Date of Update: 24 February 2022
Effective Date: 24 February 2022
HSBC Bank (China) Company Limited (“HSBC”, “the Bank”, “we” or “us”) take the confidentiality and security of personal information very seriously, and strive at all times to protect personal information and privacy of our customers and other related personal information subjects (“you” or “Information Subject”) according to law. We therefore formulate this Personal Information and Privacy Protection Policy (this “Policy”) to help you understand the purposes, methods, and scope of personal information we collect and use, our practices regarding personal information and privacy protection, your rights and interests with regard to personal information and privacy and how to assert your rights and interests. Please read through this Policy carefully and pay particular attention to the provisions that are bolded and/or underlined.
- For your convenience to understand the purpose and category of personal information we collect when you sign up for our service, we therefore explain them under the particular service scenario.
- When you sign up for some particular services, we will collect your sensitive personal information (for example, biometric information) after you give us clear, active consent. Refusal on providing consent might affect you use related service, but will not affect you use other services we provided.
- To provide the service per you request, we might need to share your personal information to third party. We will carefully assess the legitimacy, propriety,, and necessity of the data sharing with third party. We will ask the relevant third party take all data protection measures required pursuant to Laws and Regulations. We will in accordance with the requirements of Laws and Regulations, ask for your consent or ask the relevant third party to demonstrate they have received your consent via confirmation agreement, page prompt and/or interactive process.
We fully understand how important your personal information means to you, and we will exert our effort to protect the security of your personal information. We have always been committed to maintain your trust and will stick to below principles to protect your personal information: Right and Responsibility Consistency, Explicit Purpose, Freely Given Consent, Minimum and Necessity, Assurance of information security, Participation, Fair and Transparency. We are also committed to take appropriate security measures to protect your information.
This Policy shall apply to personal information of you and related parties that may be involved when you visit, browse, or use our website or mobile device application, apply for or use any product, device or service of us, handle any business or make any transaction with us, participate in any of our marketing events and surveys, and in any way contact or correspond with us, no matter the information is provided by yourself or by the related parties, or collected or acquired by us from other sources according to law, regulation, regulatory provision, or based on your or related parties’ authorisation or consent.
The table of content of this Policy is set out as below:
I. How We Protect Your Personal Information
II. How We Collect Your Personal Information
III. How We Use Your Personal Information
IV. How We Store Your Personal Information
V. How We Share, Transfer and Publicly Disclose Your Personal Information
VI. Special Circumstances for Information Processing
VIII. Your Rights Relating to Personal Information
IX. How to Contact Us
X. Protection of Minors’ Personal Information
XI. Formulation, Effectiveness and Update of this Policy and Others
We shall collect, use, store, disclose, and protect your and related parties’ personal information in accordance with this Policy. We may separately issue specific personal information protection policy tailor made for specific channels, products, services, businesses and activities (such as the Personal Information and Privacy Protection Policy for Digital Banking). The specific personal information protection policy so made shall apply in the specific scenarios as prescribed in such policy.
If there is any discrepancy between this Policy and the other agreements entered into or other terms and conditions agreed between you (or relevant parties of which you are a representative or with which you have a relationship) and us, such other agreements or terms and conditions shall prevail.
I. How We Protect Your Personal Information
- Information security is our top priority. We will endeavour at all times to safeguard your personal information against unauthorised or accidental access, processing or damage. We maintain this commitment to information security by implementing appropriate physical, electronic and managerial measures to secure your personal information. We will take responsibility in accordance with the law if your information suffers from unauthorised access, public disclosure, erasure or damage for a reason attributable to us and so impairs your lawful rights and interests.
- Our website supports advanced encryption technology - an existing industry standard for encryption over the Internet to protect data. When you provide personal sensitive information through our website, it will be automatically converted into codes so as to ensure secure transmission afterwards. Our web servers are protected behind “firewalls” and our systems are monitored to prevent any unauthorized access. Our mobile banking application software has passed Union-pay payment application software security test conducted by Bank Card Test Centre and the software filing for mobile financial client application of National Internet Finance Association of China.
- We maintain strict security system to prevent unauthorized access to your personal information. We exercise strict management over our staff members who may have access to your personal information, including but not limited to access control applied to different positions, contractual obligation of confidentiality agreed with relevant staff members, formulation and implementation of information security related policies and procedures, and information security related training offered to staff.
- We will not disclose your personal information to any third party, unless the disclosure is made to comply with laws, regulations and regulatory requirements or according to this Policy or other agreement (if any) or based on your or related parties’ separate consent or authorisation. When we use services provided by external service providers (entities or individuals), we also impose strict confidentiality obligations on them and request them to abide by the security standards of this Policy when processing personal information.
- For the security of your personal information, you take on the same responsibility as us. You shall properly take care of your personal information, such as your bank account information, identity verification information (e.g. user name, password, dynamic password, verification code, etc.), and all the documents, devices or other media that may record or otherwise relate to such information, and shall ensure your personal information and relevant documents, devices or other media are used only in a secured environment. You shall not, at any time, disclose to any other person or allow any other person to use such information and relevant documents, devices or other media. Once you think your personal information and/or relevant documents, devices or other media have been disclosed, lost or stolen, or may otherwise affect the security of your use of our products, devices or services, you shall notify us immediately so that we may take appropriate measures to prevent further loss from occurring.
- We will organize regular staff training and drills on emergency response. If unfortunately personal information security incident occurs, we will adopt emergency plan and take relevant actions and remediation measures to mitigate the severity and losses in connection therewith. Meanwhile, we will, following the applicable requirements set out in law and regulation, inform you of the basic information of the security incident and its possible impact, the actions and measures we have taken or will take, suggestions for you to prevent and mitigate the risk, and applicable remediation measures. We will inform you about the security incident by email, mail, call, SMS, push notification or through other methods as appropriate in a timely manner. Where it is difficult to notify each Information Subject, we will post public notice in a reasonable and effective way. Meanwhile, we will report such personal information security incident and our actions in accordance with applicable law, regulation and regulatory requirements.
II. How We Collect Your Personal Information
- Personal information refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized. Personal information include name, birth date, ID certificate information (ID card, passport and etc.,), personal biometrics recognition information, contact information, address, account information, property status, location and etc., Sensitive personal information refers to personal or property information that, once leaked or illegally provided or misused, may harm personal or property safety and will easily lead to infringement of the personal reputation, human dignity, physical or psychological health, or discriminatory treatment. Such information mainly includes ID certificate information (ID card, passport and etc.,), personal biometrics recognition information, credit information, property information, transaction information, medical and health information, specific identity, financial account, individual location tracking etc. as well as any personal information of a minor under the age of 14.
- For the purpose of complying with law, regulation and regulatory provision, or as required for us to provide you or relevant parties with various products and services and continuously improve our products and services, or in order to contact or communicate with you or relevant parties, understand the needs of you or relevant parties, build up, review, maintain and develop our relationship with you or relevant parties, we may receive and keep the personal information provided by yourself or by related parties, or, according to law, regulation, regulatory provision, your or relevant parties’ authorisation or consent, collect, enquire, and verify by proper methods your and/or related parties’ personal information from/with members of the HSBC Group or other third parties (including but not limited to credit reference agencies, information service providers, relevant authorities, employers, counterparties, joint applicants, contact persons, close relatives and other entities/individuals). “HSBC Group” under this Policy means HSBC Holdings plc, and/or any of, its affiliates, subsidiaries, associated entities and any of their branches and offices (together or individually), and “member of the HSBC Group” has the same meaning.
- The personal information we so collect may be in paper, electronic or any other forms.
The technical information which cannot identify any individual will not be treated as personal information. However, when such technical information can identify the individual alone or in combination with other information, we will protect it as your personal information.
We may invite you to subscribe to our newsletter, updates, alerts or to participate in our marketing events or survey via our website and/or applications (such as our WeChat subscription account). If you accept relevant invitation, we may collect the information you provide to us by filling out contact forms or questionnaires, etc. The said information may include name, telephone number, email address, employer name, and job position etc. Refusal to provide such information will not affect your visiting, browsing or using our website and/or applications.
- When you are our prospect or existing individual customer, in order for us to provide you with our products/services and to handle relevant banking business, we may collect the following information upon your consent or authorization: