Privacy policy

Privacy Policy Statement

It is the policy of CMB Wing Lung Bank Group (the "Group") to respect the privacy of their customers and keep the information relating to a customer secure and confidential. The Group also educates all staff of the importance of customers' privacy and requires them to comply with the strictest standards of security and confidentiality. Information is collected on the use of web portal from the Group's customers, which include the Group's web portal visitors.

Data Collection and Usage

The Group collects personal data from the Group's web portal visitors on a voluntary basis. Personal information may include name, title, e-mail address, etc. The information is used by the Group for the purposes indicated in the respective screens in which customers are invited to provide personal data and in the following Notice to Customers. Personal information held by the Group is kept confidential and the Group does not use customers' personal information for any purposes other than those already specified to customers herein or in the Group's Notice to Customers or unless such usage is permitted or required by law.

When an individual visits this web portal, the Group records the visit only as a "hit" but does not capture any personal identifiable information about the visitor. The Group gathers and analyzes this information to compile general statistics about usage of the Group's web portal. The Group also collects information about the visit by means of cookies files (Cookies are small pieces of data transmitted to and stored in the visitor's local hard drive). The data obtained would be used for web portal personalization and marketing. Cookies can not retrieve information stored in the visitor's hard disk. The visitor has a choice not to accept the cookies files, but if this is the case, certain functionality may not be available.

Data Disclosure Restrictions

The Group follows strict privacy procedures in regard to protection of personal data. No disclosure of personal identifiable information to third parties is allowed unless the related customer has been previously informed or the disclosure is permitted or required by any law binding on the Group or any of its branches.

Data Retention

The Group retains all records of online transactions for validation and auditing purposes. Information that is no longer required is destroyed.

Data Security

All personal data provided to the Group is secured with restricted access by authorized personnel. Encryption technology is employed for sensitive data to protect customers' privacy during data transmission.

Contact Us

Request for access to data or correction of data or for information regarding policies and practices and kinds of data held should be addressed to:

Data Protection Officer
CMB Wing Lung Bank Limited
45 Des Voeux Road Central, Hong Kong

Interpretation

In this statement, "Group" means CMB Wing Lung Bank Ltd., any subsidiary undertaking of CMB Wing Lung Bank Ltd., any direct or indirect parent undertaking of CMB Wing Lung Bank Ltd., any subsidiary undertaking of any such parent undertaking, or any of their related or associated companies including, for the avoidance of doubt, undertakings within the group of China Merchants Group.

June 2009

Notice to Customers relating to the Personal Data (Privacy) Ordinance (the "Ordinance"):

In compliance with the Ordinance, CMB Wing Lung Bank Ltd ("Bank") would wish to inform you of the following:

From time to time, it is necessary for customers, potential customers and various other individuals (including without limitation applicants for banking/financial services and banking/credit facilities, sureties, referees, guarantors, providers of security, shareholders, directors, officers and managers of corporate customers or applicants, and sole proprietors or partners of applicants and other contractual counterparties) (collectively, "data subjects") to supply the Group (as defined in paragraph 17 below) with data in connection with various matters including without limitation the opening or continuation of accounts and the establishment or continuation of banking/credit facilities or provision of securities and futures trading, credit card, insurance, tenancy and property management and other banking and financial services.

Failure to supply such data may result in the Group being unable to open or continue accounts or establish or continue banking/credit facilities or provide securities and futures trading, credit card, insurance, tenancy and property management and other banking and financial services for its customers.

It is also the case that data are collected from data subjects in the ordinary course of the continuation of the Group's business relationship with such data subjects, including without limitation, when payments are made to data subjects' accounts, when data subjects instruct the Bank to enter into transactions, when data subjects write cheques, deposit money, repay loans, conduct securities and futures trading, apply for credit cards, request the Bank to provide tenancy and property management services or purchase insurance or other banking and financial products and services.

The purposes for which data relating to a data subject may be used will vary depending on the nature of the data subject's relationship with the Group, which may comprise all or any one or more of the following purposes:-

(i)	the daily management and operation of the services and credit facilities provided by the Group to the data subject, including determining whether to provide or continue with the provision of, banking and financial services to the data subject;
(ii)	provision of bankers' references;
(iii)	conducting credit checks (including without limitation upon applications for consumer credit and periodic or special reviews of such consumer credit) which normally take place one or more times each year and, subject to the requirements set out in the Ordinance, carrying out matching procedures (as defined in the Ordinance);
(iv)	creating and maintaining the Group's credit or behaviour scoring models;
(v)	assisting other financial institutions, credit or charge card issuing companies and debt collection agents to conduct credit checks and collect debts;
(vi)	ensuring ongoing credit worthiness of data subjects;
(vii)	conducting market, service or product analysis or researching, designing, developing or improving financial services or related products of the Group for data subjects' use;
(viii)	marketing services, products and other subjects (in respect of which the Group may or may not be remunerated) (please see further details in paragraph 7 below);
(ix)	determining the amount of indebtedness owed to or by data subjects;
(x)	the enforcement of data subjects' obligations, including but without limitation the collection of amounts outstanding from data subjects and those providing security or guarantee for data subjects' obligations;
(xi)	complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Group or any Group member or that it is expected to comply according to:
	(1)	any law binding or applying to it within or outside the Hong Kong Special Administrative Region existing currently and in the future;
	(2)	any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside the Hong Kong Special Administrative Region existing currently and in the future;
	(3)	any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Group or any Group member by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;
(xii)	complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the Group and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
(xiii)	enabling an actual or proposed assignee of the Group (including their legal, accounting and/or commercial advisers), or participant or sub-participant of the Group's rights in respect of the data subjects (including legal, accounting and/or commercial advisers to such participant or sub-participant) to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;
(xiv)	comparing data of data subjects or other persons for credit checking, data verification or otherwise producing or verifying data, whether or not for the purpose of taking adverse action against the data subjects;
(xv)	maintaining a credit history of data subjects (whether or not there exists any relationship between data subjects and the Group) for present and future reference;
(xvi)	exchanging information with merchants accepting credit cards issued by the Group and entities with whom the Group provides affinity/co-branded/private label credit card services (each a "merchant" or an "affinity entity") (the names of such affinity entities can be found in the application form(s) for the relevant services and products);
(xvii)	verifying data subjects' identities with the bank of any merchant in connection with any credit card payment or transaction;
(xviii)	for reasonable internal management purposes (including without limitations, the defence of claims and the monitoring of the quality and efficiency of services offered or provided by the Group); and
(xix)	purposes relating thereto.

The data of a data subject may be processed, kept and transferred or disclosed in and to any country (in or outside Hong Kong) as the Group or any of the transferees contemplated in paragraph 4 may consider appropriate for the purposes set out under paragraph 4. Such data may also be released or disclosed in accordance with the local practices and laws, rules and regulations (including any governmental acts and orders) to which the Group and/or such contemplated transferees are subject to the applicable jurisdiction (inside or outside Hong Kong). Data held by the Group relating to data subjects will be kept confidential but the Group is authorized to provide the data of a data subject to the following parties whether inside or outside Hong Kong for the purposes set out in paragraph 4:-

(i)	any agent, contractor, claim adjuster or third party service provider who provides administrative, management, telecommunications, computer, payment or securities clearing, underwriting, depository, custodian, registration or other services to the Group in connection with the operation of its business;
(ii)	any other person under a duty of confidentiality to the Bank including a Group member which has undertaken to keep such information confidential;
(iii)	the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;
(iv)	credit reference agencies; and, in the event of default, to debt collection agencies;
(v)	any person to whom the Group or Group member is under an obligation or otherwise required to make disclosure under the requirements of any law binding on or applying to the Group or Group member, or any disclosure under and for the purposes of any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers with which the Group or Group member is expected to comply, or any disclosure pursuant to any contractual or other commitment of the Group or Group member with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers, all of which may be within or outside the Hong Kong Special Administrative Region and may be existing currently and in the future;
(vi)	any actual or proposed assignee of the Group (including their legal, accounting and/or commercial advisers) or participant or sub-participant or transferee of the Group's rights (including their legal, accounting and/or commercial advisers) in respect of the data subject;
(vii)	any insurance company or agent, and securities and futures broker, merchant or other business partners of the Group;
(viii)	any financial institution and charge card or credit card issuing companies with which the data subjects have or propose to have dealings;
(ix)	any party giving or proposing to give a guarantee or third party security to guarantee or secure the data subjects' obligations;
(x)	Joint Electronic Teller Services Limited ("JETCO"), operators or participants of the JETCO network and other issuers of ATM cards;
(xi)	the bank of any merchant in connection with any credit card payment or transactions for the purpose of verifying the identity of the cardholder;
(xii)	any Group member in Hong Kong or other jurisdiction(s);
(xiii)	(1)	third party financial institutions, insurers, credit card companies, securities and investment services providers;
	(2)	third party reward, loyalty, co-branding and privileges programme providers;
	(3)	co-branding partners of the Group (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);
	(4)	charitable or non-profit making organisations; and
	(5)	external service providers (including but not limited to mailing houses, telecommunication companies, telemarketing and direct sales agents, call centres, data processing companies and information technology companies) that the Group engages for the purposes set out in paragraph 4(viii); and
(xiv)	any other person (x) where public interest requires; or (y) with the express or implied consent of the data subject.

With respect to data in connection with mortgages applied by a data subject (whether as a borrower, mortgagor or guarantor and whether in the data subject's sole name or in joint names with others) on or after 1 April 2011, the following data relating to the data subject (including any updated data of any of the following data from time to time) may be provided by the Group, on its own behalf and/or as agent, to a credit reference agency:

(i)	full name;
(ii)	capacity in respect of each mortgage (as borrower, mortgagor or guarantor, and whether in the data subject's sole name or in joint names with others);
(iii)	Hong Kong Identity Card Number or travel document number;
(iv)	date of birth;
(v)	correspondence address;
(vi)	mortgage account number in respect of each mortgage;
(vii)	type of the facility in respect of each mortgage;
(viii)	mortgage account status in respect of each mortgage (e.g. active, closed, write-off (other than due to a bankruptcy order), write-off due to a bankruptcy order); and
(ix)	if any, mortgage account closed date in respect of each mortgage.

The credit reference agency will use the above data supplied by the Group for the purposes of compiling a count of the number of mortgages from time to time held by the data subject with credit providers in Hong Kong, as borrower, mortgagor or guarantor respectively and whether in the data subject's sole name or in joint names with others, for sharing in the consumer credit database of the credit reference agency by credit providers (subject to the requirements of the Code of Practice on Consumer Credit Data approved and issued under the Ordinance).

USE OF DATA IN DIRECT MARKETING
The Group intends to use a data subject's data in direct marketing and the Group requires the data subject's consent (which includes an indication of no objection) for that purpose. In this connection, please note that:

(i)	the name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data of a data subject held by the Group from time to time may be used by the Group in direct marketing;
(ii)	the following classes of services, products and subjects may be marketed:
	(1)	financial, insurance, credit card, banking and related services and products;
	(2)	reward, loyalty or privileges programmes and related services and products;
	(3)	services and products offered by the Group's co-branding partners (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and
	(4)	donations and contributions for charitable and/or non-profit making purposes;
(iii)	the above services, products and subjects may be provided or (in the case of donations and contributions) solicited by the Group and/or:
	(1)	the Group member;
	(2)	third party financial institutions, insurers, credit card companies, securities and investment services providers;
	(3)	third party reward, loyalty, co-branding or privileges programme providers;
	(4)	co-branding partners of the Group and the Group member (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and
	(5)	charitable or non-profit making organisations;
(iv)	in addition to marketing the above services, products and subjects itself, the Group also intends to provide the data described in paragraph 7(i) above to all or any of the persons described in paragraph 7(iii) above for use by them in marketing those services, products and subjects, and the Group requires the data subject's written consent (which includes an indication of no objection) for that purpose;
(v)	The Group may receive money or other property in return for providing the data to the other persons in paragraph 7(iv) above and, when requesting the data subject's consent or no objection as described in paragraph 7(iv) above, the Group will inform the data subject if it will receive any money or other property in return for providing the data to the other persons.

If data subject does not wish the Group to use or provide to other persons his/her data for use in direct marketing as described above, the data subject may exercise his/her opt-out right by notifying the Group.

Under and in accordance with the terms of the Ordinance and the Code of Practice on Consumer Credit Data approved and issued under the Ordinance, any data subject has the right:-

(i)	to check whether the Group holds data about him and of access to such data;
(ii)	to require the Group to correct any data relating to him which is inaccurate;
(iii)	to ascertain the Group's policies and practices in relation to data and to be informed of the kind of personal data held by the Group;
(iv)	in relation to consumer credit data, to request to be informed which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the making of a data access and correction request to the relevant credit reference agency or debt collection agency; and
(v)	in relation to any account data (including, for the avoidance of doubt, any account repayment data) which has been provided by the Group to a credit reference agency, to instruct the Group, upon termination of the account by full repayment, to make a request to the credit reference agency to delete such account data from its database, as long as the instruction is given within five years of termination and at no time was there any default of payment in relation to the account, lasting in excess of 60 days within five years immediately before account termination. Account repayment data include amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by the Group to a credit reference agency), remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any)).

In the event of any default of payment relating to an account, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days from the date such default occurred, the account repayment data (as defined in paragraph 8(v) above) may be retained by the credit reference agency until the expiry of five years from the date of final settlement of the amount in default.

10.

In the event any amount in an account is written-off due to a bankruptcy order being made against a data subject, the account repayment data (as defined in paragraph 8(v) above) may be retained by the credit reference agency, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until the expiry of five years from the date of final settlement of the amount in default or the expiry of five years from the date of discharge from a bankruptcy as notified by the data subject with evidence to the credit reference agency, whichever is earlier.

11.

The Group may have obtained a credit report on a data subject and any of its sureties from a credit reference agency in considering any application for credit. In the event the data subject or any of its sureties wishes to access the credit report or to request to have any personal data of the data subject held by the credit reference agency corrected pursuant to the Ordinance, the Group will advise the contact details of the relevant credit reference agency.

12.

The Group may access the database of a credit reference agency for the purpose of credit review of any data subject from time to time. In particular, the Group may access the consumer credit data of any data subject held by a credit reference agency for the purpose of the review of their existing consumer credit facilities which may involve the consideration by the Group of any of the following matters:

(i)	an increase in the credit amount;
(ii)	the curtailing of credit (including the cancellation of credit or a decrease in the credit amount); or
(iii)	the putting in place or the implementation of a scheme of arrangement with the data subject.

13.

In accordance with the terms of the Ordinance, the Group has the right to charge a reasonable fee for the processing of any data access or correction request.

14.

The person to whom requests for access to data or correction of data or for information regarding policies and practices and kinds of data held are to be addressed is:-
The Data Protection Officer
CMB Wing Lung Bank Ltd
45 Des Voeux Road Central, Hong Kong
Telephone: 230 95555

15.

You may, at any time and without charge, choose not to receive our promotional material. You must inform us in writing at the address specified in paragraph 14 or such other updated address as we may notify you from time to time if you do not wish to receive such material.

16.

Nothing in this Notice shall limit the rights of data subjects under the Ordinance.

17.

In this Notice, the following terms shall have the following meanings:
"Group" and "CMB Wing Lung Bank Group" mean the Bank or its successor, any subsidiary undertaking of the Bank, any related company of the Bank, any associated company of the Bank, any direct and/or indirect parent undertaking of the Bank, any subsidiary undertaking of any such parent undertaking, any of their related companies, any of their associated companies including, for the avoidance of doubt, undertakings within the group of China Merchants Group Ltd (and "Group member" shall be construed accordingly); and
The expressions "subsidiary undertaking", "parent undertaking" and "undertaking" bear the meanings under the Companies Ordinance (Cap.32).

18.

In case of any discrepancy between the English and Chinese versions, the English version prevails.