Privacy Statement-OCBC China

Effective date:2023-12-01

The following Privacy Policy sets out the Bank's rules on the processing and protection of customers' personal information.

OCBC Bank Limited (hereinafter referred to as "our Bank" or "the Bank") recognizes the importance of personal information to its customers and is committed to protecting the security of customers' personal information.

This Privacy Policy is a general personal information policy that is uniformly applied by the Bank and applies to the Bank's business, products and services as well as operations or management. When it comes to specific business, products, or services, the Bank's rules for processing and protecting personal information may also be clearly stated to customers through corresponding business, product, service agreements or authorization letters, etc. to ensure that customers' authorization or consent is obtained. If customers provide the Bank with personal information related to third parties (e.g., customers’ spouses, children, parents, or affiliated individuals such as shareholders, directors, legal representatives, etc.), they’re also requested to convey the above contents and this Privacy Policy to the relevant third parties to ensure their authorization or consent is obtained. The Privacy Policy and the above documents constitute the complete terms and conditions of the personal information of the Bank's customers to handle related business, products or services. Customers are requested to read this Privacy Policy carefully to ensure that they are fully aware of and understand the meaning of its contents, especially those in bold font and the corresponding legal consequences.

Customer personal information is the basis for the Bank to expand business and provide high-quality services. At the same time, ensuring the security of customers' personal information has always been the Bank's service tenet and important task. In accordance with relevant laws and regulations on personal information protection, we hereby inform you of the Bank's processing rules for customers' personal information as follows:

I. Principles of processing personal information

The Bank recognizes the importance of personal information to its customers, and is committed to maintaining customers' trust in the Bank by adhering to the following principles for the protection of personal information: legality, legitimacy and necessity, integrity, clear and reasonable purpose, ensuring safety, openness and transparency, and quality assurance, etc. When handling (including but not limited to collecting, storing, using, processing, transmitting, providing, disclosing, and deleting) customers’ personal information, the Bank will strictly abide by relevant laws and regulations, and take effective measures to strengthen the protection of customers’ personal information, to ensure information security and prevent information leakage and misuse.

II. Types of personal information to be processed

1. Personal information refers to various digital or written information (excluding anonymized information) in relation to an identified or identifiable natural person. Personal information processed by the Bank through business or other legitimate channels includes but not limits to the following:

Personal identification information, including an individual's name, gender, employer, occupation, position, contact details, date of birth, nationality, and type, number and expiry date of identity documents, date and place of issuance of documents, marital status, family status, address of habitual residence or workplace and photos, etc;
Personal property information, including income, real estate, vehicles, amount of tax, amount paid for the provident fund, details of investments or other assets, etc.
Personal biometric information, such as portrait, fingerprint, voice, etc.;
Personal account information, including account numbers, account opening time, account opening institutions, account balance, and transactions details;
Personal credit information, including credit card repayment, loan repayment and other credit transaction information, litigation, investigation, credit investigation, penalty information, and other information that can reflect a person's credit status;
Personal financial transaction information, including personal information acquired, saved, and retained by the Bank in the course of any payment and settlement, investment and wealth management, or other banking business, and personal information generated via the Bank's business relationships between customers and third-party organizations, such as insurance brokers, insurance companies, securities firms, fund companies, trust companies, wealth management subsidiaries of commercial banks, payment institutions, etc.;
Derivative information, including personal consumption habits, personal trading or risk appetite, risk tolerance, willingness to invest, objectives, knowledge, and experience, etc., by analyzing the original information of which we can gain insights of individual habits and preference.
Relevant personal information obtained in the course of establishing business relationships with corporate clients, such as the names, residences, contact information, employment relationships, shareholding, and investment relationships of the corporate clients’ legal representatives, directors, and natural person shareholders;
Other information obtained in the course of establishing and maintaining a business relationship for the purpose of fulfilling contractual, legal and regulatory compliance obligations, such as the time and place (including geographic location and Internet Protocol address) at which a customer conducts a transaction or uses a service, records of correspondence and other communications with the Bank (including audio-visual recordings, call logs, records and content of communications), and personal information involved with relevant customer investigations (e.g. personal information required to be collected in the context of customer due diligence, sanctions, and anti-money-laundering investigations), and so on.

2. The bank may collect and process sensitive personal information of customers. If the Bank does so, it needs to obtain the separate consent of customers when required by applicable laws and regulations. The processing of sensitive personal information may expose customers’ rights and safety to risks, the likelihood and severity of which depend on the type and the purpose of sensitive personal information. This may result in tangible, material or immaterial harm, in particular discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of professionally confidential personal information, etc. However, the Bank will only process customers’ sensitive personal information for legitimate and relevant purposes, functions or uses stated in Section 4 of this Policy and will take all legally required measures to ensure the security of customers’ sensitive personal information. Please note that the Bank may not be able to enter into legal agreements, provide services, or initiate/maintain a business relationship with a customer if the he or she does not provide sensitive personal information to the Bank. (Sensitive personal information refers to that, once leaked or illegally used, it is likely to infringe on the personal dignity of natural persons or endanger personal and property safety, including biometrics, religious beliefs, specific identities, medical & health, financial accounts, whereabouts, and personal information of minors under the age of fourteen.)

III. Methods of processing personal information

The Bank collects customers' personal information in the following ways:

· Personal information requested from customers for the purpose of conducting business or maintaining normal business contacts with customers, including but not limited to personal information provided by customers for the Bank's payment and settlement, wealth management and other intermediary businesses, and personal information provided by customers for the Bank's business with third-party organizations, such as insurance brokers, insurance companies, securities firms, fund companies, trust companies, wealth management subsidiaries of commercial banks, and payment institutions, etc.;

· Personal information collected when customers use the Bank's digital apps (such as personal computers and mobile phones);

· Collect personal information provided by a reference person where necessary;

· Personal information collected through any credit rating service agencies, and third-party data consulting and service agencies;

· Personal information obtained from credit agencies in the course of the credit approval process; in the event that a customer is in arrears, such information may be provided for collection agents acting on behalf of the Bank;

· Obtain personal information from publicly available sources, including any registers that are open to public inspection;

· Collect personal information (including account information and financial transaction information, etc.) generated by customers when they conduct business in the Bank;

· If a customer provides the Bank with personal information relating to third parties, such as customers’ spouses, children, parents, or associated individuals such as shareholders, directors, legal representatives, etc., the customer declares and warrants that it has obtained the separate consent of such third parties, that the source of information is lawful, and that it agrees to customers’ provision of such personal information to the Bank. The customer must ensure that it has made the third parties and customers’ associated individuals aware of the name and contact details of the Bank, the scope and purpose of the personal information collected and processed, and that such personal information will be processed in accordance with this Policy;

· Other methods authorized by the customer or permitted by laws and regulations.

IV. Purposes, functions or usage of personal information processing

Personal information may be used by the Bank for the following purposes or functions:

Day-to-day operations and promotion of products, services, and credit facilities for customers;
Credit investigations conducted when customers apply for credit, and periodic or special examinations such as credit, compliance, audit, regulation, and tax examinations conducted once a year or more;
Develop, test, optimize, and maintain our credit scoring model, credit risk control model, anti-fraud, and anti-money laundering model;
Credit checks and debt collection through other third-party organizations;
Ensure that customers maintain reliable credit and ensure credit security;
Financial services or related products designed for customers;
Promote the services or products of the Bank and/or selected third party organizations;
Calculate the debts and liabilities between the Bank and customers;
Chase late payments owed by customers and those who guarantee their debts;
The Bank negotiates or enters into relevant transfer agreements with any confirmed or intended transferees.
Cross-marketing, product or service promotion, market research, and satisfaction surveys by different business units of the Bank. Customers may choose not to provide such information, which will only prevent customers from participating in or enjoying the corresponding convenience or functions, but will not affect the normal use of other services of the Bank;
Disclosures required by any applicable laws, rules, regulations, judgements, decisions, rulings, self-regulatory codes, sanctioning regimes or authorities as amended or replaced from time to time;
Access to or use of management, consulting, telecommunications, computer, payment, data storage/processing, law, accounting, auditing, tax, translation, outsourcing and/or other third-party services;
Meet the reasonable operational requirements of the Bank or the OCBC Group (including and not limited to credit and risk management, data statistics, analyses, processing, handling, archiving and back-up, design and development/improvement of systems, products and services, as well as planning, insurance and auditing);
Video surveillance and measures (e.g. access control) to protect the rights of the owner of the premises, to prevent intruders from entering, and to maintain the security of the premises. Please note that personal information collected during video surveillance and telephone/audio recordings may also be used for purposes other than maintaining public safety, such as to fulfil regulatory requirements of a supervisory authority);
Other purposes authorized by customers and permitted by laws and regulations.

V. Sharing, transfer, and public disclosure of personal information

1. Entrusting

The Bank may entrust a third party (e.g. an organization entrusted by the Bank to provide customer service, loan collection or litigation processing) to collect customers’ personal information, and the act of entrustment will not go beyond the scope of the authorization we have obtained from customers, or third parties receive from customers when providing services.

For those entrusted third parties, the Bank will conduct personal information protection impact assessments and sign contracts with the them, requiring them to deal with customers’ personal information in accordance with laws and regulations, the Bank's relevant personal information processing rules, and other confidentiality or security requirements, and will supervise them as well. Once it is discovered that a third party fails to proceed personal information as entrusted, or fails to effectively perform personal information security protection responsibilities, the Bank will immediately require the third party to stop relevant behavior and take effective remedial measures to control or eliminate the security risks to which the personal information is exposed. If necessary, the Bank will terminate the business relationship with the third party and require it to delete the personal information obtained from the Bank in a timely manner.

2. Sharing

The Bank will keep the customers' personal financial information confidential. However, the Bank may provide such information to the following parties when necessary, such as the processing of related business for customers and risk management. In such cases, the Bank will act in accordance with laws, regulations and supervisory requirements, and will take effective measures to protect personal information security:

The ultimate holding company of the Bank (Oversea-Chinese Banking Corporation Limited registered in Singapore), the Holding Companies, and any subsidiary of them, the Bank’s subsidiaries, branches, sub-branches, deputies, correspondents, agency banks or representative offices (hereinafter referred to as "OCBC Group");
The Bank’s auditors and professional advisers (including lawyers);
Any prospective assignee or transferee of the Bank;
Any person who provides a guarantee in respect of a credit granted by the Bank to a borrower;
Any person who is jointly and severally liable to the Bank with a borrower;
Any public security agency or government official conducting a criminal investigation;
Suppliers of printers and computer systems to the Bank, personnel who install and maintain such equipment and suppliers of other goods or services used by the Bank (including insurance companies);
Any person to whom disclosure is permitted or required in accordance with any mandatory provisions of laws, regulations, supervisory requirements etc.;
Credit agencies, rating agencies, other members or compliance committees of them; and/or
Authorities such as government agencies or departments;
Other third parties that provide support to the Bank in providing banking products or services, risk management, operations, etc., and undertake confidentiality responsibilities to the Bank.

When required to do so by applicable laws and regulations, the Bank will inform the customer of the matters relating to the provision of customers’ personal information by the Bank to the third party, including the name of the recipient of personal information, contact information, processing purpose, processing method and type of personal information (and, in the case of a cross-border data transfer, it also includes the method and procedure for the customer to exercise the relevant rights to the overseas personal information recipient, etc.), and obtain customers’ separate consent. The Bank will assess the legality, legitimacy and necessity of the information collected by such third party. The Bank will require the third party to take protective measures for customers’ information and strictly comply with relevant laws and regulations and regulatory requirements. The Bank will obtain customers’ consent or confirm that the third party has obtained customers’ consent in accordance with the requirements of laws and regulations, in the form of confirmation agreements, page prompts in specific scenarios, interactive processes, and protocols.

Whether personal information is processed domestically or overseas, in accordance with applicable personal information protection laws, customers' personal information will be protected by the confidentiality and security regulations that the Bank, members of the OCBC Group and their employees, and third parties must abide by.

3. Transfer

The Bank will not transfer the personal information provided by the customer to any company, organization or individual unless we have obtained customers’ separate consent, except for transfers required in connection with any business/asset transfer, reorganization, disposal, merger, demerger, acquisition of the Bank. In such cases, the Bank will notify the name or names and contact information of the recipients of the personal information as required by applicable laws and regulations, and will ask them to continue to fulfil the obligations of the processors of personal information under this Policy. If the recipients of personal information changes the original purpose or method of processing, it shall obtain the consent from the individuals again in accordance with laws and regulations.

4. Public disclosure

Unless otherwise agreed by the customer, the Bank will not publicly disclose relevant personal information. If public disclosure is necessary, the Bank will inform the customer of the purpose of public disclosure, the type of information to be disclosed and the sensitive information that may be involved, and obtain customers’ separate consent, unless otherwise stipulated by laws and regulations.

VI. Automated decision-making

The Bank may automate the processing of some of a customer's personal information to assess certain personal circumstances, which is necessary to help the Bank provide personalized services, improve service quality and meet legal and regulatory requirements. For example:

Fight money laundering, terrorist financing, fraud, and other financial crimes, and assess risks and violations that pose a threat to assets. At the same time, these measures also help to protect the safety of customers.
Use assessment tools to inform and advise customers specifically about the Bank’s products and services, including researches on market outlook and insights. These tools allow the Bank to tailor made communications and marketing approaches according to customer needs.

The Bank will ensure that automated decision-making is transparent and results are fair and equitable, and will not apply unreasonable differential treatment to individuals in terms of transaction prices and other trading conditions.

Customers have the right to refuse the application of these tools, but this may affect the Bank's ability to manage the business relationship with customers or to provide customers with tailored products and services. Please also note that in some cases customers cannot exercise this right, such as automated processing authorized by laws or regulations.

VII. Protection of personal information of minors

The Bank pays special attention to the protection of minors’ personal information. We do not intend to collect any personal information of them unless we have obtained the consent of their parents or guardians and provided relevant products or services for them (e.g. the minors may become the beneficiaries of some of the insurance products or trust products distributed by the Bank, or the successors in right of the customers of the Bank, etc.).

If a customers are minors under the age of fourteen, the customer's parents or guardians are advised to read this Policy carefully. If the customer's parents or guardians do not consent to the submission of the customer's personal information, please terminate the submission of the information immediately and notify the Bank of the situation as soon as possible so that the Bank can take effective measures.

VIII. Special cases of processing personal information

Generally, the Bank will process customers' personal information based on customers' consent. However, in the following cases, the Bank is not required to obtain customers’ consent to process their personal information:

Necessary for the start and execution of a contract signed with the customers;
Necessary for the fulfilment of legal duties or statutory obligations;
Necessary to respond to public health emergencies, or to protect the life, health, and property of customers or other individuals in emergency situations;
Conduct news reports and public opinion supervision and other acts for the sake of public interest, to process personal information within a reasonable scope;
The processing of personal information disclosed by the customer or other legally disclosed information within a reasonable scope in accordance with applicable laws and regulations;
Other circumstances stipulated by laws and administrative regulations.

IX. Retention period of personal information

The Bank will retain customer information for a minimum retention period necessary to satisfy the purposes and uses for which the information was collected, in accordance with laws, regulations, regulatory requirements, and filing, accounting, auditing, and reporting requirements, as well as the purposes and uses described in this Policy. However, special agreements between customers or related customers and the Bank, or record enquiries provided for customers, related customers, regulators, and other relevant authorities for the purpose of clearing up the creditor-liability relationship between customers or related customers and the Bank, which need to continue to be retained, will not apply to the rules above.

X. Responsibilities and obligations for personal information

1. Responsibilities and obligations of customers

For the security of customers’ personal information, customers and the Bank share the same important responsibility. Customers shall keep relevant personal information, such as customers’ bank account information, identification information (such as user names, password, and other dynamic passwords, authentication codes, etc.), including the documents, equipment, or other media associated with or likely to record such information, in a safe and secure environment, and shall only use such information and relevant documents, equipment or other media in a safe and secure environment. At no time shall customers disclose or allow any other person to use such information or related documents, equipment, or other media. Otherwise, once such personal information is disclosed, customers and related third parties may suffer losses, and may have adverse legal consequences for customers and related third parties. If customers believe that the personal information and/or related documents, equipment, or other media of the customer and relevant third parties have been leaked, lost or stolen, or other circumstances that may affect customers’ safe use of our products, equipment or services, the customers and the relevant third parties should notify the Bank immediately, so that appropriate measures can be taken to prevent the losses from expanding.

2. Responsibilities and obligations of the Bank

The Bank makes every effort to ensure the security of personal information provided by customers. The Bank provides personal information security education and training to relevant internal personnel. In the unfortunate event of a personal information security incident, the Bank will activate its emergency response plan and take appropriate disposal and remedial measures to prevent the incident from escalating and losses from expanding. At the same time, the Bank will also report personal information security incidents and their disposition to the regulatory authorities in accordance with laws and regulations as well as the requirements of regulatory authorities.

XI. Means and procedures for customers to exercise personal information rights

Customers have the right to request the Bank to safeguard the security of personal information in accordance with laws and regulations and this Policy, and to request the exercise of rights related to personal information granted to customers by applicable laws and regulations.
Customers have the right to enquire with the Bank whether the Bank holds customers’ personal information and to review and copy the personal information provided by the customer.
Customers have the right to change the scope of customers’ authorized consent or to withdraw the authorization and contact the Bank to do so. When customers change the scope of authorization, the Bank will no longer process the corresponding personal information. However, customers’ decision to withdraw consent will not affect the Bank's previous processing of personal information based on customers’ authorization.
Customers have the right and obligation to promptly update the personal information provided by customers in the Bank to ensure that the relevant information is accurate and up-to-date. Customers have the right to request the Bank to facilitate the updating of the customers' personal information and the right to request the Bank to correct any inaccurate information about the customers.
In the case of personal credit or guarantee, customers have the right to know their personal information disclosed by the Bank to credit agencies, so that the customer can request the relevant credit reference agency to review and correct the information.
Customers have the right to request the Bank to delete or otherwise properly handle personal information that has exceeded the retention period in accordance with laws and regulations, this policy, and the agreement between the customers or the relevant customers and the Bank. In the event of the Bank's separation and merger or other legally stipulated circumstances, the Bank will promptly cease its activities of collecting personal information, notify the customers of the relevant notification in the form of individual delivery or public announcement, and delete or anonymize personal information it holds, unless otherwise stipulated by laws, regulations or supervisory authorities.
Contact information of the person in charge of personal information protection in the Bank: [40089 40089].
Any request for access to, correction of, or deletion of, withdrawal of authorization, processing of personal information beyond the retention period, or for information on the Bank's practices relating to the protection of personal information, or for the exercise of rights relating to personal information granted to customers by applicable laws and regulations, may be addressed to the Bank at the contact details set out below:

Company Name: OCBC Bank Limited

Address: OCBC Centre, No. 1155, Yuanshen Road, Pudong New Area, Shanghai, China

Postcode: 200135

Contact: Customer Service Center

Email: CustomerVoice@ocbc.com

Contact Number: National Service Hotline 40089 40089 (Mainland China); +86 755 2583 3688 (Hong Kong, Macao, Taiwan and overseas)

For security purposes, customers may be required to provide written requests, or otherwise prove customers’ identities. The Bank may require the customers to verify their identities before processing their request. If customers have any questions, complaints, feedback, comments or suggestions, please contact the Bank. In addition to the above-mentioned contact methods, customers can also visit our branches to contact the Bank.

XII. Development, entry into force, updating and other aspects of the Policy

1. The Bank has formulated and published this Policy on its official website. This Policy shall come into effect on the date of its publication.

2. In accordance with the changes in national laws and regulations and the operational needs of the service, the Bank will amend this Policy or the relevant rules on processing personal information from time to time, and the amended contents will be announced through the Bank's official websites and other channels, and will take effect upon announcement and will supersede the previous relevant contents. Customers should pay attention to the relevant notices, announcements and changes in the agreements and rules from time to time. In particular, when the following major changes occur:

Significant changes in the Bank’s service model, such as the purpose of processing personal information, the type of personal information handled, and how personal information is used;
Significant changes in the Bank's ownership structure, organizational structure, etc., such as change of owners due to business restructuring, etc.;
Change in the main recipients to whom personal information is made available, transferred or publicly disclosed;
Significant changes have taken place in the rights of customers to participate in the processing of personal information and in the manner in which they are exercised;
Change in the contact details and complaint channels of the Bank responsible for processing personal information;
Other changes that may have a significant impact on the rights and interests of customers' personal information.

3. Customer acknowledge and confirm that if they and/or relevant third parties do not agree with the updated content, they should contact the Bank immediately to withdraw or choose not to provide the relevant personal information, otherwise the customers and the third parties will be deemed to have agreed to accept the updated content. If the customers choose not to provide the relevant information, they may not be able to use a certain product/service or a certain part of the product/service, but it will not affect their usage of other products/services provided by the Bank.

If the customer provides the personal information of another person to the Bank, the customer should ensure that the person understands this policy in detail, specifically inform the person how the Bank will collect and use his/her personal information, and obtain the relevant authorization and consent from the person. Customer may remind the person to read this Policy beforehand or provide the person with a copy of this Policy.

4. The validity, execution, interpretation and resolution of disputes of this policy shall be governed by the laws of the People's Republic of China.

5. If any dispute or controversy between customers and the Bank in relation to the content of this Privacy Policy or its implementation, it shall first be resolved through friendly negotiation; if the negotiation fails, either party may file a lawsuit with a court of competent jurisdiction in the place where the Bank is located.

The previous version of the Privacy Policy is set out here for information purposes only.