Top of main content

HSBC Bank (China) Company Limited Personal Information and Privacy Protection Policy (For Personal Business)

Date of Update: 29 Feb, 2024

Effective Date: 29 Feb, 2024

HSBC Bank (China) Company Limited (“HSBC”, “the Bank”, “we” or “us”) take the confidentiality and security of personal information very seriously, and strive at all times to protect personal information and privacy of our customers and other related personal information subjects (“you” or “Personal Information Subject”) according to law. We therefore formulate this Personal Information and Privacy Protection Policy for individual business (this “Policy”) to help you understand the purposes, methods, and scope of personal information we collect and use, our practices regarding personal information and privacy protection, your rights and interests with regard to personal information and privacy and how to assert your rights and interests.

This Policy shall apply to personal information of you when you visit, browse, or use our website or mobile device application, apply for or use any product, service of services of us, handle any business or make any transaction with us, provide personal guarantee to individual customers, participate in any of our marketing events and surveys, and in any way contact or correspond with us in the context of personal business. We shall collect, use, store, disclose, and protect your personal information in accordance with this Policy. We may separately issue specific personal information protection policy tailor made for specific channels, products, services, businesses and activities (such as the Personal Information and Privacy Protection Policy for Personal Digital Banking Services). The specific personal information protection policy so made shall apply in the specific scenarios as prescribed in such policy. If there is any discrepancy between this Policy and the other agreements entered into or other terms and conditions agreed between you and us, such other agreements or terms and conditions shall prevail.

In terms of personal business, this Policy has replaced the previous Personal Information and Privacy Protection Policy. Any reference to the Personal Information and Privacy Protection Policy in any document in relation to personal business shall be deemed to be a reference to this Policy.

Please read through this Policy carefully and pay particular attention to the provisions that are bolded and underlined which we think have material impacts on your interests and/or deal with your sensitive personal information. The key points of this Policy are summarized as below:

  1. For your convenience to understand the purpose and category of personal information we collect when you sign up for our service, we therefore explain them under the particular service scenario.
  2. When you sign up for some particular services, we will collect your sensitive personal information after you give us express consent if required by applicable laws and regulations. Refusal on providing consent might affect you use related service, but will not affect you use other services we provided.
  3. To provide the service per you request, we might need to share your personal information to a third party. We will carefully assess the legitimacy, propriety, and necessity of the data sharing with the third party. We will ask the relevant third party to take all data protection measures required pursuant to applicable laws and regulations.

We fully understand how important your personal information means to you, and we will exert our best effort to protect the security of your personal information. We have always been committed to maintain your trust and will stick to below principles to protect your personal information: Right and Responsibility Consistency, Explicit Purpose, Freely Given Consent, Minimum and Necessity, Assurance of Information Security, Participation, Fairness and Transparency. We are also committed to take appropriate security measures to protect your information.

The table of content of this Policy is set out as below:

I. How We Protect Your Personal Information 

II. How We Collect Your Personal Information 

III. How We Use Your Personal Information 

IV. How We Store Your Personal Information 

V.  How We Share, Transfer and Publicly Disclose Your Personal Information 

VI. Special Circumstances for Information Processing 

VII. How We Use Cookies and Similar Technologies 

VIII. Your Rights Relating to Personal Information 

IX. How to Contact Us 

X. Protection of Minors' Personal Information 

XI. Formulation, Effectiveness and Update of this Policy and Others 

I.How We Protect Your Personal Information

  1. Information security is our top priority. We will endeavour at all times to safeguard your personal information against unauthorised or accidental access, processing or damage. We maintain this commitment to information security by implementing appropriate security and managerial measures to secure your personal information. We will take responsibility in accordance with the law if your personal information suffers from unauthorised access, public disclosure, erasure or damage for a reason attributable to us and so impairs your lawful rights and interests.
  2. Our website supports advanced encryption technology - an existing industry standard for encryption over the internet to protect your personal information. When you provide sensitive personal information through our website or applications, it will be automatically converted into codes so as to ensure secure transmission afterwards. Our web servers are protected behind "firewalls" and our systems are monitored to prevent any unauthorized access. Our mobile banking application software has passed Union-pay payment application software security test conducted by Bank Card Test Centre and the software filing for financial client mobile application with National Internet Finance Association of China.
  3. We maintain strict security system to prevent unauthorized access to your personal information. We exercise strict management over our staff members who may have access to your personal information, including but not limited to access control applied to different positions, contractual obligation of confidentiality agreed with relevant staff members, formulation and implementation of information security related policies and procedures, and information security related training offered to staff.
  4. We will not disclose your personal information to any third party, unless the disclosure is made to comply with laws, regulations and regulatory requirements or according to this Policy or separate agreement between us or based on your separate consent or authorisation. When we use services provided by external service providers (entities or individuals), we also impose strict confidentiality obligations on them and require them to take all data protection measures required pursuant to applicable laws and regulations when processing your personal information.
  5. For the security of your personal information, you take on the same responsibility as us. You shall properly take care of your personal information, such as your bank account information, identity verification information (e.g. user name, password, dynamic password, verification code, etc.), and all the documents, devices or other media that may record or otherwise relate to such information, and shall ensure your personal information and relevant documents, devices or other media are used only in a secured environment. You shall not, at any time, disclose to any other person or allow any other person to use such information and relevant documents, devices or other media. Once you think your personal information and/or relevant documents, devices or other media have been disclosed, lost or stolen, or may otherwise affect the security of your use of our products, devices or services, you shall notify us immediately so that we may take appropriate measures to prevent further loss from occurring.
  6. We will organize regular staff training and drills on emergency response so as to let the relevant staff be familiar with their job duties and emergency procedures. If unfortunately personal information security incident occurs, we will adopt emergency plan and take relevant actions and remediation measures to mitigate the severity and losses in connection therewith. Meanwhile, we will, following the applicable requirements set out in law and regulation, inform you of the basic information of the security incident and its possible impact, the actions and measures we have taken or will take, suggestions for you to prevent and mitigate the risk, and applicable remediation measures. We will inform you about the security incident by email, mail, call, SMS, push notification or through other methods as appropriate in a timely manner. Where it is difficult to notify each Personal Information Subject, we will post public notice in a reasonable and effective way. Meanwhile, we will report such personal information security incident and our actions in accordance with applicable law, regulation and regulatory requirements.

II. How We Collect Your Personal Information

  1. Personal information refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized. Personal information include name, birth date, ID certificate information (ID card, passport and etc.,), personal biometrics recognition information, contact information, address, account information, property status, location and etc. Sensitive personal information refers to personal or property information that, once leaked or illegally provided or misused, may harm personal or property safety and will easily lead to infringement of the personal reputation, human dignity, physical or psychological health, or discriminatory treatment. Such information mainly includes ID certificate information (ID card, passport and etc.,), personal biometrics recognition information, credit information, property information, transaction information, medical and health information, specific identity, financial account, individual location tracking etc. as well as any personal information of a minor under the age of 14 (i.e. child).
  2. For the purpose of complying with law, regulation and regulatory provision, or as required for us to provide you with various products and services and continuously improve our products and services, or in order to contact or communicate with you, understand the needs of you, build up, review, maintain and develop our relationship with you, we may receive and keep the personal information provided by yourself, or, according to law, regulation, regulatory provision, your authorisation or consent, collect, enquire, and verify by proper methods your and/or related parties’ personal information from/with members of the HSBC Group or other third parties (including but not limited to credit reference agencies, information service providers, relevant authorities, employers, counterparties, joint applicants, contact persons, close relatives and other entities/individuals). “HSBC Group” under this Policy means HSBC Holdings plc, and/or any of, its affiliates, subsidiaries, associated entities and any of their branches and offices (together or individually), and “member of the HSBC Group” has the same meaning.
  3. The personal information we so collect may be recorded in paper, electronic means (including but not limited to the information we collect via our self-service machine, website, online banking, mobile banking, WeChat account, WeChat application or other mobile device applications, email, SMS or other channels) or any other means.
  4. When you visit, browse, use our website and/or applications as a visitor, we may collect information about the browser or device you use (such as IP address, operating system, and browser version), your browsing actions and patterns. We use Cookies and similar technologies to collect above information. You may disable Cookies by changing your settings (for details, please refer to Article VII of this Policy “How We Use Cookies and Similar Technologies”).

The technical information which cannot identify any individual will not be treated as personal information. However, when such technical information can identify the individual alone or in combination with other information, we will protect it as your personal information.

We may invite you to subscribe to our newsletter, updates, alerts or to participate in our marketing events or survey via our website and/or applications (such as our WeChat subscription account). If you accept relevant invitation, we may collect the information you provide to us by filling out contact forms or questionnaires, etc. The said information may include name, telephone number, mobile phone number, email, employer name, and job position etc. Refusal to provide such information will not affect your visiting, browsing or using our website and/or applications.  

5. When you are our prospect or existing individual customer, in order for us to provide you with our products/services and to handle relevant banking business, we may collect the following information upon your consent or authorization or in accordance with applicable laws and regulations:
Products/Services/Business
Information We May Need to Collect
Account Management (including opening bank accounts, applying for bank cards, and updating of relevant information)

(1) Personal identity information, including your name, gender, nationality, ethnic group, place of birth, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), company address, residence address and date of moving to the residence address, contact information (including mobile number, email address, mailing address), employment status (including industry, occupation, position and employer), face feature information;

(2) Personal property information, including your income, tax resident status, taxpayer identification number, and source of funds. May also collect the status of your real property and investment;

(3) Other personal information arising from customer investigation, including personal information collected during customer due diligence, sanctions or anti-money laundering checks

Savings

We need to collect your name, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), account number, transaction type, amount and currency type. At the same time, in order to provide you with inquiry and convenient access services, we need to collect your transactions information and information about the delegate (only applicable to entrusted handlings). For large transactions, additional information will be required including the source of funds, purposes of funds, purposes of transactions and additional supporting documents.

 

Payment and Transfer

(1) Your personal name, account number, type/number of ID certificate, and mobile number, face feature information;

(2) Your payer’s information, including the payer's name, account number, ID certificate number, type of ID certificate, bank information of the remitting account, amount and currency of the remittance, and purpose of remittance;

(3) Your payee's information, including the name of the payee, bank information of beneficiary account, the account number, the currency type of the account (only applicable to cross-border transfer), the address of the payee, the amount and currency of the remittance, and the purpose of remittance;

(4) For the remittance of study abroad, the school or college where the student is studying, the account of the receiving school or college, the student's academic number, the payment notice number, the purpose of remittance, and the email address; The documents required for foreign exchange payment beyond annual quota shall include: the ID certificate, payment notice, admission notice, passport, visa, household registration information (Hu Kou)/birth certificate (payment by the next of kin) of the person studying abroad.

Foreign Exchange Settlement and Foreign Exchange Swap services

(1) Your name, nationality, ID certificate information (including certificate type, number, date of expiry, issue country/region), account number and name of financial account, purpose of foreign exchange settlement, and source of funds.

(2) When providing the foreign exchange settlement, we may collect additional materials, including income document, your company and position, school admission information (normally is admission notice), overseas spending supporting documents, relationship supporting and other relevant materials as required by the SAFE.

Investments and Insurance(including purchase of  investment, financial management, insurance or other financial products)

(1) Personal identity information including name, gender, nationality, place of birth, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), residence address, contact information (including fixed telephone number, mobile phone number, email address, mailing address), employment status (including industry, occupation, position and employer), marital status, information on family members, the relationship with the insured person;

(2) Personal property information, including personal or family income status, personal or family expenditure status, personal or household liabilities, your tax resident status, tax payer identification number, status of your real property, movable property and investment status;

(3) Personal account information, including your account number, account type, account opening date, account opening institution, account balance and account transaction status;

(4) Personal financial transaction information, including transaction information you retain in payment and settlement, investment or financial management, safe box or other banking business, and your transaction information generated during your interaction with securities companies, fund companies, futures companies, payment institutions or other third-party institutions via us;

(5) Your personal transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience;

(6) For insurance services, we need to collect insured person’s name, gender, nationality, place of birth, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), residence address, contact information (including fixed telephone number, mobile phone number, email address, mailing address), employment status (including industry, occupation, position, employer, annual income), health information on the insured, height and weight of the insured, information on beneficiaries, and information on insurance policies.

Home Loan Mortgage

(1) Personal identity information, including your name, gender, nationality, ethic group, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), residence address and date of moving to the residence address, contact information (including fixed telephone, mobile phone number, email address, mailing address), employment status (including industry, occupation, position and employer), working years, marital status, educational background;

(2) Personal property information, including your personal or family income status, personal or household liabilities and contingent liabilities, the net assets and the premises status of the individual or household, the collateral; 

(3) Personal credit information, we may inquire about your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loans, and other credit transaction information, contingent liabilities, litigation, investigation, punishment information, and other information that reflects your personal credit profile;

(4) Other information relevant to the determination of the eligibility for purchasing the premises, including the number of premises the family (including the applicant himself or herself, spouse and minors) currently owns, real estate transaction information, social security information, qualification certificate, and property donation status;

(5) The personal information of your connected individuals, including information about your spouse, minors, joint applicant/borrower (and their spouse), authorized representative, and the transferor of property. The collection of personal information of the foregoing person shall not exceed the scope of personal information collected from you under this service.

Small Business Owner Loan

(1) Personal identity information, including your name, gender, nationality, ethic group , ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), date of birth, marital status, next of kin, household registration information (Hu  Kou), residence address and date of moving to the residence address, contact information (including fixed telephone, mobile phone number, email address, mailing address), employment status (including industry, occupation, position and employer);

(2) Personal account information (if applicable), including your account number, account type, account opening date, account opening institution, account balance and account transaction status;

(3) Personal property information, including your personal income status, liabilities and contingent liabilities, as well as net asset information if required;

(4) Personal credit information, we may inquire your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loans, and other credit transaction information, contingent liabilities, litigation, investigation, punishment information, and other information that reflects your personal credit profile;

(5) Other personal information arising from customer investigation, including personal information collected during customer due diligence, sanctions and anti-money laundering checks;

(6) Your business partner’s connected individuals’ personal information. The collection of personal information of the foregoing person shall not exceed the scope of personal information collected from you under this service.

Credit Cards

When you apply a credit card with us, you need to provide the following information:

(1) Personal identity information, including your name, gender, nationality, ethic group, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), residence address, contact information (including fixed phone, mobile phone number, email address, mailing address), employment status (including industry, occupation, position and employer), working years, contact information (including name, mobile phone number and relationship), marital status, educational background, photos;

(2) Personal property information, including your personal income status, liability and contingent liabilities status, as well as net asset information;

(3) Personal credit bureau information, we may inquire about your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loans, and other credit transaction information, contingent liabilities, litigation, investigation, punishment information, and other information that reflects your personal credit profile; 

(4) Other personal information arising from customer investigation, including personal information collected during customer due diligence, sanctions or anti-money laundering checks.

 

When you use the bank’s credit card service, you need to provide the following information:

(1) To activate your card, need to collect your ID certificate type, ID certificate number, date of birth, credit card number, card validity period, CVV2, SMS verification code on the reserved mobile phone number when you apply for a credit card, and face feature information;

(2) Repayment and repayment setup, and need to collect your repayment account, repayment amount, card number of the remitting bank, mailing address of bills, and email address;

(3) Log on to the rewards platform "Rewards Mall" for reward points redeem, including your name, mobile phone number, SMS verification Code, ID certificate number and address information, credit card number, credit card status and credit card reward points balance;

(4) For credit quota adjustments, we may inquire about your credit information and/or credit reports from the Basic Financial Credit Information Database and other legally established credit reference agencies;

(5) Apply for statement and transaction instalments, we need to collect your credit card number, tenors and amount;

(6) For transaction monitoring, we may collect your transactions and supporting documents (if applicable).

Apply to all above products/services/business

Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts, compliance with laws, regulations and regulatory requirements, proper and secure operation of banking business, or prevention  and controlling banking related risk , e.g. time/location (including geographic location and network address) of service use, correspondence or other communication records (including video or audio records, call log and correspondence records and contents),.When using digital banking, your device type, operating system, unique device identifier (Android ID, UUID, IMEI, MAC address), software version, logon IP address, internet service provider (ISP), device accelerators and gravity sensing devices will be collected.

Technical information that may not be used to identify an individual’s identity will not be treated as personal information. But if the information alone or in combination with other information may be used to identify your identity, we will treat it as your personal information and have it properly protected.

5. When you are our prospect or existing individual customer, in order for us to provide you with our products/services and to handle relevant banking business, we may collect the following information upon your consent or authorization or in accordance with applicable laws and regulations:
Products/Services/Business
Account Management (including opening bank accounts, applying for bank cards, and updating of relevant information)
Information We May Need to Collect

(1) Personal identity information, including your name, gender, nationality, ethnic group, place of birth, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), company address, residence address and date of moving to the residence address, contact information (including mobile number, email address, mailing address), employment status (including industry, occupation, position and employer), face feature information;

(2) Personal property information, including your income, tax resident status, taxpayer identification number, and source of funds. May also collect the status of your real property and investment;

(3) Other personal information arising from customer investigation, including personal information collected during customer due diligence, sanctions or anti-money laundering checks

Products/Services/Business
Savings
Information We May Need to Collect

We need to collect your name, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), account number, transaction type, amount and currency type. At the same time, in order to provide you with inquiry and convenient access services, we need to collect your transactions information and information about the delegate (only applicable to entrusted handlings). For large transactions, additional information will be required including the source of funds, purposes of funds, purposes of transactions and additional supporting documents.

 

Products/Services/Business
Payment and Transfer
Information We May Need to Collect

(1) Your personal name, account number, type/number of ID certificate, and mobile number, face feature information;

(2) Your payer’s information, including the payer's name, account number, ID certificate number, type of ID certificate, bank information of the remitting account, amount and currency of the remittance, and purpose of remittance;

(3) Your payee's information, including the name of the payee, bank information of beneficiary account, the account number, the currency type of the account (only applicable to cross-border transfer), the address of the payee, the amount and currency of the remittance, and the purpose of remittance;

(4) For the remittance of study abroad, the school or college where the student is studying, the account of the receiving school or college, the student's academic number, the payment notice number, the purpose of remittance, and the email address; The documents required for foreign exchange payment beyond annual quota shall include: the ID certificate, payment notice, admission notice, passport, visa, household registration information (Hu Kou)/birth certificate (payment by the next of kin) of the person studying abroad.

Products/Services/Business
Foreign Exchange Settlement and Foreign Exchange Swap services
Information We May Need to Collect

(1) Your name, nationality, ID certificate information (including certificate type, number, date of expiry, issue country/region), account number and name of financial account, purpose of foreign exchange settlement, and source of funds.

(2) When providing the foreign exchange settlement, we may collect additional materials, including income document, your company and position, school admission information (normally is admission notice), overseas spending supporting documents, relationship supporting and other relevant materials as required by the SAFE.

Products/Services/Business
Investments and Insurance(including purchase of  investment, financial management, insurance or other financial products)
Information We May Need to Collect

(1) Personal identity information including name, gender, nationality, place of birth, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), residence address, contact information (including fixed telephone number, mobile phone number, email address, mailing address), employment status (including industry, occupation, position and employer), marital status, information on family members, the relationship with the insured person;

(2) Personal property information, including personal or family income status, personal or family expenditure status, personal or household liabilities, your tax resident status, tax payer identification number, status of your real property, movable property and investment status;

(3) Personal account information, including your account number, account type, account opening date, account opening institution, account balance and account transaction status;

(4) Personal financial transaction information, including transaction information you retain in payment and settlement, investment or financial management, safe box or other banking business, and your transaction information generated during your interaction with securities companies, fund companies, futures companies, payment institutions or other third-party institutions via us;

(5) Your personal transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience;

(6) For insurance services, we need to collect insured person’s name, gender, nationality, place of birth, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), residence address, contact information (including fixed telephone number, mobile phone number, email address, mailing address), employment status (including industry, occupation, position, employer, annual income), health information on the insured, height and weight of the insured, information on beneficiaries, and information on insurance policies.

Products/Services/Business
Home Loan Mortgage
Information We May Need to Collect

(1) Personal identity information, including your name, gender, nationality, ethic group, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), residence address and date of moving to the residence address, contact information (including fixed telephone, mobile phone number, email address, mailing address), employment status (including industry, occupation, position and employer), working years, marital status, educational background;

(2) Personal property information, including your personal or family income status, personal or household liabilities and contingent liabilities, the net assets and the premises status of the individual or household, the collateral; 

(3) Personal credit information, we may inquire about your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loans, and other credit transaction information, contingent liabilities, litigation, investigation, punishment information, and other information that reflects your personal credit profile;

(4) Other information relevant to the determination of the eligibility for purchasing the premises, including the number of premises the family (including the applicant himself or herself, spouse and minors) currently owns, real estate transaction information, social security information, qualification certificate, and property donation status;

(5) The personal information of your connected individuals, including information about your spouse, minors, joint applicant/borrower (and their spouse), authorized representative, and the transferor of property. The collection of personal information of the foregoing person shall not exceed the scope of personal information collected from you under this service.

Products/Services/Business
Small Business Owner Loan
Information We May Need to Collect

(1) Personal identity information, including your name, gender, nationality, ethic group , ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), date of birth, marital status, next of kin, household registration information (Hu  Kou), residence address and date of moving to the residence address, contact information (including fixed telephone, mobile phone number, email address, mailing address), employment status (including industry, occupation, position and employer);

(2) Personal account information (if applicable), including your account number, account type, account opening date, account opening institution, account balance and account transaction status;

(3) Personal property information, including your personal income status, liabilities and contingent liabilities, as well as net asset information if required;

(4) Personal credit information, we may inquire your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loans, and other credit transaction information, contingent liabilities, litigation, investigation, punishment information, and other information that reflects your personal credit profile;

(5) Other personal information arising from customer investigation, including personal information collected during customer due diligence, sanctions and anti-money laundering checks;

(6) Your business partner’s connected individuals’ personal information. The collection of personal information of the foregoing person shall not exceed the scope of personal information collected from you under this service.

Products/Services/Business
Credit Cards
Information We May Need to Collect

When you apply a credit card with us, you need to provide the following information:

(1) Personal identity information, including your name, gender, nationality, ethic group, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), residence address, contact information (including fixed phone, mobile phone number, email address, mailing address), employment status (including industry, occupation, position and employer), working years, contact information (including name, mobile phone number and relationship), marital status, educational background, photos;

(2) Personal property information, including your personal income status, liability and contingent liabilities status, as well as net asset information;

(3) Personal credit bureau information, we may inquire about your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loans, and other credit transaction information, contingent liabilities, litigation, investigation, punishment information, and other information that reflects your personal credit profile; 

(4) Other personal information arising from customer investigation, including personal information collected during customer due diligence, sanctions or anti-money laundering checks.

 

When you use the bank’s credit card service, you need to provide the following information:

(1) To activate your card, need to collect your ID certificate type, ID certificate number, date of birth, credit card number, card validity period, CVV2, SMS verification code on the reserved mobile phone number when you apply for a credit card, and face feature information;

(2) Repayment and repayment setup, and need to collect your repayment account, repayment amount, card number of the remitting bank, mailing address of bills, and email address;

(3) Log on to the rewards platform "Rewards Mall" for reward points redeem, including your name, mobile phone number, SMS verification Code, ID certificate number and address information, credit card number, credit card status and credit card reward points balance;

(4) For credit quota adjustments, we may inquire about your credit information and/or credit reports from the Basic Financial Credit Information Database and other legally established credit reference agencies;

(5) Apply for statement and transaction instalments, we need to collect your credit card number, tenors and amount;

(6) For transaction monitoring, we may collect your transactions and supporting documents (if applicable).

Products/Services/Business
Apply to all above products/services/business
Information We May Need to Collect

Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts, compliance with laws, regulations and regulatory requirements, proper and secure operation of banking business, or prevention  and controlling banking related risk , e.g. time/location (including geographic location and network address) of service use, correspondence or other communication records (including video or audio records, call log and correspondence records and contents),.When using digital banking, your device type, operating system, unique device identifier (Android ID, UUID, IMEI, MAC address), software version, logon IP address, internet service provider (ISP), device accelerators and gravity sensing devices will be collected.

Technical information that may not be used to identify an individual’s identity will not be treated as personal information. But if the information alone or in combination with other information may be used to identify your identity, we will treat it as your personal information and have it properly protected.

The above information is the basic information we must collect to provide you with banking products or services, to perform our contract with you and to comply with laws, regulations and regulatory requirements. If you refuse to provide those information (or the information so provided is incomplete, inaccurate or untrue), you will not be able to use our relevant banking products or services we provide.

6. When you give or propose to give guarantees for obligations owed by our individual customers to us, we may collect the following information upon your consent or authorization or in accordance with applicable laws and regulations:
Products/Services/Business
Information We May Need to Collect
To give or propose to give guarantees for obligations owed by home mortgage loan customers

(1) Personal identity information, including your personal name, gender, nationality, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), residence address and date of moving to the residence address, contact information (including fixed telephone number, mobile phone number, email address, mailing address), employment status (including industry, occupation, position, employer), marital status, educational background, and your relationship with the borrower;

(2) Personal property information, including your personal income status, liabilities and net assets;

(3) Personal credit bureau information, we may inquire about your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loans, and other credit transaction information, contingent liabilities, litigation, investigation, punishment information, and other information that reflects your personal credit profile;

(4) Other personal information arising from the customer investigation, including personal information collected during customer due diligence, sanctions and anti-money laundering checks.

To give or propose to give guarantees for obligations owed by Small Business Owner loan customers

(1) Personal identity information, including your personal name, gender, nationality, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), contact information (including fixed telephone number, mobile phone number, email address, and mailing address), employment status (including industry, occupation, position and employer), marital status, and next of kin relationship;

(2) Personal account information (if applicable), including your account number, account type, opening time of the account, account opening institution, account balance and account transaction status;

(3) Personal property information, including your personal income status, liability status, specific information on collateral, and information on your personal net assets;

(4) Personal credit bureau information, we may inquire about your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loans, and other credit transaction information, contingent liabilities, litigation, investigation, punishment information, and other information that reflects your personal credit profile;

(5) Other personal information arising from customer investigation, including personal information collected during customer due diligence, sanctions and anti-money laundering checks.

Apply to all above products/services/business Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts, compliance with laws, regulations and regulatory requirements, proper and secure operation of banking business, or prevention  and controlling banking related risk , e.g. personal information included in the customer documentation, personal information arising from any suspicious and unusual activity investigation, correspondence or other communication records (including video or audio records, call log and correspondence records and contents).
6. When you give or propose to give guarantees for obligations owed by our individual customers to us, we may collect the following information upon your consent or authorization or in accordance with applicable laws and regulations:
Products/Services/Business
To give or propose to give guarantees for obligations owed by home mortgage loan customers
Information We May Need to Collect

(1) Personal identity information, including your personal name, gender, nationality, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), residence address and date of moving to the residence address, contact information (including fixed telephone number, mobile phone number, email address, mailing address), employment status (including industry, occupation, position, employer), marital status, educational background, and your relationship with the borrower;

(2) Personal property information, including your personal income status, liabilities and net assets;

(3) Personal credit bureau information, we may inquire about your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loans, and other credit transaction information, contingent liabilities, litigation, investigation, punishment information, and other information that reflects your personal credit profile;

(4) Other personal information arising from the customer investigation, including personal information collected during customer due diligence, sanctions and anti-money laundering checks.

Products/Services/Business
To give or propose to give guarantees for obligations owed by Small Business Owner loan customers
Information We May Need to Collect

(1) Personal identity information, including your personal name, gender, nationality, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), contact information (including fixed telephone number, mobile phone number, email address, and mailing address), employment status (including industry, occupation, position and employer), marital status, and next of kin relationship;

(2) Personal account information (if applicable), including your account number, account type, opening time of the account, account opening institution, account balance and account transaction status;

(3) Personal property information, including your personal income status, liability status, specific information on collateral, and information on your personal net assets;

(4) Personal credit bureau information, we may inquire about your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loans, and other credit transaction information, contingent liabilities, litigation, investigation, punishment information, and other information that reflects your personal credit profile;

(5) Other personal information arising from customer investigation, including personal information collected during customer due diligence, sanctions and anti-money laundering checks.

Products/Services/Business
Apply to all above products/services/business
Information We May Need to Collect
Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts, compliance with laws, regulations and regulatory requirements, proper and secure operation of banking business, or prevention  and controlling banking related risk , e.g. personal information included in the customer documentation, personal information arising from any suspicious and unusual activity investigation, correspondence or other communication records (including video or audio records, call log and correspondence records and contents).

The above information is the basic information we must collect to proceed relevant guarantee business, to provide products or services to relevant customers, to perform our contract with you or such customers and to comply with laws, regulations and regulatory requirements. If you refuse to provide those information (or the information so provided is incomplete, inaccurate or untrue), you or relevant customers will not be able to use the relevant banking products or services we provide.

7. You may decide, at your free choice, to provide us, or allow us to collect from you or any third party as you agree, the relevant information for specific purposes or functions, for example, the personal information that you provide to us for the purposes of improving service experience, participating in our marketing activities or survey, making an appointment to open an account or for other business. You can choose not to provide such information. Your failure to provide such information will make you unable to participate or enjoy the corresponding convenience or functions, but will not affect your normal use of our other services. 

8. Please understand that the services we provide are constantly evolving. If you choose to use any other service not listed above for which we have to collect your information, we will separately explain to you, the purposes, methods, and scope of personal information we collect, through reminders on pages, interaction with you, agreements entered into with you or other appropriate method, and obtain your consent for that. We will use, store, disclose, and protect your information in accordance with this Policy and other agreements (if any) between you and us. If you choose not to provide certain information, you may be unable to use certain or part of the service, but your use of other services we provide will not be affected.

III. How We Use Your Personal Information

  1. When you visit, browse, use our website and/or applications as a visitor, we may use your information for the following purposes:
    (1) to respond to your queries and requests; 
    (2) to provide you with information, products or services that you request from us or which we feel may interest you, subject to your prior consent; 
    (3) to perform contracts or agreements entered into between you and us; 
    (4) to allow you to interact with us at our website and/or applications;
    (5) to notify you about changes to our website and/or applications;
    (6) to ensure the content of our website and/or application is presented in an effective manner on your device;
    (7) to maintain proper and secure operation of website and/or applications as well as banking business or services, to prevent and control risk, or to detect and prevent misuse or abuse of our website, applications, products or services; 
    (8) to meet the compliance obligations of us or the HSBC Group, or to comply with any applicable laws and regulations that we and HSBC Group are subject to; and
    (9) to make statistics and analysis of the use of our business, products, services or functions. But such statistics will not contain any of your personally identifiable information.
  2. When you are our prospect or existing individual customer, or providing personal guarantee to our individual customer, we may use your information for the following purposes:
    (1) to provide you with products or services, handle relevant personal guarantee business, to recognize or verify the identity of you, or to approve, manage, handle, execute or effect transactions requested or authorised by you;
    (2) to comply with any Applicable Laws (“Applicable Laws” refer to any applicable statute, law, regulation, ordinance, rule, judgment, decree, voluntary code, directive, sanctions regime, court order applicable to any member of the HSBC Group, agreement between any member of the HSBC Group and an authority, or agreement or treaty between authorities and applicable to the Bank or a member of the HSBC Group) and any order or requirement from any authority;
    (3) to perform the Bank's and/or the HSBC Group's compliance obligations (including regulatory compliance, tax compliance and/or compliance with any Applicable Laws or requirement of any authority), or to implement any policy or procedure made by the Bank and/or the HSBC Group for the performance of compliance obligations;
    (4) to ensure safe and stable financial services, prevention or prohibition of illegal or incompliant activities, to control or reduce risks, to detect, investigate and prevent any real, suspected or potential financial crime (including money laundering, terrorist financing, bribery, corruption, tax evasion, fraud, evasion of economic or trade sanctions, and/or violations, or acts or attempts to circumvent or violate any Applicable Laws relating to these matters) and to manage financial crime risk;
    (5) to collect any amounts due from any debtor;
    (6) to conduct credit or credit reference checks, to verify, obtain or provide credit references or credit information;
    (7) to enforce or defend the Bank or any member of the HSBC Group’s rights, or to perform the Bank or any member of the HSBC Group’s obligations;
    (8) as required by or to fulfil the Bank or the HSBC Group’s reasonable operational requirements (including for credit and risk management, data statistics, analysis, processing and handling, archiving and recording, system, product and service design, research, development and improvement, planning, insurance, audit and administrative purposes);
    (9) market or promote relevant products or services to you, to assess your’ interests in relevant products or services, or to conduct market research or survey or satisfaction survey; and
    (10) to obtain or utilize administrative, consultancy, telecommunications, computer, payment, data storage, processing, outsourcing and/or other products or services.
  3. The above information collection and use in this Policy shall not impact our use of your information for the purposes as otherwise agreed between you and us.
  4. If we use your personal information for the purposes other than the purposes of collection and use as set forth in this Policy or in other agreement between you and us, we shall inform you how we use this information and obtain consent from you before using your personal information for such additional purposes as per applicable laws and regulations.

IV. How We Store Your Personal Information

In principle, the personal information we collect and generate within the territory of the People's Republic of China will be stored in the territory of the People's Republic of China. Since we provide products or services through resources and servers across the world, which means that to the extent permitted by regulatory rules and applicable laws, your personal information may be transferred to the foreign jurisdiction, or be accessed from these jurisdictions. If we transfer your personal information overseas, we will comply with applicable laws and regulations related to cross border data sharing. Whether it is processed domestically or overseas, in accordance with applicable data protection legislation, your personal information will be protected by a strict code of secrecy and security which, the Bank, other members of the HSBC Group, their staff and third parties are subject to.

We comply with Chinese laws and regulations on data storage. When we collect or process your information, we will, according to applicable laws and regulations, regulatory, archival, accounting, auditing or reporting requirements, and the purposes as set forth in this Policy, store your information for a period as minimum as necessary to fulfil the purposes of information collection. For example, in accordance with Administrative Measures for the Customer Identification Verification and Preservation of Customer Identification Material and Transaction Records of Financial Institutions, Administrative Rules on RMB Settlement Accounts and relevant financial regulations as well as Provisions on the Scope of Collection and Preservation Period in the Document Archiving of Enterprises, the customer materials shall be kept for at least 5 to 30 years or even longer, depending on the usage purpose and document nature of relevant material. We have data retention policies. After the retention period expires under relevant data retention policy, we will destroy, delete or anonymize relevant information, or where the destruction, deletion or anonymization is not possible, store your personal information securely and separate it from other data processing. The exception is when the information needs to be retained according to applicable laws and regulations, regulatory, archival, accounting, auditing or reporting requirements, special agreement between you or relevant customers and us, or for settlement of indebtedness between you or relevant customers and us, or for record check or enquiry from you, relevant customers, regulators or other authorities.

V. How We Share, Transfer and Publicly Disclose Your Personal Information

  1. Entrusted Processing and Sharing

    For the purposes set out above in this Policy, we may provide or disclose all or part of your personal information to the following recipients under the preconditions that such provision or disclosure is necessary and is made with proper protective measures (please refer to Article I of this Policy “How We Protect Your Personal Information” for details) and the recipients may also, for the aforesaid purposes, use, process or further disclose the information they receive provided that corresponding protective measures are adopted pursuant to the applicable laws or our requirements:

    (1) any member of the HSBC Group;

    (2) any contractor, subcontractor, agent, third party product or service provider, licensor, professional consultant, business partner, or associated person of the HSBC Group (including their employees, directors and officers);

    (3) any regulator of the Bank or any member of the HSBC Group or any other authority, or any organisation or individual designated by such regulators or authorities;

    (4) anyone acting on your behalf according to your authorisation or according to law, payment recipients, beneficiaries, account agents, correspondent and agent banks (e.g.  for CHAPS, BACS, SWIFT), clearing houses, clearing or settlement systems, or anyone making any payment to you;

    (5) any person or related party who has the right or obligation, acquires an interest or assumes risk, in or in connection with any product or service you receive from the Bank, or any business you handle at the Bank or any transaction you make with the Bank (for example, the person who provides or intends to provide any mortgage or other security for any of your debt to the Bank, or the beneficiary of the insurance product that the Bank distributes to you);

    (6) other financial institutions, industrial associations, bank card organisations, credit rating agencies, credit reference agencies (including without limitation, the Basic Financial Credit Information Database) or information service providers;

    (7) any third party fund manager providing you with asset management services through us;

    (8) any third party to whom we provide referral, agency or intermediary service; and

    (9) any party in connection with any business/asset transfer, restructure, disposal, merger, spin-off or acquisition transactions of the Bank.

    Subject to applicable laws and regulations, we will seek separate consent (if legally required) from you and notify you of the data sharing with the third parties, including the data recipient’s identity, contact information, purpose of processing, method of processing and the type of personal information.

    In case of cross border personal data sharing, we will also conclude a data protection agreement with the offshore personal information recipient, and if required, in the format of standard data protection clause issued by Cyberspace Administration of China as well as specify your relevant personal information subject’s right in your capacity as a third party beneficiary under said agreement pursuant to applicable laws and regulations, for example the manner and method of exercising your right towards the offshore personal information recipient. If you want to know more details about aforesaid data protection agreement, you may contact us to raise such request via the method listed in Article IX of this Policy “How to Contact Us”.
  2. Transfer
    Without your separate consent, we will not transfer your personal information to any other company, organization or individual, except in the case of business/asset transfer, restructure, disposal, merger, spin-off or acquisition transactions where the transfer is necessary. In such cases, we will inform you of the identity and contact method of the personal information recipient as per applicable laws and regulations as well as request said recipient to comply with this Policy. If the personal information recipient changes the purposes and methods of personal information processing activities under this Policy, it shall re-obtain the consent from you.
  3. Public Disclosure
    We will not disclose your personal information to the public unless we have your separate consent.

VI. Special Circumstances for Information Processing

We will process your personal information (such as information collection, storage, use, analysis, transfer, provision, disclosure) based on your consent. To the extent allowed by laws and regulations, we may process your personal information without your consent under the following circumstances:

  1. where it is necessary for entering into a contract or the performance of a contract to which you are the party;
  2. where it is necessary for compliance with a legal obligation to which we are subject;
  3. where it is necessary in order to protect your or others’ vital interests related to life and property in an emergency or respond to public health emergencies;
  4. where it is within reasonable limits in order to carry out news coverage or media supervision for the public interest;
  5. where it is within reasonable range according to law to process the information which has been legally made public or publicized by yourself; or
  6. other circumstances stipulated by laws and regulations.

VII. How We Use Cookies and Similar Technologies

  1. Your visit, browse, use of any of our website or digital banking service related applications may be recorded for analysis on the number of visitors to the site and/or applications, general use patterns and your personal use patterns and improving your experience. Some of this information will be gathered through the use of Cookies and similar technologies. Such technologies can enable our website or applications to recognise your device and store information about your use of website and/or applications so to provide continuous services to you and to tailor the content of our website/applications to suit your interests and, where permitted by you, to provide you with promotional materials based on your use patterns. We will be able to access the information stored on the Cookies and similar technologies for the aforesaid purposes.

    The information collected by Cookies is anonymous aggregated data, and contains no personal information such as name, address, telephone, email etc.

  2. Most local terminals are initially set to accept Cookies. You can manage or disable Cookies based on your own preference. Should you wish to disable the Cookies, you may do so by changing the setting on your local terminals. However, after changing the setting you may not be able to enjoy the convenience that Cookies bring, but your normal use of other functions of the local terminals will not be affected. Different local terminals offer different methods for setting changes, and you can find information on how to manage cookie settings on certain browsers via the following links.

VIII. Your Rights Relating to Personal Information

  1. You have the right to request us to protect and secure your personal information in accordance with the provisions of the law, regulation and this Policy. You have the right to exercise your rights of individual granted by applicable laws and regulations. 
  2. You have the right to check with us whether we hold your personal information as well as to access and copy your personal information.
  3. You have the right to change the scope of authorization or withdraw your consent. We will not further process the related information once you change your authorization. Please note the withdrawal of consent will not affect the lawfulness of processing based on consent given by you before its withdrawal.
  4. You have the right and obligation to update your personal information with us to ensure that all the information is accurate and up-to-date. You have the right to request us to provide convenience for you to update your personal information with us and to correct any of your information that is inaccurate.
  5. In relation to personal credit or guarantee, you have the right to request to be informed of your personal information that is disclosed to credit reference agencies by us, so as to enable your request to the relevant credit reference agencies for access to and correction of your information.
  6. You have the right to request us to delete or otherwise properly dispose of your personal information that is beyond retention period in accordance with the applicable law and regulation, this Policy, and other agreement between you or relevant customers and us. If we cease our operation, we will stop collecting any personal data from you in a timely manner, delete or anonymize all your personal information, and inform you of such operation cessation via courier or public announcement, except as otherwise provided by laws and regulations or where the personal data deletion is technically not possible.
  7. Nothing in this Policy will shall limit the other rights you should have as a Personal Information Subject under applicable laws and regulations.

IX. How to contact us

  1. Requests for access to, copy, correction or deletion of personal information, for change/withdrawal of authorisation or disposal of personal information beyond retention period, for a copy of this Policy, enquiries about our practices regarding personal information and privacy protection, or exercising other rights you are granted by the applicable laws and regulations, should be addressed to:
    Data Privacy Officer (DPO)
    HSBC Bank (China) Company Limited
    36/F HSBC Building, Shanghai IFC, 8 Century Avenue, Pudong, Shanghai, 200120
    E-mail: hsbcaoc@hsbc.com.cn
    Tel: 95366 (24-hour, Mon-Sun)
  2. For security purpose, you may need to raise your request in written form or use other methods to prove your identity. We may request you to verify your identity before processing your request.
  3. Upon the receipt of your request, we will reply to you within 15 working days or shorter period as prescribed by law and regulation (if any). 
  4. We will not charge fees for the processing of your above-mentioned reasonable requests for checking, correcting or otherwise disposing of your personal information.
    Notwithstanding the foregoing, we may reject your request if it is illegal, noncompliant, or unnecessarily repeated, needs excessive technical means (for example, the need to develop information systems or fundamentally change current practices), brings risks to the legitimate rights and interests of others, is unreasonable or technically impracticable.
    We may not be able to respond to your request under any of the following circumstances:
    (1) where the request is in relation to our legal and financial compliance obligation under laws and regulations;

    (2) where the request is in direct relation to state security or national defence security;
    (3) where the request is in direct relation to public security, public sanitation, or major public interests;
    (4) where the request is in direct relation to criminal investigations, prosecutions, trials, execution of rulings, etc.;
    (5) where there is sufficient evidence that you are intentionally malicious or abuse your rights;
    (6) where the purpose is to protect you or other individual’s life, property and other substantial legal interests but difficult to acquire your consent;
    (7) where responses to your request will give rise to serious damage to your or any other individual or organisation’s legal rights and interests; or
    (8) where the request involves any trade secret.
  5. Unless we have your prior consent, we will not send you advertisement promotion message. If at any time you would like us to cease using or providing to others your personal information for advertisement promotion purpose, you are entitled to notify us and exercise your right of choice, not to receive such advertisement promotion any more. If you so choose to reject advertisement promotion message, please contact our Call Centre by calling +86 400-820-8878. After receipt of your request we will, as soon as practical (usually no later than 15 working days from your request), take actions to ensure no more advertisement promotion message should be sent to you.
  6. You may supervise or make suggestions for our practices regarding personal information and privacy protection, and lodge complaints or demand compensation according to law against us or our staff for any infringement of your rights and interests in your personal information and privacy.
    If you have any query, complaint, feedback, comment or suggestion, or have problem with automated decision results,please Contact HSBC. You may contact us through the contact information listed in this Policy, by calling our hotline or visiting our branches or sub-branches. You may also visit our official website www.hsbc.com.cn to enquire the nearby branches or sub-branches, or other contact information of us suitable for you.

X. Protection of Minors’ Personal Information

  1. We pay particular attention to protection of the minors’ personal information. We have no intention to collect any minors’ personal information, unless it is agreed by their parents or guardians and it is necessary for the products or services offered to the minors (for example, the minors may be the holders of the Junior Account offered by us, the holders of supplementary card of certain credit cards issued by us, the beneficiaries of the insurance products that we distribute, the heirs of our customers, etc.)
  2. If you are under of the age of 18 (including children under the age of 14), it is suggested that your parents or guardians should carefully read this Policy and any of your personal information should be provided only after seeking consent from them. Meanwhile, it is suggested that your use of our products and services should be under the guidance of your parents or guardians. If they do not agree you to provide your personal information or to use any of our products or services, you should immediately stop providing the information or stop using our products and services. Please notify us of such event as soon as possible, so as to allow us to take appropriate measures accordingly.
  3. If you are under the age of 18 (including children under the age of 14), for those personal information we collect with the consent of your parents or guardians, we will only use or disclose such information to the extent allowed by law and regulation or expressly consented by your parents or guardians or necessary for protection of the minors’ interests.

XI. Formulation, Effectiveness, Update of this Policy and Others

  1. The Policy is made by us and published at our websites and takes effect on the date of issuance. The Policy may be amended or updated from time to time, particularly in the events of major changes as follows:
    1) Major changes in our service model, such as changes in the purpose of processing personal information, changes in the types of personal information being processed, the use methods of personal information, etc.;
    (2) Major changes in our ownership structure, organisational structure, etc., such as changes as result of business adjustments, bankruptcy, mergers, etc.;
    (3) Changes in the main objects of personal information sharing, transfer or public disclosure;
    (4) Significant changes in your rights relating to personal information or in the methods to exercise such rights;
    (5) Changes of our contacts for personal information related requests/enquiries, changes of our contacts for complaint or feedback;
    (6) Other major changes which may significantly impact your interests in personal information.
    We will post the changes to the Policy or the updated Policy through pop-ups, announcements, etc. on our website. Changes to the Policy shall not diminish or limit the rights you should have as a personal information subject under applicable laws and regulations.
  2. Where you provide to us personal information about another person, you should ensure that person acknowledges this Policy, and, in particular, tell him/her how we may collect and use his/her personal information and obtain the consent/authorization of such person. You should remind that person to read this Policy in advance and may also give him/her a copy of this Policy.
  3. In case of discrepancy between the Chinese and English versions of this Policy, the Chinese version shall apply and prevail.