Login Internet Banking

Personal/Private Banking Business Register Now
Internet Banking
 

 

E-Banking Services Personal Information Collection and Privacy Policy Statements

Industrial and Commercial Bank of China (Asia) Limited (the "Bank") respects customer's privacy and will take all reasonable steps to ensure that customer's personal data will be protected. The Bank will also take all reasonable steps to ensure that the customer's personal information collected, retained and provided by the Bank is accurate. If the Bank becomes aware of any inaccuracies in the Bank's records, the Bank will take prompt steps to make appropriate corrections.
By accessing this website and any of its pages thereof, you are agreeing to be bound by the terms and conditions set out below and by continuing to use this website following the posting of any changes to these terms you are deemed to have accepted and to be bound by the changes made. If you do not agree to the terms and conditions below, do not access this website or any pages thereof.

PROTECTION OF PERSONAL DATA

Encryption

Encryption technology is employed by the Bank for transmitting and receiving sensitive data on the internet to endeavour to protect the customer's privacy. The customer's browser needs to be of the required specification for the encryption technology as specified in the Bank's user's guide.

Protect your computer

a. Install the most up-to-date anti-virus software and update the software with virus signature regularly.
b. Install personal firewall software on your computer to prevent hackers from accessing computer or intrusion via the internet.
c. You are recommended to discuss with reputable information security professionals and software vendors to select the best suitable security protection software.

Never disclose your PIN of e-banking and personal information

a. Do not disclose your PIN of internet banking, phone banking and ATM to any persons (including bank staff and the police) or any doubtful websites or allow anyone else to use your PIN and do not record it anywhere. The Bank will never contact customer directly or via other electronic channel (e.g. e-mail) to ask customer for their PIN and personal information for internet banking, phone banking, or ATM services. These include customer’s User ID, Digital Certificate, PIN, account number, identification/passport number, address, phone number etc.
b. Do not use personal identifiers (e.g. user ID/password) that are easy to guess such as birthday, HKID number, telephone number, names of family members or common names, etc. Do not to use the passwords for accessing other services (for example, connection to the internet or accessing other websites).
c. Regularly change your PIN via e-banking services (e.g. every 1 month).
d. Check your bank balance and transactions regularly. Notify the Bank immediately if you discover any errors or unauthorized transactions.
e. Do not use the internet banking user ID or PIN for other online services (e.g. e-mail, internet access).
f. Do not use e-banking services through public or from shared computers such as those in cyber café or public libraries.
g. Close all browser windows before logging on to e-banking to protect your financial information from unauthorized access from another website.
h. Always check the date and time of your last visit to our e-banking services at Main Menu after login. If you suspect anything unusual, please contact the Bank immediately.
i. Always log off after having finished using e-banking services.
j. Always disconnect after having finished using the e-banking services. Avoid leaving your connection on, especially with broadband access, unless you are actively using it.

COLLECTION OF PERSONAL DATA

Clicktrail

Some of the customer's personal information may be gathered by the Bank by monitoring the customer's "clicktrail". The Bank may monitor and track the customer's use of the Bank's website to identify a usage pattern of the Bank's website and to build up a usage profile of the customer. This information is sometimes called a "clicktrail". It describes the pages in the Bank's website the customer has visited. We may use this information for marketing purposes, as well as one or more of the following types of uses:-

a. ongoing account administration;
b. customer verification procedures;
c. marketing to the customer the product of the Bank or the Bank group;
d. credit checking;
e. data verification;
f. any purpose relating to or in connection with compliance with any law, regulation, court order or request of a regulatory body; and
g. any other purpose relating to or in connection with the business or dealings of the Bank or the Bank group.

Cookies

The Bank uses Cookies only for the purpose of maintaining the communication connection between customer terminal and bank server in every customer logon to our Internet Banking. The Bank does not record any customer information inside the Cookies. Customers may change the settings on their internet browsers for disabling the cookies transmission from the Bank's website. However, such disabling will prevent that customer from being able to make use of the Bank's internet banking services.

CIRCULAR TO CUSTOMERS AND OTHER INDIVIDUALS

The Bank requests the customer to note the contents of the Bank's Circular to Customers and Other Individuals relating to the Personal Data (Privacy) Ordinance set out at the end of this E-Banking Services Personal Information Collection and Privacy Statements.

DISCLAIMER

Information Usage

Products and services referred to in this website are offered only in jurisdictions where and when they may be lawfully offered by the Bank. The materials on this website is not intended for use by persons located in or resident in jurisdictions that restrict the distribution of this material by the Bank. These pages should not be regarded as an offer or solicitation to sell products or make transactions in any jurisdiction to any person to whom it is unlawful to make such an invitation or solicitation in such jurisdictions. Persons accessing these pages are required to inform themselves about and observe any relevant restrictions.

The Bank may from time to time specify the type and scope of the e-banking services. The Bank reserves the right to modify, expand or reduce the scope of the e-banking services from time to time without giving prior notice to the Customer.

Copyright

All information and data provided in the Bank's website, including that provided in third party websites hyperlinked to the Bank's website ("Provided Information") is subject to copyright of either the Bank or other third party provider.

The customer may save one copy of the content of the Bank's websites on the customer's disk and print extracts of it for the customer's own personal and non-commercial use. Any other copying, distribution, storing, or transmission of any kind, or any sort of commercial use, of the content of the Bank's website is prohibited.

No Warranty and No Advice

All information and descriptions contained in this website are subject to change from time to time. While every care has been taken in preparing the information and materials contained in this website, such information and materials are provided to you "as is" without warranty or representation of any kind, express or implied, and does not constitute investment advice or a recommendation to the customer and should not be relied on in that regard. The Bank does not assume responsibility for any reliance the customer may place on the Provided Information. In particular, no warranty or representation regarding non-infringement, security, accuracy, fitness for a particular purpose or freedom from computer virus, Trojan horses, worms, software bombs or similar items is given in conjunction with such information and materials.

The information contained in these pages is solely for reference purpose only and is not intended to provide professional advice and should not be relied upon in that regard. Persons accessing these pages are advised to obtain appropriate professional advice where necessary.

Linked Websites

The Bank is not responsible for the access to, the use of or the contents of other websites linked to the Bank's website.

Internet Communications

The Bank endeavours to ensure, but does not guarantee, uninterrupted availability of the Bank's website or the accuracy and timeliness of the data the Bank transmits. It is possible that inaccuracies and omissions may be contained in the material on the Bank's website and that inaccuracies, omissions and delays may occur in its conversion and electronic distribution by the Bank. The Bank excludes, to the full extent allowed by law, all liabilities (whether in contract or tort) for any loss, including indirect or incidental loss, resulting from any unavailability of the Bank's website, from the customer's access to or use of the Bank's website and the information in it, or the customer's saving of any content from the Bank's website or any content delivered to the customer by the Bank's website.

GOVERNING LAW

Use of this website shall be governed by the laws of the Hong Kong Special Administrative Region and any dispute shall be subject to the non-exclusive jurisdiction of the courts of the Hong Kong Special Administrative Region.

 

May 2009

Revision of our Circular to Customers and Other Individuals relating to the Personal Data (Privacy) Ordinance

With a view to providing additional information to our customer about the uses of personal data, we are pleased to enclose our revised Circular.

The revision’s highlight:

    1. Please see paragraph (5), (11) and (15) for the updated terms regarding《insofar as the Personal Information Protection Law of the People’s Republic of China (“PIPL”) is applicable to the Bank’s process and/or use of the data of data subject 》
    2. The Updated PDPO Circular also incorporates new paragraph (8), (9) and (11)(vi)to(xi) for the updated terms regarding《insofar as the Personal Information Protection Law of the People’s Republic of China (“PIPL”) is applicable to the Bank’s process and/or use of the data of data subject 》

September 2023

Industrial and Commercial Bank of China (Asia) Limited (the "Bank") Circular to Customers and Other Individuals relating to the Personal Data (Privacy) Ordinance (the "Ordinance")

(1)From time to time, it is necessary for customers and various other individuals (including without limitation applicants for banking/financial services and credit facilities, sureties and persons providing security or guarantee for credit facilities, shareholders, directors, officers and managers of corporate customers or sole proprietors or partners or applicants and other contractual counterparties) (collectively "data subjects") to supply the Bank with data in connection with the opening or continuation of accounts and the establishment or continuation of banking/credit facilities or provision of banking/financial services.

(2)Failure to supply such data may result in the Bank being unable to open or continue accounts or establish or continue banking/credit facilities or provide banking/financial services.

(3) It is also the case that data are collected from data subjects in the ordinary course of the continuation of the banking relationship, for example, when data subjects write cheques, deposit money or otherwise carry out transactions as part of the Bank’s services. The Bank will also collect data relating to the customer from third parties, including third party service providers with whom the customer interacts in connection with the marketing of the Bank’s products and services and in connection with the customer’s application for the Bank’s products and services (including receiving personal data from credit reference agencies approved for participation in the Multiple Credit Reference Agencies Model (hereinafter referred to as “credit reference agencies”)).

(4) The purpose for which data relating to a data subject may be used are as follows :

i.considering and assessing the data subjects’ application for the Bank’s products and services;
ii. the daily operation of the services and credit facilities provided to data subjects;
iii. conducting credit checks at the time of application for credit and at the time of regular or special reviews which normally will take place one or more times each year;
iv.creating and maintaining the Bank’s credit scoring models;
v. provision of reference (status enquiries);
vi.assisting other credit providers in Hong Kong approved for participation in the Multiple Credit Reference Agencies Model (hereinafter referred to as“credit providers”) to conduct credit checks and collect debts;
vii. ensuring ongoing credit worthiness of data subjects;
viii. designing financial services or related products for data subjects' use;
ix. marketing services, products and other subjects in respect of which the Bank may or may not be remunerated (please see further details in paragraph (6) below);
x. determining the amount of indebtedness owed to or by data subjects;
xi. the enforcement of data subjects' obligations, including without limitation the collection of amounts outstanding from data subjects and those providing security for data subjects' obligations;
xii complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Bank or Bank’s Group Companies or that it is expected to comply according to:
(a)any law binding or applying to it within or outside Hong Kong existing currently and in the future (e.g. the Inland Revenue Ordinance and its provisions including those concerning automatic exchange of financial account information) or any court order being enforceable on it;
(b)any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently and in the future (e.g. guidelines or guidance given or issued by the Inland Revenue Department including those concerning automatic exchange of financial account information);and
(c)any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Bank or Bank’s Group Companies by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;
xiii.complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the group of the Bank and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing. tax evasion or other unlawful activities;
xiv.enabling an actual or proposed assignee of the Bank’s Group Companies Group Companies, or participant or sub-participant of the rights of the Bank or those of Bank’s Group Companies in respect of data subjects to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;
xv.exchanging information with merchants which accept credit cards issued by the Bank and entities with whom the Bank provides affinity/co-branded /private label credit card services (each a “merchant” or an “affinity entity”);
xvi.verifying data subjects’ identities with any card acquirer of a merchant in connection with any card transactions;
xvii. for purposes of risk management of the group of the Bank;xviii.maintaining a credit history or otherwise, a record of data subjects (whether or not there exists any relationship between data subjects and the Bank) for present and future reference;
and
xix. purposes relating thereto.
(5) Data held by the Bank relating to a data subject will be kept confidential but, subject to the data subject’s separate consent (insofar as the Personal Information Protection Law of the People’s Republic of China (“PIPL”) is applicable to the Bank’s process and/or use of the data of data subject) the Bank may provide such information to the following parties for the purposes set out in paragraph (4) :

i.any Bank’s Group Companies, agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment or securities clearing or other services to the Bank or Bank’s Group Companies in connection with the operation of its business;
ii.any other person under a duty of confidentiality to the Bank or a Bank’s Group Companies which has undertaken to keep such information confidential;
iii. the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;
iv.third party service providers with whom data subjects have chosen to interact with in connection with data subjects’ application for the Bank’s products and services;
v. a person making any payment into data subject’s account (by providing a copy of a deposit confirmation slip which may contain the name of the data subject);
vi.credit reference agencies (including the operator of any centralized database used by credit reference agencies), and, in the event of default, to debt collection agencies;
vii.any person to whom the Bank or Bank’s Group Companies is under an obligation or otherwise required to make disclosure under the requirements of any law, regulation or court order binding on or applying to the Bank or Bank’s Group Companies, or any disclosure under and for the purposes of any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers with which the Bank or Bank’s Group Companies is expected to comply, or any disclosure pursuant to any contractual or other commitment of the Bank or Bank’s Group Companies with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers, all of which may be within or outside Hong Kong and may be existing currently and in the future;
viii.any actual or proposed assignee of the Bank or Bank’s Group Companies, or participant or sub-participant or transferee of the rights of the Bank or those of Bank’s Group Companies in respect of the data subject;
ix .a merchant or an affinity entity which has undertaken to keep such data confidential; and
x (a) any Bank’s Group Companies;
(b) third party financial institutions, insurers, credit card companies, securities and investment services providers;
(c) third party reward, loyalty, co-branding and privileges programme providers;
(d) co-branding partners of the Bank and any Bank’s Group Companies (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);
(e) charitable or non-profit making organisations; and
(f) external service providers (including but not limited to mailing houses, telecommunication companies, telemarketing and direct sales agents, call centres, data processing companies and information technology companies) that the Bank engages for the purposes set out in paragraph (4)(ix).
The Bank may disclose data to any or all the parties stated above and may do so notwithstanding that the recipient’s place of business is outside Hong Kong, including Mainland China, or that such information following disclosure will be collected, held, processed or used by such recipient in whole or part outside Hong Kong.Insofar as the PIPL is applicable to the Bank’s process and/or use of the data of data subject, we will obtain the data subject’s separate consent in relation to such international transfers. Personal images and identification information collected by the bank shall not be used for purposes other than maintaining public security, unless relevant separate consent has been obtained.

(6) Use Of Data In Direct Marketing
The Bank uses and/or intends to use the data of a data subject in direct marketing and the Bank requires the consent of the data subject (which includes an indication of no objection) for that purpose. In this connection, please note that:

i. the name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data of a data subject held by the Bank from time to time may be used by the Bank in direct marketing;
ii. the following classes of services, products and subjects may be marketed:
(a) financial, insurance, credit card, banking and related services and products;
(b) reward, loyalty or privileges programmes and related services and products;
(c) services and products offered by the Bank’s co-branding partners (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and
(d) donations and contributions for charitable and/or non-profit making purposes;
iii. the above services, products and subjects may be provided or (in the case of donations and contributions) solicited by the Bank and/or:
(a) any Bank’s Group Companies;
(b) third party financial institutions, insurers, credit card companies, securities and investment services providers;
(c) third party reward, loyalty, co-branding or privileges programme providers;
(d) co-branding partners of the Bank and any Bank’s Group Companies (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and
(e) charitable or non-profit making organisations;
iv. in addition to marketing the above services, products and subjects itself, the Bank also provides and/or intends to provide the data described in paragraph (6)(i) above to all or any of the persons described in paragraph (6)(iii) above for use by them in marketing those services, products and subjects, and the Bank requires written consent of the data subject (which includes an indication of no objection) for that purpose;
v.The Bank may receive money or other property in return for providing the data to the other persons in paragraph (6)(iv) above and, when requesting the consent of the data subject or no objection as described in paragraph (6)iv above, the Bank will inform the data subject if it will receive any money or other property in return for providing the data to the other persons.

vi The Bank uses and/or provides the personal data of a data subject for direct marketing only if the Bank receives the explicit consent from the data subject indicating that he has no objection to it. If a data subject agrees to let the Bank use or provide to other persons his personal data for use in direct marketing as described above, the data subject may, without charge, exercise his opt-in right by notifying the Bank. The data subject may make the opt-in request by providing the written instruction or completing the relevant bank form and returning to the Bank or visiting any of the Bank’s branches.If a data subject does not wish the Bank to use or provide to other persons his data for use in direct marketing as described above, the data subject may exercise his opt-out right by notifying the Bank.

(7) With respect to data in connection with mortgages applied by a data subject (whether as a borrower, mortgagor or guarantor and whether in the data subject’s sole name or in joint names with others) on or after 1 April 2011, the Bank may, on its own behalf and/or as agent, provide the following data relating to the data subject (including any update) to a credit reference agencies:

i. full name;
ii. capacity in respect of each mortgage (as borrower, mortgagor or guarantor, and whether in the data subject’s sole name or in joint names with others);
iii. Hong Kong Identity Card Number or travel document number;
iv. date of birth;
v. address;
vi. mortgage account number in respect of each mortgage;
vii. type of the facility in respect of each mortgage;
viii. mortgage account status in respect of each mortgage (e.g., active, closed, write-off (other than due to a bankruptcy order), write-off due to a bankruptcy order); and
ix. if any, mortgage account closed date in respect of each mortgage.

Credit reference agencies will use the above data for the purposes of compiling a count of the number of mortgages from time to time held by the data subject with credit providers, as borrower, mortgagor or guarantor respectively and whether in the data subject’s sole name or in joint names with others, for sharing in the consumer credit databases of the credit reference agencies by credit providers (subject to the requirements of the Code of Practice on Consumer Credit Data approved and issued under the Ordinance).

(8)To the extent required under the PIPL, the Bank will, prior to sharing the data subject’s personal data with third parties, notify the data subject of the name and contact details of the recipients, the purposes and means of processing and provision of the data subject’s personal data, and the types of personal data to be provided and shared, and obtain the data subject’s separate consent to the sharing of the data subject’s personal data. The foregoing data recipients will use the personal data to the extent necessary for the specific purposes set out in this Notice and store the personal data for the minimum length of time required to fulfil the purposes, or insofar as the PIPL is applicable to the Bank’s process and/or use of the data of data subject, in accordance with the PIPL.

(9)Some of the data collected by the Bank may constitute sensitive personal data under the PIPL. The Bank will only process sensitive personal data if strict protection measures are put in place and there is sufficient necessity to justify the processing. Insofar as the PIPL is applicable to the Bank’s process and/or use of the data of data subject, such sensitive personal data will be processed with the data subject’s separate consent.

(10)Transfer Of Personal Data To Data Subject’s Third Party Service Providers Using Application Progamming Interfaces of the Bank (“API”) The Bank may, from time to time, in accordance with the data subject’s instructions to the Bank or third party service providers engaged by the data subject, transfer data subject’s data to third party service providers using the Bank’s API for the purposes notified to the data subject by the Bank or third party service providers and/or as consented to by the data subject in accordance with the Ordinance.

(11) Under and in accordance with the terms of the Ordinance and (insofar as the PIPL is applicable to the Bank’s process and/or use of the data of data subject) the PIPL and the Code of Practice on Consumer Credit Data, the data subject has the right :

      1. to check whether the Bank holds data about him and of access to such data;
      2. to require the Bank to correct any data relating to him which is inaccurate;
      3. to ascertain the Bank’s policies and practices in relation to data and to be informed of the kind of personal data held by the Bank;
      4. to be informed on request which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the making of an access and correction request to the relevant credit reference agency or debt collection agency; and
      5. in relation to any account data (including, for the avoidance of doubt, any account repayment data) which has been provided by the Bank to a credit reference agency, to instruct the Bank, upon termination of the account by full repayment, to make a request to the credit reference agency to delete such account data from its database, as long as the instruction is given within five years of termination and at no time was there any default of payment in relation to the account, lasting in excess of 60 days within five years immediately before account termination. Account repayment data include amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by the Bank to the credit reference agency), remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any)).
      6. insofar as the PIPL is applicable to the Bank’s process and/or use of the data of data subject, to request the Bank to delete the personal data of the data subject;
      7. insofar as the PIPL is applicable to the Bank’s process and/or use of the data of data subject, to object to certain uses of the personal data of the data subject;
      8. insofar as the PIPL is applicable to the Bank’s process and/or use of the data of data subject, request an explanation of the rules governing the processing of the personal data of the data subject;
      9. insofar as the PIPL is applicable to the Bank’s process and/or use of the data of data subject, to ask that the Bank transfer personal data that the data subject have provided to the Bank to a third party of data subject’s choice under circumstances as provided under the PIPL;
      10. insofar as the PIPL is applicable to the Bank’s process and/or use of the data of data subject, to withdraw any consent for the collection, processing or transfer of the personal data of the data subject (the data subject should note that withdrawal of his consent may result in the Bank being unable to open or continue accounts or establish or continue banking facilities or provide banking services); and
      11. insofar as the PIPL is applicable to the Bank’s process and/or use of the data of data subject, to have decisions arising from automated decision making (ADM) processes explained and to refuse to such decisions being made solely by ADM.

(12) In the event of any default of payment relating to an account, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days from the date such default occurred, the account repayment data (as defined in paragraph (11)(v) above) may be retained by credit reference agencies until the expiry of five years from the date of final settlement of the amount in default.

(13) In the event any amount in an account is written-off due to a bankruptcy order being made against a data subject, the account repayment data (as defined in paragraph (11)(v) above) may be retained by credit reference agencies, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until the expiry of five years from the date of final settlement of the amount in default or the expiry of five years from the date of discharge from a bankruptcy as notified by the data subject with evidence to the credit reference agency(ies), whichever is earlier.

(14) The Bank may from time to time access the consumer credit data of a data subject held by a credit reference agency in the course of the consideration of any grant of consumer credit or the review or renewal of existing customer credit facilities granted to the data subject as borrower or to another person for whom the data subject proposes to act or acts as guarantor or for the purpose of the reasonable monitoring of the indebtedness of the data subject while there is currently a default by the data subject as borrower or as guarantor. In particular, the Bank may access the consumer credit data for the purpose of the review of the existing consumer credit facilities granted to assist the Bank in considering any of the following matters:-

i. an increase in the credit amount;
ii. the curtailing of credit (including the cancellation of credit or a decrease in the credit amount); or
iii. the putting in place or the implementation of a scheme of arrangement with the data subject.

If the data subject wishes to access the credit reports obtained by the Bank from the credit reference agency(ies), the Bank will advise the contact details of the relevant credit reference agency(ies).

(15) In accordance with the terms of the Ordinance and (insofar as the PIPL is applicable to the Bank’s process and/or use of the data of data subject), the Bank has the right to charge a reasonable fee for the processing of any data access request.

(16) The person to whom requests for access to data or correction of data or for information regarding policies and practices and kinds of data held are to be addressed is as follows :

The Data Protection Officer
Industrial and Commercial Bank of China (Asia) Limited
33/F., ICBC Tower,
3 Garden Road
Central, Hong Kong
Fax : 2805 1166

(17) Nothing in this Circular shall limit the rights of data subjects under the Ordinance.

(18) This Circular shall be deemed an integral part of all contracts, agreements, credit facility letters, account mandates and other binding arrangements which the data subject has entered into or intends to enter into with the Bank.

(19) In this Circular, the following terms shall have the following meanings : “Bank’s Group Companies” means any subsidiary of the Bank, any direct or indirect holding company of the Bank, any subsidiary of any such holding company or any of their related companies (that is such companies’ equity interest is held by any of the foregoing) including companies within the group of Industrial and Commercial Bank of China; “subsidiary” and “holding company” bear the meanings under the Companies Ordinance (Cap.622)

In case of discrepancies between English and Chinese versions, the English version shall prevail.

September 2023

ICBC(Asia)“ Apps Service Personal Data Collection and Privacy Policy Statement” (Effective Date: [21 June 2023])

I User Information Protection Guidelines

Industrial and Commercial Bank of China (Asia) Limited (the "Bank" or “ICBC(Asia)”) values customers privacy and will take all reasonable measures to ensure customer personal data will be protected. The Bank will explain how the Bank collects,uses, stores and shares the information when using our Apps products or services, and how the Bank accesses, updates, deletes and protects the information through the ICBC(Asia) “Apps Service Personal Data Collection and Privacy Policy Statement”. The Bank will also take all reasonable measures to ensure that the customers personal information collected, retained and provided by the Bank is accurate. In case of any inaccuracies found in the Bank's records, the Bank will take prompt measures to make appropriate corrections.

ICBC(Asia) “Apps Service Personal Data Collection and Privacy Policy Statement” will be applicable to all of our Apps products/or services. For Internet banking service, the “E-Banking Services Personal Information Collection and Privacy Policy Statements” will be referred.

By using the Apps you are agreeing to the terms set out below and continuing to use this Apps following the posting of any changes to these terms will signify your consent to the changes made. If customers do not agree to the terms and conditions below, please do not use the Apps .

II Types, Purpose and Content of Personal Data Collection

i )Types of Personal Data Collection

When using our Apps’ service, the Apps will collect the information that customers provide when using the service or generated during using the service, which can optimize our services and keep the customer account safe:

When customers use the Apps’ service, in order to ensure customers are using our services normally, maintain the operation of our service normally, improve and optimize our service experience and ensure the security of customer accounts, the Bank will collect the log information from customers’mobile as follows:

Device model, operating system, unique device identifier (Android ID for Android), Clipboard information,IMSI,IMEI,MAC address, login IP address, the way of access network, type and status, network quality data, operation log, service log information.

This type of information is fundamental that must be collected for the Bank to provide the services.

ii) Authorization of Accessing Personal Data

When customers use the Apps’ services, the Bank may need customers to grant the following personal authorities in order to ensure they are using our services normally, safeguard the normal operation of our services, improve our services and protect customer accounts’ security:

Camera: QR code scanning, facial recognition, bank card scanning and other functions.

Album: Storage of and access to QR code pictures and identity documents, pictures, and other functions.

Positioning: Getting the users’ locations, automatically providing corresponding regional services and outlet map, and other functions.

Fingerprint/Face ID: Log-on or small-value payment authentication and other functions.

Phone book: Provide services related to mobile phone related service in a simplest way.

Such authorization information is sensitive information.

Clipboard: Used for quick transfer function.

Bluetooth: Used for getting the phone name.

Microphone/Recording: Used for voice search, intelligent customer service function.

Siri: Used for processing transfer requests via Siri.

Storage: Used for logging to change and save the avatar picture and other functions like scanning.

Such authorization information is sensitive information.

In order to comply with the following matters or to perform the Bank’s duties, requirements or arrangements (whether compulsory or voluntary), the Bank may access customers’ personal data without necessarily obtaining their authorization in advance:

1) Complying with any international treaties, economic or trade sanctions regimes, law, regulation, judgment, court order, industry norms (refer to as "Laws") with binding or applicable over all or any part of the ICBC(Asia) within or outside the Hong Kong Special Administrative Region (refer to "Hong Kong") exist currently and in future (e.g. the Inland Revenue Ordinance and its provisions including those related to automatic exchange of financial account information);

2) Complying with any current or future guidelines, guidance, policy or requests given or issued by any court, regulatory, government, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers with binding or applicable over all or any part of the ICBC(Asia), within or outside Hong Kong, or ICBC(Asia) (e.g. guidelines, guidance or requests given or issued by the Inland Revenue Department including those related to automatic exchange of financial account information);

3) Due to commercial activities, any current or future contractual or other commitments undertaken or applicable to ICBC(Asia ) that is assumed by any court, regulator, government, tax, law enforcement or other authorities, or self-regulator or industry bodies or associations of financial services providers with jurisdiction over all or any part of the ICBC(Asia), within or outside Hong Kong (collectively called "Authorities" );Or any agreement or treaty between Authorities;

4) Conduct any action to meet our obligations of measures or arrangements within ICBC(Asia) on prevention or detection of money laundering, terrorist financing or other unlawful activities;

5) Fulfilling responsibility given by Laws of prevention or detection or investigation on any acts or attempts to circumvent or violate money laundering, terrorist financing, bribery, tax evasion, fraud, evasion of economic or trade sanctions and/or relating to these matters ;

6) To sign and fulfill the necessary terms if agreement according to your requirements;

7) Information collected will be used for maintaining the products and proper operation provided, e.g. in case of discovery and handling product or service failure;

8)Any circumstances relating to, supplementary or inevitable to the above mentioned matters

Please make sure that the functions and services the Bank provide to customers will be updated and developed from time to time. If a certain function or service is not included in the above description but the Bank has collected customers’ information, the Bank will inform customers of the use of content and scope , purpose of information collection, obtain customers’ consent by screen message prompt and announcement on our bank website.

iii) Purpose of Personal Data Collection

    1. The information of the data subjects may be used for the following purposes: To handle the applications for banking/financial services and credit facilities;
    2. The daily operation of the services and credit facilities provided to data subjects;
    3. Conducting credit checks at the time of application for credit and at the time of regular or special reviews which normally will take place once or more a year;
    4. Creating and maintaining the Bank’s credit scoring models;
    5. Provision of reference (status inquiries);
    6. Assisting other financial institutions to conduct credit checks and collect debts;
    7. Ensuring ongoing credit worthiness of data subjects;
    8. Designing financial services or related products for data subjects' use;
    9. Marketing services, products and other subjects in respect of which the Bank may or may not be remunerated;
    10. Determining the amount of indebtedness owed to or by data subjects;
    11. The enforcement of data subjects' obligations, including without limitation the collection of amounts outstanding from data subjects and those providing security for data subjects' obligations;
    12. Comply with the obligations, requirements or arrangements for disclosing and using data that apply to the Bank or a Bank Group Company or that it is expected to comply according to:

      • any laws binding or applying to it within or outside Hong Kong existing currently and in the future (e.g. the Inland Revenue Ordinance and its provisions including those concerning automatic exchange of financial account information) or any court order being enforceable on it;
      • any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, laws enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently and in the future (e.g. guidelines or guidance given or issued by the Inland Revenue Department including those related to automatic exchange of financial account information);
      • any present or future contractual or other commitment with local or foreign legal, regulator, governmental, tax, laws enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed or imposed by the Bank or the Bank Group Company by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, laws enforcement or other authority, or self-regulatory or industry bodies or associations;
    13. Comply with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the group of the Bank and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing. tax evasion or other unlawful activities;

    14. Enable an actual or proposed assignee of the Bank or a Bank Group Company, or participant or sub-participant of the rights of the Bank or those of a Bank Group Company in respect of the data subject to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;

    15. Exchanging information with merchants which accept credit cards issued by the Bank and entities with whom the Bank provides /co-branded /private label credit card services (“merchant” or an “co-branded merchant”);

    16. Verify identity with data subjects with any card merchant acquirer in connection with any card transactions;

    17. For purposes of risk management of the Bank group , we may use your data for maintaining a credit history or other bank record (whether or not there exists any relationship between data subjects and the Bank) for present and future reference; and for the purposes of related use.

        III Information Storage

        The Bank will retain customer information properly in accordance with the relevant laws, regulations and regulatory requirements of The Government of the Hong Kong Special Administrative Region .

        In general, the Bank only retains customer information if necessary for the realization of customer service, such as:

        Mobile number,E-mail Address: The Bank needs to retain customer’s mobile number and the e-mail address for 7 years if you close the bank account o matter if you have used the mobile banking service or not.

        User's Profile Picture: If customers use our bank’s Apps service, the Bank need to retain all the profile pictures uploaded by customers all the time. When customers change the profile picture, the Bank will delete the previous profile picture.

        When the Bank terminates the operation of the products or services, the Bank will notify customers via email, SMS, our bank website,announcement etc.. We will delete customers information within a reasonable period of time in accordance with relevant laws and regulations.

        IV. Information Security Protection

        The Bank is devoted to the commitment of the information security for each customer, to prevent the loss, misuse, unauthorized access or disclosure of customer information.

        The Bank will use any security measures at rational safety level to keep customer information safe, such as cryptogram and anonymous disposal.

        To prevent customer information leakage, the Bank will keep improving our technical measures to enhance the security of the software installed on customers’ devices. For instance, The Bank will encrypt the transaction information to make sure the information transmission is secured.

        The Bank has instituted specific criteria, procedures and organization to keep customer information safe. For instance, The Bank controls the authorities of our staffs to access customer information strictly and requests them to obey the security obligation forcibly and carry on the audit.

        The Bank will launch the emergent procedure in the case of security issues, such as customer information leakage, to minimize the influence of the event. In the meantime, The Bank will notify customers by sending notifications, such as email, SMS, our bank website, announcement, etc..

        V. How the Bank Uses Customer Personal Information

        The Bank uses customer personal information with the aim to comply with the laws, regulation, and regulatory provisions, build up,review, maintain and develop the relationship with the customers. The personal information collected may include: the frequency of the Apps usage, crash data, overall usage, performance data and the download source of our bank Apps. The Bank will not combine the information stored in the analysis software with any personal information provided in the Apps.

        To provide customers with more accurate, personalized, and convenient services the Bank may conduct comprehensive statistics and analyze customer information. The Bank may provide customers with notifications of marketing activities, commercial electronic information, or advertisements which customers may be interested basing on the aforementioned information. If customers do not wish to receive such information, customers may choose to unsubscribe in accordance with the methods suggested by the Bank.

        Note: The Bank will not use information from "Phone Book", "Album" or other APIs that can access user data to build customer contact database or distribution to third parties, collect information of other Apps installed in customer’s device for other commercial purpose such as analyzing or advertising / marketing. The Bank will not contact customers with the information from “Address Book” or “Album” .

        If the Bank uses customer information beyond the scope of the purpose, direct or reasonable used of information collected, the Bank will inform customers and get their consent through online channels before using customer information.

        VI Management of Personal Data

        i)Manage Personal Information

        Management of personal information includes inquiry, amendment, delete of personal information. Unless stipulated by laws, regulations and regulations, customers can inquire personal information related to the Apps service by visiting our branches, customers can submit application at branches to update their personal information. Customers can also inquire their personal information via the Apps. The Bank will provide the online functions for personal information modification in accordance with Hong Kong laws, regulations and regulatory requirements. The Bank will handle all the requirements of data access and data correction in accordance with the regulations.

        Customers can request the Bank to delete their personal information in the following situations:

          1. If customers consider that the Bank handles their personal information violating the laws, regulations and regulatory requirements.
          2. If customers consider that the Bank collects and uses their personal information without their permission.
          3. Customers no longer use the Bank’s products or services, or terminate their accounts.

    ii) Scope of Authorization

    Customers can inquire the access right via mobile device which customers have authorized the Apps to access the camera, photo album, location, fingerprint / face ID, and also change or revoke the corresponding access right at any time. Refusing to authorize these permissions will prevent customers from using the corresponding functions but will not affect the normal use of other functions in the Apps. Customers can also inquire and modify the settings via Apps which has made previously for business handling. Before customers modify the settings, the Bank will verify their identity. After customers log in to the Apps, they can proceed with the following operations:

    Set up designated Personal Information: Providing the functions of modifying the mobile number, e-mail address, profile picture and other personal information according to the local regulatory regulations.

    Login Management: Providing the functions of login-related settings, including enabling or disabling fingerprint / face ID login, gesture password login, modifying login password, setting up gesture password.

    ICBC Messenging: Providing the functions of enabling or disabling the push notifications of ICBC Messenging on this device and set up different types of ICBC Messenging. If customers choose to enable the push notification, the system will record their device information.

    iii)Account Termination

              1. Customers may terminate an account or service after they have given 30 days’ prior written notice to us or a shorter notice accepted by us, and complied with our reasonable requirements and paid our reasonable fees.
              2. Customers may close their account(s) by providing their no less than 30 days’ prior notice.not limited to where the account(s) is/are being used or is/are suspected of being used for illegal activities), the Bank may close their account(s) with immediate effect without prior notice.
              3. Within 14 days (or such longer period as we agree) after the termination of customers’ account, they will give us instructions for the delivery (at their risk and subject to our rights) of their property (if any), and pay all reasonable fees and expenses. If customers have not done so, the bank will continue to hold the property at their risk and subject to our rights, but without the obligations, under the “Master Terms and Conditions - Banking Services” of the Bank. No interest will be payable on any credit balance as from the date of termination.
              4. Termination of an account or a service will not affect accrued rights or subsisting transactions. The Bank may cancel, close out or complete any outstanding instruction or contract. Clauses 2 (Information), 7 (Payments / delivery), 8.4 (overdue interest), 10 (Limit of our liability), 11 (Your indemnity), 13(Set-off and lien) and 15 (Evidence) of the “Master Terms and Conditions - Banking Services”of the Bank will survive termination.

      iv) Responding to Customers’Requests

      If customers are unable to access, update or delete their information through the above methods, or customers consider that the Bank have obtained or used their information improperly or violated the agreement on their information, customers can directly contact the Bank via our hotline or visit our branches. The Bank will actively response to customers’ requirements within the scope of laws and regulations and regulatory provisions. The Bank will comply with all data access and correction requirements as required by the Ordinance. The Bank may verify customers’ identity before processing their request. The Bank may refuse the requests that are unreasonably repeated, posing risks to the legitimate rights and interests of others, or are impractical.

      Despite the above agreement, according to the relevant laws and regulations of Hong Kong and regulatory provisions, the Bank may not be able to response to the request of customers in the following circumstances:

                1. Related to the personal information controllers implementing the obligations by laws and regulations;
                2. Related to national security and national defense security directly;
                3. Related to public safety, public health and major public interests directly;
                4. Related to criminal investigation, prosecution, trial and execution of judgments directly;
                5. The personal information controller has sufficient evidence to show that the personal information subject has subjective malice or abuse of the rights;
                6. In order to protect the life, property and other major legitimate rights and interests of the personal information subject or other individuals, but difficult to obtain customer’s own consent;
                7. Responding to the request of the personal information subject will cause serious damage to the legitimate rights and interests of the personal information subject or other individuals and organizations;
                8. Involving commercial secrets;
                9. Other situations required by the competent authorities or regulatory regulations in the country (region) where the Bank is located.

        VII. External Disclosure of Information

        7.1 Information Disclosure

        The Bank will not disclose customer information collected. If the Bank must disclose it to the public, the Bank will inform customers of its purpose, the type of information to be disclose and sensitive information involved possibly, and soliciting customers’ consent or authorization by online notice or other means.

        7.2 Third Party SDK Services

        When customers use the functions or services in ICBC(Asia) Mobile Banking Apps, the Bank may use the software service kits provided by the third party service provider (referred to “SDK”) with corresponding business qualifications and capabilities in certain circumstances. The third party service provider will collect your necessary information.

        Please find the below third parties in specific:

        (1)Huawei Push Notification SDK: In order to notify the customers promptly, the Bank adopts Huawei Push Notification SDK. This SDK will collect the unique identification information of the mobile device and the information of the subscription list for APP push notification service.

        (2)Xiaomi Push Notification SDK: In order to notify the customers promptly, the Bank adopts Xiaomi Push Notification SDK. This SDK will collect the unique identification information, version of the operating system, language, model, regional setting, system type and network type of the mobile device for APP push notification service.

        (3)Baidu Positioning SDK: In order to provide the location related information, the Bank adopts Baidu Positioning SDK. This SDK will collect the unique identification information, latitude and longitude,IMEI, version of the operating system of the mobile device for positioning services.

        (4)Hong Kong TransUnion Limited SDK: In order to facilitate the account opening for Hong Kong customers, the Bank adopts Hong Kong TransUnion Limited SDK. This SDK will collect the image of the ID card, ID profile picture, short video of the ID card for e-account opening, photo of the face for ID card scanning and Liveness Detection.

        (5)Bonree SDK (Android): In order to improve the stability of the "ICBC (Asia) Mobile Banking" APP, the Bank uses BORUI SDK, in which it needs to obtain your Android ID, CPU, device model, operation system version, battery capacity, network status, partial click records in the application, access right for reading mobile phone status and sketchy location for the purposes of performance monitoring and optimization of the network request and crash of the "ICBC (Asia) Mobile Banking" App.
        Bonree SDK (iOS): In order to improve the stability of the "ICBC (Asia) Mobile Banking" APP, the Bank uses BORUI SDK, in which it needs to obtain your IDFV(Identifier For Vendor), CPU, device model, operation system version, battery capacity, network status, partial click records in the application and sketchy location for the purposes of performance monitoring and optimization of the network request and crash of the "ICBC (Asia) Mobile Banking" App.

        (6)In order to provide you with real-time speech recognition function and real-time speech synthesis broadcast function, the Bank uses the iFLYTEK SDK, which would use the following permissions during use:
        1. Recording permission: used to record audio for speech recognition function;
        2. Network permission: Used to send speech or text to the server for speech recognition and speech synthesis. iFLYTEK SDK would not collect users’ sensitive data and save users’ voice, text and other information on the server during use.

        (7)FIDO SDK: In order to provide customers with fingerprint security authentication services, the Bank would use the FIDO SDK, which needs to collect the information of mobile phone device model, device name, mobile phone manufacturer name, operating system version for model compatibility support and troubleshooting.

        (8)Security Assistance SDK: In order to improve the security of login, payment, card application, bill inquiry, account limit adjustment, and financial transaction functions, the Bank uses the security assistance SDK (com.example.msdeviceinfo), which needs to obtain customers’ Android ID, CPU model, manufacturer, device model, system type, operator information, network category information for transaction security analysis.

        VIII. Use of Positioning Information

        When customers use other Bank’Apps services, the Bank will collect the following log information in order to ensure customers are using the Bank’s services normally and safely, improve the services and protect the security accurately,the Bank may collect the sensitive information such as location of the customers, which can only be used to provide customers with relevant services only if the Bank obtain customers’ consent. Refusing to provide the information will only restrict customers location-related functions, it will not affect customers’ normal use of other functions in the Apps.

        IX. Information Protection for Minors

        The Apps provides financial services to Hong Kong local and overseas users, the products and services are primarily aimed at adults with independent financial capabilities. The Bank do not collect information on minors without independent financial capacity.

        X. Notification and Modification

        This Privacy Policy will be updated from time to time in accordance with laws, regulations, regulatory policies and operational requirements. However, without customers’ explicit consent, the Bank will not reduce customers’ rights that they should have under this Policy. The Bank will post an update on the website or the Apps and notify customers by means of a website announcement or other appropriate means before the effective date.

        XI. How to Contact Us

        If customers have any questions, comments or suggestions about this Privacy Policy or the personal information, customers can call our service hotline at (852)21895588 or visit our branches for consultation or feedback.

        I/We confirm and accept all the statements above.