Top of main content

HSBC Bank (China) Company Limited Personal Information and Privacy Protection Policy

Date of Update: 15 October, 2021

Effective Date: 1 November, 2021

HSBC Bank (China) Company Limited ("HSBC", "the Bank", "we" or "us") take the confidentiality and security of personal information very seriously, and strive at all times to protect personal information and privacy of our customers and other related personal information subjects ("you" or "Information Subject") according to law. We therefore formulate this Personal Information and Privacy Protection Policy (this "Policy") to help you understand the purposes, methods, and scope of personal information we collect and use, our practices regarding personal information and privacy protection, your rights and interests with regard to personal information and privacy and how to assert your rights and interests. Please read through this Policy carefully and pay particular attention to the provisions that are bolded and/or underlined.

  1. For your convenience to understand the purpose and category of personal information we collect when you sign up for our service, we therefore explain them under the particular service scenario.
  2. When you sign up for some particular services, we will collect your sensitive personal information (for example, biometric information) after you give us clear, active consent. Refusal on providing consent might affect you use related service, but will not affect you use other services we provided.
  3. To provide the service per you request, we might need to share your personal information to third party. We will carefully assess the legitimacy, propriety,, and necessity of the data sharing with third party. We will ask the relevant third party take all data protection measures required pursuant to Laws and Regulations. We will in accordance with the requirements of Laws and Regulations, ask for your consent or ask the relevant third party to demonstrate they have received your consent via confirmation agreement, page prompt and/or interactive process.

We fully understand how important your personal information means to you, and we will exert our effort to protect the security of your personal information. We have always been committed to maintain your trust and will stick to below principles to protect your personal information: Right and Responsibility Consistency, Explicit Purpose, Freely Given Consent, Minimum and Necessity, Assurance of information security, Participation, Fair and Transparency. We are also committed to take appropriate security measures to protect your information.
This Policy shall apply to personal information of you and related parties that may be involved when you visit, browse, or use our website or mobile device application, apply for or use any product, device or service of us, handle any business or make any transaction with us, participate in any of our marketing events and surveys, and in any way contact or correspond with us, no matter the information is provided by yourself or by the related parties, or collected or acquired by us from other sources according to law, regulation, regulatory provision, or based on your or related parties' authorisation or consent.

The table of content of this Policy is set out as below:

I. How We Protect Your Personal Information

II. How We Collect Your Personal Information

III. How We Use Your Personal Information

IV. How We Store Your Personal Information

V.  How We Share, Transfer and Publicly Disclose Your Personal Information

VI. Special Circumstances for Information Processing

VII. How We Use Cookies and Other Technologies

VIII. Your Rights Relating to Personal Information

IX. How to Contact Us

X. Protection of Minors' Personal Information

XI. Formulation, Effectiveness and Update of this Policy and Others

We shall collect, use, store, disclose, and protect your and related parties' personal information in accordance with this Policy. We may separately issue specific personal information protection policy tailor made for specific channels, products, services, businesses and activities (such as the Personal Information and Privacy Protection Policy for Digital Banking). The specific personal information protection policy so made shall apply in the specific scenarios as prescribed in such policy. If there is any discrepancy between this Policy and the other agreements entered into or other terms and conditions agreed between you (or relevant parties of which you are a representative or with which you have a relationship) and us, such other agreements or terms and conditions shall prevail.

I.How We Protect Your Personal Information

  1. Information security is our top priority. We will endeavour at all times to safeguard your personal information against unauthorised or accidental access, processing or damage. We maintain this commitment to information security by implementing appropriate physical, electronic and managerial measures to secure your personal information. We will take responsibility in accordance with the law if your information suffers from unauthorised access, public disclosure, erasure or damage for a reason attributable to us and so impairs your lawful rights and interests.
  2. Our website supports advanced encryption technology - an existing industry standard for encryption over the Internet to protect data. When you provide personal sensitive information through our website, it will be automatically converted into codes so as to ensure secure transmission afterwards. Our web servers are protected behind "firewalls" and our systems are monitored to prevent any unauthorized access. Our mobile banking application software has passed Union-pay payment application software security test conducted by Bank Card Test Centre and the software filing for mobile financial client application of National Internet Finance Association of China.
  3. We maintain strict security system to prevent unauthorized access to your personal information. We exercise strict management over our staff members who may have access to your personal information, including but not limited to access control applied to different positions, contractual obligation of confidentiality agreed with relevant staff members, formulation and implementation of information security related policies and procedures, and information security related training offered to staff.
  4. We will not disclose your personal information to any third party, unless the disclosure is made to comply with laws, regulations and regulatory requirements or according to this Policy or other agreement (if any) or based on your or related parties' separate consent or authorisation. When we use services provided by external service providers (entities or individuals), we also impose strict confidentiality obligations on them and request them to abide by the security standards of this Policy when processing personal information.
  5. For the security of your personal information, you take on the same responsibility as us. You shall properly take care of your personal information, such as your bank account information, identity verification information (e.g. user name, password, dynamic password, verification code, etc.), and all the documents, devices or other media that may record or otherwise relate to such information, and shall ensure your personal information and relevant documents, devices or other media are used only in a secured environment. You shall not, at any time, disclose to any other person or allow any other person to use such information and relevant documents, devices or other media. Once you think your personal information and/or relevant documents, devices or other media have been disclosed, lost or stolen, or may otherwise affect the security of your use of our products, devices or services, you shall notify us immediately so that we may take appropriate measures to prevent further loss from occurring.
  6. We will organize regular staff training and drills on emergency response. If unfortunately personal information security incident occurs, we will adopt emergency plan and take relevant actions and remediation measures to mitigate the severity and losses in connection therewith. Meanwhile, we will, following the applicable requirements set out in law and regulation, inform you of the basic information of the security incident and its possible impact, the actions and measures we have taken or will take, suggestions for you to prevent and mitigate the risk, and applicable remediation measures. We will inform you about the security incident by email, mail, call, SMS, push notification or through other methods as appropriate in a timely manner. Where it is difficult to notify each Information Subject, we will post public notice in a reasonable and effective way. Meanwhile, we will report such personal information security incident and our actions in accordance with applicable law, regulation and regulatory requirements.

II. How We Collect Your Personal Information

  1. For the purpose of complying with law, regulation and regulatory provision, or as required for us to provide you or relevant parties with various products and services and continuously improve our products and services, or in order to contact or communicate with you or relevant parties, understand the needs of you or relevant parties, build up, review, maintain and develop our relationship with you or relevant parties, we may receive and keep the personal information provided by yourself or by related parties, or, according to law, regulation, regulatory provision, your or relevant parties' authorisation or consent, collect, enquire, and verify by proper methods your and/or related parties' personal information from/with members of the HSBC Group or other third parties (including but not limited to credit reference agencies, information service providers, relevant authorities, employers, counterparties, joint applicants, contact persons, close relatives and other entities/individuals). "HSBC Group" under this Policy means HSBC Holdings plc, and/or any of, its affiliates, subsidiaries, associated entities and any of their branches and offices (together or individually), and "member of the HSBC Group" has the same meaning.
  2. The personal information we so collect may be in paper, electronic or any other forms.
  3. When you visit, browse, use our website and/or applications as a visitor, we may collect information about the browser or device you use (such as IP address, operating system, and browser version), your browsing actions and patterns. We use Cookies and other similar technologies to collect above information. You may disable Cookies by changing your settings (for details, please refer to Article VII of this Policy "How We Use Cookies and Other Technologies").

The technical information which cannot identify any individual will not be treated as personal information. However, when such technical information can identify the individual alone or in combination with other information, we will protect it as your personal information.

We may invite you to subscribe to our newsletter, updates, alerts or to participate in our marketing events or survey via our website and/or applications (such as our WeChat subscription account). If you accept relevant invitation, we may collect the information you provide to us by filling out contact forms or questionnaires, etc. The said information may include name, telephone number, email address, employer name, and job position etc. Refusal to provide such information will not affect your visiting, browsing or using our website and/or applications.

4.When you are our prospect or existing individual customer, in order for us to provide you with our products/services and to handle relevant banking business, we may collect the following information upon your consent or authorization:

Purposes or Functions (Products/Services/Business)
Information We May Need to Collect
To open bank account; to apply for/collect bank card; to process savings, money receiving, payment or transfer, credit card, loan business; to purchase investment, insurance or other financial products; to maintain proper and secure operation of banking business, to prevent and control banking related risk
(1) Personal identity information, including name, sex, nationality, citizenship, registered residence (Hu Kou), ethnic, type/number/validity period of ID certificate, occupation, education, diploma, working experience, telephone number, e-mail, contact information, age, birth date, place of birth, marital status, health status, family status, place of residence, the date of moving to residence, home address, work address, photo, social security information, occupational information, personal virtual identity and authentication information (e.g. Internet Banking account information), any relationship with politically exposed person ("PEP") and relevant information etc.;

 (2) Personal property information, including personal income, real property, movable property (e.g. vehicle, financial assets, etc.), indebtedness, investment, tax-paid amount, tax residence, taxpayer identification number, amount paid for the provident fund, etc.;

 (3) Personal biometrics information, such as signature, handwriting, portrait, fingerprint, voice, face recognition information, etc.;

 (4) Personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, etc.;

 (5) Personal credit information, including credit card, loan and other credit transaction information, litigation and investigation information, penalty and any other information about personal credit status;

 (6) Personal financial transaction information, including personal information acquired, kept, recorded during any payment, settlement, wealth management, safe deposit box or other banking business, personal information generated from transactions made through us with any third party institution like insurance company, securities company, fund house, futures company or payment agency, and etc.;

 (7) Transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience;

 (8) Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts or for compliance with laws and regulations and regulatory requirements, e.g. time/location (including geographic location and network address) of service use, correspondence or other communication records (including video or audio records, call log and correspondence records and contents), device identifier and code, hardware type and serial number, operating system version, software version, IP address, network service provider etc

(9)Personal information acquired during related guest survey, eg: Due Diligence, personal information needed to be collected during the process of sanction or anti-money laundry survey.

4.When you are our prospect or existing individual customer, in order for us to provide you with our products/services and to handle relevant banking business, we may collect the following information upon your consent or authorization:

Purposes or Functions (Products/Services/Business)
To open bank account; to apply for/collect bank card; to process savings, money receiving, payment or transfer, credit card, loan business; to purchase investment, insurance or other financial products; to maintain proper and secure operation of banking business, to prevent and control banking related risk
Information We May Need to Collect
(1) Personal identity information, including name, sex, nationality, citizenship, registered residence (Hu Kou), ethnic, type/number/validity period of ID certificate, occupation, education, diploma, working experience, telephone number, e-mail, contact information, age, birth date, place of birth, marital status, health status, family status, place of residence, the date of moving to residence, home address, work address, photo, social security information, occupational information, personal virtual identity and authentication information (e.g. Internet Banking account information), any relationship with politically exposed person ("PEP") and relevant information etc.;

 (2) Personal property information, including personal income, real property, movable property (e.g. vehicle, financial assets, etc.), indebtedness, investment, tax-paid amount, tax residence, taxpayer identification number, amount paid for the provident fund, etc.;

 (3) Personal biometrics information, such as signature, handwriting, portrait, fingerprint, voice, face recognition information, etc.;

 (4) Personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, etc.;

 (5) Personal credit information, including credit card, loan and other credit transaction information, litigation and investigation information, penalty and any other information about personal credit status;

 (6) Personal financial transaction information, including personal information acquired, kept, recorded during any payment, settlement, wealth management, safe deposit box or other banking business, personal information generated from transactions made through us with any third party institution like insurance company, securities company, fund house, futures company or payment agency, and etc.;

 (7) Transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience;

 (8) Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts or for compliance with laws and regulations and regulatory requirements, e.g. time/location (including geographic location and network address) of service use, correspondence or other communication records (including video or audio records, call log and correspondence records and contents), device identifier and code, hardware type and serial number, operating system version, software version, IP address, network service provider etc

(9)Personal information acquired during related guest survey, eg: Due Diligence, personal information needed to be collected during the process of sanction or anti-money laundry survey.

The above information is the basic information we must collect to provide you with banking products or services, to perform our contract with you and to comply with laws, regulations and regulatory requirements. If you refuse to provide those information (or the information so provided is incomplete, inaccurate or untrue), you will not be able to use our regular banking products or services.

5. When you give or propose to give guarantees for obligations owed by our individual customers or non-individual customers (including corporate, enterprise, institution or other legal entities) to us, we may collect the following information upon your or relevant customer's consent or authorization:

Purposes or Functions (Products/Services/Business)
Information We May Need to Collect
To give or propose to give guarantees for obligations owed by our individual customers or non-individual customers to the Bank; to maintain proper and secure operation of banking business, to prevent and control banking related risk
(1) Personal identity information, including name, sex, nationality, type/number/validity period of ID certificate, occupation, job position, relationship with relevant customers (such as employment/shareholding/investment relationship), telephone number, e-mail, contact information, birth date, place of birth, place of residence, work address, photo, any relationship with PEP and relevant information etc.;

(2) Personal property information, including personal income, real property, movable property (e.g. vehicle, financial assets, etc.), indebtedness, investment, tax-paid amount, tax residence, taxpayer identification number, amount paid for the provident fund, etc.;

(3) Personal biometrics information, such as signature, handwriting, portrait, fingerprint, voice, face recognition information, etc.

(4) Personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, etc.;

(5) Personal credit information, including credit card, loan and other credit transaction information, litigation and investigation information, penalty and any other information about personal credit status;

(6) Personal information arising from customer investigation, e.g. personal information collected during customer due diligence, sanctions or anti-money laundering checks etc.;

(7) Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts or for compliance with laws, regulations and regulatory requirements, e.g. personal information included in the customer documentation, personal information arising from any suspicious and unusual activity investigation, correspondence or other communication records(including video or audio records, call log and correspondence records and contents), device identifier and code, hardware type and serial number, operating system version, software version, IP address, network service provider etc.

5. When you give or propose to give guarantees for obligations owed by our individual customers or non-individual customers (including corporate, enterprise, institution or other legal entities) to us, we may collect the following information upon your or relevant customer's consent or authorization:

Purposes or Functions (Products/Services/Business)
To give or propose to give guarantees for obligations owed by our individual customers or non-individual customers to the Bank; to maintain proper and secure operation of banking business, to prevent and control banking related risk
Information We May Need to Collect
(1) Personal identity information, including name, sex, nationality, type/number/validity period of ID certificate, occupation, job position, relationship with relevant customers (such as employment/shareholding/investment relationship), telephone number, e-mail, contact information, birth date, place of birth, place of residence, work address, photo, any relationship with PEP and relevant information etc.;

(2) Personal property information, including personal income, real property, movable property (e.g. vehicle, financial assets, etc.), indebtedness, investment, tax-paid amount, tax residence, taxpayer identification number, amount paid for the provident fund, etc.;

(3) Personal biometrics information, such as signature, handwriting, portrait, fingerprint, voice, face recognition information, etc.

(4) Personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, etc.;

(5) Personal credit information, including credit card, loan and other credit transaction information, litigation and investigation information, penalty and any other information about personal credit status;

(6) Personal information arising from customer investigation, e.g. personal information collected during customer due diligence, sanctions or anti-money laundering checks etc.;

(7) Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts or for compliance with laws, regulations and regulatory requirements, e.g. personal information included in the customer documentation, personal information arising from any suspicious and unusual activity investigation, correspondence or other communication records(including video or audio records, call log and correspondence records and contents), device identifier and code, hardware type and serial number, operating system version, software version, IP address, network service provider etc.

The above information is the basic information we must collect to proceed relevant guarantee business, to perform our contract with you or such customers and to comply with laws, regulations and regulatory requirements. If you refuse to provide those information (or the information so provided is incomplete, inaccurate or untrue), you or relevant customers will not be able to use the relevant banking products or services we provide.

6. When you are a connected person of our prospect or existing non-individual customers (for the purpose of this Policy, connected person means any other person with whom our prospect or existing non-individual customer has a relationship, including but not limited to, a director, supervisor or employee of a company, partners or members of a partnership, any shareholder, substantial owner, controlling person, or beneficial owner, trustee, settler or protector of a trust, account holder of a designated account, payee of a designated payment, representative, agent or nominee of the account holder, or the account holder's principal where the account holder is acting on another's behalf), we may collect the following information upon your or relevant customer's consent or authorization:

Purposes or Functions (Products/Services/Business)
Information We May Need to Collect
To provide banking products/services or businesses to relevant customers; to maintain proper and secure operation of banking business, to prevent and control banking related risk
(1) Personal identity information, including name, sex, nationality,  type/number/validity period of ID certificate, occupation, job position, relationship with relevant customers  (such as employment/shareholding/investment relationship), telephone number, e-mail, contact information, birth date, place of birth, place of residence, work address, photo, personal virtual identity and authentication information (e.g. login information required for corporate internet banking), any relationship with PEP and relevant information etc.;

(2) Personal biometrics information, such as signature, handwriting, portrait, fingerprint, voice, face recognition information, etc.

(3) Personal credit information, including source of wealth, litigation and investigation information, penalty and any other information about personal credit status;

(4) Personal information arising from customer investigation, e.g. personal information collected during customer due diligence, sanctions or anti-money laundering checks etc.;

(5) Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts or for compliance with laws, regulations and regulatory requirements, e.g. personal information included in the customer documentation, personal information arising from any suspicious and unusual activity investigation, correspondence or other communication records(including video or audio records, call log and correspondence records and contents), device identifier and code, hardware type and serial number, operating system version, software version, IP address, network service provider etc.

6. When you are a connected person of our prospect or existing non-individual customers (for the purpose of this Policy, connected person means any other person with whom our prospect or existing non-individual customer has a relationship, including but not limited to, a director, supervisor or employee of a company, partners or members of a partnership, any shareholder, substantial owner, controlling person, or beneficial owner, trustee, settler or protector of a trust, account holder of a designated account, payee of a designated payment, representative, agent or nominee of the account holder, or the account holder's principal where the account holder is acting on another's behalf), we may collect the following information upon your or relevant customer's consent or authorization:

Purposes or Functions (Products/Services/Business)
To provide banking products/services or businesses to relevant customers; to maintain proper and secure operation of banking business, to prevent and control banking related risk
Information We May Need to Collect
(1) Personal identity information, including name, sex, nationality,  type/number/validity period of ID certificate, occupation, job position, relationship with relevant customers  (such as employment/shareholding/investment relationship), telephone number, e-mail, contact information, birth date, place of birth, place of residence, work address, photo, personal virtual identity and authentication information (e.g. login information required for corporate internet banking), any relationship with PEP and relevant information etc.;

(2) Personal biometrics information, such as signature, handwriting, portrait, fingerprint, voice, face recognition information, etc.

(3) Personal credit information, including source of wealth, litigation and investigation information, penalty and any other information about personal credit status;

(4) Personal information arising from customer investigation, e.g. personal information collected during customer due diligence, sanctions or anti-money laundering checks etc.;

(5) Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts or for compliance with laws, regulations and regulatory requirements, e.g. personal information included in the customer documentation, personal information arising from any suspicious and unusual activity investigation, correspondence or other communication records(including video or audio records, call log and correspondence records and contents), device identifier and code, hardware type and serial number, operating system version, software version, IP address, network service provider etc.

The above information is the basic information we must collect to provide products or services to relevant customers, to perform our contract with you or such customers and to comply with laws, regulations and regulatory requirements. If you refuse to provide those information (or the information so provided is incomplete, inaccurate or untrue), you or relevant customers will not be able to use the relevant products or services we provide.

7. You may decide, at your free choice, to provide us, or allow us to collect from you or any third party as you agree, the relevant information for specific purposes or functions, for example, the personal information that you provide to us for the purposes of improving service experience, participating in our marketing activities or survey, making an appointment to open an account or for other business. You can choose not to provide such information. Your failure to provide such information will make you unable to participate or enjoy the corresponding convenience or functions, but will not affect your normal use of our other services.

8. Please understand that the services we provide are constantly evolving. If you or relevant customers choose to use any other service not listed above for which we have to collect your information, we will separately explain to you or relevant customers, the purposes, methods, and scope of personal information we collect etc., through reminders, alerts, interaction with you, agreements entered into with you or other appropriate method, and obtain your or relevant customers' consent for that. We will use, store, disclose, and protect your information in accordance with this Policy and other agreements (if any) between you and us. If you or relevant customers choose not to provide certain information, you or relevant customers may be unable to use certain or part of the service, but your or relevant customers' use of other services we provide will not be affected.

III.How We Use Your Personal Information

  1. We will use your information to realize the purposes and functions mentioned in above Article II of this Policy "How We Collect Your Personal Information". 
  2. When you visit, browse, use our website and/or applications as a visitor, we may use your information for the following purposes:
    (1) to respond to your queries and requests; 
    (2) to provide you with information, products or services that you request from us or which we feel may interest you, subject to your prior consent;
    (3) to perform contracts or agreements entered into between you and us; 
    (4) to allow you to interact with us at our website and/or applications;
    (5) to notify you about changes to our website and/or applications;
    (6) to ensure the content of our website and/or application is presented in an effective manner on your device;
    (7) to maintain proper and secure operation of website and/or applications as well as banking business or services, to prevent and control risk, or to detect and prevent misuse or abuse of our website, applications, products or services; 
    (8) to meet the compliance obligations of us or the HSBC Group, or to comply with any applicable laws and regulations that we and HSBC Group are subject to; and
    (9) to make statistics and analysis of the use of our business, products, services or functions. But such statistics will not contain any of your personally identifiable information.
  3. When you are our prospect or existing individual customer, a connected person of our non-individual customers or a personal guarantor, we may use your information for the following purposes:
    (1) to provide you or related parties with products or services, to recognize or verify the identity of you or related parties, or to approve, manage, handle, execute or effect transactions requested or authorised by you or related parties;
    (2) to comply with any Applicable Laws ("Applicable Laws" refer to any applicable local or foreign statute, law, regulation, ordinance, rule, judgment, decree, voluntary code, directive, sanctions regime, court order applicable to any member of the HSBC Group, agreement between any member of the HSBC Group and an authority, or agreement or treaty between authorities and applicable to the Bank or a member of the HSBC Group) and any order or requirement from any authority;
    (3) to perform the Bank's and/or the HSBC Group's compliance obligations (including regulatory compliance, tax compliance and/or compliance with any Applicable Laws or requirement of any authority), or to implement any policy or procedure made by the Bank and/or the HSBC Group for the performance of compliance obligations;
    (4) to ensure safe and stable financial services, prevention or prohibition of illegal or incompliant activities, to control or reduce risks, to detect, investigate and prevent any real, suspected or potential financial crime (including money laundering, terrorist financing, bribery, corruption, tax evasion, fraud, evasion of economic or trade sanctions, and/or violations, or acts or attempts to circumvent or violate any Applicable Laws relating to these matters) and to manage financial crime risk;
    (5) to collect any amounts due from any debtor;
    (6) to conduct credit or credit reference checks, to verify, obtain or provide credit references or credit information;
    (7) to enforce or defend the Bank or any member of the HSBC Group's rights, or to perform the Bank or any member of the HSBC Group's obligations;
    (8) as required by or to fulfil the Bank or the HSBC Group's reasonable operational requirements (including for credit and risk management, data statistics, analysis, processing and handling, archiving and recording, system, product and service design, research, development and improvement, planning, insurance, audit and administrative purposes);
    (9) subject to your or relevant parties' authorization, market or promote relevant products or services to you or relevant parties, to assess your or relevant parties' interests in relevant products or services, or to conduct market research or survey or satisfaction survey; and
    (10) to obtain or utilize administrative, consultancy, telecommunications, computer, payment, data storage, processing, outsourcing and/or other products or services.
  4. The above information collection and use in this Policy shall not impact our use of your information for the purposes as otherwise agreed between you or related parties and us.
  5. If we use your personal information for the purposes other than the purposes of collection and use as set forth in this Policy or in other agreement between you or related parties and us, we shall obtain your consent before using your personal information for such additional purposes.

IV. How We Store Your Personal Information

We comply with Chinese laws and requirements on data storage. When we collect or process your information, we will, according to applicable laws and regulations, regulatory, archival, accounting, auditing or reporting requirements, and the purposes as set forth in this Policy, store your information for a period as minimum as necessary to fulfill the purposes of information collection. To provide the cross-border service(eg: cross-border remittance), after obtaining your consent, your information may be transferred to abroad. Under this circumstance, we will adopt appropriate, necessary and effective security methods(encryption) to protect your information security. After the retention period expires, we will destroy, delete or de-identify relevant information, or where the destruction, deletion or anonymization is not possible, store your personal information securely and separate it from other data processing. The aforementioned requirements do not apply to the information that needs to be retained according to applicable laws and regulations, regulatory, archival, accounting, auditing or reporting requirements, special agreement between you or relevant customers and us, or for settlement of indebtedness between you or relevant customers and us, or for record check or enquiry from you, relevant customers, regulators or other authorities.

V.How We Share, Transfer and Publicly Disclose Your Personal Information

  1. Entrusted Processing and Sharing

    For the purposes set out above in this Policy, we may provide or disclose all or part of your personal information to the following recipients under the preconditions that such provision or disclosure is necessary and is made with proper protective measures (please refer to Article I of this Policy "How We Protect Your Personal Information" for details) and the recipients may also, for the aforesaid purposes, use, process or further disclose the information they receive provided that corresponding protective measures are adopted pursuant to the applicable laws or our requirements:

    (1) any member of the HSBC Group;

    (2) any contractor, subcontractor, agent, third party product or service provider, licensor, professional consultant, business partner, or associated person of the HSBC Group (including their employees, directors and officers);

    (3) any regulator of the Bank or any member of the HSBC Group or any other authority, or any organisation or individual designated by such regulators or authorities;

    (4) anyone acting on your or relevant customers' behalf according to your or relevant customers' authorisation or according to law, payment recipients, beneficiaries, account nominees, intermediary, correspondent and agent banks (e.g. those for CHAPS, BACS and SWIFT), clearing houses, clearing or settlement systems, market counterparts, upstream withholding agents, swap or trade repositories, stock exchanges, companies in which you or relevant customers have an interest in securities (where such securities are held by us for you or relevant customers), or anyone making any payment to you;

    (5) any person or related party who has the right or obligation, acquires an interest or assumes risk, in or in connection with any product or service you receive from the Bank, or any business you or relevant customers handle at the Bank or any transaction you or relevant customers make with the Bank (for example, the person who provides or intends to provide any mortgage or other security for any of your or relevant customers' debt to the Bank, or the beneficiary of the insurance product that the Bank distributes to you);

    (6) other financial institutions, industrial associations, bank card organisations, credit rating agencies, credit reference agencies (including without limitation, the Basic Financial Credit Information Database) or information service providers;

    (7) any third party fund manager providing you or relevant customers with asset management services through us;

    (8) any third party to whom we provide referral, agency or intermediary service; and

    (9) any party in connection with any business/asset transfer, restructure, disposal (including securitisation), merger, spin-off or acquisition transactions of the Bank.


    Such provision or disclosure will involve cross border transmission of personal information, including information being transmitted to or being accessed from overseas only when the above recipient(s) is an overseas institution/person. Whether it is processed domestically or overseas, in accordance with applicable personal information or data protection legislation, your personal information will be protected by a strict code of secrecy and security which, the Bank, other members of the HSBC Group, their staff and third parties are subject to.
    Subject to applicable laws and regulations, we will seek your separate consent and notify you of the data sharing/transferring, including the data receiver's identity, contact information, purpose of processing, method of processing and the type of personal information (if cross-border transfer involved, we will also notify you the manner and method of exercise your right).
  2. Transfer
    Without your separate consent, we will not transfer your personal information to any other company, organization or individual, except in the case of business/asset transfer, restructure, disposal (including securitization), merger, spin-off or acquisition transactions where the transfer is necessary. In such cases, we will inform you of the identity, contact etc. of the personal information recipient according to the requirements of applicable laws and regulations and request the personal information recipient to comply with this Policy. If the personal information recipient changes the purposes, methods etc. of personal information processing under this Policy, it shall re-obtain the consent from you.
  3. Public Disclosure
    We will not disclose your personal information to the public unless we have your separate consent.

VI. Special Circumstances for Information Processing

We will process your information (collection, storage, use, analysis, transfer, provide, disclosure) based on your consent. To the extent allowed by laws and regulations, we may process your personal information without your consent under the following circumstances:

  1. Where it is necessary for entering into a contract or the performance of a contract to which you are the party.
  2. Where it is necessary for compliance with a legal obligation to which we are subject.
  3. Where it is necessary in order to protect your vital interests in an emergency or respond to public health emergencies.
  4. Where it is within reasonable limits in order to carry out news coverage or media supervision for the public interest.
  5. Where it is within reasonable range according to law to process the information has been legally made public or publicized by yourself.
  6. Other circumstances stipulated by laws and regulations.

VII.How We Use Cookies and Other Technologies

  1. Your visit, browse, use of any of our website or mobile device applications may be recorded for analysis on the number of visitors to the site and/or applications, general use patterns and your personal use patterns and improving your experience. Some of this information will be gathered through the use of "Cookies". Cookies are small bits of information automatically stored on your local terminal, which can be retrieved by your local terminal. Cookies can enable our website or applications to recognise your device and store information about your use of website and/or applications so to provide more useful features to you and to tailor the content of our website/applications to suit your interests and, where permitted by you, to provide you with promotional materials based on your use patterns. We will be able to access the information stored on the Cookies.
    The information collected by Cookies is anonymous aggregated data, and contains no personal information such as name, address, telephone, email address etc.
  2. Our website and/or applications may also work with third parties to research certain use and other activities on the website and/or application. These third parties include without limitation to Doubleclick, Yahoo!, Nielsen//NetRatings, WebTrends, Google and Adobe. They use technologies such as spotlight monitoring, Web Beacons and Cookies etc. to collect information for such research. They use the information collected through such technologies (i) to find out more about users of our website and/or applications, including user demographics and behaviour and use patterns, (ii) for more accurate reporting, and (iii) to improve the effectiveness of our marketing. They aggregate the information collected and then share it with us. The data we provide to such companies may include your advertising ID and installation event (refers to data about your first installation or use of our website and/or application). However, we will not collect personally identifiable information about you from such companies or provide such companies with personally identifiable information about you for the purpose of this research.
  3. Most local terminals are initially set to accept Cookies. You can manage or disable Cookies based on your own preference. Should you wish to disable the Cookies, you may do so by changing the setting on your local terminals. However, after changing the setting you may not be able to enjoy the convenience that Cookies bring, but your normal use of other functions of the local terminals will not be affected. Different local terminals offer different methods for setting changes, and you can find information on how to manage cookie settings on certain browsers via the following links.

VIII.Your Rights Relating to Personal Information

  1. You have the right to request us to protect and secure your personal information in accordance with the provisions of the law, regulation and this Policy.
  2. You have the right to check with us whether we hold your personal formation and to check the personal information you have provided to us.
  3. You have the right to change the scope of authorization or withdraw your consent, and exercise your right per the method listed in "IX How to contact us". We will not further process the related information once you change your authorization. Please note the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
  4. You have the right and obligation to update your personal information with us to ensure that all the information is accurate and up-to-date. You have the right to request us to provide convenience for you to update your personal information with us and to correct any of your information that is inaccurate.
  5. In relation to personal credit or guarantee etc., you have the right to request to be informed of your personal information that is disclosed to credit reference agencies by us, so as to enable your request to the relevant credit reference agencies for access to and correction of your information.
  6. You have the right to request us to delete or otherwise properly dispose of your personal information that is beyond retention period in accordance with the applicable law and regulation, this Policy, and other agreement between you or relevant customers and us.
  7. This Policy will not restrict other rights of you as the Information Subject under Chinese laws.

IX. How to contact us

  1. Requests for access to, correction or deletion of personal information, for withdrawal of authorisation or disposal of personal information beyond retention period, for a copy of this Policy, or enquiries about our practices regarding personal information and privacy protection, should be addressed to:
    Chief Data Officer
    HSBC Bank (China) Company Limited
    19/F HSBC Building, Shanghai IFC, 8 Century Avenue, Pudong, Shanghai, 200120
    E-mail: hsbcaoc@hsbc.com.cn
    Tel: +86 400-820-3090 (8:30am - 5:30pm, Monday to Friday during the working days)
  2. For security purpose, you may need to provide the request in written form or use other methods to prove your identity. We may request you to verify your identity before processing your request.
  3. Upon the receipt of your request, we will reply to you within 15 working days or shorter period as prescribed by law and regulation (if any).
  4. We will not charge fees for the processing of your above-mentioned reasonable requests for checking, correcting or otherwise disposing of your personal information.
    Notwithstanding the foregoing, we may reject your request that is illegal, noncompliant, or unnecessarily repeated, needs excessive technical means (for example, the need to develop information systems or fundamentally change current practices), brings risks to the legitimate rights and interests of others, is unreasonable or beyond technically impracticable requests.
    We may not be able to respond to your request under any of the following circumstances:
    (1) 
    Where the request is in relation to our legal and financial compliance obligation under laws and regulations .
    (2) where the request is in direct relation to state security or national defence security;
    (3) where the request is in direct relation to public security, public sanitation, or major public interests;
    (4) where the request is in direct relation to criminal investigations, prosecutions, trials, execution of rulings, etc.;
    (5) where there is sufficient evidence that you are intentionally malicious or abuse your rights;
    (6) where the purpose is to protect you or other individual's life, property and other substantial legal interests but difficult to acquire your consent;
    (7) where responses to your request will give rise to serious damage to your or any other individual or organisation's legal rights and interests; or
    (8) where the request involves any trade secret.
  5. Unless we have your prior consent, we will not send you advertisement promotion message. If at any time you would like us to cease using or providing to others your personal information for advertisement promotion purpose, you are entitled to notify us and exercise your right of choice, not to receive such advertisement promotion any more. If you so choose to reject advertisement promotion message, please contact our Call Centre by calling +86 400-820-8878. After receipt of your request we will, as soon as practical (usually no later than 15 working days from your request), take actions to ensure no more advertisement promotion message should be sent to you.
  6. You may supervise or make suggestions for our practices regarding personal information and privacy protection, and lodge complaints or demand compensation according to law against us or our staff for any infringement of your rights and interests in your personal information and privacy.
    If you have any query, complaint, feedback, comment or suggestion, please Contact HSBC. You may contact us through the contact information listed in this Policy, by calling our hotline or visiting our branches or sub-branches. You may also visit our official website www.hsbc.com.cn to enquire the nearby branches or sub-branches, or other contact information of us suitable for you.

X. Protection of Minors' Personal Information

  1. We pay particular attention to protection of the minors' personal information. We have no intention to collect any minors' personal information, unless it is agreed by their parents or guardians and it is necessary for the products or services offered to the minors (for example, the minors may be the holders of the Junior Account offered by us, the holders of supplementary card of certain credit cards issued by us, the beneficiaries of the insurance products that we distribute, the heirs of our customers, etc.).
  2. If you are under 18 years of age, it is suggested that your parents or guardians should carefully read this Policy and any of your personal information should be provided only after seeking consent from them. Meanwhile, it is suggested that your use of our products and services should be under the guidance of your parents or guardians. If they do not agree you to provide your personal information or to use any of our products or services, you should immediately stop providing the information or stop using our products and services. Please notify us of such event as soon as possible, so as to allow us to take appropriate measures accordingly.
  3. If you are under 18 years of age, for those personal information we collect with the consent of your parents or guardians, we will only use or disclose such information to the extent allowed by law and regulation or expressly consented by your parents or guardians or necessary for protection of the minors' interests.

XI.Formulation, Effectiveness, Update of this Policy and Others

  1. The Policy is made by us and published at our websites and takes effect on the date of issuance. The Policy may be amended or updated from time to time, particularly in the events of major changes as follows:
    (1) Major changes in our service model, such as changes in the purpose of processing personal information, changes in the types of personal information being processed, the use methods of personal information, etc.;
    (2) Major changes in our ownership structure, organisational structure, etc., such as changes as result of business adjustments, bankruptcy, mergers, etc.;
    (3) Changes in the main objects of personal information sharing, transfer or public disclosure;
    (4) Significant changes in your rights relating to personal information or in the methods to exercise such rights;
    (5) Changes of our contacts for personal information related requests/enquiries, changes of our contacts for complaint or feedback;
    (6) Other major changes which may significantly impact your interests in personal information.
    We will post the changes to the Policy or the updated Policy through pop-ups, announcements, etc. on our website. Changes to the Policy shall not diminish or limit the rights you should have as an Information Subject under Chinese law.
  2. Where you provide to us personal information about another person, you should ensure that person acknowledges this Policy, tell him/her how we may collect and use his/her personal information and obtain the consent of such person. You should remind that person to read this Policy in advance and may also give him/her a copy of this Policy.
  3. In case of discrepancy between the Chinese and English versions of this Policy, the Chinese version shall apply and prevail.