Business Practices

Commitment

The Company strives to attain and maintain high standards of corporate governance best suited the needs and interests of the Group as it believes that an effective corporate governance framework is fundamental to promoting and safeguarding the interests of shareholders and other stakeholders and enhancing shareholder value. Accordingly, the Company has adopted and applied corporate governance principles and practices that emphasise a quality Board, effective risk management and internal control systems, stringent disclosure practices, transparency and accountability as well as effective communication and engagement with shareholders and other stakeholders. It is, in addition, committed to continuously enhancing these standards and practices and inculcating a robust culture of compliance and ethical governance underlying the business operations and practices across the Group.

Service & Product Responsibility

Commitment

As the telecommunications industry changes rapidly, it faces significant pressure from technological advances and rising consumer expectations. Operators need to build consumer trust and meet customers’ growing demands for higher speeds and wider coverage. To do this, they need to do more than merely offering the latest handsets and digital devices. They must also provide customers with flexibility and choices in the services they offer, in order to complement and enrich their customers’ lives. Apart from delivering sustainable value to its customers through digital connectivity, the Group endeavours to provide safe, reliable and high-quality products and network services that meet and surpass customer expectations.

Digitalised Customer Engagement and Experience

Customer engagement plays a pivotal role in comprehending customer expectations and fostering brand loyalty. Business, through its proactive engagement with customers in the process, can gain valuable insights, establish stronger connections, and cultivate enduring customer relationships that earn trust and loyalty. To facilitate good accessibility and interactions, the Group proactively engages with its customers through various communication channels, including customer service centres, social networking platforms, service hotlines, live webchat, online enquiries through emails, websites and mobile applications. The Group’s websites at three.com.hk and three.com.mo, along with the My3 application, serve as vital links between the Group and its customers, fostering enduring customer relationships. These platforms provide customers with essential information about the Group’s latest promotions and offerings, while also empowering customers to manage their data and call time usage, make top-ups, pay bills, manage roaming services, purchase handsets and accessories, as well as access the online iChat customer interface. The Group strives to enhance customer satisfaction and engagement by leveraging the diverse digital resources to ensure seamless communications with its customers, regardless of their locations.

The Group welcomes customer feedback, which is useful in improving customer experience and driving positive changes. The Group has established relevant guidelines to facilitate consistency in handling customer enquiries and complaints, and customer service representatives are adequately trained to address customer concerns in a professional manner. All complaints are acknowledged, investigated and duly followed up, and periodic reviews and analyses on customer complaints are conducted for continuous improvements. Details of the Group’s service performance targets and the actual performance of the Group in areas such as service hotline performance and complaints handling are available on respective websites.

Data Privacy and Information Security

Commitment

The rapid development of data privacy and information security regulations are exerting a growing influence on the telecommunications industry and poses an escalating challenge to operators in terms of maintaining customer relationships. As such, ensuring personal data protection and effective control of cyber security risks becomes increasingly important in a bid to uphold the trust of both customers and employees.

Data Privacy Policies and Control Systems

The Group is dedicated to safeguarding and protecting personal data and sensitive information. Related legislative and regulatory requirements associated with personal data processing are embedded in all business activities of the Group. It is imperative for employees to maintain the confidentiality of any sensitive information about the Group and its stakeholders including customers, suppliers, business partners or shareholders, except where disclosures are authorised in accordance with the Information Security Policy.

Employees are expected to handle personal data in strict adherence to the policies, procedures and guidelines set forth by the Group, in compliance with relevant data protection laws pertaining to data privacy and security. The oversight of personal data protection within the Group is among the responsibilities of the Regulatory Advisory Committee, with appropriate support from the Data Protection Committee. Adequate technical and organisational measures have also been implemented to ensure proper compliance.

The Group periodically reviews and updates its policies to facilitate timely communication with employees. To acknowledge and confirm their compliance with all applicable Group policies, employees are required to submit an annual self-declaration. This reinforces employees’ commitment to upholding the Group’s policies and regulatory requirements.

Data Privacy Principles

The Group is committed to ensuring effective customer data management. Legislative and regulatory requirements concerning personal data processing are embedded in all business activities. Appropriate technical and organisational measures have also been designed and adopted to implement data privacy principles effectively.

Data Collection:

• Collect only necessary and relevant personal data for specified, clear and legitimate purposes

Use of Data / Data Access:

• Use personal data in a lawful, fair and transparent manner
• Provide a clear, transparent, understandable and updated Privacy Notice
• Ensure the use of personal data in compliance with applicable data protection laws
• Restrict employee access to personal data on a need-to-know basis only

Data Accuracy:

• Take appropriate steps to ensure personal data held are accurate and up-to-date

Data Security:

• Use encryption techniques to retain, use and transmit personal data
• Maintain stringent and adequate security measures to protect personal data that the Group is entrusted against unauthorised or unlawful access
• Review security measures regularly to ensure their protection level is appropriate

Data Retention:

• Keep only personal data that are necessary for the fulfilment of the purposes for which they are being used, and in accordance with internal guidelines for document retention periods
• Erase personal data from the system that are no longer required for the purpose for which they were collected

Rights of Individuals:

• Process personal data in accordance with the rights of individuals under applicable data protection laws
• Handle requests from individuals to access, amend or delete their personal data in a manner compliant with applicable data protection laws

Data Privacy Guidelines and Awareness Campaign

All employees are required to fully adhere to the Policy on Personal Data Governance, Internal Guidelines on Data Retention and Access to Personal Data, other relevant policies, procedures and guidelines of the Group as well as applicable data protection laws. Access to physical or computer records containing personal data is strictly controlled and requires management approval granted only on a “need-to-know” basis.

To keep employees informed of the latest requirements and advancements in terms of relevant rules and regulations, the Group arranges related training sessions on a regular basis. Operational guidelines, handbooks and periodic internal communications are provided to employees, and workshops are conducted to emphasise the significance of customer data protection in particular for customer-facing employees. Furthermore, the Group conducts routine privacy risk assessments to promptly assess existing privacy risks and to evaluate the effectiveness of risk mitigation measures in place.

Cyber Security Awareness Month

To raise cyber security awareness among employees and protect against fraudulent and phishing emails, the Group implements periodic fraud alerts and workshops. These measures are designed to equip employees with the necessary skills to handle customer and company information securely and to keep abreast of the new developments on relevant cyber security rules. The use of mobile devices and removable drives is restricted to minimise the risk associated with data exfiltration. Overall, the ultimate objective is to ensure that employees are knowledgeable, compliant with relevant rules and vigilant in maintaining cyber security.

Data Security and Incident Management

In recent years, digitalisation resulted in a notable increase in the frequency, scale and severity of Data Security Incidents (“DSIs”) across the globe. The loss or unauthorised disclosure of data, including personal information of customers or employees, as well as technical and trade-related information, can have significant repercussions on the Group’s operations and may trigger legal claims or regulatory investigations.

In the event of a DSI involving personal data, the Group will take prompt actions in accordance with its established procedures to mitigate potential consequences and to safeguard personal data against further unauthorised access, use or damage. The Legal & Regulatory Affairs department and the Information Technology Security team of the Group will be promptly informed, and, if necessary, the audience will further be extended to relevant authorities and affected individuals. The guidance on managing DSIs and the related notification process is regularly reviewed and updated.

Anti-Corruption and Whistleblowing Mechanism

Commitment

The Group has zero-tolerance for bribery, corruption and fraud in any form. Stringent policies, guidelines and procedures are in place to uphold high standards of business ethics and integrity. All business partners, suppliers and third-party representatives are also encouraged to adopt the standards.

Anti-Fraud & Anti-Bribery (“AFAB”) Policy and Code of Ethics (the “Code”)

The AFAB Policy underscores the Group’s firm stance on zero tolerance towards bribery and corruption. It serves as a guide for employees and provides direction in circumstances that may potentially involve or appear to involve corruption or unethical business practices. The policy comprises provisions covering various aspects, including kickbacks, political and charitable contributions, gifts and hospitality, and the procurement of goods and services. Regarding political donations, the AFAB Policy and the Corporate Communications Policy both dictate that the Group generally refrains from making any form of donations to political associations or individual politicians. This aligns with the overall principles and guidelines set forth by the policies involved.

The Code of Ethics, accessible on the Company’s website and intranet, outlines the ethical and professional standards to which employees must adhere in all business transactions. It covers various areas including provisions associated with conflict of interest, fair practices and integrity, corruption, political contributions, confidentiality, personal data protection and privacy, as well as procedures for reporting concerns through the whistleblowing mechanism.

Confidential Whistleblowing Mechanism

The Group has implemented monitoring measures and procedures to proactively identify acts of bribery, fraud or other forms of malpractice. All employees and relevant stakeholders, including customers, suppliers, creditors and debtors, are strongly encouraged to report any suspicions of misconduct, malpractice or fraud via the confidential reporting channels.

Investigations on incidents or suspected incidents of fraud and corruption are conducted in a timely and highly confidential manner. Internal Audit assumes responsibility for reviewing each reported incident and promptly escalating significant incidents to the Audit Committee. A summary of reported incidents, alongside relevant statistics including the outcomes of independent investigations and actions taken, is presented to the Chief Financial Officer on a quarterly basis.

Monitoring Compliance

The Group is committed to ensuring compliance with all applicable local laws, rules and regulations of the jurisdictions in which it operates. Regulatory frameworks within which the Group operates are scrutinised and monitored, whereby and a suite of foundational policies serves as the ultimate guiding principles for practices within the Group.

Supply Chain Management

Commitment

The Group collaborates with a diverse range of business partners and suppliers in support of its operations. The Group is committed to maintaining the integrity of its supply chains to be one of its priorities, as it is crucial to adequately manage complex legal, social, ethical and environmental risks involved. Through constant interaction, communication and cooperation, the Group extends its high standards of business ethics and integrity to its business partners and suppliers. As a responsible industry leader, the Group is a proponent of sound environmental performance, social well-being and sustainable practices.

Sourcing Responsibly and Engaging Suppliers

The Group recognises its far-reaching influence on its supply chain. The Supplier Code of Conduct serves as a guide for the Group’s business partners and suppliers, aiming to foster broader enhancements in sustainability practices and performance for the interests of the stakeholders concerned as well as the communities served by the Group. Together with the Purchasing Policy, Business Partner Evaluation Policy and AFAB Policy, this policy and other controls and procedures provide direction and guidelines on evaluation and engagement with business partners and suppliers. The Group regularly conducts adequate assessments and evaluations for the selected business partners and suppliers involved. Compliance with the Supplier Code of Conduct is mandatory for those falling within the scope of the Business Partner Evaluation Policy.

Supply Chain Management

The Group follows international best practices and employs a fair, unbiased and transparent tendering process. All tenderers are required to declare any conflicts of interest and be vigilant against fault, bribery and misconduct. Supplier relationships will be suspended or terminated if breaches are discovered.

The Group proactively encourages its business partners and suppliers to consider the risks associated with climate change and to take proactive measures to mitigate their environmental impacts. Moreover, the Group strongly invites these partners to adopt the climate-related standards, practices and principles set out in its Environmental Policy. These include reducing energy consumption and carbon footprints, promoting the use of environmentally friendly products and technologies, as well as implementing waste recycling initiatives.

Monitoring Compliance

Group policies including but not limited to the Purchasing Policy, Business Partner Evaluation Policy and AFAB Policy, in conjunction with various controls and procedures, provide clear direction and guidance for evaluation and engagement with its business partners and suppliers. The Group’s procurement teams are properly trained to facilitate their compliance with the policies and procedures concerned when working with the Group’s business partners and suppliers. Business partners who have met the Group’s requirements are expected to acknowledge compliance with the Supplier Code of Conduct. Regular assessments and evaluations are conducted on selected business partners and suppliers.

Key governance and sustainability policies and guidelines of the Group, the Corporate Governance Report and the Sustainability Report are posted on the website of the Company.