China CITIC Bank International

Privacy Policy Statement

China CITIC Bank International Limited (the “Bank”) is committed to protecting the privacy, confidentiality and security of the personal data we hold by complying with the requirements of Personal Data (Privacy) Ordinance (the “Ordinance”) with respect to the management of personal data. We are equally committed to ensuring that all our employees and agents uphold these obligations. The purpose of this Privacy Policy Statement is to set out the policies and practices of the Bank's commitment to protecting personal data privacy in accordance with the provisions of the Ordinance.

Personal Data Held by the Bank

Generally speaking, the Bank holds two broad categories of personal data.

  1. Personal data of customers
    Customers are required to supply the Bank with personal data from time to time:
    • for the opening or operations of accounts, the provision or continuation of banking facilities or provision of products or services offered by or through the Bank (which include credit card, securities, commodities, investment, banking and related services and products and facilities); and/ or
    • in the ordinary course of the Bank serving customers, for instance, when the customers issue cheques, deposit money, effect transactions through credit cards issued or serviced by the Bank, generally communicate verbally or in writing with the Bank or otherwise carry out transactions as part of the Bank's services. The Bank will also collect data relating to the customer from third parties, including third party service providers with whom the customer interacts in connection with the marketing of the Bank's products and services and in connection with the customer's application for the Bank's products and services.
  2. Personal Data of Staff
    Staff records, which include but are not limited to the name, phone number(s), address(es), email address(es), date of birth, nationality, identity card and / or passport numbers, application forms, references, appraisal and disciplinary records, remuneration details and curriculum vitae of the staff.

Purposes of Keeping Personal Data

  1. In relation to the customers:
    The personal data relating to customers may be used for the following purposes:-
    1. considering and assessing the customer's application for the Bank's products and services;
    2. the daily operation of the banking facilities or services provided to customers;
    3. conducting credit checks at the time of application for banking services or banking facilities and at the time of regular or special reviews which normally will take place one or more times each year;
    4. creating and maintaining the Bank’s credit scoring models;
    5. assisting other financial institutions, credit or charge card issuers or credit reference agencies to conduct credit checks and collect debts;
    6. ensuring ongoing credit worthiness of customers;
    7. designing financial services or related products for customers' use;
    8. identifying and formulating servicing strategies for customers’ use;
    9. marketing services, products and other subjects (please see further details in the Bank’s Notice to Customers and Other Individuals Relating to the Personal Data (Privacy) Ordinance and the Code of Practice on Consumer Credit Data (“Notice”)
    10. determining the amount of indebtedness owed to or by customers;
    11. collection of amounts outstanding from customers and those providing security for customers' obligations;
    12. satisfying or complying with any obligations, requirements or arrangements for disclosing and using data that apply to the Bank, any other member of the Group (which should, for the purpose of this Statement, include the Bank, any subsidiary undertaking of the Bank and/or any of their respective associated or affiliate undertakings, any direct or indirect parent undertaking of the Bank, any subsidiary undertaking of any such parent undertaking and/or any of their respective associated or affiliate undertakings, including, for the avoidance of doubt, undertakings within the group of CITIC Group Corporation) and/or any of their respective branches or offices that it is expected to satisfy or comply according to:
      1. any laws, rules or regulations binding on or applying to the Bank, any other member of the Group and/or any of their respective branches or offices, within or outside Hong Kong, existing currently and in the future (e.g. the Inland Revenue Ordinance and its provisions including those concerning automatic exchange of financial account information);
      2. any notifications, directives, guidelines or guidance given or issued by or agreement with any legal, regulatory, governmental, tax, law enforcement or other authorities, or self- regulatory or industry bodies or associations of financial services providers with which the Bank, any other member of the Group and/or any of their respective branches or offices is/are obliged, required, advised, recommended or expected to comply, within or outside Hong Kong, existing currently and in the future (e.g. guidelines or guidance given or issued by the Inland Revenue Department including those concerning automatic exchange of financial account information);
      3. any present or future contractual or other commitment with local or foreign legal, regulatory, supervisory, governmental, tax, law enforcement or other authorities, or self- regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Bank, any other member of the Group and/or any of their respective branches or offices by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, supervisory, governmental, tax, law enforcement or other authority, or self- regulatory or industry bodies or associations,
      including but not limited to making disclosure to any relevant supervisory, regulatory, tax or other governing authorities having jurisdiction over or having contractual agreement or other form of agreement with the Bank, any other member of the Group and/or any of their respective branches or offices;
    13. complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the Group and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
    14. facilitating consolidated supervision of the Group, including but not limited to the conduct of internal audit and the performance of risk management;
    15. enabling an actual or proposed assignee of the Bank, or participant or sub-participant of the Bank's rights in respect of the customer to evaluate the transaction intended to be the subject of the assignment, participation or sub-participant;
    16. maintaining a credit history of customers (whether or not there exists any relationship between the customer and the Bank or the recipient of the data) for present and future reference; and
    17. all other incidental and associated purposes directly relating thereto and other purposes to which the customers may from time to time agree.
  2. In relation to the staff:
    The personal data relating to staff may be used by the Bank for the following purposes:
    1. processing employment application;
    2. performing and providing reference and background check;
    3. reviewing, determining and administering salaries, bonuses and any other benefits should be employed;
    4. appraising job performance, consideration of promotion, training, secondment, transfer and career development;
    5. consideration of eligibility for staff loans, other benefits and entitlements;
    6. monitoring compliance with the internal rules of the Bank; and
    7. any other purposes directly or indirectly relating to the compliance by the Bank or any of the employment or statutory obligations.

Collection of Personal Data

  1. In relation to the collection of personal data, the Bank will inform customer and staff the purpose of collection, classes of persons to whom the data may be transferred, their rights to access and correct the data and other relevant information. The Bank will provide the customer with the Notice.

Use of Cookies

  1. In order to improve the Bank’s Internet services to customers, the Bank will occasionally use a “cookie” and/or other similar files or programs when customers visit the Bank’s website and mobile applications. Cookies are small bits of information that are automatically stored on customers’ web browser in their devices (e.g. computers, tablets or smartphones) that can be retrieved by the Bank’s website or mobile applications. Many cookies last only through a single session, or visit. Others may have an expiration date, or may remain on customers’ devices until customers delete them.
  2. The Bank will use cookies to store information about customers’ visit to the Bank’s website and mobile applications so as to understand customers’ usage patterns, optimize the design and features of the Bank’s website and mobile applications and, where permitted by customers provide them with direct marketing materials.
  3. The Bank may use cookies to temporarily identify customers’ devices after customers have logged in to a secure page on the Bank’s website so that the Bank’s web server can maintain a dialogue with customers’ web browser in order for customers to carry out certain activities. Cookies will be expired upon logging off. No information is stored in this type of cookie.
  4. The Bank may also use cookies or collect information about customers’ devices such as IP address, location data, device ID and other technical information to enhance security of the Bank’s website and mobile applications and prevent and detect financial crime.
  5. In addition to the information the Bank collects from cookies, the Bank also obtains information that you provide to the Bank online.
  6. Most browsers are initially set to accept cookies. Customers can set their browser to disable cookies through browser setting (browser’s ‘help’ function should tell how to do this). However, customers may not have access to certain parts of the Bank’s website after disabling cookies, including i-banking Service. Customers cannot manage cookies in the Bank’s mobile applications.
  7. If customers accept cookies during their use of the Bank’s website or continue to use the Bank’s mobile applications, customers will be acknowledging that their information (which may be combined with their other information collected by the Bank from time to time) is being collected, stored, accessed and used as outlined above or in accordance with the Notice.

Third-party research platforms and agencies

The Bank may work with third parties to research certain usage and activities on the Bank’s websites, mobile applications and/or social media platforms on behalf of the Bank. These third-party platforms and/or agencies may include Google, Yahoo!, Facebook, LinkedIn, Baidu, Tencent, etc.

Such third parties may use technologies such as cookies, spotlight monitoring (this manages tagging which is used for example, to track which advertisement users clicked on to take them to a site) and web beacons (these are used to monitor the behaviour of the users, for example whether they scroll down a page) to collect information for this research. They use the information collected through such technologies (i) to find out more about the users of the Bank’s websites and/or mobile applications, including user demographics and behaviour and usage patterns, (ii) for more accurate reporting and (iii) to improve the effectiveness of the related marketing efforts. They aggregate the information collected and then share it with us.

As part of the information shares with the third-party platforms and/or agencies, the Bank may share your advertising identifier and "installation event" (the data in relation to when you first install or use the Bank’s websites and/or applications). No personally identifiable information about you would be collected or shared by third-party agencies with the Bank as a result of this research.

Should you wish to disable the cookies associated with such technologies, you may change the setting on your web browser. However, you may not be able to take full advantage of the Bank’s websites and/or mobile applications.

To find out more about the use of cookies and the information-collecting practices and opt-out procedures of third-party platform and agencies, you may visit their privacy policy statements.

China CITIC Bank International Limited respects personal data privacy and commits to observing the provisions of the Personal Data (Privacy) Ordinance.

Security of Personal Data

  1. The Bank will strive at all times to protect the personal data by restricting access to authorized personnel on a need-to-know basis, providing secure data storage facilities and incorporating security measures into equipment in which data is held.
  2. All information transmitted via China CITIC Bank International i-banking is protected by proper encryption which could prevent unauthorized users from reading the information.
  3. If the Bank engages data processors to handle or process personal data on the Bank’s behalf (whether within or outside Hong Kong), the Bank would adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processors for processing.

Retention of Personal Data

The personal data provided by the customers and/or the staff will not be kept longer than necessary for the fulfillment of the purposes for which the personal data are or are to be used at the time of the collection and for compliance with the legal, regulatory and accounting requirements from time to time.

Disclosure of Personal Data

The personal data would not be disclosed to other parties unless such disclosure is made in accordance with the Notice and/or the disclosure is permitted or required by any law binding on the Bank.

Data Breach Handling

The Bank will ensure any material breaches of personal data protection requirements, loss or leakage of customer data is properly and timely handled and reported to the appropriate authorities when appropriate.

Revision of Privacy Policy Statement

The contents of this Statement are subject to review and may be amended from time to time. Please approach the Bank and/or visit the Bank’s website regularly for the Bank’s latest Statement.

Data Access Requests and Data Correction Requests

  1. The Bank would comply with and process all data access and correction requests in accordance with the provisions of the Ordinance.
  2. The Bank may impose a reasonable fee for complying with a data access request in accordance with the Ordinance.
  3. Requests for access to data or correction of data or for information regarding policies and practices and kinds of data held are to be addressed as follows:

The Data Protection Officer
China CITIC Bank International Limited
30/F., Two Taikoo Place, Taikoo Place, 979 King's Road, Quarry Bay, Hong Kong.
Fax: 2258 2615

Should there be any inconsistencies between the English and Chinese versions, the English version shall prevail.

March 2023

© 中信銀行(國際)有限公司版權所有。 © China CITIC Bank International Limited. All rights reserved.