Shanghai Commercial Bank Group

Shanghai Commercial Bank Limited and its subsidiaries

Circular to Customers and Other Individuals relating to the Collection and Handling of Personal Data

(formerly known as “Circular to Customers and Other Individuals relating to the Personal Data (Privacy) Ordinance”)

This Circular is brought to the attention of various individuals including without limitations bank customers, individuals to whom services or products may be provided by the Group (as hereinafter defined), applicants for banking services and facilities, sureties and persons providing security or guarantee for credit facilities, as well as shareholders, directors, officers and managers of corporate customers or applicants and other contractual counterparties (“Customers”) so that Customers may have a better understanding of the rights under the Personal Data (Privacy) Ordinance of the Hong Kong Special Administrative Region (the “Ordinance”) and the reasons and necessities of providing personal data to Shanghai Commercial Bank Limited (the “Bank”) and/or its subsidiaries (collectively the “Group”). In this Circular, “Bank Group Company” means any subsidiary of the Bank, any direct or indirect holding company of the Bank, or any subsidiary, affiliate or associated entity of any such holding company.

From time to time, it is necessary for Customers to supply the Group with data in connection with the opening or continuation of accounts and the establishment or continuation of banking facilities or provision of banking or other financial services or tenancy and property management services.
Failure to supply such data may result in the Group being unable to open or continue accounts or establish or continue banking facilities or provide banking or other financial services or tenancy and property management services.
It is also the case that data are collected from Customers in the ordinary course of the continuation of the business relationship, for example, when Customers write cheques, deposit money, repay indebtedness, use electronic banking services, conduct transactions in relation to securities, insurance or cards, generally communicate verbally or in writing with the Group, or otherwise carry out transactions as part of the Group's services. The Group will also collect data relating to the Customer from third parties, including third party service providers with whom the customer interacts in connection with the marketing of the Group's products and services and in connection with the Customer's application for the Group's products and services (including receiving personal data from credit reference agencies approved for participation in the Multiple Credit Reference Agencies Model (hereinafter referred to as “credit reference agencies”)).
Where applicable, the purposes for which data relating to a Customer may be used, processed, stored, transferred, disclosed and/or exchanged by the Group or any Bank Group Company (whether in the Hong Kong Special Administrative Region or elsewhere) are as follows: -

1. considering and assessing the Customer's application for the products and services of the Group or any Bank Group Company;
2. the processing of applications for services and credit facilities;
3. the daily operation of the services and credit facilities provided to Customers, including for credit assessment, statistical or behaviour analysis, or creating and maintaining the credit scoring models of the Group or any Bank Group Company;
4. provision of reference;
5. conducting credit and status checks (including without limitations upon applications for consumer credit and periodic or special reviews of such credit);
6. assisting other card issuers or credit providers in Hong Kong approved for participation in the Multiple Credit Reference Agencies Model (hereinafter referred to as “credit providers”) to conduct credit checks and collect debts;
7. maintaining application and credit history of Customers for internal reference, and ensuring ongoing credit worthiness of Customers;
8. researching, designing financial services or related products for Customers' use;
9. marketing services, products and other subjects (in respect of which the Group may or may not be remunerated) (please see further details in Paragraph (I) below);
10. determining the amount of indebtedness owed to or by Customers;
11. collection of amounts outstanding from Customers and those providing security for Customers' obligations;
12. complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Bank or any of its branches and offices or any Bank Group Company or that it is expected to comply according to:
  1. any law binding or applying to it within or outside the Hong Kong Special Administrative Region existing currently and in the future(e.g. the Inland Revenue Ordinance and its provisions including those concerning automatic exchange of financial account information);
  2. any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside the Hong Kong Special Administrative Region existing currently and in the future (e.g. guidelines or guidance given or issued by the Inland Revenue Department including those concerning automatic exchange of financial account information); and
  3. any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Bank or any of its branches and offices or any Bank Group Company by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;
13. complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the Group or any Bank Group Company and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
14. enabling an actual or proposed assignee of the Group or any Bank Group Company, or participant or sub-participant of the rights of the Group or any Bank Group Company in respect of the Customer to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;
15. the performance of procedures for comparing (whether by manual or automated means) the Customers' data with other information supplied by the Customers (for whatever purposes), including without limitation, procedures undertaken for the purpose of taking adverse action against Customers;
16. giving effect to the Customer's orders relating to transactions or otherwise, and carrying out instructions of the Customer;
17. providing services in connection with the accounts, whether the services are provided by or through, the Group, any Bank Group Company or any other person;
18. exchanging information with merchants accepting credit cards issued by the Group and organizations with whom the Group provides affinity/co-branded/private label credit card services; and
19. all other incidental and associated purposes relating to any of the above.

Data held by the Group relating to a Customer will be kept confidential but, subject to the Customer’s separate consent (insofar as the Personal Information Protection Law of the People’s Republic of China (“PIPL”) is applicable to the Group’s process and/or use of the Customer’s data) the Group may provide such information to the following parties, where applicable, for the purposes set out in Paragraph (D): -

1. any agent, contractor, claim adjuster or third party service provider who provides administrative, data processing, financial information, telecommunications, computer, debt collection, technology outsourcing, payment or securities clearing, insurance or other services to the Group or any Bank Group Company in connection with the operation of its business;
2. any other person under a duty of confidentiality to the Group including any Bank Group Company, a business partner or other merchant or affinity entity which has undertaken expressly or impliedly to keep such information confidential;
3. the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;
4. third party service providers with whom the Customer has chosen to interact with in connection with the Customer's application for the products and services of the Group or any Bank Group Company;
5. credit reference agencies (including the operator of any centralized database used by credit reference agencies), and, in the event of default, to debt collection agencies;
6. any person to whom the Bank or any of its branches and offices or any Bank Group Company is under an obligation or otherwise required to make disclosure for public interest or under the requirements of any law, regulation or court order binding on or applying to the Bank or any of its branches and offices or any Bank Group Company or any disclosure under and for the purposes of any codes, guidelines, circulars or directions issued by any legal, regulatory, government, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers with which the Bank or any of its branches and offices or any Bank Group Company are expected to comply, or any disclosure pursuant to any contractual or other commitment of the Bank or any of its branches and offices or any Bank Group Company with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers, all of which may be within or outside the Hong Kong Special Administrative Region and may be existing currently and in the future;
7. any actual or proposed assignee of the Group or any Bank Group Company or participant or sub-participant or transferee of the rights of the Group or any Bank Group Company in respect of the Customer;
8. 1. any Bank Group Company;
  2. third party financial institutions, insurers, credit card companies, securities and investment services providers;
  3. third party reward, loyalty, co-branding or privileges programme providers;
  4. co-branding partners of the Group (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);
  5. charitable or non-profit making organizations; and
  6. external service providers (including but not limited to mailing houses, telecommunication companies, telemarketing and direct sales agents, call centres, data processing companies and information technology companies) that the Group engages for the purposes set out in Paragraph (D)(ix);

1. any nominees in whose names securities or other assets may be registered or custodians who may hold securities or other assets;
2. any person with whom the Group enters into or proposes to enter into a transaction on behalf or on account of the Customer, or persons representing the same;
3. any assignee, transferee, participant, sub-participant, delegate, successor or person to whom the securities account agreement is novated;
4. any person with the express or implied consent of the Customers; and
5. any third party in connection with Paragraph (D)(x).

Such information may be transferred to a place outside the Hong Kong Special Administration Region. Insofar as the PIPL is applicable to the Group’s process and/or use of the Customer’s data, we will obtain the Customer’s separate consent in relation to such international transfers.

To the extent required under the PIPL, the Group will, prior to sharing the Customer’s personal data with third parties, notify the Customer of the name and contact details of the recipients, the purposes and means of processing and provision of the Customer’s personal data, and the types of personal data to be provided and shared, and obtain the Customer’s separate consent to the sharing of the Customer’s personal data. The foregoing data recipients will use the personal data to the extent necessary for the specific purposes set out in this Circular and store the personal data for the minimum length of time required to fulfil the purposes, or insofar as the PIPL is applicable to the Group’s process and/or use of the Customer’s data, in accordance with the PIPL.
Customers' data may be processed, stored and transferred or disclosed in and to another jurisdiction outside the Hong Kong Special Administrative Region as the Group or data recipient referred to in Paragraph (E) considers appropriate and necessary. Such data may also be processed, stored, released or disclosed in accordance with the local practices and laws, rules and regulations (including any governmental acts and orders), codes, guidelines, circulars and directions issued by regulatory or other authorities in such jurisdiction.
Some of the data collected by the Group may constitute sensitive personal data under the PIPL. The Group will only process sensitive personal data if strict protection measures are put in place and there is sufficient necessity to justify the processing. Insofar as the PIPL is applicable to the Group’s process and/or use of the Customer’s data, such sensitive personal data will be processed with the Customer’s separate consent.
The Group intends to use a Customer's data in direct marketing and the Group requires the Customer's consent (which includes an indication of no objection) for that purpose. In this connection, please note that:

1. the name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data of a Customer held by the Group from time to time may be used by the Group in direct marketing;
2. the following classes of services, products and subjects may be marketed:

1. 1. financial, insurance, credit card, banking and related services and products;
  2. reward, loyalty or privileges programmes and related services and products;
  3. services and products offered by the Group's co-branding partners (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and
  4. donations and contributions for charitable and/or non-profit making purposes;

1. the above services, products and subjects may be provided or (in the case of donations and contributions) solicited by the Group and/or:

1. 1. any Bank Group Company;
  2. third party financial institutions, insurers, credit card companies, securities and investment services providers;
  3. third party reward, loyalty, co-branding or privileges programme providers;
  4. co-branding partners of the Group (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);and
  5. charitable or non-profit making organizations;

1. in addition to marketing the above services, products and subjects itself, the Group also intends to provide the data described in Paragraph (I)(i) above to all or any of the persons described in Paragraph (I)(iii) above for use by them in marketing those services, products and subjects, and the Group requires the Customer's written consent (which includes an indication of no objection) for that purpose;
2. The Group may receive money or other property in return for providing the data to the other persons in Paragraph (I)(iv) above and, when requesting the Customer's consent or no objection in Paragraph (I)(iv) above, the Group will inform the Customer if it will receive any money or other property in return for providing the data to the other persons.

If a Customer does not wish the Group to use or provide to other persons his data for use in direct marketing as described above, the Customer may exercise his opt-out right by notifying the Group.

The Group may, in accordance with the Customers' instructions to the Group or third party service providers engaged by the customer, transfer Customers' data to third party service providers using the Group's application programming interfaces for the purposes notified to the customer by the Group or third party service providers and/or as consented to by the customer in accordance with the Ordinance.
Under and in accordance with the terms of the Ordinance and (insofar as the PIPL is applicable to the Group’s process and/or use of the Customer’s data) the PIPL, and the Code of Practice on Consumer Credit Data approved and issued with revisions from time to time under the Ordinance: -

1. any relevant individual has the right:-

1. 1. to check whether the Group holds data about him and of access to such data;
  2. to require the Group to correct any data relating to him which is inaccurate;
  3. to ascertain the Group's policies and practices in relation to data and to be informed of the kind of personal data held by the Group;
  4. to be informed, upon request, about which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the making of access and correction requests to the relevant credit reference agency(ies) or debt collection agency(ies);
  5. in relation to any account data (including, for the avoidance of doubt, any account repayment data) which has been provided by the Group to a credit reference agency, to instruct the Group upon termination of the account by full repayment to make a request to the credit reference agency to delete such account data from its database, as long as the instruction is given within 5 years of termination and at no time was there any default of payment in relation to the account, lasting in excess of 60 days within 5 years immediately before account termination (as determined by the Group). Account repayment data include amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by the Group to the credit reference agency), remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any));
  6. insofar as the PIPL is applicable to the Group’s process and/or use of the Customer’s data, to request the Group to delete the Customer’s personal data;
  7. insofar as the PIPL is applicable to the Group’s process and/or use of the Customer’s data, to object to certain uses of the Customer’s personal data;
  8. insofar as the PIPL is applicable to the Group’s process and/or use of the Customer’s data, request an explanation of the rules governing the processing of the Customer’s personal data;
  9. insofar as the PIPL is applicable to the Group’s process and/or use of the Customer’s data, to ask that the Group transfer personal data that you have provided to the Group to a third party of your choice under circumstances as provided under the PIPL;
  10. insofar as the PIPL is applicable to the Group’s process and/or use of the Customer’s data, to withdraw any consent for the collection, processing or transfer of the Customer’s personal data (the Customer should note that withdrawal of their consent may result in the Group being unable to open or continue accounts or establish or continue banking facilities or provide banking services); and
  11. insofar as the PIPL is applicable to the Group’s process and/or use of the Customer’s data, to have decisions arising from automated decision making (ADM) processes explained and to refuse to such decisions being made solely by ADM.

1. where applicable, the Group may from time to time access the consumer credit data of an individual held by any credit reference agencies in the course of the consideration of any grant of consumer credit or the review or renewal of existing consumer credit facilities granted to the individual as borrower or to another person for whom the individual proposes to act or acts as mortgagor or guarantor or for the purpose of the reasonable monitoring of the indebtedness of the individual while there is currently a default by the individual as borrower, mortgagor or guarantor. In particular, the Group may from time to time access the consumer credit data for the purpose of the review of the existing consumer credit facilities granted to assist the Group in considering any of the following matters: -

1. 1. an increase in the credit amount;
  2. the curtailing of credit (including the cancellation of credit or a decrease in the credit amount); and
  3. the putting in place or the implementation of a scheme of arrangement with the individual Customer.

1. in relation to consumer credit, in the event of any default in repayment, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days (as measured by the Group) from the date such default occurred, the individual Customer will be liable to have his/her account repayment data (as defined in Paragraph (K)(i)(5) above) retained by any credit reference agencies to which the Group has provided his/her data until the expiry of 5 years from the date of final settlement of the amount in default.
2. in the event any amount in an account is written-off due to a bankruptcy order being made against a Customer, the account repayment data (as defined in Paragraph (K)(i)(5) above) may be retained by credit reference agencies, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until the expiry of 5 years from the date of final settlement of the amount in default or the expiry of 5 years from the date of discharge from a bankruptcy as notified by the Customer with evidence to the credit reference agency(ies), whichever is earlier.

In relation to the mortgage applications received by the Group on or after 1 April 2011, of all the data which may be collected or held by the Group from time to time in connection with mortgages, the following data relating to the Customers (including any updated data of any of the following data) will be provided by the Group to credit reference agencies: -

1. full name;
2. capacity in respect of each mortgage (as borrower, mortgagor or guarantor, and whether in the customer's sole name or in joint names with others);
3. Hong Kong Identity Card Number or travel document number;
4. date of birth;
5. correspondence address;
6. mortgage account number in respect of each mortgage;
7. type of the facility in respect of each mortgage;
8. mortgage account status in respect of each mortgage (e.g. active, closed, write-off (other than due to a bankruptcy order), write-off due to a bankruptcy order); and
9. if any, mortgage account closed date in respect of each mortgage.

Credit reference agencies will use the above data supplied by the Group for the purposes of compiling a count of the number of mortgages from time to time held by the Customers with credit providers, as borrower, mortgagor or guarantor respectively and whether in the Customer's sole name or in joint names with others, for sharing in the consumer credit databases of credit reference agencies by credit providers (subject to the requirements of the Code of Practice on Consumer Credit Data approved and issued under the Ordinance). For any account relating to a mortgage loan which already existed prior to 1 April 2011 and continues to exist after that date, the Group will not provide the above data to the credit reference agency unless (1) the prescribed consent of the Customer has been obtained for the disclosure; or (2) the repayment of such account reveal a currently outstanding material default.

The Group may have obtained credit report(s) on the Customer from credit reference agency(ies) in considering any application for credit. In the event the Customer wishes to access the credit report(s), the Group will advise the contact details of the relevant credit reference agency(ies).
In accordance with the terms of the Ordinance and (insofar as the PIPL is applicable to the Group’s process and/or use of the Customer’s data) as permitted under the PIPL, the Group has the right to charge a reasonable fee for the processing of any data access request.
The person to whom requests for access to data or correction of data or for information regarding policies and practices and kinds of data held are to be addressed as follows:-

    The Data Protection Officer

    Shanghai Commercial Bank Limited

    GPO Box 139 Hong Kong

    Fax: (852) 2525 2336

Customers may, at any time and without charges, choose not to receive our promotional material. Please contact the Group's staff for details when necessary.
Customers acknowledge that telephone calls with the Group's staff may be recorded and used as evidence by the Group without further notice.
Nothing in this Circular shall limit the rights of Customers under the Ordinance and the PIPL.
In the event of any inconsistency between the English and Chinese versions of this Circular, the English version shall prevail.
This Circular as may be revised, amended or updated from time to time shall be deemed an integral part of all contracts, agreements, credit facility letters, account mandates and other binding arrangements which the Customer has entered into or intend to enter into with the Group.