PRIVACY POLICY
 • Privacy Policy Statement
 • Notice to Customers relating to the Personal Data (Privacy) Ordinance (the "Ordinance")

CMB WING LUNG BANK LIMITED

Privacy Policy Statement

As a CMG member (as defined below), it is the policy of CMB Wing Lung Bank Limited ("the Bank") and its subsidiaries (collectively referred to as the "Bank Group") to respect the privacy of their customers and keep the information relating to a customer secure and confidential. The Bank Group is committed to protecting the privacy, confidentiality and security of personal data the Bank Group holds by complying with the requirements of Personal Data (Privacy) Ordinance (the “Ordinance”) with respect to the management of personal data. The Bank Group is equally committed to ensuring that all its employees and agents uphold these obligations.

Statement of Practices and Kinds of Personal Data Held by the Bank Group

There are different kinds of personal data and sensitive personal data held by the Bank Group. There are mainly two broad categories of personal data held by the Bank Group, namely:

(a)   data of potential and existing customers (including but not limited to (i) customers or applicants for banking/financial services and banking/credit facilities, (ii) sureties, referees, guarantors and providers of security, (iii) shareholders, directors, officers and managers of corporate customers or applicants, and (iv) sole proprietors or partners of customers or applicants); and
(b)   data of employees.

In addition, personal data may also be provided by other persons, including but not limited to agents and business partners of the Bank Group.

The kinds of personal data held by the Bank Group may include (but are not limited to) name, title, address, e-mail address, employment information, contact details, date of birth, nationality, financial information, credit information, marital status, identity card or passport numbers and other personal information in the public domain.

It is necessary for the Bank Group to hold such data for various purposes including, without limitation, the opening or continuation of accounts, the establishment or continuation of banking/credit facilities, and the provision of securities and futures trading, credit card, insurance, tenancy and property management, concierge services and other banking and financial services.

Personal Data Collection and Usage

The Bank Group collects personal data through fair and lawful means on a voluntary basis. The data is used by the Bank Group or CMG for the purposes indicated in the respective screens in which individuals are invited to provide personal data and/or in the Notice to Customers relating to the Personal Data (Privacy) Ordinance (the "Notice"). The Bank Group will provide the Notice on or before the collection of personal data in an appropriate format and manner. For details, please refer to the Notice, including the consequences of failure to provide such data.

Personal data held by the Bank Group is kept confidential and the Bank Group does not use personal data for any purpose other than those already specified in this Privacy Policy Statement and/or in the Notice or unless such usage is permitted or required by law.

Personal data is collected through the use of the Bank Group’s website or smartphone app (the "APP") .

When an individual visits the Bank Group’s web portal (without logging in to NET Banking), the Bank Group records the visit only as a "hit" or records such use only as a “hit” but does not collect any personal identifiable information of the visitor or user. The Bank Group will gather and analyze these records to compile general statistics about usage of the Bank Group's web portal. The Bank Group also collects information about the visit or use by means of “cookies” files. “Cookies” are small pieces of data transmitted to and stored in the visitor's local hard drive. “Cookies” cannot retrieve information stored in the visitor's hard disk. The information collected by “cookies” is anonymous visitor’s personalized settings information and contains no name or address information or any information that will enable anyone to contact the visitors via any means. For NET Banking services, a “cookie” with a unique identifier assigned by the Bank Group will be stored in the visitors’ web browsers throughout the session after login and the “cookies” will expire upon logging off.The data obtained through the use of “cookies” will be used for web portal personalization and marketing. Should a visitor wish not to be tracked by “cookies”, the visitor may change his/her browser settings. However, a visitor may not be able to take full advantage of the Bank Group’s website because certain functionalities may not be available if a visitor does not accept “cookies”.

    Similarly, when an individual uses the APP, the Bank Group uses behavioural tracking tools to:
  • help the Bank Group improve the design and functionality of the APP by tracking the user’s digital footprint within the APP;
  • enable the Bank Group to gather statistics on new and repeated users to evaluate the effectiveness of the APP or the Bank Group’s services; and
  • recognise the user’s device (if the user is a repeated user), record the user’s access to and/or digital footprint in the APP, record the user’s response to the Bank Group’s advertisements, track the pages and links accessed by the user within the APP. The Bank Group uses such information to make the APP more relevant to the user’s interests based on his/her past behaviour and/or tailor the advertisements or offers on the APP or third party websites or applications which are most likely to suit the interests of such user.
    When an individual uses the APP, the Bank Group may also separately access the following information from his/her smartphone:
  • to provide the nearest branch location service, the APP will use the camera lens and/or location service of the smartphone to collect the user’s location in order to locate the nearest branch(es) from the user’s current location. This feature requires the user’s authorization on location;
  • to provide better user experience and reduce the waiting time for downloading data when using the APP, the APP will store the downloaded data on the user’s smartphone; and
  • to provide the transaction or information notification service, the APP will save the user’s preferences on the notification service in the Bank Group’s servers. This feature requires user’s authorization on notification service.

The information gathered may include time and duration of a user’s use of the APP and the pages viewed by a user while using the APP. As behavioural tracking is integral to the operation of the APP and the provision of a quality service to users, the APP’s design does not permit behavioural tracking to be disabled. Any individual who does not consent to the use of behavioural tracking tools should access the Bank’s services using NET Banking instead.

The Bank Group generally has closed circuit television systems (“CCTV”) installed at the Bank Group’s premises (e.g. branches). Information collected is mainly used for security, management and other related purposes as stated in the Notice.

Personal Data Disclosure Restrictions

The Bank Group follows strict privacy procedures in regard to protection of personal data. No disclosure of personal identifiable information to third parties is allowed unless the relevant individual has already been informed or has provided the consent (where required) or the disclosure is permitted or required by any law binding on the Bank Group or any of its branches. For possible transferees (whether within or outside Hong Kong), please refer to the Notice.

Personal Data Retention

The Bank Group retains all records of transactions for validation and auditing purposes. Appropriate retention periods apply and the Bank Group takes all practicable steps to ensure that personal data will not be kept longer than is necessary for the fulfilment of the intended purpose and for compliance with the legal, regulatory and accounting requirements from time to time.

Under applicable circumstances, individuals may have the right to ask the Bank Group to delete their personal data or not to transfer or share their personal data. Please refer to the Notice for further details.

Personal Data Security

All personal data provided to the Bank Group is secured with restricted access by authorized and trained personnel. The Bank Group has security measures in place to protect personal data. Encryption technology is employed for sensitive data to protect the privacy of individuals during data transmission.

Data Access Requests and Data Correction Requests

The Bank Group processes all Data Access Requests (“DARs”) and Data Correction Requests in accordance with the Ordinance. Requestors for access are advised to use the form prescribed by the Office of the Privacy Commissioner for Personal Data, Hong Kong. The Bank Group has the right to charge a reasonable but not excessive fee to comply with DARs. In addition, the Bank Group will check the identity of the requestor to ensure that the requestor is the person legally entitled to make the data access or correction request.

Outsourcing Arrangement

If the Bank Group engages outsourcing service providers or data processors to handle or process personal data (whether within or outside Hong Kong), outsourcing service providers or data processors are required to adhere to specific standards to prevent any loss or unauthorised access, use, modification or disclosure, either by contractual provisions or other means.

Direct Marketing

The Bank Group may use the collected personal data in direct marketing subject to the relevant individual’s consent (which includes an indication of no objection). If an individual does not wish the Bank Group to use his/her personal data in direct marketing, he/she may exercise his/her opt-out right by notifying the Bank Group.

Debt Collection

The Bank Group may use a customer’s personal data if the customer is in default of payment for debt collection purposes, including the transfer of the customer’s appropriate personal data to debt collection agencies for debt collection purposes.

Changes to Privacy Policy Statement

This Privacy Policy Statement is subject to review and change from time to time. Please approach the Bank Group or visit the Bank Group’s website for the Bank Group’s latest Privacy Policy Statement.

Contact Us

Request for access to data or correction of data or for information regarding policies and practices and kinds of data held should be addressed to:

The Data Protection Officer
CMB Wing Lung Bank Limited
45 Des Voeux Road Central, Hong Kong
Telephone: 230 95555

Interpretation

In this Privacy Policy Statement:

"CMG" means:

(a) the Bank or its successor;
(b) any subsidiary undertaking, related company, associated company, direct and/or indirect parent undertaking of the Bank;
(c) any subsidiary undertaking of any such parent undertaking;
(d) any related company of (a), (b) and (c) above; and
(e) any associated company of (a), (b) and (c) above;

and “CMG member” shall mean any of them; and

the expressions "subsidiary undertaking", "parent undertaking" and "undertaking" bear the meanings under the Companies Ordinance (Cap.622).

In case of any discrepancy between the English and Chinese versions of this Privacy Policy Statement, the English version prevails.

October 2023

 

 

CMB WING LUNG BANK LIMITED

Notice to Customers relating to the Personal Data (Privacy) Ordinance (the “Ordinance”) (the “Notice”)

In compliance with the Ordinance, CMB Wing Lung Bank Limited (the “Bank”) informs you that:
1. From time to time, it is necessary for customers, potential customers and various other individuals (including (i) customers or applicants for banking/financial services and banking/credit facilities, (ii) sureties, referees, guarantors and providers of security, (iii) shareholders, directors, officers and managers of corporate customers or applicants, (iv) sole proprietors or partners of customers or applicants and/or (v) other contractual counterparties) (collectively, “data subjects”) to supply the CMG (as defined in paragraph 20 below) with data in connection with various matters including the opening or continuation of accounts and the establishment or continuation of banking/credit facilities or provision of securities and futures trading, credit card, insurance, tenancy and property management and other banking and financial services.
2. Failure to supply such data may result in the CMG being unable to open or continue accounts or establish or continue banking/credit facilities or provide securities and futures trading, credit card, insurance, tenancy and property management and other banking and financial services for its customers.
3. Data is collected from data subjects in the ordinary course of the continuation of the CMG’s business relationship with such data subjects, including (without limitation) through third parties, the public domain, data subjects’ use of the mobile application and website, cookies and behavioural tracking tools of the CMG, when payments are made to data subjects’ accounts, when data subjects instruct the CMG to enter into transactions, when data subjects write cheques, deposit money, repay loans, conduct securities and futures trading, apply for credit cards, request the CMG to provide tenancy and property management services or purchase insurance or other banking and financial products and services (including personal data received from credit reference agencies approved for participation in the Multiple Credit Reference Agencies Model (hereinafter referred to as “credit reference agencies”)).
4.
The purposes for which data relating to a data subject may be used vary depending on the nature of the data subject’s relationship with the CMG, which may comprise all or any one or more of the following purposes:-
(i) the daily management and operation of the services and credit facilities provided by the CMG to the data subject, including determining whether to provide or continue with the provision of, banking, financial and other services (such as concierge services) to the data subject;
(ii) provision of bankers’ references;
(iii) conducting credit checks (including upon applications for consumer credit and periodic or special reviews of such consumer credit which normally take place one or more times each year) and, subject to the requirements set out in the Ordinance, carrying out matching procedures (as defined in the Ordinance);
(iv) creating and maintaining the CMG’s credit or behaviour scoring models;
(v) assisting other financial institutions or other credit providers in the Hong Kong Special Administrative Region (“Hong Kong”) approved for participation in the Multiple Credit Reference Agencies Model (hereinafter referred to as “credit providers” ), credit or charge card issuing companies and debt collection agents to conduct credit checks and collect debts;
(vi) ensuring ongoing credit worthiness of data subjects;
(vii) conducting market, service or product analysis or researching, designing, developing or improving financial services or related products of the CMG for data subjects’ use;
(viii) marketing services, products, merchandise and other subjects (in respect of which the CMG may or may not be remunerated) (please see further details in relation to direct marketing in paragraph 7 below);
(ix) determining the amount of indebtedness owed to or by data subjects;
(x) the enforcement of data subjects’ obligations, including the collection of amounts outstanding from data subjects and those providing security or guarantee for data subjects’ obligations;
(xi) complying with the obligations, requirements or arrangements for disclosing and using data that apply to or are expected to be complied with by each CMG member or any service provider of a CMG member according to:
(1) any law binding or applying to it within or outside Hong Kong existing currently and in the future (e.g. the Inland Revenue Ordinance and its provisions including those concerning automatic exchange of financial account information);
(2) any guidelines or guidance given or issued by any legal, regulatory, governmental, judicial, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently and in the future (e.g. guidelines or guidance given or issued by the Inland Revenue Department including those concerning automatic exchange of financial account information);
(3) any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, judicial, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers (collectively, the “Authorities”) that is assumed by or imposed on any CMG member by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant Authorities; or
(4) any agreement or treaty between the Authorities;
(xii) complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the CMG and/or any other use of data and information in accordance with any CMG group-wide and/or industry-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
(xiii) enabling an actual or proposed assignee of the CMG (including its legal, accounting and/or commercial advisers), or any participant or sub-participant of CMG’s rights in respect of the data subjects (including legal, accounting or commercial advisers to such participant or sub-participant) to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;
(xiv) comparing data of data subjects or other persons for credit checking, data verification or otherwise producing or verifying data, whether or not for the purpose of taking adverse action against the data subjects;
(xv) maintaining a credit history of data subjects (whether or not there exists any relationship between data subjects and the CMG) for present and future reference;
(xvi) reasonable internal management and control purposes relating to the provision of the services to customers of the CMG (including security controls, investigations, risk management, and the defence of claims ); and
(xvii) purposes relating thereto.
5. The data of a data subject may be processed, kept and transferred or disclosed in and to any country (in or outside Hong Kong, e.g. Mainland of China) as the CMG may consider appropriate for the purposes set out under paragraph 4. Data held by the CMG relating to data subjects will be kept confidential but the CMG may, as it considers appropriate in its sole discretion, provide the data of a data subject to the following parties whether inside or outside Hong Kong (e.g. Mainland of China) for the purposes set out in paragraph 4:--
(i) any agent, contractor, claim adjuster or third party service provider (including any CMG member as an outsourcing service provider and any operator of any interface (such as application programming interface) that links to, or on which information is in any way made available about, the CMG’s products and/or services) who provides administrative, management, payment or securities clearing, underwriting, depository, custodian, registration, anti-money laundering, customer contact centre, credit card authorization, card embossing process or other services to any CMG member in connection with the operation of any of its businesses;
(ii) any other person under a duty of confidentiality to the CMG including any CMG member which has undertaken to keep such information confidential;
(iii) the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;
(iv) credit reference agencies (including the operator of any centralized database used by credit reference agencies); and, in the event of default, to debt collection agencies;
(v) any person to whom a CMG member is under an obligation or otherwise required to make disclosure under the requirements of any law binding on or applying to a CMG member, or any Authorities for the purposes of any guidelines or guidance given or issued by such Authorities with which a CMG member is expected to comply, or pursuant to any contractual or other commitment of a CMG member with any such Authorities, in each case, whether existing currently and in the future;
(vi) any actual or proposed assignee of the CMG (including their legal, accounting and/or commercial advisers) or participant or sub-participant or transferee of the CMG’s rights (including their legal, accounting and/or commercial advisers) in respect of the data subject;
(vii) any insurance company or agent, securities and futures broker, merchant (including merchants accepting credit cards issued by the CMG and entities with whom the CMG provides affinity/co-branded/private label credit card services (the names of such merchant/entities can be found in the application form(s) for the relevant services and products) or other business partners of the CMG;
(viii) any financial institution and charge card or credit card issuing or acquiring companies with which the data subjects have or propose to have dealings;
(ix) any party giving or proposing to give a guarantee or third party security to guarantee or secure the data subjects’ obligations;
(x) Joint Electronic Teller Services Limited (“JETCO”) (including in connection with any “know-your customer” checks), operators or participants of the JETCO network and other issuers of ATM cards;
(xi) the bank of any merchant in connection with any credit card payment or transactions for the purpose of verifying the identity of the cardholder;
(xii) any CMG member in Hong Kong or other jurisdiction(s);
(xiii)
(1) third party financial institutions, insurers, credit card companies, securities, investment, merchandise and/or lifestyle services providers;
(2) third party reward, loyalty, co-branding and privileges programme providers;
(3) co-branding partners of the CMG (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);
(4) charitable or non-profit making organisations; and
(5) external service providers (including but not limited to mailing houses, telecommunication companies, telemarketing and direct sales agents, call centres, data processing companies and information technology companies) that the CMG engages; and
(xiv) any other person with the express or implied consent of the data subject. Notwithstanding and without prejudice to the foregoing, subject to any requirements or restrictions on disclosure of information under any law binding on the Bank or given by any court or regulatory authority which has jurisdiction over the Bank, the Bank may refuse to disclose or transfer the data of a data subject to any third party or any CMG member.
6. With respect to data in connection with mortgages applied by a data subject (whether as a borrower, mortgagor or guarantor and whether in the data subject’s sole name or in joint names with others) on or after 1 April 2011, the following data relating to the data subject (including any updated data of any of the following data from time to time) may be provided by the CMG, on its own behalf and/or as agent, to credit reference agencies:
(i) full name;
(ii) capacity in respect of each mortgage (as borrower, mortgagor or guarantor, and whether in the data subject’s sole name or in joint names with others);
(iii) Hong Kong Identity Card Number or travel document number;
(iv) date of birth;
(v) correspondence address;
(vi) mortgage account number in respect of each mortgage;
(vii) type of the facility in respect of each mortgage;
(viii) mortgage account status in respect of each mortgage (e.g. active, closed, write-off (other than due to a bankruptcy order), write-off due to a bankruptcy order); and
(ix) if any, mortgage account closed date in respect of each mortgage. Credit reference agencies will use the data supplied by the CMG for the purposes of compiling a count of the number of mortgages from time to time held by the data subject with credit providers, as borrower, mortgagor or guarantor respectively and whether in the data subject’s sole name or in joint names with others, for sharing in the consumer credit databases of credit reference agencies by credit providers (subject to the requirements of the Code of Practice on Consumer Credit Data approved and issued under the Ordinance).
7. USE OF DATA IN DIRECT MARKETING
The CMG intends to use a data subject's data in direct marketing and the CMG requires the data subject's consent (which includes an indication of no objection) for that purpose. In this connection, please note that:
(i) the name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data of a data subject held by the CMG from time to time may be used by the CMG in direct marketing;
(ii) the following classes of services, products and subjects may be marketed:
(1) financial, insurance, credit card, banking, securities, investment, concierge and related services and products;
(2) merchandise, consumer goods, commodities, data, products or services or offers or discounts;
(3) reward, loyalty or privileges programmes and related services and products;
(4) services and products offered by the CMG’s co-branding partners (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and
(5) donations and contributions for charitable and/or non-profit making purposes;
(iii) the above services, products and subjects may be provided or (in the case of donations and contributions) solicited by the CMG and/or:
(1) any CMG member;
(2) third party financial institutions, insurers, credit card companies, securities, investment, merchandise and/or lifestyle services providers;
(3) third party reward, loyalty, co-branding or privileges programme providers;
(4) co-branding partners of the CMG and/or any CMG member (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and
(5) charitable or non-profit making organisations;
(iv) the CMG also intends to provide the data described in paragraph 7(i) to all or any of the persons described in paragraph 7(iii) for use by them in marketing those services , products and subjects described in paragraph 7(ii), and the CMG requires the data subject's written consent (which includes an indication of no objection) for that purpose; and
(v) the CMG may receive money or other property in return for providing the data to the other persons under paragraph 7(iv) and, when requesting the data subject's consent or no objection as described in paragraph 7(iv), the CMG will inform the data subject if it will receive any money or other property in return for providing the data to such other persons.
If the data subject does not wish the CMG to use or provide to other persons his/her data for use in direct marketing as described above, the data subject may exercise his/her opt-out right by notifying the CMG.
8. Under and in accordance with the terms of the Ordinance and the Code of Practice on Consumer Credit Data approved and issued under the Ordinance, any data subject has the right:-
(i) to check whether the CMG holds data about him and of access to such data;
(ii) to require the CMG to correct any data relating to him which is inaccurate;
(iii) to ascertain the CMG’s policies and practices in relation to data and to be informed of the kind of personal data held by the CMG;
(iv) in relation to consumer credit data, to request to be informed which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the making of data access and correction requests to the relevant credit reference agencies or debt collection agencies; and
(v) in relation to any account data (including any account repayment data) which has been provided by the CMG to a credit reference agency, to instruct the CMG, upon termination of the account by full repayment, to make a request to the credit reference agency to delete such account data from its database, as long as the instruction is given within five years of termination and at no time was there any default of payment in relation to the account, lasting in excess of 60 days within five years immediately before account termination. Account repayment data includes amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by the CMG to a credit reference agency), remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any)).
9. In the event of any default of payment relating to an account, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days from the date such default occurred, the account repayment data (as described in paragraph 8(v)) may be retained by credit reference agencies until the expiry of five years from the date of final settlement of the amount in default.
10. In the event any amount in an account is written-off due to a bankruptcy order being made against a data subject, the account repayment data (as described in paragraph 8(v)) may be retained by credit reference agencies, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until the expiry of five years from the date of final settlement of the amount in default or the expiry of five years from the date of discharge from a bankruptcy as notified by the data subject with evidence to credit reference agencies, whichever is earlier.
11. The CMG may have obtained credit reports on a data subject and any of its sureties from credit reference agencies in considering any application for credit. In the event the data subject or any of its sureties wishes to access the credit reports or to request to have any personal data of the data subject held by the credit reference agencies corrected pursuant to the Ordinance, the CMG will advise the contact details of the relevant credit reference agencies.
12. The CMG may access the database of a credit reference agency for the purpose of credit review of any data subject from time to time. In particular, the CMG may access the consumer credit data of any data subject held by a credit reference agency for the purpose of the review of their existing consumer credit facilities which may involve the consideration by the CMG of any of the following matters:
(i) an increase in the credit amount;
(ii) the curtailing of credit (including the cancellation of credit or a decrease in the credit amount); or
(iii) the putting in place or the implementation of a scheme of arrangement with the data subject.
13. In accordance with the terms of the Ordinance, the CMG has the right to charge a reasonable fee for the processing of any data access or correction request.
14. The CMG may use algorithms when considering and processing a data subject’s application for products and services. The algorithms provide automatic assessments and decisions based on the personal data collected. The parameters used in these assessments have been selected to provide a fair and objective assessment of a data subject’s personal data and have been tested for reliability and fairness. If the CMG is uncertain about the accuracy of the personal data that will be used in an algorithmic assessment, the CMG will seek your clarification.
15. The person to whom requests for access to data or correction of data or for information regarding policies and practices and kinds of data held are to be addressed is:-
The Data Protection Officer
CMB Wing Lung Bank Limited
45 Des Voeux Road Central, Hong Kong
Telephone: 230 95555
16. A data subject may, at any time and without charge, choose not to receive the CMG’s promotional material. Such data subject must inform the Bank in writing at the address specified in paragraph 15 or such other updated address as the Bank may notify data subjects from time to time if a data subject does not wish to receive such material.
17. Nothing in this Notice shall limit the rights of data subjects under the Ordinance.
18.
(a) The security of personal data is important to the CMG. The CMG has technical and organisational security measures in place to safeguard personal data. These security measures ensure that confidentiality and integrity of customer information is not compromised. Multiple layers of protection have been put in place to protect against leakage of personal data to external parties. Personal data will be encrypted by strong data encryption algorithms using encryption keys unique to the CMG and with proper key management. When using external service providers, the CMG requires that they adhere to security standards mandated by the CMG. The CMG may do this through contractual provisions, including any such provisions approved by a privacy regulator, and oversight of the service provider. Regardless of where personal data is transferred, the CMG takes all steps reasonably necessary to ensure that personal data is kept securely. The foregoing is without prejudice to any provisions limiting our liability in the General Conditions for Accounts and Services.
(b) The Internet is not a secure form of communication and a data subject who sends the CMG any personal data over the Internet accepts the risks that this carries including the risk of access and interference by unauthorised third parties. Information passing over the Internet may be transmitted internationally (even when sender and recipient are located in the same country) via countries with weaker privacy and data protection laws than a data subject’s country of residence.
19. TRANSFER OF PERSONAL DATA TO DATA SUBJECTS’ THIRD PARTY SERVICE PROVIDERS USING THE BANK’S APPLICATION PROGAMMING INTERFACES (“API”) The Bank may, in accordance with the data subject’s instructions to the Bank or third party service providers engaged by the data subject, transfer the data subject’s data to third party service providers using the Bank’s API for the purposes notified to the data subject by the Bank or third party service providers and/or as consented to by the data subject in accordance with the Ordinance.
20. In this Notice, the following terms shall have the following meanings:
"CMG" means:
(a) the Bank or its successor;
(b) any subsidiary undertaking, related company, associated company, direct and/or indirect parent undertaking of the Bank;
(c) any subsidiary undertaking of any such parent undertaking;
(d) any related company of (a), (b) and (c) above; and
(e) any associated company of (a), (b) and (c) above;
and "CMG member" shall mean any of them; and
the expressions "subsidiary undertaking", "parent undertaking" and "undertaking" bear the meanings under the Companies Ordinance (Cap. 622).
21. In case of any discrepancy between the English and Chinese versions, the English version prevails.

Effective Date: 31st January 2024



Copyright(c) CMB Wing Lung Bank Ltd. 2021 All right reserved