.
.
NOTICE RELATING TO THE PERSONAL DATA (PRIVACY) ORDINANCE (“ORDINANCE”)
1. From time to time, it is necessary for data subjects to supply the Club with data in connection with matters such as:- (i) the application for Memberships; (ii) the establishment or maintenance of Memberships; and/or (iii) the establishment or operation or provision of goods or services offered by or through the Club; (collectively Services), and/or (iv) the receipt of supplies and services to the Club. Failure to supply such data may result in the Club being unable to establish, maintain or provide Services to data subjects. It is also the case that data are collected, directly or indirectly, by the Club from data subjects transacting with or through the Club in the ordinary course of the Club’s business, including (without limitation) information received from third parties, the public domain, collected through use of the websites, cookies and electronic services of the Club, and/or when data subjects deposit money or effect transactions through cards.
2. Data relating to a data subject may be used for any one or more of the following purposes:- (i) processing applications from the data subject (including suitability of the data subject’s application(s)) for the Membership; (ii) operating, maintaining and providing Services to the data subject, including to enable the Club or any member of the Club to fulfil any contract for Services that a data subject has requested and/or to understand the overall picture of the relationship of a data subject with the Club by linking data in respect of all accounts such data subject is connected to; (iii) conducting credit checks on the data subject (whether in respect of an application for Services); (iv) maintaining credit history of the data subject for present and future reference; (v) ensuring ongoing credit worthiness of the data subject; (vi) designing Services for data subject’s use; (vii) marketing services, products and other subjects (please see further details below); (viii) determining the amount of indebtedness owed to or by data subjects; (ix) enforcement of data subjects’ obligations, to the Club or any other member of the Club; (x) meeting or complying with any obligations, requirements or arrangements for disclosing and using data that apply to the Club or any other member of the Club or that it is expected to comply according to:- (1) any law or regulation binding on or applying to it within or outside Hong Kong existing currently and in the future; (2) any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently and in the future; (3) any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Club or any member of the Club by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations; (xi) meeting or complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the Club and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities; (xii) enabling an actual or potential assignee of all or any part of the business and/or asset of the Club or participant or sub-participant of the Club’s rights in respect of the data subject, to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation; (xiii) in connection with any member of the Club defending or responding to any legal, governmental, or regulatory or quasi-governmental related matter, action or proceeding (including any prospective action or legal proceedings), including where it is in the legitimate interests of the Club or any member of the Club to seek professional advice, for obtaining legal advice or for establishing, exercising or defending legal rights; (xiv) in connection with any member of the Club making or investigating an insurance claim or responding to any insurance related matter, action or proceeding; (xv) organizing and delivering seminars for the data subjects; (xvi) managing, monitoring and assessing the performance of any agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment or securities clearing or other services to the Club in connection with the establishment, operation, maintenance or provision of Services; and/or (xvii) any other purposes relating to the purposes listed above.
3. Data the Club holds relating to a data subject is kept confidential but the Club may provide, transfer or disclose such data or information to any one or more of the following parties (whether within or outside Hong Kong): (i) any agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment or securities clearing or other services to the Club in connection with the establishment, operation, maintenance or provision of Services; (ii) any other person under a duty of confidentiality to the Club including any other member of the Club which has undertaken to keep such information confidential; (iii) any person or entity to whom the Club or any other member of the Club is under an obligation or otherwise required to make disclosure under the requirements of any law or regulation binding on or applying to the Club or any other member of the Club, or any disclosure under and for the purposes of any guidelines, guidance, directives, rules, codes, circulars or other similar documents issued or given by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers with which the Club or any other member of the Club is expected to comply, or any disclosure pursuant to any contractual or other commitment of the Club or any other member of the Club with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers, all of which may be within or outside Hong Kong and may be existing currently and in the future; (iv) any financial institution and merchant acquiring company with which a data subject has or proposes to have dealings; (v) any actual or proposed assignee of all or any part of the business and/or asset of the Club or participant or sub-participant or transferee of the Club’s rights in respect of the data subjects; (vi) any party giving or proposing to give a guarantee or third party security to guarantee or secure the data subject’s obligations; and/or (vii) (1) any member of the Club which may include a Head Office function acting as a data controller in respect of data subject’s data; (2) third party financial institutions, insurers, credit card companies, securities and investment services providers; (3) third party reward, loyalty, co-branding and privileges programme providers; (4) co-branding partners of the Club and/or any member of the Club (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); (5) charitable or non-profit making organizations; and (6) external service providers (including but not limited to mailing houses, telecommunication companies, telemarketing and direct sales agents, call centers, data processing companies and information technology companies) that the Club engages for the purposes set out above.
USE OF DATA IN DIRECT MARKETING
4. The Club intends to use a data subject’s data in direct marketing and the Club requires the data subject’s consent (which includes an indication of no objection) for that purpose. In this connection, please note that: (i) the name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data of a data subject held by the Club from time to time may be used by the Club in direct marketing; (ii) the following classes of services, products and subjects may be marketed: (1) financial, insurance, fiduciary, investment services, credit card, securities, investment, banking and related services and products; (2) reward, loyalty or privileges programmes and related services and products; (3) services and products offered by the Club’s co-branding partners (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and (4) donations and contributions for charitable and/or non-profit making purposes; (iii) the above services, products and subjects may be provided or (in the case of donations and contributions) solicited by the Club and/or:- (1) any member of the Club; (2) third party financial institutions, insurers, credit card companies, securities and investment services providers; (3) third party reward, loyalty, co-branding or privileges programme providers; (4) co-branding partners of the Club and/or any member of the Club (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and (5) charitable or non-profit making organizations.
5. In addition to marketing the above services, products and subjects itself, the Club also intends to provide the data described in paragraph (i) above to all or any of the persons described in paragraph (iii) above for use by them in marketing those services, products and subjects, and the Club requires the data subject’s written consent (which includes an indication of no objection) for that purpose; the Club may receive money or other property in return for providing the data to the other persons above and, when requesting the data subject’s consent or no objection as described in paragraph (iv) above, the Club will inform the data subject if it will receive any money or other property in return for providing the data to the other persons. If a data subject does not wish the Club to use or provide to other persons his/her data for use in direct marketing as described above, the data subject may exercise his/her opt-out right by notifying the Club.
6. Under and in accordance with the terms of the Ordinance and the Code of Practice on Consumer Credit Data approved and issued under the Ordinance, any data subject has the right:- (i) to check whether the Club holds data about him and/or access to such data; (ii) to require the Club to correct any data relating to him which is inaccurate; (iii) to ascertain the Club’s policies and procedures in relation to data and to be informed of the kind of personal data held by the Club and/or he/ she has access to; (iv) to be informed on request which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the making of an access or correction request to the relevant credit reference agency or debt collection agency; and (v) in relation to any account data (including, for the avoidance of doubt, any account repayment data) which has been provided by the Club to a credit reference agency, to instruct the Club, upon termination of the account by full repayment, to make a request to the credit reference agency to delete such account data from its database, as long as the instruction is given within five years of termination and at no time was there any default of payment in relation to the account, lasting in excess of 60 days within five years immediately before account termination. Account repayment data includes amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by the Club to a credit reference agency), remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any)). (i) In the event of any default of payment relating to an account, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days from the date such default occurred, the account repayment data (as defined in paragraph (h)(v) above) may be retained by the credit reference agency until the expiry of five years from the date of final settlement of the amount in default. (j) In the event any amount in an account is written-off due to a bankruptcy order being made against a data subject, the account repayment data (as defined in paragraph (h)(v) above) may be retained by the credit reference agency, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until the expiry of five years from the date of final settlement of the amount in default or the expiry of five years from the date of discharge from a bankruptcy as notified by the data subject with evidence to the credit reference agency, whichever is earlier. (k) Without limiting the generality of the foregoing, the Club may from time to time access the personal and account information or records of a data subject held by the credit reference agency for the purpose of reviewing any of the following matters in relation to the existing credit facilities granted to a data subject or a third party whose obligations are guaranteed by a data subject:- (i) an increase in the credit amount; (ii) the curtailing of credit (including the cancellation of credit or a decrease in the credit amount); and (iii) the putting in place or the implementation of a scheme of arrangement with the data subject or the third party. (l) The Club may have obtained a credit report on a data subject from a credit reference agency in considering any application for credit. In the event a data subject wishes to access the credit report, the Club will advise the contact details of the relevant credit reference agency. (m) Data of a data subject may be processed, kept and transferred or disclosed in and to any country as the Club or any person who has obtained such data from the Club referred to in (e) above considers appropriate. Such data may also be processed, kept, transferred or disclosed in accordance with the local practices and laws, rules and regulations (including any governmental acts and orders) in such country. (n) In accordance with the terms of the Ordinance, the Club has the right to charge a reasonable fee for the processing of any data access request. (o) Data subjects located in the European Union may also have the following additional rights:- (i) the Club or any other member of the Club will use profiling, including behavioral analysis, to assist in providing data subjects with better Services, to make decisions and to prevent money laundering, terrorism, fraud and other financial crime, for example profiling will help to try and detect whether use of a credit card may be fraudulent. If any profiling will result in an automated decision relating to a data subject who is an accountholder, we will let the accountholder know and the accountholder will have the right to discuss the decision with the Club; (ii) in some circumstances a data subject has the right to ask the Club to delete the personal data of such data subject, for example if the Club no longer has a valid reason to process it; (iii) in some circumstances a data subject may have the right to object to how the Club processes the personal data of such data subject but this does not mean that the data subject can decide or choose how the Club processes the personal data other than in relation to marketing. If a data subject has any concerns about how the Club processes his/her/its personal data, such data subject should discuss this at a branch or with a relationship manager. The Club may not be able to offer Services if the data subject does not want the Club to process the personal data the Club considers necessary to process to provide such Services; (iv) in some circumstances a data subject may have the right to restrict how the personal data of such data subject is processed; (v) in some circumstances a data subject may have the right to request the personal data that has been given to the Club in a machine readable format; (vi) a data subject has the right to complain to the Privacy Commissioner for Personal Data. The person to whom requests for access to or correction of data held by the Club, or for information regarding the Club’s data policies and practices and kinds of data held by the Club are to be addressed is as follows: R.O. of The Club ZFU Limited (q) Nothing in this document shall limit the rights of data subjects under the Ordinance. (r) Security:- (i) The security of personal data is important to the Club. The Club has technical and organisational security measures in place to safeguard each the personal data of each data subject. When using external service providers, the Club requires that they adhere to security standards mandated by the Club and the Club. The Club may do this through contractual provisions, including any such provisions approved by a privacy regulator, and oversight of the service provider. Regardless of where personal data is transferred, the Club takes all steps reasonably necessary to ensure that personal data is kept securely. (ii) Data subject(s) should be aware that the Internet is not a secure form of communication and they must not send the Club any personal data over the Internet as this carries with it risks including the risk of access and interference by unauthorised third parties. Information passing over the Internet may be transmitted internationally (even when sender and recipient are located in the same country) via countries with weaker privacy and data protection laws than in the country of residence of a data subject. (s) The Club retain personal data in line with applicable legal and regulatory obligations and for business and operational purposes. In the majority of cases this will be for seven years from the end of a data subject’s relationship with the Club. (t) To the extent permitted by law, the Club and other members of the Club may record and monitor electronic communications with data subjects to ensure compliance with legal and regulatory obligations and internal policies for the purposes outlined at paragraph (d) above. (u) Data subjects should also read the cookie policy when using the Club’s online services.
7. In this document, unless inconsistent with the context or otherwise specified, the words in bold shall have the following meanings:- Membership(s) means, for service which the Club may from time to time make available to the data subjects, the account that is, opened and/or maintained in respect of it from time to time. Member(s) means holder(s) of Membership, and includes nominee(s) in case of Corporate Member. Payment Card means an ATM card, a debit card, a credit card, or a revolving card or all of them, as the context requires. Data subject(s) has the meaning given to it in the Ordinance and includes applicants or members for Services, customers, security providers, referees, corporate officers and managers, (e.g. authorized signatories, contact persons, company secretary, directors, shareholders, beneficial owners of a corporate), suppliers, agents, contractors, service providers and other contractual counterparties and any third party transacting with or through the Club. Disclose, disclosing or disclosure, in relation to personal data, includes disclose or disclosing information inferred from the data. Hong Kong means the Hong Kong Special Administrative Region. The Club means each of or collectively The Club Zfu Limited and its subsidiaries and affiliates (including each branch or representative office). Should there be any inconsistencies between the English and Chinese versions, the English version shall prevail.