Business Practices

Commitment

The Group strives to attain and maintain high standards of corporate governance best suited the needs and interests of the Group as it believes that an effective corporate governance framework is fundamental to promoting and safeguarding interests of shareholders and other stakeholders and enhancing shareholder value.

Accordingly, the Group has adopted and applied corporate governance principles and practices that emphasise a quality board, effective risk management and internal control systems, stringent disclosure practices, transparency and accountability. It is committed to continuously enhancing these practices and inculcating an ethical corporate culture.

Service & Product Responsibility

Commitment

As the telecommunications industry changes rapidly, it faces significant pressure from technological advances and rising consumer expectations. Operators need to build consumer trust and meet customers’ growing demands for higher speeds and wider coverage. To do this, they need to do more than merely offering the latest handsets and digital devices. They must also provide customers with flexibility and choices in the services they offer, in order to complement and enrich their customers’ lives. Apart from delivering sustainable value to its customers through digital connectivity, the Group endeavours to provide safe, reliable and high-quality products and network services that meet and surpass customer expectations.

Digitalised Customer Engagement and Experience

Customer engagement is crucial to understanding customer expectations and building brand loyalty. The Group engages with its customers through communication channels such as its customer service centres, social networking platforms, service hotlines, live webchat, online enquiries, emails, websites and mobile applications. The Group’s websites at three.com.hk, three.com.mo and the My3 application connect the Group to customers and help building long-lasting relationships with customers wherever they are. They give access to information about the Group’s latest promotions and offers and allow customers to manage their data and call time usage, top up, pay their bills, manage roaming services, purchase handsets and accessories, and access the online iChat customer interface. The awards that the Group has received in recent years are evidence of its success in delivering quality products and services for excellent customer experience.

The Group welcomes customer feedback, which is used to improve customer experience and drive positive changes in its businesses. The Group has established guidelines to ensure consistency in handling customer enquiries and complaints, and customer service representatives are trained to address customer concerns in a professional manner. All complaints are acknowledged, investigated, and duly followed up, and periodic reviews and analyses of complaints are conducted for continuous improvement. Details of the Group’s service performance targets and actual performance of the Group in areas such as service hotline performance and complaints handling are available on the three.com.hk website.

Data Privacy and Information Security

Commitment

The rapid development of regulations on data privacy and information security is increasingly affecting the telecommunications industry, posing a growing challenge for operators in maintaining customer relationships. As such, the protection of personal data is fundamental to preserving the trust of customers and employees.

The Group is committed to safeguarding and protecting their personal data. Legislative and regulatory requirements concerning personal data processing are embedded in all business activities. Employees must collect and use personal data only in accordance with applicable data protection laws, the Group policies, procedures and guidelines pertaining to data privacy and security. Employees must not disclose any confidential information on the operation of the Group, nor that of its customers, suppliers, business partners or shareholders, except when disclosure is authorised in accordance with the Information Security Policy.

Data Privacy Policies and Control Systems

The Regulatory Advisory Committee, supported by the Data Protection Committee, is responsible for overseeing personal data protection of the Group. The Policy on Personal Data Governance and Information Security Policy together with the Code of Ethics and other related policies, procedures and guidelines of the Group, set out the governance framework for safeguarding employees and customers’ personal data. These policies are reviewed and updated periodically to allow timely communication with employees. Employees are required to submit a self-declaration annually to acknowledge and confirm compliance with all applicable Group policies.

The Group is also committed to ensuring effective customer data management. Legislative and regulatory requirements concerning personal data processing are embedded in all business activities. Appropriate technical and organisational measures have also been implemented. These measures are designed to implement data privacy principles effectively.

Data Privacy Principles

The Group is committed to ensuring effective customer data management. Legislative and regulatory requirements concerning personal data processing are embedded in all business activities. Appropriate technical and organisational measures have also been designed and adopted to implement data privacy principles effectively.

Data Collection:

• Collect only necessary and relevant personal data for specified, clear and legitimate purposes

Use of Data / Data Access:

• Use personal data in a lawful, fair and transparent manner
• Provide a clear, transparent, understandable and updated Privacy Notice
• Ensure the use of personal data in compliance with applicable data protection laws
• Restrict employee access to personal data on a need-to-know basis only

Data Accuracy:

• Take appropriate steps to ensure personal data held are accurate and up-to-date

Data Security:

• Use encryption techniques to retain, use and transmit personal data
• Maintain stringent and adequate security measures to protect personal data that the Group is entrusted against unauthorised or unlawful access
• Review security measures regularly to ensure their protection level is appropriate

Data Retention:

• Keep only personal data that are necessary for the fulfilment of the purposes for which they are being used, and in accordance with internal guidelines for document retention periods
• Erase personal data from the system that are no longer required for the purpose for which they were collected

Rights of Individuals:

• Process personal data in accordance with the rights of individuals under applicable data protection laws
• Handle requests from individuals to access, amend or delete their personal data in a manner compliant with applicable data protection laws

Data Privacy Guidelines and Awareness Campaign

All employees are required to fully adhere to the Policy on Personal Data Governance, Internal Guidelines on Data Retention and Access to Personal Data, other relevant policies, procedures and guidelines of the Group as well as applicable data protection laws. Access to physical or computer records containing personal data is strictly controlled and requires management approval granted only on a “need-to-know” basis.

Regular trainings are organised to ensure that employees are up-to-date on the latest requirements and developments of the relevant rules and regulations. The Group issues operational guidelines, handbooks and periodic internal communications and conducts workshops to reinforce the importance of customer data protection among its customer-facing employees. The Group also conducts regular privacy risk assessments to evaluate prevailing privacy risks and the adequacy of mitigating controls.

Data Security and Incident Management

Data Security Incidents (“DSIs”) have increased in frequency, scale and severity in recent years globally. Loss or leakage of data, including customers’ or employees’ personal data as well as technical and trade information, could have significant consequences on the operations of the Group and could result in third-party claims and regulatory investigations.

The Security Committee, chaired by the Vice President – Digital Innovations & IT Development, comprises relevant technical specialists from the Information Technology department and the Business Assurance & Compliance function. It oversees the Information Technology department and the Corporate Security & Fraud Management function of the Group to ensure that its efforts are effective, coherent and well-coordinated. The Security Committee also monitors the cyber threat landscape to gain insights into emerging and existing attacks and their implications.

In the event of a DSI involving personal data, the Group will respond immediately according to applicable procedures to mitigate the potential consequences and secure personal data from further unauthorised access, use or damage. The Legal & Regulatory Affairs Department and the Corporate Security team of the Group will be alerted and the relevant authorities and affected individuals will be notified if required. Guidance on handling DSIs and the notification process is reviewed and updated periodically.

To raise cyber security awareness among employees, periodic training workshops are held. These equip them with adequate skills in handling customer and company information, as well as knowledge relating to the development of relevant cyber security rules and regulations. Through issuing security alerts, the Group also keeps its employees up-to-date and vigilant against fraudulent and phishing emails. Internal measures and policies are in place to minimise the risks associated with data exfiltration by restricting the use of mobile devices and removable drives.

Anti-Corruption and Whistleblowing Mechanism

Commitment

The Group has zero-tolerance for bribery, corruption and fraud in any form. Stringent policies, guidelines and procedures are in place to uphold high standards of business ethics and integrity. All business partners, suppliers and third-party representatives are also encouraged to adopt the standards.

Anti-Fraud & Anti-Bribery (“AFAB”) Policy and Code of Ethics (the “Code”)

The AFAB Policy outlines the zero-tolerance approach of the Group to bribery and corruption and guides employees in circumstances which may lead to, or give the appearance of, being involved in corruption or unethical business conduct. It includes provisions relating to kickbacks, political and charitable contributions, gifts and hospitality, and procurement of goods and services. For political donations, in accordance with the AFAB Policy as well as the Media, Public Engagement and Donation Policy, it is the general policy of the Group not to make any forms of donations to political associations or individual politicians.

The Code sets out the professional and ethical standards for the employees to observe in all business dealings, including provisions dealing with conflict of interests, fair dealings and integrity, corruption, political contribution, confidentiality, personal data protection and privacy, as well as whistleblowing procedures.

Confidential Whistleblowing Mechanism

The Group has monitoring measures and procedures in place to detect bribery, fraud or other acts of malpractice. Employees and all other relevant stakeholders are encouraged to raise their concerns of suspected acts of misconduct, malpractice or fraud through the whistleblowing mechanisms of the Group. Incidents or suspected incidents of fraud and corruption are immediately investigated in a highly confidential manner. Internal Audit is responsible for reviewing every reported incident, escalating promptly to the Audit Committee if the incident is of a significant nature. A summary of the reported incidents and relevant statistics (including results of independent investigations and actions taken) is presented to the Chief Financial Officer quarterly. For concerns that are substantiated, disciplinary actions including verbal or written warning and termination of employment are taken after due management consideration. Violations of the laws and regulations are reported to the police or other law enforcement organisations.

Monitoring Compliance

The Group is committed to ensuring compliance with all applicable local laws, rules and regulations of the jurisdictions in which it operates. Regulatory frameworks within which the Group operates are scrutinised and monitored, whereby and a suite of foundational policies serves as the ultimate guiding principles for practices within the Group.

Supply Chain Management

Commitment

The Group engages a broad range of business partners and suppliers in its operations. The Group is committed to maintaining the integrity of its supply chain by managing associated complex legal, social, ethical and environmental risks. Through regular dialogue and cooperation, the Group extends its high level of business ethics and integrity standards to its business partners and suppliers. As a responsible industry leader, the Group is a proponent of sound environmental performance, social well-being and sustainable practices.

Sourcing Responsibly and Engaging Suppliers

The Group recognises its far-reaching influence on its supply chain. The Supplier Code of Conduct sets out the standards expected of its business partners and suppliers, encompassing specific criteria and standards in terms of quality, environmental performance, ethics, health and safety, and regulatory compliance. Together with the Purchasing Policy, Business Partner Evaluation Policy and AFAB Policy, this policy and other controls and procedures provide direction and guidelines on evaluation and engagement with business partners and suppliers.

Supply Chain Management

The Group follows international best practices and employs a fair, unbiased and transparent tendering process. All tenderers are required to declare any conflicts of interest and be vigilant against fault, bribery and misconduct. Supplier relationships will be suspended or terminated if breaches are discovered.

The Group encourages business partners and suppliers to consider the risks posed to their operations by climate change, and be proactive in mitigating the environmental impact of their activities. The Group also invites business partners and suppliers to emulate the standards, practices and principles contained in the Environmental Policy of the Group.

Monitoring Compliance

Group policies including but not limited to the Purchasing Policy, Business Partner Evaluation Policy and AFAB Policy, in conjunction with various controls and procedures, provide direction and guidelines on evaluating and engaging with business partners and suppliers. The procurement teams of the Group are trained to apply these policies and procedures with due care and diligence when engaging with business partners and suppliers. Business partners meeting the Group's threshold are required to acknowledge compliance with the Supplier Code of Conduct in the course of their business activities with the Group. Regular assessments and thorough evaluations are also conducted on the selected business partners and suppliers of the Group.

Key governance and sustainability policies and guidelines of the Group, the Corporate Governance Report and the Sustainability Report are posted on the website of the Company.