Personal information collection statement

ZA Bank Limited (“we” or “us”)

Notice to customers and other individuals relating to the Personal Data (Privacy) Ordinance

(Cap. 486, “Ordinance”) and the Code of Practice on Consumer Credit Data

(“Notice”)

Collection of data

1. From time to time, we may collect data of customers and other individuals in connection with matters and purposes set out in this Notice. These customers and other individuals may include the following or any of them（collectively “you”or “your”）：

(a) applicants or accountholders for Facilities, Products and Services;

(b) customers;

(d) referees;

(e) corporate officers and managers, (e.g. authorised signatories, contact persons, company secretary, directors, shareholders, beneficial owners of a corporate);

(f) suppliers, agents, contractors, service providers and other contractual counterparties; and

(g) any third party transacting with or through us.

2. Broadly, we collect personal data (such as your name, identity card number, date of birth, correspondence address, phone number, email address, identification document image, facial image, employment information, address and income proof images, credit-related information etc.), supplied by you to us from time to time in connection with matters and purposes set out in paragraph 5.

3. The collection of personal data is necessary to allow us to provide you with the Facilities, Products and Services. If the personal data requested by us is not supplied, we may be unable to establish, maintain or provide Facilities, Products and Services to you.

4. We may also collect your data, directly or indirectly, in the ordinary course of our business, including (without limitation) information received from third parties, the public domain, collected through your use of the mobile applications, websites, cookies, behavioural or location tracking tools, banking services, financial services or other services of the ZhongAn Group, and/or when you write cheques or deposit money or effect transactions through cards.

Use of data

5. We may use your data for any of the following purposes:

(a) considering and processing your applications for the establishment of Facilities, Products and Services;

(b) operating and maintaining Facilities, Products and Services, including to understand the overall picture of your relationship with the ZhongAn Group by linking data in respect of all accounts you are connected to;

(c) meeting our internal operational requirements or that of the ZhongAn Group (including credit and risk management, system or product development and planning, insurance, audit and administrative purposes);

(d) conducting credit checks on you (including upon an application for Facilities, Products and Services and when we review credit which normally takes place once or many times each year);

(e) creating and maintaining our credit and risk scoring models;

(f) maintaining your credit history for present and future reference;

(g) assisting other financial institutions to conduct credit checks and collect debts;

(h) ensuring your ongoing credit worthiness;

(i) in connection with matching against any data held by us or the ZhongAn Group for any purpose set out in this paragraph 5 (whether or not with a view to taking any adverse action against you);

(j) designing financial products and services (including banking, cards, financial, insurance, securities and investment services or related products, if applicable) for your use;

(k) marketing services, products and other subjects (see paragraph 7 below);

(l) determining the amount of indebtedness owed to or by you;

(m) enforcing your obligations, to us or any other member of the ZhongAn Group, including collecting amounts outstanding from you;

(n) meeting or complying with any obligations, requirements or arrangements for disclosing and using data that apply to us or any other member of the ZhongAn Group or that it is expected to comply according to:

(i) any present or future law or regulation within or outside Hong Kong (e.g. the Inland Revenue Ordinance (Cap. 112) and its provisions including those concerning automatic exchange of financial account information);

(ii) any present or future guidelines or guidance issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong (e.g. guidelines or guidance given or issued by the Inland Revenue Department including those concerning automatic exchange of financial account information);

(iii) any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers applicable to us or any member of the ZhongAn Group by reason of its financial, commercial, business or other interests or activities in or related to the relevant jurisdiction (“Authorities”, and each an “Authority”); and

(iv) any demand or request from an Authority;

(o) meeting any obligations, policies, measures or arrangements for sharing data and information within the ZhongAn Group and/or any other use of data and information pursuant to any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing, fraudulent activities or other unlawful activities;

(p) enabling an actual or potential assignee of all or any part of our business and/or asset or participant or sub-participant of our rights in respect of you, to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;

(q) in connection with any member of the ZhongAn Group defending or responding to any legal, governmental, or regulatory or quasi-governmental related matter, action or proceeding (including any prospective action or legal proceedings), including where it is in our legitimate interests or any member of the ZhongAn Group to seek professional advice, for obtaining legal advice or for establishing, exercising or defending legal rights;

(r) organising and delivering seminars for you;

(s) managing, monitoring and assessing the performance of any agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment or securities clearing or other services to us in connection with the establishment, operation or maintenance of Facilities, Products and Services, if applicable; and

(t) any other purposes relating to the purposes listed above.

Disclosure of data

6. Data we hold is kept confidential but we may provide, transfer or disclose such data or information to any one or more of the following parties (whether within or outside Hong Kong) for the purposes set out in paragraph 5:

(a) any agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment or securities clearing or other services to us in connection with the establishment, operation, maintenance or provision of Facilities, Products and Services;

(b) any other person under a duty of confidentiality to us including any other member of the ZhongAn Group which has undertaken to keep such information confidential;

(d) credit reference agencies and, in the event of default, to debt collection agencies;

(e) any person or entity to whom we or any other member of the ZhongAn Group is under an obligation or otherwise required to make disclosure in connection with or for the purposes set out in paragraphs 5(n)and 5(o) above;

(f) any financial institution and merchant acquiring company with which you have or propose to have dealings;

(g) any actual or proposed assignee of all or any part of our business and/or asset or participant or sub-participant or transferee of our rights in respect of you;

(h) any party giving or proposing to give a guarantee or third party security to guarantee or secure your obligations;

(i) any interface (such as an application programming interface) that links to, or in any way makes available information about our Facilities, Products and Services;

(j) any member of the ZhongAn Group acting as a data controller in respect of your data;

(k) third party financial institutions, insurers, credit card companies, securities and investment services providers;

(l) third party reward, loyalty, co-branding and privileges programme providers;

(m) our co-branding partners and/or co-branding partners of any member of the ZhongAn Group (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);

(n) charitable or non-profit making organisations; and/or

(o) external service providers (including but not limited to mailing houses, telecommunication companies, telemarketing and direct sales agents, call centres, data processing companies and information technology companies) that we engage for the purposes set out in paragraph 5(k) above.

Use of data in direct marketing

7. We intend to use your data for direct marketing but we may not do so unless we have received your consent (or indication of no objection). Please note that:

(a) we may use your name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data in direct marketing;

(b) we may market the following classes of services, products and subjects:

(i) financial, insurance, fiduciary, investment services, credit card, securities, investment, banking and related services and products;

(ii) reward, loyalty or privileges programmes and related services and products;

(iii) services and products offered by our co-branding partners (the names of such co-branding partners can be found in the application form(s) and/or advertising material(s) for the relevant services and products, as the case may be); and

(iv) donations and contributions for charitable and/or non-profit making purposes;

(i) any member of the ZhongAn Group;

(ii) third party financial institutions, insurers, credit card companies, securities and investment services providers;

(iii) third party reward, loyalty, co-branding or privileges programme providers;

(iv) our co-branding partners and/or co-branding partners of any member of the ZhongAn Group; and

(v) charitable or non-profit making organisations.

You may opt-out of receiving direct marketing materials from us or request us to cease using your personal data or contact information either generally or selectively for direct marketing purposes by notifying us.

Provision of data for use in direct marketing

8. In addition to marketing the services, products and subjects set out in paragraph 7(b) above ourselves:

(a) we also intend to provide the data described in paragraph 7(a) above to all or any of the persons described in paragraph 7(c) above for use by them in marketing those services, products and subjects, and we require your written consent (which includes an indication of no objection) for that purpose; and

(b) we may receive money or other property in return for providing the data to the other persons in paragraph 8(a) above and, when requesting your consent or no objection pursuant to paragraph 8(a) above, we will inform you if we will receive any money or other property in return for providing the data to the other persons.

If you do not wish us to provide your data to other persons for use in direct marketing, you may exercise your opt-out right by notifying us.

Personal data of another person

9. Where you have provided us with another person's personal data, you should provide him/her with a copy of this Notice and inform them of how we may use their data.

Provision of data to credit reference agencies and debt collection agencies

10. We may provide (amongst others) the following data relating to you to a credit reference agency and/or a debt collection agency:

(a) your general particulars (being your name, address, contact information, date of birth, Hong Kong Identity Card Number or travel document number); and

(b) your credit application data (being the fact that you have made an application for consumer credit, the type and the amount of credit sought).

Data access requests

11. In accordance with the terms of the Ordinance and the Code of Practice on Consumer Credit Data issued under the Ordinance, you have the right:

(a) to check whether we hold data about you and/or access to such data;

(b) to require us to correct any data relating to you which is inaccurate;

(c) to ascertain our policies and procedures in relation to data and to be informed of the kind of personal data held by us and/or you have access to;

(d) to be informed on request which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the making of an access or correction request to the relevant credit reference agency or debt collection agency; and

(e) to instruct us to make a request to the credit reference agency to delete any account data (including account repayment data) from its database within 5 years of termination of your account by full repayment provided that there has not been any default of payment in relation to the account, lasting in excess of 60 days within 5 years immediately before account termination. Account repayment data includes amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by us to a credit reference agency), remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any)).

12. In the event of any default of payment relating to an account, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days from the date such default occurred, the account repayment data (as defined in paragraph 11(e) above) may be retained by the credit reference agency until the expiry of 5 years from the date of final settlement of the amount in default.

13. In the event any amount in an account is written-off due to a bankruptcy order being made against you, the account repayment data (as defined in paragraph 11(e) above) may be retained by the credit reference agency, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until the expiry of 5 years from the date of final settlement of the amount in default or the expiry of 5 years from the date of discharge from a bankruptcy as notified by you with evidence to the credit reference agency, whichever is earlier.

14. Without limiting the generality of the foregoing, we may from time to time access your personal and account information or records held by the credit reference agency for the purpose of reviewing any of the following matters in relation to the existing credit facilities granted to you or a third party whose obligations are guaranteed by you:

(a) an increase in the credit amount;

(b) the curtailing of credit (including the cancellation of credit or a decrease in the credit amount); and

15. We may have obtained your credit report from a credit reference agency in considering any application for credit. In the event you wish to access the credit report, we will advise the contact details of the relevant credit reference agency.

16. Your data may be processed, kept and transferred or disclosed in and to any country as we or any person who has obtained such data from us referred to in paragraph 6 above consider appropriate. Such data may also be processed, kept, transferred or disclosed in accordance with the local practices and laws, rules and regulations (including any governmental acts and orders) in such country.

17. In accordance with the terms of the Ordinance, we have the right to charge a reasonable fee for the processing of any data access request.

Use of algorithmic assessments

18. We may use certain algorithms when considering and processing your application for the establishment of Facilities, Products and Services. The algorithms may provide automatic assessments and decisions based on the personal data collected pursuant to paragraph 4 above. The parameters used in these assessments would have been selected to provide a fair and objective assessment of your personal data and tested for reliability and fairness. If we are uncertain about the accuracy of the personal data that may be used in an algorithmic assessment, we will endeavour to seek your clarification.

How to reach us

19. The person to whom requests for access to or correction of data held by us, or for information regarding our data policies and practices and kinds of data held by us are to be addressed is as follows:

Data Protection Officer

ZA Bank Limited

Address: Unit 1301, Level 13, IT Street, Cyberport 3, 100 Cyberport Road, Hong Kong

Email: bank_dpo@za.group

Should you have any queries, please do not hesitate to contact either your relationship manager or our Data Protection Officer at bank_dpo@za.group.

20. Nothing in this document shall limit your rights under the Ordinance.

Others

21. Security

(a) The security of personal data is important to us. We have technical and organisational security measures in place to safeguard your personal data (including personal data in transit and storage). These security measures ensure that confidentiality and integrity of your personal data is not compromised. Multiple layers of protection have been put in place to protect against leakage of personal data to external parties. Personal data will be encrypted by strong data encryption algorithms using encryption keys unique to us and with proper key management. When using external service providers, we require that they adhere to security standards mandated by us and the ZhongAn Group. The ZhongAn Group may do this through contractual provisions, including any such provisions approved by a privacy regulator, and oversight of the service provider. Regardless of where personal data is transferred, we take all steps reasonably necessary to ensure that personal data is kept securely.

(b) You should be aware that the Internet may not be a secure form of communication and sending us personal data over the Internet may carry with it risks including the risk of access and interference by unauthorised third parties. Information passing over the Internet may be transmitted internationally (even when sender and recipient are located in the same country) via countries with weaker privacy and data protection laws than your country of residence.

22. We and the ZhongAn Group retain personal data in line with applicable legal and regulatory obligations and for business and operational purposes. In the majority of cases this will be for 7 years from the end of your relationship with the ZhongAn Group.

23. To the extent permitted by law, we and other members of the ZhongAn Group may record and monitor electronic communications with you to ensure compliance with legal and regulatory obligations and internal policies for the purposes outlined at paragraph 5 above.

24. You should also read our Privacy Policy Statement and the cookie policy (set out in our Conditions of Use of Website and Conditions of Use of App) when using our online services.

Definitions

In this document, unless inconsistent with the context or otherwise specified, the words below shall have the following meanings:

“account(s)” means, for each facility, product or service which we may from time to time make available to you, the account that is, opened and/or maintained in respect of it from time to time.

“accountholder(s)” means holder(s) of an account, and includes joint accountholder(s) in case there is more than one holder for an account.

“card” means an ATM card, a debit card, a credit card, or a revolving card or all of them, as the context requires.

“disclose”, “disclosing” or “disclosure” in relation to personal data, includes disclose or disclosing information inferred from the data.

“Facilities, Products and Services” means products or services offered or to be offered by or through us (which may include banking, cards, financial, insurance, fiduciary, securities and/or investments products and services as well as products and services relating to these, subject to obtaining the relevant regulatory approvals in Hong Kong or elsewhere).

“Hong Kong” means the Hong Kong Special Administrative Region.

“ZhongAn Group” means each of or collectively ZhongAn Technologies International Group Limited and its subsidiaries and affiliates.

Please circulate this document to any and all data subjects (as defined in the Ordinance) relating to your account(s) with us. In case of inconsistency between the English and Chinese versions, the English version shall prevail.

IMPORTANT: By accessing this website and any of its pages you are agreeing to the terms set out above. Thank you for choosing ZA Bank Limited.

ZA Bank Limited

September 2019