Home
banner

Privacy Statement

Privacy Policy Statement of Shanghai Commercial Bank Limited (the "Bank") and its Subsidiaries (collectively the "Group")

The purpose of this Statement is to set out the policies and practices of the Group's commitment to protecting personal data privacy in accordance with the provisions of the Personal Data (Privacy) Ordinance ("Ordinance").

In this Statement, "Bank Group Company" means any subsidiary of the Bank, any direct or indirect holding company of the Bank, or any subsidiary, affiliate or associated entity of any such holding company.

  1. Kinds of Personal Data Held

    There are two broad categories of personal data held by the Group:

    1. Personal Data of Customers
      Customer records, which are necessary for customers to supply to the Group in connection with the opening or continuation of accounts, establishment or continuation of banking facilities, provision of banking or other financial services and/or tenancy and property management services.
    2. Personal Data of Employees
      Personnel records, which include personal details, job particulars, details of remuneration and benefits, performance appraisals, disciplinary matters and other relevant information relating to job applicants, subcontract staff, employees, former employees and their family members of the Group for performing human resources management functions.

  2. Main Purposes of Keeping Personal Data

    1. In relation to Customers:
      The purposes for which data relating to a customer may be used are as follows: -
      1. considering and assessing the Customer's application for the products and services of the Group or any Bank Group Company;
      2. the processing of applications for services and credit facilities;
      3. the daily operation of the services and credit facilities provided to Customers, including for credit assessment, statistical or behaviour analysis, or creating and maintaining the credit scoring models of the Group or any Bank Group Company;
      4. provision of reference;
      5. conducting credit and status checks (including without limitations upon applications for consumer credit and periodic or special reviews of such credit);
      6. assisting other card issuers or credit providers in Hong Kong approved for participation in the Multiple Credit Reference Agencies Model to conduct credit checks and collect debts;
      7. maintaining application and credit history of Customers for internal reference, and ensuring ongoing credit worthiness of Customers;
      8. researching, designing financial services or related products for Customers' use;
      9. marketing services, products and other subjects (in respect of which the Group may or may not be remunerated);
      10. determining the amount of indebtedness owed to or by Customers;
      11. collection of amounts outstanding from Customers and those providing security for Customers' obligations;
      12. complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Bank or any of its branches and offices or any Bank Group Company or that it is expected to comply according to:
        1. any law binding or applying to it within or outside the Hong Kong Special Administrative Region ("Hong Kong") existing currently and in the future (e.g. the Inland Revenue Ordinance and its provisions including those concerning automatic exchange of financial account information);
        2. any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently and in the future (e.g. guidelines or guidance given or issued by the Inland Revenue Department including those concerning automatic exchange of financial account information); and
        3. any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Bank or any of its branches and offices or any Bank Group Company by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;
      13. complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the Group or any Bank Group Company and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
      14. enabling an actual or proposed assignee of the Group or any Bank Group Company, or participant or sub-participant of the rights of the Group or any Bank Group Company in respect of the Customer to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;
      15. the performance of procedures for comparing (whether by manual or automated means) the Customer's data with other information supplied by the Customers (for whatever purposes), including without limitation, procedures undertaken for the purpose of taking adverse action against Customers;
      16. giving effect to the Customer's orders relating to transactions or otherwise, and carrying out instructions of the Customer;
      17. providing services in connection with the accounts, whether the services are provided by or through, the Group, any Bank Group Company or any other person;
      18. exchanging information with merchants accepting credit cards issued by the Group and organizations with whom the Group provides affinity/co-branded/private label credit card services; and
      19. all other incidental and associated purposes relating to any of the above.
    2. In relation to Employees:
      The purposes for which data relating to job applicants, subcontract staff and employees may be used are as follows:
      1. assessing the job applicant's/subcontract staff's /employee's suitability to assume the job duties of the position concerned, or any other positions;
      2. determining and reviewing salaries, bonuses and other remuneration and benefits;
      3. consideration for appraisals, promotion, training, secondment, assignments or transfer;
      4. consideration of eligibility for and administration of staff loans and other benefits and entitlements;
      5. providing employee references and for background screening /vetting;
      6. conducting assessments and investigations pursuant to any laws, regulations or orders binding on the Group or internal guidelines of the Group and registering with regulatory authorities or institutions for purposes associated with the job requirements or duties;
      7. monitoring compliance with any laws, regulations or orders binding on the Group or internal guidelines of the Group;
      8. meeting obligations, requirements or arrangements of any member of the Bank Group Company to comply with:
        1. any laws, regulations or orders within or outside Hong Kong existing currently or in the future;
        2. (any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently or in the future;
        3. any present or future contractual or other commitment with local or foreign legal, regulatory, judicial, administrative, public or law enforcement body, or governmental, tax, revenue, monetary, securities or futures exchange, court, central bank or other authorities, or self-regulatory or industry bodies or associations of financial service providers or any of their agents with jurisdiction over all or any part of the Bank Group Company; and
      9. all other incidental and associated purposes relating to any of the above .

  3. Collection of Personal Data

    1. In relation to the collection of personal data, the Group will provide the individuals with a copy of the Circular to Customers and Other Individuals relating to the Collection and Handling of Personal Data ("Circular") and/or the Personal Information Collection Statement (Notice to Job Applicants/Subcontract Staff / Employees relating to the Personal Data (Privacy) Ordinance) (the "PICS") (as and where applicable), informing them the purpose of collection, classes of persons to whom the data may be transferred, their rights to access and correct the data and other relevant information.
    2. In relation to the collection of personal data when you visit the Group's website, please refer to the Internet Privacy Policy Statement of the Group for details.

  4. Retention of Personal Data

    1. The personal data will not be kept longer than necessary for the fulfillment of the purposes for which the personal data are or are to be used at the time of the collection and for compliance with the legal, regulatory and accounting requirements from time to time.

  5. Disclosure and Transfer of Personal Data

    1. The personal data will not be disclosed to other parties unless such disclosure is made in accordance with the Circular and/or the PICS and/or is permitted or required by any law binding on the Group.
    2. The Group may, in accordance with the Customers' instructions to the Group or third party service providers engaged by the Customer, transfer Customers' data to third party service providers using the Group's application programming interfaces for the purposes notified to the Customer by the Group or third party service providers and/or as consented to by the Customer in accordance with the Ordinance.

  6. Security of Personal Data

    1. The Group commits to protecting the personal data by restricting access by authorized personnel, providing secure data storage facilities and incorporating security measures into equipment in which data is held. Encryption technology is employed for sensitive data transmission.
    2. If the Group engages data processors to handle or process personal data on the Group's behalf (whether within or outside Hong Kong), the Group will adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processors for processing.

  7. Revision of Privacy Policy Statement

    1. This Statement is subject to review and amendment from time to time. Please approach the Group and/or visit the Group's website regularly for the Group's latest Statement.

  8. Data Access Requests and Data Correction Requests

    1. The Group will comply with and process all data access and correction requests in accordance with the provisions of the Ordinance.
    2. The Group may impose a reasonable fee for complying with a data access request in accordance with the Ordinance.
    3. Data access requests and data correction requests to the Group may be addressed to the Data Protection Officer.

  9. Contact Details of the Data Protection Officer

    1. Request for access to personal data or correction of personal data or for information regarding policies and practices on personal data and kinds of data held should be addressed to:
      The Data Protection Officer
      Shanghai Commercial Bank Limited
      GPO Box 139 Hong Kong
      Fax: (852) 2525 2336

  10. Miscellaneous

    1. If there is any inconsistency between the English version and the Chinese version of this Statement, the English version shall prevail.

June 2024

 
Shanghai Commercial Bank Limited Internet Privacy Policy Statement

Welcome to the Web Site of Shanghai Commercial Bank Limited ("the Bank"). This section explains our policy regarding any personal information you might supply to us when you visit this site. The Bank adopts a high standard to respect the privacy of its customers and keep the information relating to a customer secure and confidential. The Bank also educates and conducts regular training programs to all staff to keep them aware of the importance of customers' privacy and requires them to comply with strict standards of security and confidentiality. Information is collected on the use of web site from the Bank's customers and the Bank's web site visitors. If you do provide personal information, such as address, e-mail, telephone and fax numbers, as well as demographic and customer identification, please read our Circular to Customers and Other Individuals relating to the Collection and Handling of Personal Data ("the Circular") below in advance. We will maintain the personal information as well as your business activities and transactions, according to our usual strict security and confidentiality standard.

 

Data Collection and Usage

The Bank collects personal data from the Bank's web site visitors on a voluntary basis. Personal information may include name, title, e-mail address etc. Personal information held by the Bank is kept confidential and the Bank does not use customers' personal information for any purposes other than those already specified to customers herein or in the Circular or unless such usage is permitted or required by law.

 

When an individual visits this web site, the Bank records the visit as a "hit", and gathers and analyses this information to compile general statistics about usage of the Bank's web site. The Bank may also collect other information from the visitors, on voluntary basis, in browsing the Bank's website so as to personalise the settings or provide more useful information, promotions and contents to the visitors on the webpages. Information related to session management, user preferences and service entitlements may be stored in Cookies. Cookies are small pieces of information stored on a web browser that can be retrieved by this web site. For those customers using the real time quote services in Internet / Mobile Stock Trading, the Bank will assign an identifier which will be stored in the Cookies after login. Customers may disable Cookies from their web browser, and if this is the case, they may be unable to access the Internet / Mobile Stock Trading services, some functions of the Bank's Internet Banking services and other before login financial services.

 

The Bank may also work with third parties which use applications such as Google Analytics to research on the number of visitors, usage patterns and behaviour for statistical analysis and reporting, and for the improvement of our marketing activities.  Information recorded through the use of these applications is aggregated and then shared with the Bank. No personal identifiable information is collected from this research.

 

Data Disclosure Restrictions

The Bank follows strict privacy procedures in regard to protection of personal data. No disclosure of personal identifiable information to third parties is allowed except with the consent of the relevant customer or the disclosure has already been authorized in the Circular or otherwise is permitted or required by law.

 

Data Retention

The Bank retains all records of online transactions for validation and auditing purposes. Information will not be kept longer than is necessary for the fulfilment of the purpose for which the same are to be used. Those information that is no longer required will be erased and destroyed.

 

Data Security

All personal data provided to the Bank is secured with restricted access by authorized personnel who are properly trained in the handling of customer information and the protection of the privacy of personal data of customers. The authorized personnel report to the Bank's Data Protection Officer who exercises routine supervision to ensure compliance with high security and confidentiality standard. Encryption technology is employed for sensitive data to protect customers' privacy during data transmission.

 

Enquiries

For further details of the policy and practice and the kind of data held by the Bank, please contact our Data Protection Officer as follows:-

The Data Protection Officer
Shanghai Commercial Bank Limited
G.P.O Box 139 Hong Kong
Fax:(852)2525 2336
 

 
Shanghai Commercial Bank Limited and its subsidiaries
Circular to Customers and Other Individuals relating to the Collection and Handling of Personal Data
(formerly known as "Circular to Customers and Other Individuals relating to the Personal Data (Privacy) Ordinance")

This Circular is brought to the attention of various individuals including without limitations bank customers, individuals to whom services or products may be provided by the Group (as hereinafter defined), applicants for banking services and facilities, sureties and persons providing security or guarantee for credit facilities, as well as shareholders, directors, officers and managers of corporate customers or applicants and other contractual counterparties ("Customers") so that Customers may have a better understanding of the rights under the Personal Data (Privacy) Ordinance of the Hong Kong Special Administrative Region (the "Ordinance") and the reasons and necessities of providing personal data to Shanghai Commercial Bank Limited (the "Bank") and/or its subsidiaries (collectively the "Group"). In this Circular, "Bank Group Company" means any subsidiary of the Bank, any direct or indirect holding company of the Bank, or any subsidiary, affiliate or associated entity of any such holding company.

  1. (A) From time to time, it is necessary for Customers to supply the Group with data (including without limitation, those supplied via interfaces powered by artificial intelligence) in connection with the opening or continuation of accounts and the establishment or continuation of banking facilities or provision of banking or other financial services or tenancy and property management services.
  2. Failure to supply such data may result in the Group being unable to open or continue accounts or establish or continue banking facilities or provide banking or other financial services or tenancy and property management services.
  3. It is also the case that data are collected from Customers in the ordinary course of the continuation of the business relationship, for example, when Customers write cheques, deposit money, repay indebtedness, use electronic banking services, conduct transactions in relation to securities, insurance or cards, generally communicate verbally or in writing with the Group, or otherwise carry out transactions as part of the Group's services. The types of data which may be collected include without limitation Customer's identification data, contact data, financial data, behavioural data, biological data, geo-location data and data from public sources. The Group will also collect data relating to the Customer from third parties, including third party service providers with whom the customer interacts in connection with the marketing of the Group's products and services and in connection with the Customer's application for the Group's products and services (including receiving personal data from credit reference agencies approved for participation in the Multiple Credit Reference Agencies Model (hereinafter referred to as "credit reference agencies")).
  4. Where applicable, the purposes for which data relating to a Customer may be used, processed, stored (whether on the cloud or not), transferred, disclosed and/or exchanged by the Group or any Bank Group Company (whether in the Hong Kong Special Administrative Region or elsewhere) are as follows: -
    1. considering and assessing the Customer's application for the products and services of the Group or any Bank Group Company;
    2. the processing of applications for services and credit facilities;
    3. the daily operation of the services and credit facilities provided to Customers, including for credit assessment, statistical or behaviour analysis, or creating and maintaining the credit scoring models of the Group or any Bank Group Company;
    4. provision of reference;
    5. conducting credit and status checks (including without limitations upon applications for consumer credit and periodic or special reviews of such credit which will normally take place one or more times each year);
    6. assisting other card issuers or credit providers in Hong Kong approved for participation in the Multiple Credit Reference Agencies Model (hereinafter referred to as "credit providers" ) to conduct credit checks and collect debts;
    7. maintaining application and credit history of Customers for internal reference, and ensuring ongoing credit worthiness of Customers;
    8. researching, designing financial services or related products for Customers' use;
    9. marketing services, products and other subjects (in respect of which the Group may or may not be remunerated) (please see further details in Paragraph (I) below);
    10. determining the amount of indebtedness owed to or by Customers;
    11. collection of amounts outstanding from Customers and those providing security for Customers' obligations;
    12. complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Bank or any of its branches and offices or any Bank Group Company or that it is expected to comply according to:
      1. any law binding or applying to it within or outside the Hong Kong Special Administrative Region existing currently and in the future(e.g. the Inland Revenue Ordinance and its provisions including those concerning automatic exchange of financial account information);
      2. any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside the Hong Kong Special Administrative Region existing currently and in the future (e.g. guidelines or guidance given or issued by the Inland Revenue Department including those concerning automatic exchange of financial account information); and
      3. any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Bank or any of its branches and offices or any Bank Group Company by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;
    13. complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the Group or any Bank Group Company and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing, fraud and/or other unlawful activities;
    14. enabling an actual or proposed assignee of the Group or any Bank Group Company, or participant or sub-participant of the rights of the Group or any Bank Group Company in respect of the Customer to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;
    15. the performance of procedures for comparing (whether by manual or automated means) the Customers' data with other information supplied by the Customers (for whatever purposes), including without limitation, procedures undertaken for the purpose of taking adverse action against Customers;
    16. giving effect to the Customer's orders relating to transactions or otherwise, and carrying out instructions of the Customer;
    17. providing services in connection with the accounts, whether the services are provided by or through, the Group, any Bank Group Company or any other person;
    18. exchanging information with merchants accepting credit cards issued by the Group and organizations with whom the Group provides affinity/co-branded/private label credit card services; and
    19. all other incidental and associated purposes relating to any of the above.
  5. Data held by the Group relating to a Customer will be kept confidential but, subject to the Customer's separate consent (insofar as the Personal Information Protection Law of the People's Republic of China ("PIPL") is applicable to the Group's process and/or use of the Customer's data) the Group may provide such information to the following parties, where applicable, for the purposes set out in Paragraph (D): -
    1. any agent, contractor, claim adjuster or third party service provider who provides administrative, data processing, financial information, telecommunications, computer, debt collection, technology outsourcing, payment or securities clearing, insurance or other services to the Group or any Bank Group Company in connection with the operation of its business;
    2. any other person under a duty of confidentiality to the Group including any Bank Group Company, a business partner or other merchant or affinity entity which has undertaken expressly or impliedly to keep such information confidential;
    3. the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;
    4. third party service providers with whom the Customer has chosen to interact with in connection with the Customer's application for the products and services of the Group or any Bank Group Company;
    5. other banks and financial services providers to whom the Customer has chosen to provide his information held by the Group or any Bank Group Company in connection with the provision of services to the Customer by those other banks and financial service providers;
    6. credit reference agencies (including the operator of any centralized database used by credit reference agencies), and, in the event of default, to debt collection agencies;
    7. any person to whom the Bank or any of its branches and offices or any Bank Group Company is under an obligation or otherwise required to make disclosure for public interest or under the requirements of any law, regulation or court order binding on or applying to the Bank or any of its branches and offices or any Bank Group Company or any disclosure under and for the purposes of any codes, guidelines, circulars or directions issued by any legal, regulatory, government, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers with which the Bank or any of its branches and offices or any Bank Group Company are expected to comply, or any disclosure pursuant to any contractual or other commitment of the Bank or any of its branches and offices or any Bank Group Company with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers, all of which may be within or outside the Hong Kong Special Administrative Region and may be existing currently and in the future;
    8. any actual or proposed assignee of the Group or any Bank Group Company or participant or sub-participant or transferee of the rights of the Group or any Bank Group Company in respect of the Customer;
      1. any Bank Group Company;
      2. third party financial institutions, insurers, credit card companies, securities and investment services providers;
      3. third party reward, loyalty, co-branding or privileges programme providers;
      4. co-branding partners of the Group (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);
      5. charitable or non-profit making organizations; and
      6. external service providers (including but not limited to mailing houses, telecommunication companies, telemarketing and direct sales agents, call centres, data processing companies and information technology companies) that the Group engages for the purposes set out in Paragraph (D)(ix);
    10. any nominees in whose names securities or other assets may be registered or custodians who may hold securities or other assets;
    11. any person with whom the Group enters into or proposes to enter into a transaction on behalf or on account of the Customer, or persons representing the same;
    12. any assignee, transferee, participant, sub-participant, delegate, successor or person to whom the securities account agreement is novated;
    13. any person with the express or implied consent of the Customers; and
    14. any third party in connection with Paragraph (D)(x).
    Such information may be transferred to a place outside the Hong Kong Special Administration Region. Insofar as the PIPL is applicable to the Group's process and/or use of the Customer's data, we will obtain the Customer's separate consent in relation to such international transfers.
  6. To the extent required under the PIPL, the Group will, prior to sharing the Customer's personal data with third parties, notify the Customer of the name and contact details of the recipients, the purposes and means of processing and provision of the Customer's personal data, and the types of personal data to be provided and shared, and obtain the Customer's separate consent to the sharing of the Customer's personal data. The foregoing data recipients will use the personal data to the extent necessary for the specific purposes set out in this Circular and store the personal data for the minimum length of time required to fulfil the purposes, or insofar as the PIPL is applicable to the Group's process and/or use of the Customer's data, in accordance with the PIPL.
  7. Customers' data may be processed, stored and transferred or disclosed in and to another jurisdiction outside the Hong Kong Special Administrative Region as the Group or data recipient referred to in Paragraph (E) considers appropriate and necessary. Such data may also be processed, stored, released or disclosed in accordance with the local practices and laws, rules and regulations (including any governmental acts and orders), codes, guidelines, circulars and directions issued by regulatory or other authorities in such jurisdiction.
  8. Some of the data collected by the Group may constitute sensitive personal data under the PIPL. The Group will only process sensitive personal data if strict protection measures are put in place and there is sufficient necessity to justify the processing. Insofar as the PIPL is applicable to the Group's process and/or use of the Customer's data, such sensitive personal data will be processed with the Customer's separate consent.
  9. The Group intends to use a Customer's data in direct marketing and the Group requires the Customer's consent (which includes an indication of no objection) for that purpose. In this connection, please note that:
    1. the name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data of a Customer held by the Group from time to time may be used by the Group in direct marketing;
    2. the following classes of services, products and subjects may be marketed:
      1. financial, insurance, credit card, banking and related services and products;
      2. reward, loyalty or privileges programmes and related services and products;
      3. services and products offered by the Group's co-branding partners (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and
      4. donations and contributions for charitable and/or non-profit making purposes;
    3. the above services, products and subjects may be provided or (in the case of donations and contributions) solicited by the Group and/or:
      1. any Bank Group Company;
      2. third party financial institutions, insurers, credit card companies, securities and investment services providers;
      3. third party reward, loyalty, co-branding or privileges programme providers;
      4. co-branding partners of the Group (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);and<
      5. charitable or non-profit making organizations;
    4. in addition to marketing the above services, products and subjects itself, the Group also intends to provide the data described in Paragraph (I)(i) above to all or any of the persons described in Paragraph (I)(iii) above for use by them in marketing those services, products and subjects, and the Group requires the Customer's written consent (which includes an indication of no objection) for that purpose;
    5. The Group may receive money or other property in return for providing the data to the other persons in Paragraph (I)(iv) above and, when requesting the Customer's consent or no objection in Paragraph (I)(iv) above, the Group will inform the Customer if it will receive any money or other property in return for providing the data to the other persons.
    If a Customer does not wish the Group to use or provide to other persons his data for use in direct marketing as described above, the Customer may exercise his opt-out right by notifying the Group.
  10. The Group or its third party service providers may use big data analytics and artificial intelligence (BDAI) to process, analyse or predict data / result relating to the data subjects to achieve the purposes listed in paragraph D above. The Group may also use BDAI to facilitate automated decision-making for enhancing customer services and experiences, strengthening risk management and compliance, offering personalized products and services, as well as improving operational efficiency
  11. The Group may, in accordance with the Customers' instructions to the Group, other banks providing services to the Customer or third party service providers (including other financial service providers) engaged by the Customer, transfer Customers' data to such other banks and third party service providers using the Group;s application programming interfaces for the purposes notified to the Customer by the Group, the Customer's other banks or third party service providers and/or as consented to by the Customer in accordance with the Ordinance
  12. Under and in accordance with the terms of the Ordinance and (insofar as the PIPL is applicable to the Group's process and/or use of the Customer's data) the PIPL, and the Code of Practice on Consumer Credit Data approved and issued with revisions from time to time under the Ordinance: -
    1. any relevant individual has the right:-
      1. to check whether the Group holds data about him and of access to and (insofar as the PIPL is applicable to the Group's process and/or use of the Customer's data) to copy such data;
      2. to require the Group to correct any data relating to him which is inaccurate;
      3. to ascertain the Group's policies and practices in relation to data and to be informed of the kind of personal data held by the Group;
      4. to be informed, upon request, about which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the making of access and correction requests to the relevant credit reference agency(ies) or debt collection agency(ies);
      5. in relation to any account data (including, for the avoidance of doubt, any account repayment data) which has been provided by the Group to a credit reference agency, to instruct the Group upon termination of the account by full repayment to make a request to the credit reference agency to delete such account data from its database, as long as the instruction is given within 5 years of termination and at no time was there any default of payment in relation to the account, lasting in excess of 60 days within 5 years immediately before account termination (as determined by the Group). Account repayment data include amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by the Group to the credit reference agency), remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any));
      6. insofar as the PIPL is applicable to the Group's process and/or use of the Customer's data, to request the Group to delete the Customer's personal data;
      7. insofar as the PIPL is applicable to the Group's process and/or use of the Customer's data, to object to certain uses of the Customer's personal data;
      8. insofar as the PIPL is applicable to the Group's process and/or use of the Customer's data, request an explanation of the rules governing the processing of the Customer's personal data;
      9. insofar as the PIPL is applicable to the Group's process and/or use of the Customer's data, to ask that the Group transfer personal data that you have provided to the Group to a third party of your choice under circumstances as provided under the PIPL;
      10. insofar as the PIPL is applicable to the Group's process and/or use of the Customer's data, to withdraw any consent for the collection, processing or transfer of the Customer's personal data (the Customer should note that withdrawal of their consent may result in the Group being unable to open or continue accounts or establish or continue banking facilities or provide banking services), such personal data will not be kept longer than necessary for the fulfillment of the purposes of the personal data at the time when they are collected and for compliance with the legal, regulatory and accounting requirements from time to time; and
      11. insofar as the PIPL is applicable to the Group’s process and/or use of the Customer’s data, to have decisions arising from automated decision making (ADM) processes explained and to refuse to such decisions being made solely by ADM.
    2. where applicable, the Group may from time to time access the consumer credit data of an individual held by any credit reference agencies in the course of the consideration of any grant of consumer credit or the review or renewal of existing consumer credit facilities granted to the individual as borrower or to another person for whom the individual proposes to act or acts as mortgagor or guarantor or for the purpose of the reasonable monitoring of the indebtedness of the individual while there is currently a default by the individual as borrower, mortgagor or guarantor. In particular, the Group may from time to time access the consumer credit data for the purpose of the review of the existing consumer credit facilities granted to assist the Group in considering any of the following matters: -
      1. an increase in the credit amount;
      2. the curtailing of credit (including the cancellation of credit or a decrease in the credit amount); and
      3. the putting in place or the implementation of a scheme of arrangement with the individual Customer.
    3. in relation to consumer credit, in the event of any default in repayment, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days (as measured by the Group) from the date such default occurred, the individual Customer will be liable to have his/her account repayment data (as defined in Paragraph (L)(i)(5) above) retained by any credit reference agencies to which the Group has provided his/her data until the expiry of 5 years from the date of final settlement of the amount in default.
    4. in the event any amount in an account is written-off due to a bankruptcy order being made against a Customer, the account repayment data (as defined in Paragraph (L)(i)(5) above) may be retained by credit reference agencies, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until the expiry of 5 years from the date of final settlement of the amount in default or the expiry of 5 years from the date of discharge from a bankruptcy as notified by the Customer with evidence to the credit reference agency(ies), whichever is earlier.
    5. (v) insofar as the PIPL is applicable to the Group's process and/or use of the Customer's data, close relatives handling the personal data of a deceased customer may request actions such as accessing, copying, correcting and/ or deleting the deceased's personal data.
  13. In relation to the mortgage applications received by the Group on or after 1 April 2011, of all the data which may be collected or held by the Group from time to time in connection with mortgages, the following data relating to the Customers (including any updated data of any of the following data) will be provided by the Group to credit reference agencies: -
    1. full name;
    2. capacity in respect of each mortgage (as borrower, mortgagor or guarantor, and whether in the customer's sole name or in joint names with others);
    3. Hong Kong Identity Card Number or travel document number;
    4. date of birth;
    5. correspondence address;
    6. mortgage account number in respect of each mortgage;
    7. type of the facility in respect of each mortgage;
    8. mortgage account status in respect of each mortgage (e.g. active, closed, write-off (other than due to a bankruptcy order), write-off due to a bankruptcy order); and
    9. if any, mortgage account closed date in respect of each mortgage.
    Credit reference agencies will use the above data supplied by the Group for the purposes of compiling a count of the number of mortgages from time to time held by the Customers with credit providers, as borrower, mortgagor or guarantor respectively and whether in the Customer's sole name or in joint names with others, for sharing in the consumer credit databases of credit reference agencies by credit providers (subject to the requirements of the Code of Practice on Consumer Credit Data approved and issued under the Ordinance). For any account relating to a mortgage loan which already existed prior to 1 April 2011 and continues to exist after that date, the Group will not provide the above data to the credit reference agency unless (1) the prescribed consent of the Customer has been obtained for the disclosure; or (2) the repayment of such account reveal a currently outstanding material default.
  14. The Group may have obtained credit report(s) on the Customer from credit reference agency(ies) in considering any application for credit. In the event the Customer wishes to access the credit report(s), the Group will advise the contact details of the relevant credit reference agency(ies).
  15. In accordance with the terms of the Ordinance and (insofar as the PIPL is applicable to the Group's process and/or use of the Customer's data) as permitted under the PIPL, the Group has the right to charge a reasonable fee for the processing of any data access request.
  16. The person to whom requests for access to data or correction of data or for information regarding policies and practices and kinds of data held are to be addressed as follows:-
    The Data Protection Officer
    Shanghai Commercial Bank Limited
    GPO Box 139 Hong Kong
    Fax: (852) 2525 2336
  17. Customers may, at any time and without charges, choose not to receive our promotional material. Please contact the Group's staff for details when necessary.
  18. Customers acknowledge that telephone calls with the Group's staff may be recorded and used as evidence by the Group without further notice.
  19. Nothing in this Circular shall limit the rights of Customers under the Ordinance and the PIPL.
  20. In the event of any inconsistency between the English and Chinese versions of this Circular, the English version shall prevail.
  21. This Circular as may be revised, amended or updated from time to time shall be deemed an integral part of all contracts, agreements, credit facility letters, account mandates and other binding arrangements which the Customer has entered into or intend to enter into with the Group.

© Shanghai Commercial Bank Limited Effective Date: 1 February 2026


The Code of Practice on Person-to-Person Marketing Calls aims to promote good practice to the banking industry in conducting telemarketing activities.
 
Previous pageBack to top