- STATEMENT OF POLICY.Industrial Bank Co., Ltd. (A joint stock company incorporated in P.R.C with limited liability) (興業銀行股份有限公司), acting through its Hong Kong Branch (“Branch” or “Bank” as appropriate) is committed to protect the privacy of data subjects and to act in compliance with the provisions of the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) ("Ordinance") and the implementation of the guidelines thereon issued by the Office of the Privacy Commissioner for Personal Data. The Branch highly values personal privacy and strives to preserve the confidentiality and security of all the personal information which the Branch may collect. This Statement will not limit the rights of the data subjects under the Ordinance and/or other applicable laws (including the laws within and outside the Hong Kong Special Administrative Region).
- DEFINITIONSThe term "data subject(s)", wherever mentioned in this Statement, includes the following categories of individuals:-
The term "employee(s)", wherever mentioned in this Statement, includes employees and/or applicants for any openings offered by the Branch.
- applicants for or customers, authorised signatories, beneficiaries and other users of financial, securities, investment, banking and related services and products and facilities and so forth provided by the Branch;
- sureties, guarantors and parties providing security, guarantee or any form of support for obligations owed to the Branch; and
- directors, shareholders, officers and managers of any corporate applicants and data subjects/users, and any other authorised persons of any corporate applicants and data subjects/users as duly authorised by them from time to time.
The term “user(s)”, wherever mentioned in this Statement, includes visitors and/or users of the Branch's electronic platform, or where visitors and/or users communicate with the Branch through any electronic device, including, without limitation, computers and mobile phones (“electronic devices”).
The term "other individuals", wherever mentioned in this Statement, include suppliers, contractors, service providers, business partners, visitors and other contractual counterparties of the Branch who are individuals and the employee(s) of the above-mentioned parties (if applicable).
The term “the Branch’s website” means https://www.cibhk.com.
The term “the Branch’s mobile application”, whenever mentioned in this Statement, means personal mobile banking application that can be downloaded and installed on any operating system supported by the Branch functioning on any mobile device, through which customers can access internet banking services.
The term “internet banking service”, whenever mentioned in this Statement, means the corporate and/or personal internet banking services which can be accessed by customers through the Branch’s website or the Branch’s mobile application offered by the Brach to customers from time to time.
The term “the Branch’s electronic platform”, whenever mentioned in this Statement, includes the Branch’s website and the Branch’s mobile application, and any other platform(s) provided by the Branch which can assess internet banking service via internet.
- KINDS OF PERSONAL DATA HELD
There are three broad categories of personal data held in the Branch.
- Data SubjectsPersonal data held by the Branch regarding data subjects may include the following:-
- information provided to the Branch from time to time in connection with the opening or continuation of accounts and the establishment or continuation of banking facilities or provision of financial, securities, investment, banking and related services and products and facilities, for example name and address, occupation, contact details, demographic data, date of birth and nationality of directors, shareholders, officers and managers of customers and their identity cards and/or passport numbers, place and date of issue thereof;
- information obtained by the Branch in the ordinary course of the continuation of the business relationship, for example, when data subjects write cheques, deposit money, effect transactions serviced by the Branch or generally communicate verbally or in writing with the Branch (by means of documentation or telephone recording system, as the case may be), including portfolio information, transaction patterns and behaviour and financial background;
- information as to credit standing provided by a referee, credit reference agency or debt collection agency; and
- information which is searchable in the public domain.
- EmployeesPersonal data relating to employment held by the Branch may include the following:-
- name and address, contact details, date of birth and nationality of employees and potential employees and their spouses and their identity card and/or passport numbers and place and date of issue thereof;
- additional information compiled about potential employees to assess their suitability for a job in the course of the recruitment selection process which may include references obtained from their current or former employers or other sources;
- additional information compiled about employees which may include records of remuneration and benefits paid to the employees, records of job postings, transfer and training, records of medical checks, sick leave and other medical claims and performance appraisal reports of the employees;
- relevant personal data pertaining to former employees may be required by the Branch to fulfill its obligations to the former employees and its legal obligations under certain ordinances; and
- information which is in the public domain.
- Other IndividualsPersonal data records of other individuals may include but are not limited to their name, address, e-mail address, contact phone number and other operational and administrative records relating to them.
- PURPOSES FOR WHICH PERSONAL DATA ARE HELD
- Data Subjects
It is necessary from time to time for data subjects to supply the Branch with data in connection with the opening or continuation of accounts and the establishment or continuation of banking facilities or provision of banking and other financial services. It is also the case that data is collected from data subjects in the ordinary course of the continuation of the banking and other financial relationship.
The purposes for which the data relating to the Data Subjects may be used are as follows:-
- assessing the merits and suitability of the data subjects as actual or potential applicants for opening or continuation of accounts with the Branch and the establishment or continuation of banking facilities or provision of banking services (including financial, securities, investment and trading services and internet banking services) (collectively the “Services”) and/or processing and/or approving their applications, variation, renewals, cancellations, reinstatements and claims;
- facilitating?the daily operation of the Services and credit facilities provided to the data subjects or the Branch’s corporate clients;
- conducting credit checks whenever appropriate (including, without limitation, at the time of application for credit and at the time of regular or special reviews which normally will take place one or more times each year) and carrying out matching procedures (as defined in the Ordinance);
- creating and maintaining the Branch’s credit and risk related systems, maintaining a credit track record of data subjects for present and future reference;
- providing reference;
- assisting other financial institutions, credit card issuing companies and debt collection agents to conduct credit checks and collect debts;
- monitoring ongoing credit worthiness of data subjects;
- designing financial, securities, investment, banking and related services and products and facilities for data subjects' use;
- with the consent (or indication of no objection), marketing services, products and other subjects (please see details in the Branch’s Personal Information Collection Statement (“PICS”)), data subjects have the right to reject this purpose;
- verifying the data/information provided by any other data subject or third party;
- determining amounts owed to or by the data subjects;
- enforcing data subjects’ obligations to the Branch, including without limitation the collection of amounts outstanding from data subjects and those providing security for data subjects' obligations;
- complying with obligations, requirements or arrangements for disclosing and using data that apply to the Branch and/or any of its direct and/or indirect holding companies, subsidiaries and associated companies and/or related companies and/or any of the branches of the Branch and/or any of the aforementioned holding companies (collectively, the “Industrial Bank Group”) or that any of them shall comply or is expected to comply according to:
- any law, regulation, judgment, court order, the request(s) of any appointed or authorized liquidator, receiver, trustee, etc., code of practice, sanction rules, whether within or outside the Hong Kong Special Administrative Region (“Hong Kong”) and whether present or future, (such as Inland Revenue Ordinance and its provisions, including those concerning Automatic Exchange of Financial Account Information);
- any law, regulations, guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently or in the future (such as guideline, guidance or request given or issued by the Inland Revenue Department including those guidelines, guidance or request concerning automatic exchange of financial account information);
- any present or future contractual obligations or other commitment, agreements or treaties or other commitments with local or foreign legal, regulatory, judiciary, administration, public and law enforcement authorities, or governmental, tax, financial, security and future exchange, court, central bank law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that are assumed by or imposed on the Bank or the Industrial Bank Group;
- complying with applicable obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the Bank or the Industrial Bank Group and/or any other use of data and information in accordance with any bank-wide programmes for compliance with relevant sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
- xv.enabling an actual or proposed assignee of the Branch, or participant or sub-participant of the Branch's rights in respect of the data subjects to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation; and
- fulfilling any other purposes relating to the abovementioned purposes.
- EmployeesThe purposes for which the data relating to the employees may be used in connection with the employer and employee relationship and human resources management, including but not limited to the following purposes:-
- processing employment applications;
- determining and reviewing salaries, bonuses and other benefits;
- conducting reference check with previous employers;
- consideration for promotion, training, transfer or secondment;
- registering employees as intermediaries or licensees with statutory authorities/institutions for purposes directly related or associated to the employment;
- monitoring compliance with internal rules of the Branch;
- meeting the requirements to make disclosure under the requirements of any laws binding on the Branch or under and for the purposes of any guidelines issued by regulatory or other authorities with which the Branch are expected to comply;
- administering all matters and benefits concerning the employee retirement and insurance schemes; and
- purposes relating thereto.
- Other IndividualsThe purposes for which the data relating to other individuals may be used are as follows:-
- engaging, managing, monitoring and assessing the business relationship with the suppliers, contractors, service providers, business partners and their staff who provide services to the Branch; and
- facilitating the daily operation and administration of the above.
- SECURITY OF PERSONAL DATA
It is the policy of the Branch to ensure an appropriate level of protection for personal data in order to prevent unauthorised or accidental access, processing, erasure, loss or other use of that data, commensurate with the sensitivity of the data and the harm that would be caused by occurrence of any of the aforesaid events. It is the practice of the Branch to achieve appropriate levels of security protection by restricting physical access to data by providing secure storage facilities, and incorporating security measures into equipment in which data is held. Measures are taken to ensure the integrity, prudence, and competence of persons having access to personal data. Personal data is only transmitted by secure means to prevent unauthorised or accidental access. If the Branch engages a data processor (whether within or outside Hong Kong) to process personal data on the Branch’s behalf, the Branch would adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.
If a data subject provides personal data, the Branch will encrypt the data before transmission to ensure confidentiality of the data. Access to or processing of the personal data of a data subject will be restricted to authorized persons only.
The Branch may from time to time transmit a data subject’s data to locations outside of the Hong Kong Special Administrative Region for the purposes set out in Section 4 above. If required under applicable laws, the Branch will seek the data subject’s separate consent to such cross-border transmissions.
- ACCURACY OF PERSONAL DATAIt is the policy of the Branch to ensure accuracy of all personal data collected and processed by the Branch. Appropriate procedures are implemented to provide for relevant personal data to be regularly checked and updated to ensure that it is reasonably accurate having regard to the purposes for which that data is used. In so far as personal data held by the Branch consists of statements of opinion, all reasonably practicable steps are taken to ensure that any facts cited in support of such statements of opinion are correct.
- COLLECTION AND USE OF PERSONAL DATA
In relation to the collection of the personal data, the Branch will provide the data subjects with a copy of the PICS and/or (as and where applicable) the employees with a copy of any relevant notice in connection with the collection of their personal data and records and/or (as and where applicable) will notify other individuals of the purpose of collection, classes of persons to whom the data may be transferred, their rights to access and correct the data, and other relevant information.
Prior to collection and obtaining any personal data from the public domain, the Branch will observe the original purposes of making the personal data available in the public domain (such as the purpose of establishing the public register in the enabling legislation) and the restrictions, if any, imposed by the original data users on other users.
With respect to collection of information and personal data through internet (including by computer and/or other kinds of mobile communication devices) or when a user communicates with the Branch via an electronic device, the following terms only apply to the Branch’s electronic platform or when a user communicates with the Branch via an electronic device:
- This section is limited to information collected through the Branch's electronic platform, the Branch's online advertising and electronic communications only. This section does not apply after a user has left the Branch's electronic platform, or accessing a third party website on which the Branch's online advertising is displayed or a link to a third party website which is not operated or controlled by the Branch.
- There are sections of the Branch's website and official WeChat account where specifically require users to provide personal information, for example, users are required to complete an online form to submit an inquiry about products or services, to apply for specific products or services, and reserve personal title, contact information (mobile phone/email), asset size, identity and background information (such as entrepreneur, senior executive, professional investor, etc.), etc., for the purpose of the Branch’s staff to contact customers in respond to inquiries about products or services, or enquiries and application for specific products or services. Please read the applicable terms and conditions for these products and services. If the user does not agree with the above, please do not continue to use the Branch's website and official WeChat account or provide that the user's personal data to the Branch.
- The personal data provided on the Bank's website in connection with job applications (if applicable) will be used for assessing the suitability of applicants for job applications. The Branch's will collect the applicants’ basic personal information including name, email address, contact number, educational background and resume. When submitting job applications via the Branch’s website, please read the Branch’s notice regarding employees’ records. Failure of the applicant to provide such information may result in the Branch being unable to process his or her job application.
- The Branch's mobile application may access (i) installation ID, (ii) location data, (iii) microphone, (iv) camera, (v) address book, (vi) calendar, (vii) biometric authentication module and (viii) voice recognition on a user's mobile device in order to deliver the services of the relevant mobile application. However, the user's location, calendar, biometric authentication information and related information will not be stored or recorded in the Branch's database. If a user's electronic device has a memory card, the Branch may access the memory card to modify or delete the application data stored on the memory card in order to enable the Branch's mobile application services to operate. If a user does not want the Branch to have access to the information through the aforementioned methods, the user may change the settings on the mobile device or uninstall the mobile application at any time. In that case, the user will not be able to enjoy all services of the Branch's mobile application or can only enjoy part of the services.
- With respect to the Branch’s official WeChat account, after a user (including customers and non-customers of the Branch) follows the official WeChat account, the Branch will automatically obtain the Open ID, avatar photo, nickname, gender, country/region/city, follow/bind time and status through the WeChat platform for notification message, statistics and analysis purposes. The Branch may also transmit the above information to service providers for user identity verification and reply transmission purposes, if necessary. If a user does not want to provide the above information to the Branch, the user may unfollow the Branch’s official WeChat account. In that case, the user will not be able to enjoy the services of the Branch’s official WeChat account.
- Except as the Branch specifically requires personal information for its internet banking, mobile banking, e-form, mobile application services, and official WeChat account services, users will not be required to provide their personal information to use the Branch's website.
- RETENTION OF PERSONAL DATAThe personal data and information provided by data subjects and/or the employees and/or other individuals will not be kept longer than necessary for the fulfillment of the purposes for which the personal data and information are or are to be used at the time of the collection and for compliance with the legal, regulatory and accounting requirements from time to time. For example, data relating to customers will be kept for a period of 7 years or such other period as prescribed by applicable laws and regulations after closure of account/termination of service. If the Branch engages a data processor (whether within or outside Hong Kong) to process personal data on the Branch’s behalf, the Branch would adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data.
- DISCLOSURE OF PERSONAL DATAPersonal data would not be disclosed to other parties unless such disclosure is made in accordance with (A) the PICS; (B) (as and where applicable) any relevant notice in connection with the collection of employee’s personal data and records; (C) the consent from data subjects, employees and/or other individuals (as the case may be) regarding the disclosure of their data; and/or (D) the Ordinance and any other applicable laws and regulations.
- DATA ACCESS REQUESTS AND DATA CORRECTION REQUESTS
The Branch would comply with and process all data access and correction requests in accordance with the provisions of the Ordinance.
The Branch may impose a reasonable fee for complying with a data access request in accordance with the Ordinance. The Branch is only allowed to charge a person entitled to make such request for the costs for complying with such a request. If a person making a data access request requires an additional copy of the personal data that the Branch has previously supplied pursuant to an earlier data access request, the Branch may charge a fee to cover the full administrative and other costs incurred in supplying that additional copy.
Data access and correction requests to the Branch may be addressed to the Branch’s Data Protection Officer (“BDPO”) or other persons as specifically advised by the Branch.
Cookies will collect anonymous visitor data, including the Website user’s personalised settings information (such as language preferences), and aggregate research data on number of visitors, behaviour and usage patterns. No personal data is stored in cookies unless it is expressly stated otherwise, brought to the Website user’s notice and agreed by the Website user in advance.
The Website user can set his/her browser to disable cookies. However, disabling cookies will mean that the Website user is unable to take full advantage of the Website, including accessing any internet banking services. The Website user acknowledges that, by accepting cookies, they will have acknowledged that their information is being collected, stored, accessed and used as outlined above.
The Bank may also work with third parties which uses applications (including but not limited to cloud computing) to research certain usage and activities on parts of the Website on the Bank’s behalf. These third parties may use technologies such as tracking tags and "cookies", etc. to conduct such research. These third parties collect information similar to the Bank’s cookies to collect further information about Website users, especially to collect aggregate user data, such as number of visitors to the Website, usage patterns, etc., and will be used for more accurate reporting and to improve the effectiveness of the Bank’s marketing. Information recorded through the use of these applications are aggregated, and no personally identifiable information about the individual Website user is collected or shared by these third parties with the Bank as a result of such research. No customer personal data is stored by the third parties through their technologies. The Website user may choose to disable the third parties’ tools and technologies through changing the setting on their browser, however, the Website user may not be able to access the Branch’s internet banking services.
- OTHER PRACTICES
The following are maintained by the Branch to ensure compliance with the Ordinance:-
- a Log Book as provided for in section 27 of the Ordinance;
- internal policies and guidelines on compliance with the Ordinance for use by staff of the Branch;
- CONTACT DETAILS
To co-ordinate and oversee compliance with the Ordinance and the personal data protection policies of the Branch, a BDPO has been appointed by the Bank.
The contact details of the BDPO are as follows:
Attn: Data Protection Officer
Industrial Bank Co. Ltd.,
Hong Kong branch
12/F, One, International Finance Centre
1 Harbour View Street, Central, Hong Kong
Date: February 2024