Privacy Statements


Privacy Policy Statement

  1. INTRODUCTION
    1. This Statement is adopted as the Privacy Policy Statement (the "Statement") of The Bank of East Asia, Limited (the "Bank"). The purpose of this Statement is to establish the policies and practices of the Bank’s commitment to protect the privacy of personal data and to act in compliance with the provisions of the Personal Data (Privacy) Ordinance (the "Ordinance") and the relevant guidelines issued by the Privacy Commissioner for Personal Data (the "Privacy Commissioner").
    2. The Bank's local subsidiaries, as well as its branches and subsidiaries in Chinese Mainland, Macau, Taiwan and overseas, are required to establish their own policies and practices to ensure full compliance with the applicable legal and regulatory requirements in their respective jurisdictions relating to personal data protection.
  2. KINDS OF PERSONAL DATA HELD BY THE BANK
    1. There are two broad categories of personal data held in the Bank. They are personal data related to customers and employees (including former employees)/ prospective employees of the Bank.
    2. Personal data held by the Bank regarding customers may include the following:
      1. name and address, occupation, contact details, date of birth and nationality of customers and spouses of customers and their identity card and/or passport numbers and place and date of issue thereof;
      2. current employer, nature of position, annual salary and other benefits of customers and spouses of customers;
      3. details of properties, assets and investments held by customers and their spouses;
      4. details of other assets and liabilities (actual or contingent) of customers and their spouses;
      5. information obtained by the Bank in the ordinary course of the continuation of the banking and other financial relationship (for example, when customers write cheques or deposit money or otherwise carry out transactions as part of the Bank’s services, or when customers communicate verbally or in writing with the Bank, by means of, including but not limited to, documentation, transaction system or telephone recording system, as the case may be);
      6. data collected from third parties, including Bank’s group companies and third party service providers with whom the customer interacts in connection with the marketing of the Bank’s products and services and in connection with the customer’s application for the Bank’s products and services (including receiving personal data from credit reference agencies approved for participation in the Multiple Credit Reference Agencies Model (hereinafter referred to as "credit reference agencies"));
      7. information as to credit standing provided by a referee, credit reference agency or debt collection agency in connection with a request to collect a debt due from any customer to the Bank; and
      8. information which is in the public domain.
    3. Personal data held by the Bank regarding employees (including former employees) and prospective employees may include the following:
      1. name and address, contact details, date of birth and nationality of employees and prospective employees and their dependents and their identity card and/or passport numbers and place and date of issue thereof;
      2. additional information compiled about prospective employees to assess their suitability for a job in the course of the recruitment and selection process which may include references obtained from their current or former employers or other sources, "MRC information" which includes specific information on employees’ conduct which will be collected for employment history verification by the Bank under Mandatory Reference Checking ("MRC") Scheme and credit rating reports obtained from credit reference agencies;
      3. additional information compiled about employees in the ordinary course of the continuation of the employment relationship which may include records of remuneration and benefits paid to the employees, records of job postings, transfer/secondment and training, records of medical checks and sick leaves, health data, records of outside employment/ appointment and performance appraisal reports of the employees;
      4. relevant personal data pertaining to former employees required by the Bank, including MRC information, to fulfil its obligations to the former employees and its legal obligations under certain ordinances and regulatory requirements, including MRC Scheme; and
      5. information which is in the public domain.
    4. The Bank may hold other kinds of personal data which it needs in the light of experience and the specific nature of its business.
  3. PURPOSES THE PERSONAL DATA IS HELD
    1. All personal data collected will only be used for purposes which are directly related to the Bank’s functions or activities. Personal data collected may be transferred to third parties when necessary for the same purposes. Individuals concerned would be informed of the possible transferees of their personal data when their personal data is collected.
    2. It is necessary for customers to supply the Bank with data in connection with the opening or continuation of accounts and the establishment or continuation of banking facilities or provision of banking and other financial services, including handling requests or complaints relating thereto by the Bank.
    3. It is also the case that data is collected from customers in the ordinary course of the continuation of the banking and other financial relationship.
    4. The purposes for which data relating to customers may be used are as follows:
      1. processing, considering and assessing the customer’s application for the Bank’s products and services which may involve use of automated decision making (ADM) processes;
      2. the daily operation of the products, services and credit facilities provided to customers which may involve use of ADM processes and business management of the Bank Group;
      3. conducting credit checks at the time of application for credit and at the time of regular or special reviews which normally will take place one or more times each year;
      4. creating and maintaining the Bank’s credit scoring models;
      5. assisting other credit providers in the Hong Kong Special Administrative Region ("Hong Kong") approved for participation in the Multiple Credit Reference Agencies Model to conduct credit checks and collect debts;
      6. ensuring ongoing credit worthiness of customers;
      7. designing financial services or related products for customers’ use;
      8. marketing services, products and other subjects (please see further details in paragraph (7) of the Bank’s Personal Information Collection (Customers) Statement);
      9. verifying the data or information provided by any other customer or third party;
      10. determining amounts owed to or by customers;
      11. enforcing customers’ obligations, including but not limited to the collection of amounts outstanding from customers and those providing security for customers’ obligations;
      12. complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Bank or any of its branches or that it is expected to comply according to:
        1. any law binding or applying to it within or outside Hong Kong existing currently and in the future (e.g. the Inland Revenue Ordinance and its provisions including those concerning automatic exchange of financial account information);
        2. any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently and in the future (e.g. guidelines or guidance given or issued by the Inland Revenue Department including those concerning automatic exchange of financial account information);
        3. any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Bank or any of its branches by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;
      13. complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the group of the Bank and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
      14. enabling an actual or proposed assignee of the Bank, or participant or sub-participant of the Bank’s rights in respect of the customer to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation; and
      15. purposes relating thereto.
    5. The Bank may, in accordance with the customer’s instructions to the Bank or other banks providing services to the customer or third party service providers (including other financial service providers) engaged by the customer, transfer customer’s data to such other banks and third party service providers using the Bank’s Application Programming Interfaces for the purposes notified to the customer by the Bank, the customer’s other banks or third party service providers and/or as consented to by the customer in accordance with the Ordinance.
    6. The purposes for which data relating to employees (including former employees) and prospective employees may be used are as follows:
      1. processing employment applications including MRC assessment, where applicable;
      2. determining and reviewing salaries, bonuses and other benefits;
      3. conducting fit and proper assessment and performance assessment according to internal policy or regulatory requirements or consideration of promotion, training, secondment or transfer;
      4. determining any disciplinary or rectifying action arising from employees’ conduct or employees’ ability to perform their job requirements;
      5. consideration of eligibility for and administration of staff loans, medical and other benefits and entitlements, and staff recreation and volunteer activities;
      6. providing employee references, with MRC information where applicable;
      7. registering employees as intermediaries or licensees with statutory authorities / institutions for purposes directly related or associated to the employment;
      8. monitoring compliance with regulatory requirements and internal governance, policies, procedures, guidelines or rules of the Bank;
      9. complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Bank or any of its branches or that it is expected to comply according to:
        1. any law binding or applying to it within or outside Hong Kong existing currently and in the future; or
        2. any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently and in the future;
      10. detecting or conducting investigation regarding any suspicious fraud cases, misconduct (e.g. fake sick leave) or criminal related activities;
      11. public health protection, prevention of disease or control of pandemic;
      12. assessing the suitability of the employee’s continuance in employment; and
      13. for human resource management or purposes relating thereto.
  4. SECURITY OF PERSONAL DATA
    1. It is the policy of the Bank to ensure an appropriate level of protection for personal data in order to prevent unauthorised or accidental access, processing, erasure, loss or use of that data, commensurate with the sensitivity of the data and the harm that would be caused by occurrence of any of the aforesaid events. It is the practice of the Bank to achieve appropriate levels of security protection by restricting physical access to and processing of data by providing secure storage facilities, and incorporating security measures into equipment in which data is held. Measures are taken to ensure the integrity, prudence and competence of persons having access to personal data and the access to the personal data is granted on a need-to-know basis only. Personal data is only transmitted by secured means to prevent unauthorised or accidental access. If the Bank engages a data processor including cloud service providers (whether within or outside Hong Kong) to process personal data on the Bank’s behalf, the Bank would adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.
  5. ACCURACY OF PERSONAL DATA
    1. It is the policy of the Bank to ensure that all practicable steps have been taken to maintain the accuracy of all personal data collected and processed by the Bank having regard to the purpose for which the personal data is or is to be used. Appropriate procedures are implemented such that all personal data is regularly checked and updated. In so far as personal data held by the Bank consists of statements of opinion, all reasonably practicable steps are taken to ensure that any facts cited in support of such statements of opinion are correct.
  6. COLLECTION OF PERSONAL DATA
    1. When collecting personal data, the Bank will satisfy itself that the purposes for which the data is collected are lawful and directly related to the Bank’s functions or activities. The manner of collection is lawful and fair in the circumstances and the personal data collected is necessary but not excessive for the purposes for which it is collected.
    2. On or before collecting personal data, the Bank will provide the individuals concerned with a Personal Information Collection Statement ("PICS") informing them of the purpose of collection, classes of persons to whom the data may be transferred, their rights to access and correct the data, and other relevant information. Practicable steps will be taken by the Bank to ensure that the individuals concerned are informed of whether it is obligatory or voluntary for them to supply the data and, if obligatory, the consequences for them if they fail to do so.
    3. Prior to using any personal data collected by the Bank from public domain, due regards will be given by the Bank to observe the original purposes of making the personal data available in the public domain (such as the purpose of establishing the public register in the enabling legislation). The restrictions, if any, imposed by the original data users of the public domain on further uses and the reasonable expectation of personal data privacy of the individuals concerned will be observed by the Bank.
    4. In relation to the online collection of personal data, for example, online application for the Bank’s product or service or campaign online registration, the Bank will provide the relevant terms and conditions for these products and services and campaigns as well as the applicable PICS on or before the data collection, to inform the individuals concerned of the purpose of collection of personal data, classes of persons to whom the data may be transferred, their rights to access and correct the data and other relevant information (including retention period of the data where applicable).
    5. The Bank will follow strict standards of security and confidentiality to protect any information provided to the Bank online. Encryption technology is employed for sensitive data transmission on the Internet to protect individuals’ privacy.
    6. Use of Cookies, Tags and Web Logs etc.
    7. The Bank uses cookies, tags and web logs to identify users’ web browser for the following purposes:-
      1. Session Identifier: The Bank will not store user’s sensitive information in cookies. Once a session is established, all the communications will use the cookies to identify a user.
      2. Analytical Tracking: Users’ visit to the Bank’s online platforms and social networks (including but not limited to the Bank’s websites, mobile applications and Facebook) will be recorded for analysis and information may be collected through technologies such as cookies, tags and web logs etc. The information collected is anonymous research data and no personally identifiable information is collected. The Bank mainly collects the information to understand more about our users including user demographics, interests and usage patterns, and to improve the effectiveness of our online marketing.
    8. The information may be transferred to or collected by third parties on our behalf (for example, providers of external service like web traffic tracking and reporting, online advertisement serving) for the above use. The information would not be further transferred to other parties by the third parties engaged by the Bank. The information collected is anonymous research data and no personally identifiable information is collected or shared by the third parties.
    9. Most web browsers are initially set up to accept cookies. Users can choose to "not accept" cookies by changing the settings on the web browsers but this may disable the access to the Bank’s Internet banking and certain features on the Bank’s online platforms and social networks will not work properly. The Bank will retain the collected information for as long as is necessary to fulfil the original or directly related purpose for which it was collected and to satisfy any applicable statutory, regulatory or contractual requirements.
    10. The information collected through technologies such as cookies, tags and web logs etc. will be retained for a period of no longer than 3 years.
    11. The Bank installs closed circuit television ("CCTV") (with recording mode) systems at bank premises and automated teller machines primarily for general security purposes to protect the safety of customers and the staff, business assets, intellectual property or other proprietary rights. Access to and use of the CCTV records will be granted to authorised personnel only. The Bank may disclose the CCTV records to third parties including regulatory authorities and law enforcement agencies where it is necessary in order for it to respond to any legal processes or to investigate any incidents or complaints, etc.
    12. Subject to the aforesaid, all CCTV records will be erased according to the Bank’s policies and guidelines. The security measures that apply to the CCTV records will be consistent with this Statement.
  7. DATA ACCESS REQUESTS AND DATA CORRECTION REQUESTS
    1. It is the policy of the Bank to comply with and process all data access requests ("DARs") and data correction requests ("DCRs") in accordance with the provisions of the Ordinance, and for all staff concerned to be familiar with the requirements for assisting individuals to make such requests.
    2. The Bank may, subject to the Ordinance and the guidelines issued by the Privacy Commissioner, impose a fee for complying with a DAR. The Bank is only allowed to charge a DAR requestor for the costs which are directly related to and necessary for complying with a DAR. If a person making a DAR requests for an additional copy of the personal data that the Bank has previously supplied pursuant to an earlier DAR, the Bank may charge a fee to cover the full administrative and other costs incurred in supplying that additional copy.
    3. DARs and DCRs to the Bank may be addressed to the Bank’s Group Data Protection Officer ("GDPO") or other person as specifically advised.
  8. RETENTION OF PERSONAL DATA
    1. The Bank takes all practicable steps to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose for which such data is or is to be used. The Bank usually holds data relating to the customer(s) and employee(s) for a period of 7 years or such other period as prescribed by applicable laws and regulations after closure of account, termination of service or cessation of employment.
    2. Regarding personal data collected from job applicants, unless there is subsisting reason that the Bank is obliged to retain the data for a longer period (such as other period as prescribed by applicable laws and regulations), the Bank may hold the data of unsuccessful applicants for a period up to 2 years from the date of rejecting the applicants.
    3. If the Bank engages a data processor including cloud service providers (whether within or outside Hong Kong) to process personal data on the Bank’s behalf, the Bank would adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data.
  9. OTHER PRACTICES
    1. The Bank will keep this Statement under regular review.
    2. The following are maintained by the Bank to ensure compliance with the Ordinance:
      1. A Log Book as provided for in section 27 of the Ordinance;
      2. Internal policies and guidelines on compliance with the Ordinance for observance by staff of the Bank;
      3. Data Access Request Form (GF 357) and Data Correction Request Form (GF 362) for individuals’ requests for access to and correction of personal data held by the Bank.
  10. APPOINTMENT OF DATA PROTECTION OFFICER
    1. The GDPO has been appointed by the Bank to co-ordinate and oversee compliance with the Ordinance and the personal data protection policies of the Bank.
    2. The contact details of the GDPO are as follows:
      The Group Data Protection Officer
      The Bank of East Asia, Limited
      10 Des Voeux Road Central
      Hong Kong
      Telephone : (852) 3608 3608
      Fax : (852) 3608 6172
      Website : www.hkbea.com
      (Should there be any discrepancy between the English and Chinese versions, the English version shall prevail.)
  June 2025