • Notify supervisory authorities of data breaches.
  • Use vendors that comply with the principles of the PIPL/GDPR

GPTW is committed to compliance with the PIPL/GDPR and all applicable laws.  

International Transfers of Personal Information

GPTW operates globally and, as such, may process personal data worldwide to provide customer support; in connection with GPTW sub-processors, a list of which is available below and their own sub-processors, where applicable; and in connection with GPTW professional services. 

The transfer of personal data from China to other countries is governed by the Personal Data Protection Law of the People’s Republic of China.

If you require an amendment to include any new control or requirement, please contact

Data Processing

As part of providing the Product to you, we currently engage the following sub-processors:





Provides the hosting environment and software development tools for the Product.

Integral Tech for Business Management

Provides software engineering and operational support services for the Product.


Data Subject Rights

If you have a question or request concerning personal information held by GPTW, including your personal information collected through the use of the Product please email  To protect your privacy and security, we may take reasonable steps to verify your identity before responding to your request.  We will respond to your request within a reasonable timeframe and as otherwise required by applicable law in your location.

Updates To Our Global Privacy & Security Notice

GPTW reserves the right to update or change portions of this statement at any time and without prior notice. If we change or update this statement in a material way, we will process new personal information received under this Global Privacy & Security Notice according to the terms of this Notice, unless you consent otherwise.

How To Contact GPTW

If you have any questions or comments about this Global Privacy & Security Notice, GPTW’s  privacy practices or if you would like us to update information or preferences you provided to us, please e-mail us at:

Written responses may also be submitted to:

General Counsel
Great Place To Work® Shanghai
(Add Address )

Ready to explore endless opportunities?

Share your details, and let’s embark on a journey together. Earn Certification™, open doors to success, and connect with a friendly team that’s here to support your growth.
Your privacy is our priority – no spam, just valuable insights. Join our community now