Data Policy Notice
This Notice sets out the data policies of Bank of China (Hong Kong) Limited, Nanyang Commercial Bank Limited, Chiyu Banking Corporation Limited and BOC Credit Card (International) Limited (each a "Company") in respect of their respective data subjects (as hereinafter defined). The rights and obligations of each Company under this Notice are several and not joint. No Company shall be liable for any act or omission by another Company.
The term "data subject(s)", wherever mentioned in this Notice, includes the following categories of individuals :-
- applicants for or customers/users of banking/financial services and facilities provided by a Company and their referees;
- sureties and parties providing security, guarantee or any form of support for obligations owed to a Company;
- directors, shareholders, officers and managers of any corporate applicants and customers/users; and
- suppliers, contractors, service providers and other contractual counterparties of the Company.
For the avoidance of doubt, "data subjects" shall not include any incorporated bodies. The contents of this Notice shall apply to all data subjects and form part of any contracts for services that the data subjects have or may enter into with the Company from time to time. If there is any inconsistency or discrepancy between this Notice and the relevant contract, this Notice shall prevail insofar as it relates to the protection of the data subjects' personal data. Nothing in this Notice shall limit the rights of the data subjects under the Personal Data (Privacy) Ordinance (the "Ordinance").
From time to time, it is necessary for the data subjects to supply the Company with data in connection with various matters such as the opening or continuation of accounts and the establishment or continuation of banking facilities or provision of banking or other services by the Company, or the provision of supplies or services to the Company.
Failure to supply such data may result in the Company being unable to open or continue accounts or establish or continue banking facilities or provide banking or other services.
Data relating to the data subjects are collected or received by the Company from time to time. Such data may include, but not limited to, data collected from data subjects in the ordinary course of the continuation of the relationship between the Company and data subjects, for example, when data subjects write cheques, deposit money, effect transactions through credit cards issued or serviced by the Company or generally communicate verbally or in writing with the Company.
The purposes for which the data relating to the data subjects may be used will vary depending on the nature of the data subjects' relationship with the Company, they may include (without limitation) the following :-
- assessing the merits and suitability of the data subjects as actual or potential applicants for banking / financial services and facilities and/or processing their applications;
- enabling the Company to ensure the daily operation of the services and credit facilities provided to the data subjects;
- conducting credit checks whenever appropriate (including, without limitation, upon an application for consumer credit and upon periodic review of the credit) and carrying out matching procedures (as defined in the Ordinance);
- creating and maintaining the Company's credit scoring models;
- providing reference;
- assisting other financial institutions to conduct credit checks and collect debts;
- ensuring ongoing credit worthiness of data subjects;
- researching and/or designing financial services or related products for data subjects' use;
- marketing financial services or related products;
- determining amount of indebtedness owed to or by data subjects;
- enforcing data subjects' obligations including without limitation the collection of amounts outstanding from data subjects;
- meeting the requirements to make disclosure under the requirements of any law binding on the Company or any of its branches or under and for the purposes of any guidelines issued by regulatory or other authorities with which the Company or any of its branches are expected to comply;
- enabling an actual or proposed assignee of the Company, or participant or sub-participant of the Company's rights in respect of the data subjects to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;
- comparing data of data subjects or other persons for credit checking, data verification or otherwise producing or verifying data, whether or not for the purpose of taking adverse action against the data subjects;
- maintaining a credit history or otherwise, a record of data subjects (whether or not there exists any relationship between data subjects and the Company) for present and future reference; and
- purposes incidental, associated or relating thereto.
Data held by the Company relating to data subjects will be kept confidential but the Company may provide and disclose (as defined in the Ordinance) such data to the following parties for the purposes set out in the previous paragraph:
- the Company's holding companies, branches, subsidiaries, representative offices and affiliates, wherever situated;
- the other Companies and their respective holding companies, branches, subsidiaries, representative offices and affiliates, wherever situated;
- any agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment or securities clearing or other services to the Company in connection with the operation of its business;
- any other person under a duty of confidentiality to the Company or who has undertaken to keep such data confidential;
- the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;
- any person making payment into a data subject's account;
- any person receiving payment from a data subject, the banker of such person and any intermediary(ies) which may handle or process such payment;
- credit reference agencies, and, in the event of default, to debt collection agencies;
- any financial institution and charge or credit card issuing companies with which the data subjects have or propose to have dealings;
- any other person who has established or proposes to establish any business relationship with the Company or recipient of the data;
- any person to whom the Company is under an obligation to make disclosure under the requirements of any law binding on the Company or any of its branches or under and for the purposes of any guidelines issued by regulatory or other authorities with which the Company or any of its branches are expected to comply;
- any actual or proposed assignee of the Company or participant or sub-participant or transferee of the Company's rights in respect of data subjects; and
- selected parties for the purpose of informing data subjects of services and/or products which the Company reasonably believes will be of interest to the data subjects,
notwithstanding that any of such parties' place of business is outside the places where the Company has operations, or that such data following disclosure will be collected, held, processed, used or further disclosed by such parties in whole or part outside the places where the Company has operations in accordance with the applicable local practices, laws, rules and regulations.
Under and in accordance with the terms of the Ordinance and the Code of Practice on Consumer Credit Data approved and issued under the Ordinance, any data subject has the right:
- to check whether the Company holds data about him and has access to such data;
- to require the Company to correct any data relating to him which is inaccurate;
- to ascertain the Company's policies and practices in relation to data and to be informed of the kind of personal data held by the Company;
- in relation to consumer credit, to request to be informed which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the making of an access and correction request to the relevant credit reference agency or debt collection agency; and
- in relation to consumer credit data which has been provided by the Company to a credit reference agency (except where the consumer credit applied for involves a residential mortgage loan), to instruct the Company upon termination of an account by full repayment to make a request to the credit reference agency to delete such data from its database, as long as the instruction is given within 5 years of termination and at no time did the account have a default of payment lasting in excess of 60 days within 5 years immediately before account termination. In the event the account has had a default of payment lasting in excess of 60 days, the data may be retained by the credit reference agency until the expiry of 5 years from the date of final settlement of the amount in default or 5 years from the date of discharge of the individual's bankruptcy as notified to the credit reference agency whichever is earlier.
The Company has the right to charge a reasonable fee for the processing of any data access request.
The Company may have obtained credit report on the data subjects from credit reference agency(ies) in considering any application for credit. In the event that the data subjects wish to access the credit report, the Company will advise them the contact details of the relevant credit reference agency(ies).
The person to whom requests for access to data or correction of data or for information regarding policies and practices and kinds of data held are to be addressed is as follows:
Bank of China Group Investment Limited
23/F, Bank of China Tower, 1 Garden Road, Hong Kong.
Fax : (852) 28772629
If there is any inconsistency between the English version and the Chinese version of this Notice, the Chinese version shall prevail in relation to any matters arising in the Mainland China exclusive of Hong Kong, the English version shall prevail in relation to any matters arising in Hong Kong and elsewhere.