Protecting your personal data

Your personal data is important to us, and we want to make sure you know how we use and protect it. Personal data is information that either identifies you or is about you as an individual. In this privacy notice, we’ll explain how we collect, share, and process your personal data. We’ll also tell you about your rights and how you can exercise them. From time to time, we may also provide you where relevant, with additional privacy information in a separate notice for specific channels, products, services, businesses and activities.

In this privacy notice, “we”, “us” or “our”, refers to the Standard Chartered Group branch, subsidiary or legal entity operating under the Standard Chartered brand you interact with either directly or indirectly that processes your personal data and decides how it is collected and used. Standard Chartered Group means each of, or collectively, Standard Chartered PLC, its subsidiaries and affiliates, including each branch or representative office. Please refer to the ‘How to get in touch’ section of this privacy notice for details of the relevant Standard Chartered Group member(s) providing this privacy notice.

Some of our affiliates’ websites have their own brand identity and their own separate privacy notices to provide relevant information for specific products and services they provide. You should refer to the relevant privacy notices as directed by those affiliates in relation to how they use your personal data. This privacy notice does not apply to third-party websites where our online advertisements are displayed or to linked thirdparty websites we do not operate or control. These websites should have their own privacy notices, which you can read to understand how they collect and process your personal data and your rights.

We’ll update this privacy notice from time to time. You can find the current version date listed at the end of this privacy notice. If you have any questions or concerns about your personal data, please don’t hesitate to get in touch (you can find our details under ‘How to get in touch’ below).

What types of personal data do we collect?

We may collect the following types of personal data about you. In this privacy notice, “You” refers to you as an individual, as relevant if you are:

• a personal banking client;
• a representative of, or an individual directly or indirectly related to or associated with: (i) a company, business or organisation that is our personal banking client; or (ii) a person or a company, business or organisation that has a relationship with our personal banking client; or
• a representative of, or an individual directly or indirectly related to or associated with: (i) a company, business or organisation that is our business or corporate banking client; or (ii) a person or a company, business or organisation that has a relationship with our business or corporate banking client.

In addition, “You” has the same meaning as a “data subject” (defined below).

If you give us someone else’s personal data, you must have their permission and explain to them how we’ll use it.

We may collect the following types of personal data about you, as relevant and permitted or required by applicable law:

• Identification data – information that identifies (uniquely or semi uniquely) you. For example, your name, your date of birth, your gender, your user login credentials, your photographs, CCTV and video recordings of you and other identifiers, including official/government identifiers such as national identification number, passport number and tax identification number
• Contact data – information that allows addressing, sending or communicating a message to you. For example, your email address, your phone or mobile number and your residential or business address
• Professional data – information about your educational or professional background
• Geo-location data – information that provides or contains a device’s location. For example, your internet protocol (“IP”) address or your cookies identifier
• Behavioural data – analytics information that describes your behavioural characteristics relating to your use of our products and services. For example, usual transactional activities, your browsing behaviour on our websites and how you interact as a user of our products and services, or those provided by third-party organisations, such as our advertising partners and social media platform providers
• Personal relationship data – information about associations or close connections between individuals or entities that can determine your identity. For example, spouse or employer relationships
• Communications data – information relating to you contained in voice, messaging, email, livechats and other communications we have with you. For example, service requests.
• Financial and commercial data – your account and transaction information or information that identifies your financial position and background, status and history as necessary to provide relevant products and services. For example, your debit or credit card details, your source of funds, your financial and credit rating history
• Biometric data – information that identifies you physically. For example, facial recognition information, your fingerprint or voice recognition information
• Health data – information relating to your health status. For example, disability information relevant to accessibility
• Criminal convictions, proceedings or allegations data – information about criminal convictions or related information that we identify in relation to our financial crime prevention obligations, for example, details about any criminal convictions or related information. This includes details of offences or alleged offences or convictions.

We often collect personal data directly from you, but we may also obtain your personal data from other sources as necessary, depending on the relevant products and services that we are providing, including from:

• People you know – such as:
  • parents or guardians of minors. If you are a minor (normally this means if you are under 18 years old, but this might be younger depending on where you live). We will get your parent or guardian’s consent before collecting, using or sharing your personal data
  • your joint account holders
  • your referees; and
  • other people you appoint to act on your behalf
• Businesses and other organisations – such as:
  • your employer and/or company, business or organisation you represent or is related to you
  • other financial institutions and financial service providers
  • strategic referral partners, including business alliance, co-branding partners or other companies or organisations that the Standard Chartered Group cooperates with based on our contractual arrangements or other joint ventures to provide relevant third-party products and services
  • credit bureaus or credit reference agencies, credit protection providers, rating agencies, debt collection agencies, fraud prevention agencies and organisations (including credit reference agencies approved for participation in the Multiple Credit Reference Agencies Model)
  • service partners, such as advertising and market research companies and social media platform providers
  • regulatory and other entities with authority over the Standard Chartered Group, such as tax authorities, law enforcement or authorities imposing financial sanctions
• Our corporate and business clients – where you receive the benefit of our services in relation to our contract with the company, business or organisation you interact with. For example, resolving payment disputes with our merchant clients
• Publicly available resources – such as online registers or directories or online publications, social media posts and other information that is publicly available
• Cookies – when you visit, browse, or use our websites, online banking or mobile applications, we may use cookies to automatically collect certain information from your device. We may use such information, where relevant, for internal analysis and troubleshooting, to recognise you and remember your preferences, to improve the quality of and to personalise our content and to determine the security status of your account. For more information on how we use cookies and how you can control them when visiting our websites, please see our Cookie Policy.

Why do we collect your personal data?

We collect your personal data so that we can provide our products and services, manage our relationship with our clients and operate our business. This is necessary when you hold your own bank account with us and also when you represent, or are associated with, other individuals, companies, businesses or organisations who bank with us, for example, if you act as a guarantor, employee, shareholder, director, officer or authorised person.

If you have or are associated with more than one account with Standard Chartered Group, we may link all your accounts and personal data to enable us to have an overall picture of our client relationships.

What we use your personal data for is often referred to as our purposes of processing. We do this by prior notification of the purposes of processing, with your consent where required by law, or where otherwise permitted or required by applicable law. We may not be able to offer or provide facilities, products and services if you do not provide us with or do not want us to process the personal data that we consider is necessary and/or is required to meet our legal and regulatory obligations.

Purposes of Processing

We process your personal data for the following purposes, as necessary to provide relevant products and services, depending on whether you have your own bank account with us or you represent, or are associated with, other individuals, companies, businesses or organisations who bank with us.

Assessing and providing products and services to our clients

This includes:

• assessing eligibility, merits and/or suitability of products and services offered by us or any member of Standard Chartered Group and process applications for clients; we may retain a record of the application if our eligibility criteria are not met
• assessing your suitability as an individual guarantor
• conducting relevant due diligence and know-your-customer (“KYC”) checks as required by applicable law
• conducting credit checks (whether in respect of an application for, or modification of the terms of our products or services or during regular or special review which normally will take place once or more each year) and financial assessments as required by applicable law and regulations.
• setting credit limits for clients
• obtaining quotations, assisting with applications and interacting with strategic referral partners on behalf of clients for co-branding and other third-party products and services, such as insurance and wealth management products
• opening accounts.

Managing banking relationships and administering client accounts

This includes:

• establishing, continuing and managing banking relationship and account with us or, where applicable, any member of the Standard Chartered Group
• providing clients with appropriate access to our products and services, such as our online and mobile banking platforms
• operating, providing, reviewing and evaluating facilities, products and services offered by or through us or any member of Standard Chartered Group to fulfil our contractual obligations with clients for facilities, products and services
• effecting and verifying transactions and acting on instructions or requests, such as transferring money between accounts and making payments to third parties for clients
• maintaining up-to-date records of authorised persons and signature lists
• maintaining statements detailing the amount of indebtedness owed to or by you
• administering, for example, credit facilities or loans for clients
• maintaining contact information
• responding to questions or managing any complaints, including monitoring social media conversations and posts to identify conversations, sentiments, and complaints about the Standard Chartered Group
• issuing notifications about changes to the terms and conditions of our products and services
• recording our communications for record-keeping and evidential purposes including online messages, email and telephone
• contacting clients relating to the products and services we are providing
• facilitating open banking for clients, including with account information service providers.

Operating our business

This includes:

• managing authentication and user access controls for clients, for example, for online and mobile banking
• audits of our business operations
• creating and maintaining our credit scoring models relating to clients
• conducting relevant credit management activities, which includes maintaining client credit history for present and future reference, updating credit bureaus and credit reference agencies and ensuring ongoing credit worthiness and credit checks
• assisting other credit providers in Hong Kong approved for participation in the Multiple Credit Reference Agencies Model to conduct credit checks and collect debts
• assisting other banks and third parties recover funds that have entered client accounts as a result of erroneous payments
• engaging in business operational management, such as performing administrative tasks relating to the products and services we provide, monitoring and reporting of our financial portfolio, risk management activities, audits and ensuring operation of our communications and processing systems, systems development and testing, business planning and decision-making.

Improving our products and services to our clients

This includes:

• developing, testing and analysing our systems, products and services
• monitoring and recording our communications with you, for example, phone calls, for training and quality purposes
• conducting market research and customer satisfaction surveys
• designing our products and services for your use, for example credit cards
• conducting marketing in relation to our products and services
• managing, monitoring and assessing the performance of any agent, contractor or third-party service provider who provides administrative, telecommunications, computer, payment or securities clearing or other services to us in connection with the establishment, operation, maintenance or provision of our products and services
• conducting demographic analytics and gathering insights by aggregating data such as behavioural data from the use of our products and services and our applications to provide you with more tailored products and services.

For further information on direct marketing, please refer to ‘When do we conduct direct marketing?’ section of this privacy notice.


Keeping you and our people safe

This includes:

• conducting identity verification security checks for building access
• using CCTV surveillance recordings at our branches, premises and ATMs for the purposes of preventing and detecting fraud and/or other crimes, such as theft
• investigating and reporting on incidents or emergencies on our properties and premises
• for the security of our systems and networks in order to keep your data safe and confidential
• for other health and safety compliance purposes
• monitoring social media conversations and posts to protect clients from sharing data publicly that could be used for fraud.

Detecting, investigating and preventing financial crimes

This includes:

• meeting or complying with Standard Chartered Group policies, including identifying individuals and performing investigative procedures, measures or arrangements for sharing data and information within the Standard Chartered Group
• any other use of data and information in accordance with any group-wide programmes for compliance with sanction or prevention or detection of money laundering, terrorist financing or other unlawful activities
• conducting identity verification security checks against government and other official centralised databases, as required by law
• monitoring and recording our voice and electronic communications and screening applications and transactions in connection with actual or suspected fraud, financial crime or other criminal activities, for example to detect unusual transaction behaviour
• recording and monitoring voice and electronic communications with us, to the extent permitted by applicable law, to ensure compliance with our legal and regulatory obligations and internal policies
• conducting checks against government and non-government third parties’ fraud prevention and other financial crime prevention databases to prevent money laundering, terrorism, fraud and other financial crimes, to protect you, our clients and the integrity of the financial market. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies and may result in others refusing to provide services or employment to you.

Complying with applicable laws, regulations and other requirements

This includes:

• meeting or complying with Standard Chartered Group policies, including identifying individuals and performing investigative procedures, measures or arrangements for sharing data and information within the Standard Chartered Group
• meeting or complying with (contractual or otherwise) any relevant local and foreign law, regulations, rules, directives, judgments or court orders, requests, guidelines, best or recommended practices, government sanctions, embargo, reporting requirements, restrictions, demands from or agreements with any authority (including domestic or foreign tax authorities), court or tribunal, law enforcement agency, or selfregulatory or industry bodies or associations of financial services providers, exchange body in any relevant jurisdiction where the Standard Chartered Group operates
• sharing personal data relating to your personal bank account with a local tax authority in accordance with applicable law or regulations. The local tax authority may share or may require us to share such information with other overseas tax authorities in accordance with applicable law or regulations (for example, tax law and regulations relating to automatic exchange of financial account information). We may need to collect extra information from you for such purpose to comply with applicable law or regulations.

Exercising Standard Chartered Group’s legal rights and conducting legal proceedings

This includes:

• tracing and exercising our rights and protecting ourselves against harm to our rights and interests
• retaining records as may be necessary as evidence for any potential litigation or investigation
• recovering debts and arrears
• conducting litigation to enforce our rights or the rights of any other member of the Standard Chartered Group obtaining professional advice
• investigating or making an insurance claim
• responding to any insurance related matter, action or proceeding
• defending or responding to any current or prospective legal, governmental or quasi-governmental, regulatory, or industry bodies or associations related matter, action or proceeding or for establishing, exercising or defending legal rights.

Facilitating Standard Chartered Group mergers, acquisitions, and divestments

This includes:

• evaluating our business and providing continuity of services to you after a transfer of our business as a result of a merger, acquisition, sale or divestment
• enabling an actual or potential assignee of all or any part of our business and/or asset or participant or sub-participant of our rights in respect of the data subject, to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation.

When do we conduct direct marketing?

We may sometimes, and with your consent as required by applicable law, use your personal data in direct marketing. In this connection, please note that:-

1. your name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data of you held by us from time to time may be used by us in direct marketing;
2. the following classes of services, products and subjects may be marketed:
   • news, offers and promotions about our or other Standard Chartered Group products and services
   • financial, insurance, fiduciary, investment services, credit card, securities, investment, banking and related services and products;
   • reward, loyalty or privileges programmes and related services and products
   • products and services offered by our co-branding partners (the names of such co-branding partners can be found in the application form(s) for the relevant products and services, as the case may be);
   • charitable and/or non-profit making donations, sponsorships and contributions.
3. the above services, products and subjects may be provided or (in the case of donations and contributions) solicited by us and/or:-
   • any member of the Standard Chartered Group;
   • third party financial institutions, insurers, credit card companies, securities and investment, mobile wallets & digital payment services providers;
   • third party reward, loyalty, co-branding or privileges programme providers;
   • co-branding partners of the Bank and/or any member of the Standard Chartered Group (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and
   • charitable or non-profit making organisations;

In addition to marketing the above services, products and subjects ourselves, we also intend to provide your personal data to all or any of persons described in paragraph (iii) under the same section for use by them in marketing those services, products and subjects, and we require your written consent (which includes an indication of no objection) for that purpose.

We may conduct market research using demographic and insights analytics by aggregating the personal data that we hold about you to provide you with marketing communications, which are more relevant and tailored for you.

We may share limited information about you with social media platform providers we engage with for the purpose of online social media advertising where you have permitted us and the social media platform provider(s) to use cookies that support our marketing on these platforms. For example, to check whether you have an account with social media platform providers, so we can ask them to display more relevant marketing communication messages to you about our products and services or to exclude you from receiving advertisements for our products and services which you already use.

For more information on how we use cookies in relation to marketing, please see our Cookie Policy.

Where we may receive money or other property in return for providing personal data to other persons mentioned above, we are required to inform you prior to doing so collecting your consent or no objection before disclosing your personal data for such marketing purposes.

You may withdraw your consent or opt-out from receiving such marketing communications or providing to other persons your data for use in direct marketing as described above in accordance with your rights by contacting us using the details in the ‘How to get in touch’ section below without charge.

When do we use automated decision-making?

We may use the personal data we collect to conduct data analytics, including profiling and behavioural analysis, to make quicker automated decisions in our business operations and to evaluate your personal characteristics to predict outcomes and risks. We require that rules followed by such automated systems are designed to make fair and objective decisions. We may use artificial intelligence and machine learning to help improve our communications and client experience, make our business operational processes safer and more efficient and enable us to provide faster responses and improve turnaround time. For example, we may use automated decision-making for the following:

• Client digital onboarding processes - account opening approval processes using electronic Know-Your-Customer (eKYC) checks by verifying the authenticity of scanned identification documents and a photo through biometric facial recognition and liveliness check
• Operational efficiency - voicebots for call centre identification verification
• Client engagement - client marketing campaigns and communications to recommend more tailored products and services based on insights from your personal data and your interactions with robo advisors and chatbots.
• Risk management - monitoring of accounts and transactions to detect unusual activities to prevent fraud or money laundering, terrorism and other financial crimes (for example, detecting whether the use of your credit card may be fraudulent) and approval of loan applications and credit decisions based on credit-scoring models.

For further information on your rights in relation to automated decisions that affect you, please refer to the ‘What are your personal data protection rights?’ section.

Who may we share your personal data with?

We may share your personal data within the Standard Chartered Group. Standard Chartered Group may share your personal data for the purposes of processing as set out in this privacy notice, including with our service providers, our business partners, other third parties and as required by law or requested by any authority. Who these are depends on your interactions with us as an individual.

We limit how, and with whom, we share your personal data, and take steps to ensure your personal data is kept confidential and protected when we share it. We may share your personal data for our purposes of processing with the following, where relevant and allowed by law:

• Other members of the Standard Chartered Group
• Authorised third parties
  • legal guardians, joint account holders, actual or intended guarantors/sureties, trustees, beneficiaries, executors, or authorised persons of our clients, any actual or potential participants or sub-participants in relation to any of our obligations in respect of any banking agreement, assignees, novatees or transferees (or any officers, employees, agents or advisers of any of them)
  • any other person you have authorised us by your consent to share your personal data with.
• Third parties that can verify your information
  • credit bureaus or credit reference agencies (including the operator of any centralised database used by credit reference agencies), credit protection providers, rating agencies, debt collection agencies, fraud prevention agencies and organisations
  • other non-government third parties that conduct financial crime prevention databases checks to prevent money laundering, terrorism, fraud and other financial crimes.
• Our service partners
  • professional advisers, such as auditors, legal counsel, conveyancers and asset valuation specialists
  • insurers or insurance brokers
  • service providers, such as operational, administrative, data processing and other technology service providers, including anyone engaged or partnered with to analyse and facilitate improvements or enhancements in Standard Chartered Group’s operations or provision of products and services
  • providers of professional services, such as market researchers, forensic investigators and management consultants
  • advertising companies and social media platform providers
  • third-party product providers including, for example, securities and investments providers, fund managers and insurance companies
  • third-party service providers, such as telemarketing and direct sales agents and call centres.
• Strategic referral partners
  • business alliance, co-branding partners or other companies or organisations that the Standard Chartered Group cooperates with based on contractual arrangements or other joint ventures to provide relevant third-party products and services
  • charitable and non-profit organisations.
• Other financial services organisations
  • other financial institutions, such as merchant banks, correspondent banks or national banks
  • market infrastructure providers and securities clearing providers
  • payment service providers, including mobile wallet and digital payment service providers, merchants, merchant acquiring companies, credit card companies, payment processors and card association members, payment-initiation and card-based payment instrument service providers such as VISA and Mastercard,
  • account information service providers
  • any financial institution and merchant acquiring company with which you have or propose to have dealings.
• Government authorities, law enforcement agencies and others
  • as required by law or as requested by any authority, which includes any government, quasi-government, regulator, administrative, regulatory or supervisory body, court, tribunal, law enforcement agency, exchange body or domestic or foreign tax authorities, having jurisdiction over any Standard Chartered Group member whether within or outside your jurisdiction and whether or not that Standard Chartered Group member has a relationship with you. self-regulatory or industry bodies or associations of financial services providers in any relevant jurisdiction where the Standard Chartered Group operates.
• Other third parties
  • the company, business or organisation, as applicable, that you represent or is related to you
  • third parties in case of a merger, acquisition or divestment: if we transfer (or plan to transfer) or assign any part of our business or assets. If the transaction goes ahead, the interested party may use or disclose your personal information in the same way as set out in this privacy notice, and subsequently notify you of any changes they may make in terms with confidentiality how they process your personal data
  • any other person under a duty of to us, including any other members of the Standard Chartered Group, which has undertaken to keep such information confidential.

Where do we transfer personal data?

Your personal data may be processed, kept, stored, shared, transferred or disclosed by us within the Standard Chartered Group or with other third parties* for the purposes described in this privacy notice. We do this in order to operate effectively, efficiently and securely in facilitating transactions and providing products and services to our clients, to improve and support our processes and business operations and to comply with our legal and regulatory obligations. This may involve processing, keeping, storing, sharing, transferring or disclosing your personal data locally or cross border to other jurisdictions, which may be subject to relevant local practices and laws, rules and regulations including right of access available to the overseas authorities.

* Please refer to our website (www.sc.com/hk) for the list of countries where such parties may be located.

Where recipients of personal data are in jurisdictions that are outside Hong Kong, and local laws may not have similar data protection laws as Hong Kong, we will take all reasonable steps necessary to ensure that your personal data has an appropriate adequate level of protection and safeguards to comply with applicable law, for example, by using Recommended Model Contractual Clauses issued by the Office of the Privacy Commissioner for Personal Data (“PCPD”).

How do we protect your personal data?

We take the privacy and security of your personal data very seriously. To protect your data, we have put in place a range of appropriate technical, physical and organisational measures to safeguard and keep your personal data confidential, for example, by using contracts with appropriate confidentiality, data protection and security terms in our arrangements with third parties. Standard Chartered Group has implemented information security data privacy policies, including incident management and reporting procedures, rules and technical measures to protect personal data and to comply with legal and regulatory requirements. We train and require staff who access your personal data to comply with our data privacy and security standards. We require our service providers, or other third parties we engage with and to whom we disclose your personal data to implement similar confidentiality, data privacy and security standards and measures when they handle, access or process your personal data.

How long do we keep your personal data?

For the purposes described in this privacy notice, we keep your personal data for business operational or legal reasons while you engage with us and may retain your personal data for a period of time afterwards, depending on the type of personal data, in accordance with our data retention policy standards and as required by applicable law or regulations. We will take steps to delete, anonymise, destroy and/or stop using personal data when we no longer need it.

What are your personal data protection rights?

We respect your personal data, and you have the following rights about how we use your information:

• Your right to access your data: You have the right to check whether we hold data about you and request a copy of the data
• Your right to correct your data: If your personal details have changed, or you believe we have incorrect or out of date information about you, you can ask us to update it
• Your right to change or withdraw consent: We may sometimes ask for your consent to process your personal data. If you change your mind, let us know. However, we may not be able to provide our products and services or engage with you without certain personal data
• Your right to withdraw from direct marketing: You can withdraw your consent or object to receiving invitations to surveys and marketing communications at any time.

We will respond to requests to exercise your personal data rights in line with applicable law. We may ask you to verify your identity before processing your request. If you have any questions about your rights, please contact us using the details below.

How to get in touch

The following Standard Chartered Group companies act as the data user (sometimes known as controller in other jurisdictions) responsible for processing your personal data in Hong Kong:

Standard Chartered Bank (Hong Kong) Limited

The person to whom requests for access to or correction of data held by us, or for information regarding our data policies and practices and kinds of data held by us are to be addressed is as follows:

The Data Protection Officer
Standard Chartered Bank (Hong Kong) Limited
GPO Box 21
Hong Kong

In accordance with the terms of the Ordinance, we may charge a reasonable fee for the processing of any data access request. If you have any questions about this privacy notice or would like to exercise any of your personal data protection rights, please do not hesitate to contact either your relationship manager or our designated hotline +852 2886 6023.

Got a complaint?

If you have any concerns or complaints about how we’re using your personal data, please talk to us. You can contact the branch or your relationship manager or get in touch with our Data Protection Officer. You can also contact the Office of the Privacy Commissioner for Personal Data (PCPD) at https://www.pcpd.org.hk.

Cookies

Please see our separate Cookie Policy.

In this document, unless inconsistent with the context or otherwise specified, the following words shall have the following meanings: -

account(s) means, for each facility, service or product which we may from time to time make available to the data subjects, the account that is, opened and/or maintained in respect of it from time to time.

accountholder(s) means holder(s) of an account, which includes joint accountholder(s) in case there is more than one holder for an account.

data subject(s) has the meaning given to it in the Ordinance and includes applicants or accountholders for Facilities, Products and Services, customers, security providers, guarantors, referees, corporate officers and managers, (e.g. authorized signatories, contact persons, company secretary, directors, shareholders, beneficial owners of a corporate), beneficiaries, suppliers, agents, contractors, service providers and other contractual counterparties and any third party transacting with or through us.

disclose, disclosing or disclosure, in relation to personal data, includes disclose or disclosing information inferred from the data.

Hong Kong means the Hong Kong Special Administrative Region.

in any capacity means whether as a borrower, mortgagor or guarantor and whether in the data subject’s sole name or joint names with others.

mortgage count means the number of mortgage loans held by the data subject (in any capacity) with credit providers in Hong Kong from time to time.

Other Terms and Conditions

There may be specific terms and conditions in our banking and product agreements that govern the collection, use and disclosure of your personal data. Such other terms and conditions must be read in conjunction with this privacy notice. In the case of discrepancies between the English and Chinese versions of this privacy notice, the English version shall apply and prevail. This privacy notice was updated on 26 November, 2023.



APPENDIX 1 : Personal Data (Privacy) Ordinance Code of Practice on Consumer Credit Data

If you apply for, have or have had a loan (including a mortgage) with us, we may provide your personal data to credit reference agencies approved for participation in the Multiple Credit Reference Agencies Model, or in case of default, debt collection agencies. The credit reference agencies will use it to compile a count of mortgages held by you with credit providers which will be added into centralised consumer credit databases shared between credit providers, to help credit providers assess whether to provide you with credit and collect debts.

With respect to data in connection with mortgages applied by a data subject (in any capacity) on or after 1 April 2011, the following data relating to the data subject (including any updated data of any of the following data from time to time) may be provided by us, on our own behalf and/or as agent, to credit reference agencies:

• full name;
• capacity in respect of each mortgage (as borrower, mortgagor or guarantor, and whether in the data subject’s sole name or in joint names with others);
• Hong Kong Identity Card Number or travel document number;
• date of birth;
• correspondence address;
• mortgage account number in respect of each mortgage;
• type of the facility in respect of each mortgage;
• mortgage account status in respect of each mortgage (e.g. active, closed, write-off (other than due to a bankruptcy order), write-off due to a bankruptcy order); and
• if any, mortgage account closed date in respect of each mortgage.

Credit reference agencies will use the above data supplied by us for the purposes of compiling a count of the number of mortgages from time to time held by the data subject with credit providers, as borrower, mortgagor or guarantor respectively and whether in the data subject’s sole name or in joint names with others, for sharing in the consumer credit databases of credit reference agencies by credit providers (subject to the requirements of the Code of Practice on Consumer Credit Data approved and issued under the Ordinance).

We may from time to time access the mortgage count held by the credit reference agency(ies) in the course of:

• considering mortgage loan application(s) made by the data subject (in any capacity) from time to time;
• reviewing any credit facility (including mortgage loan) granted or to be granted to the data subject (in any capacity) which is in default for a period of more than 60 days with a view to putting in place any debt restructuring, rescheduling or other modification of the terms of such credit facility by us;
• reviewing any credit facility (including mortgage loan) granted or to be granted to the data subject (in any capacity), where there is in place any debt restructuring, rescheduling or other modification of the terms of such credit facility between us and the data subject consequent upon a default in the repayment of such credit facility for implementing such arrangement;
• reviewing any credit facility (including mortgage loan) granted or to be granted to the data subject (in any capacity), with a view to putting in place any debt restructuring, rescheduling or other modification of the terms of any credit facility initiated by the request of the data subject; and/or
• reviewing, evaluating and modifying terms of any credit facility (including mortgage loan) granted or to be granted to the data subject (in any capacity) from time to time, and reviewing the same with the data subject. We may from time to time access the mortgage count held by the credit reference agency(ies) in the course of (after 31 March 2013):
• reviewing and renewing mortgage loans granted or to be granted to the data subject (in any capacity); and/or
• considering the application for credit facility (other than mortgage loan) by the data subject (in any capacity other than mortgagor) and/or reviewing or renewing any facility (other than mortgage loan) granted or to be granted to the data subject (in any capacity other than mortgagor), in each case where such facility is in an amount not less than such level or to be determined by a mechanism as prescribed or approved by PCPD from time to time.

In the event of any default of payment relating to an account, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days from the date such default occurred, the account repayment data (as defined above) may be retained by credit reference agencies until the expiry of five years from the date of final settlement of the amount in default.

In the event any amount in an account is written-off due to a bankruptcy order being made against a data subject, the account repayment data (as defined above) may be retained by credit reference agencies, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until the expiry of five years from the date of final settlement of the amount in default or the expiry of five years from the date of discharge from a bankruptcy as notified by the data subject with evidence to the credit reference agency(ies), whichever is earlier.

Without limiting the generality of the foregoing, we may from time to time access the personal and account information or records of a data subject held by the credit reference agency(ies) for the purpose of reviewing any of the following matters in relation to the existing credit facilities granted to a data subject or a third party whose obligations are guaranteed by a data subject:

• an increase in the credit amount;
• the curtailing of credit (including the cancellation of credit or a decrease in the credit amount); and
• the putting in place or the implementation of a scheme of arrangement with the data subject or the third party.

We may have obtained credit report(s) on a data subject from credit reference agency(ies) in considering any application for credit or modification of terms of the credit. In the event a data subject wishes to access the credit report(s), we shall advise the contact details of the relevant credit reference agency(ies).

Under and in accordance with the terms of the Ordinance and the Code of Practice on Consumer Credit Data, you have the following additional rights:

• to ascertain from us our policies and procedures in relation to personal data and to be informed of the kind of personal data held by us and/or you have access to;
• to be informed on request which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the making of access or correction requests to the relevant credit reference agency(ies) or debt collection agency(ies); and
• in relation to any account data (including, for the avoidance of doubt, any account repayment data) which has been provided by us to a credit reference agency, to instruct us, upon termination of the account by full repayment, to make a request to the credit reference agency to delete such account data from its database, as long as the instruction is given within five years of termination and at no time was there any default of payment in relation to the account, lasting in excess of 60 days within five years immediately before account termination. Account repayment data includes amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by us to the credit reference agency), remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any)).

Contact us if you would like further details about data which is routinely disclosed to credit reference agencies or debt collection agencies, as well as information on how to make data access or correction requests to these agencies.

We will respond to requests to exercise your rights in relation to personal data in line with applicable laws. You can exercise your rights by contacting us as detailed in the ‘How do you Contact Us?’ section of this privacy notice.


APPENDIX 2 : Transfer of Personal Data Using Application Programming Interface (API)

We may, in accordance with the data subject’s instructions to us or third-party service providers engaged by the data subject, transfer data subject’s data to third party service providers using our API for the purposes notified to the data subject by us or third-party service providers and/or as consented to by the data subject in accordance with the Ordinance.


APPENDIX 3 : China Personal Information Protection Law (PIPL)

Insofar as the Personal Information Protection Law of the People’s Republic of China (“PIPL”) is applicable to our process and/or use of your data, this PIPL Appendix supplements the Hong Kong privacy notice/PICS

Sensitive Personal Information

Sensitive personal information refers to the personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of fourteen. We will process your sensitive personal information only when there is a specific purpose, when it is of necessity, and under the circumstance where strict protective measures are taken. Insofar as the PIPL is applicable to our process and/or use of your data, such sensitive personal data will be processed with your separate consent.

Sharing Personal Information

To the extent required under the PIPL, we will, prior to sharing your personal information with third parties, notify you of the name and contact details of the recipients, the purposes and means of processing and provision of your personal data, and the types of personal information to be provided and shared, and obtain your separate consent to the sharing of your personal information. The foregoing data recipients will use the personal information to the extent necessary for the specific purposes set out in this privacy notice and store the personal data for minimum length of time required to fulfil the purposes, or insofar as the PIPL is applicable to our process and/or use of your data, in accordance with the PIPL.

Your Additional Rights Under PIPL

Insofar as the PIPL is applicable to our process and/or use of your personal information, you have the following additional rights:

• to request us to delete your personal information;
• to object to certain uses of your personal information;
• to request an explanation of the rules governing the processing of your personal data;
• to ask that we transfer personal information that you have provided to us to a third party of your choice under the circumstances provided under the PIP;
• to withdraw any consent for the collection, processing or transfer of your personal data (you should note that withdrawal of your consent may result in us being unable to open or continue accounts or establish or continue banking facilities or provide banking services); and
• In some services, we may make decisions based solely on non-human and automated decision-making mechanisms, including information systems, algorithms, etc. If these decisions significantly affect your legal rights, you have the right to request an explanation from us, and we will also provide appropriate remedies.

Standard Chartered Bank (Hong Kong) Limited
Last Updated in November 2023




Issued by Standard Chartered Bank (Hong Kong) Limited