x

私隱政策

私隱政策

有關客戶個人資料之私隱政策聲明

1. 詮譯
「聲明」 此私穩政策聲明
「本公司」 寶灃信貸有限公司
「寶灃集團」 此包括: - 本公司或其繼承者; 及 - 所有由同一控股股東控制之關聯公司、附屬公司或母公司 「該條例」 個人資料(私隱)條例
「MCRA」 多家個人信貸資料服務機構模式
「信貸提供者」 獲准加入MCRA的信貸資料服務機構
「客戶」 潛在或現有(1)個人客戶、或(2) 企業客戶之股東、董事、管理人員及經理、或 (3)獨資或合 伙客戶之東主或合伙人。

2. 引言

2.1 此聲明被作為寶灃集團成員之本公司採納。訂立此聲明的目的,是為確立本公司全力執行及遵守保障個人資料原則的政策及實 務,以遵守該條例的各項條款及條文,及施行由香港持牌放債人公會及香港個人資料私隱專員公署就該條例而頒布的指引。本 公司同樣承諾確保其所有僱員及代理堅守這些責任。

2.2 此聲明只涵蓋有關本公司持有其客戶的個人資料的私隱政策。有關本公司與其客戶無關的個人資料(如本公司的僱員)的政策載 於另一獨立文件,並不包含在本聲明內。

3. 本公司持有的個人資料的種類

3.1 本公司持有的客戶個人資料可能包括下列各項:
(a) 客戶及其配偶的姓名和地址、職業、聯絡詳情、出生日期和國籍、其身份證及/或護照號碼及證件發出日期和地點;
(b) 客戶諮詢人的姓名和聯絡詳情;
(c) 客戶及其配偶現時的僱主、職位性質、年薪及其他福利;
(d) 客戶及其配偶持有的物業、資產或投資的詳情;
(e) 客戶及其配偶所有的其他資產或負債(實有或或然)的詳情;
(f) 客戶家庭開支及須撫養人數;
(g) 本公司在延續與客戶日常業務關係中獲得的資料(例如,當客戶在一般情況下以口頭或書面形式與本公司溝通時,本公司 亦會收集客戶的資料,當中可能以文書形式、電話錄音或網上系統收集(視屬何等情況而定);
(h)本公司向第三方(包括客戶因本公司產品及服務的推廣以及申請本公司產品及服務而接觸的第三方服務供應商)收集與客 戶有關的資料(包括從信貸資料服務機構接收個人資料)。
(i) 就要求追收任何客戶拖欠本公司款項而由諮詢人、信貸資料服務機構或收數公司提供的信用狀況資料;及
(j) 可透過公開渠道取得的資料。

3.2 本公司或會持有鑑於經驗及其業務特別性質所需的其他種類的個人資料。

4. 使用個人資料的目的

4.1 本公司只會為直接與本公司的職能或活動有關的目的使用所收集的個人資料。個人資料可能在有需要的情況下為了同樣的目的 被轉移至其他第三者。本公司會在收集個人資料的時候,通知有關人士其個人資料的可能承轉人。

4.2 客戶在開立或延續信貸戶口、建立或延續信貸或分期貸款或本公司所提供的其他財務產品及服務時,需要不時向本公司提供有 關的資料。

4.3 客戶與本公司在延續日常業務運作中,本公司亦會收集客戶的資料。

4.4 客戶的資料可能會用於下列用途:
(a) 處理、考慮及評估本公司產品及服務的申請;
(b) 為客戶提供服務和信貸便利所涉及之日常運作;
(c) 在客戶申請信貸時進行的信貸調查,及每年進行一次或以上的定期或特別信貸審查時,進行的信用檢查;
(d) 編制及維持本公司的信貸評分模式;
(e) 協助其他於香港獲核准加入MCRA的信貸提供者進行信用檢查及追討欠債;
(f) 確保客戶持續維持可靠信用;
(g) 設計提供客戶使用的金融服務或有關產品;
(h) 推廣服務、產品及其他標的(詳情請參閱本公司《個人資料收集(客戶)聲明》第11段);
(i) 核實任何其他客戶或第三方提供的數據或資料;
(j) 計算本公司與客戶之間的欠債金額;
(k) 進行保險索賠、評估或分析, 並協助保險公司進行索償稽查;
(l) 執行客戶向本公司之應負責任,包括但不限於向客戶及為客戶的債務提供抵押的人士追收欠款;
(m) 使本公司的實際或建議承讓人,或就本公司對客戶的權利的參與人或附屬參與人評核其擬承讓,參與或附屬參與的交 易;及
(n) 履行根據下列適用於寶灃集團或任何寶灃集團成員或其服務供應商或其被期望遵守的就披露及使用資料的義務、規定或安 排:
(i) 不論於香港境內或境外及不論目前或將來存在的對其具法律約束力或適用的任何法律;
(ii) 不論於香港境內或境外及不論目前或將來存在的任何法律、監管、政府、司法、稅務、執法或其他機關,或金融服務 供應商的自律監管或行業組織或協會作出或發出的任何指引或指導;及
(iii) 寶灃集團或任何寶灃集團成員因其位於或跟相關本地或外地的法律、監管、政府、司法、稅務、執法或其他機關,或 自律監管或行業組織或協會的司法管轄區有關的金融、商業、業務或其他利益或活動,而向該等有關機構承擔或被彼 等施加的任何目前或將來的合約或其他承諾;
(o) 遵守寶灃集團為符合制裁或預防或偵測清洗黑錢、恐怖分子融資活動或其他非法活動的任何方案下有關於寶灃集團內共用 資料及資訊及其任何其他使用而指定的任何義務、要求、政策、程序、措施或安排;
(p) 營運和內部監控,包括風險評估或統計分析;
(q) 比較客戶與其他人士的資料,以進行信貸核查、資料核實或生產或驗證資料(不論其目的是否用作採取對客戶有不利影響 的行動);
(r) 保留客戶信貸記錄以便現時及將來用作參考;
(s) 合理內部管理目的(包括保安控制、調查、風險管理、反詐騙、反申索防禦以及監察本公司所推出服務的質量及效率); 及
(t) 與上述有關的用途。

5. 個人資料的保安
5.1 本公司的政策是為確保個人資料的保安及防止資料被未獲准許或意外的查閱、處理、刪除、喪失或使用,就個人資料因應其敏 感程度及考慮如此等事情發生便能造成的損害程度提供適度的保障。為達到適當程度的保安,本公司的一貫做法為透過提供安 全的儲存設施(包括在資料存置設備實施保安措施),來嚴格限制資料被查閱及處理。本公司亦會採取措施以確保處理該等資 料的人士具備良好操守、審慎態度及辦事能力;基於有需要知道的原則來審批查閱資料權限。個人資料只會以妥善保安的方式 傳送,從而防止資料被未獲准許或意外的查閱。如本公司聘用(不論是在香港或香港以外聘用)資料處理者,以代本公司處理 個人資料,本公司將採用合約規範方法或其他方法,以防止轉移予該資料處理者作處理的個人資料被未獲准許或意外的查閱、 處理、刪除、喪失或使用。

6. 個人資料的披露

6.1 本公司依從嚴謹之保障私隱程序以處理個人資料。除非有關個人事前得到知會或提供同意(如需要)或在本公司須遵守的任何 法例所容許或要求下,本公司並不准許將個人資料披露予第三者。

6.2 第5.1段所指的客戶個人資料的可能受讓人(不論是在香港或香港以外)包括:
(a) 任何代理人、審計員、承包人、或向本公司提供行政、一般支援、審計、資料管理、信貸監控、分析、產品審視、欺詐行 為審視及調查、合規監管、電訊、電腦、付款或證券結算、電子身份認證服務、資料處理、債務追收、保險、專業性或其 他與本公司業務運作有關的服務的第三方服務供應商,不論其所在地;
(b) 任何對本公司有保密責任的人士,包括本公司的不同部門及任何其他已承諾保持該資料保密的寶灃集團成員;
(c) 出票銀行向出票人提供已付款支票的副本(而其中可能載有關於收款人的資料);
(d) 任何付款到資料當事人賬戶的人士;
(e) 任何從資料當事人收取付款的人士、其收款銀行及任何處理或辦理該付款的中介人士;
(f) 信貸資料服務機構(包括信貸資料服務機構所使用的任何中央資料庫之經營者);及在資料當事人違約或欠賬>時,將該 等資料提供給收債公司;
(g) 任何提供或擬提供擔保或第三方擔保以保證或擔保資料當事人責任的任何當事方;
(h) 本公司或其他寶灃集團成員根據對其具約束力或適用的任何法例規定下有責任或被要求向其作出披露,或按照及為實施預 期適用於本公司或其他寶灃集團成員的、由任何法定、監管、政府、稅務、執法或其他機構或金融服務提供者之自律監管 或行業機構或組織所提供或發出的指引或指導而需對其作出披露,或根據與本地或海外之法定、監管、政府、稅務、執法 或其他機構或金融服務提供者之自律監管或行業機構或組織之間的任何合約承諾或其他承諾而需對其作出披露之任何人士 ,不論處於香港境內或境外及不論現在或將來存在;
(i) 本公司的任何實質或建議承讓人或就本公司對資料當事人的權利的參與人或附屬參與人或受讓人;及
(j) 為向下列人士提供信息而收集的資料:
(i) 任何寶灃集團成員;
(ii) 第三方金融機構、承保人、信用卡公司、證券、商品及投資服務供應商;
(iii) 第三方獎賞、客戶忠誠、品牌合作及優惠計劃供應商;
(iv) 本公司及寶灃集團成員的品牌合作夥伴;
(v) 本公司及寶灃集團成員的聯營商戶;
(vi) 慈善或非牟利組織;及
(vii) 就上述第3段所述目的而聘用之第三方服務供應商(包括但不限於代寄郵件公司、電訊公司、電話促銷及直銷 代理人、電話服務中心、數據處理公司、資訊科技公司及電子身份認證服務的承辦商),不論其所在地。

7. 個人資料的準確性

7.1 本公司的政策是採取所有切實可行的步驟以確保所有經由本公司收集及處理的個人資料在顧及有關的個人資料被使用於或會被 使用於的目的下均為準確。本公司會實施適當的程序以定期核對及更新所有個人資料。倘若本公司所持有的個人資料含有意見 聲明,本公司會採取一切合理切實可行的步驟,以確保任何聲言是支持該項意見聲明的事實,均屬正確。

8. 個人資料的收集

8.1 就個人資料的收集,本公司會確認有關資料是為了直接與本公司的職能或活動有關的合法目的而收集。個人資料是以合法及公 平的方法收集,資料的收集對收集目的而言是必需的,及所收集的資料屬足夠但不超乎適度。

8.2 在收集個人資料的過程中,本公司會向資料當事人提供一份《個人資料收集(客戶)聲明》,述明收集資料的目的、將獲轉交 資料的人士的身分類別、查閱及改正資料的權利,以及其他有關資料。本公司會採取切實可行步驟以確保有關人士會被告知他 們是有責任或是可自願提供個人資料;如屬有責任提供,則沒有提供資料的後果。

8.3 本公司於使用取自公共領域的個人資料前,會留意該等資料存放於公共領域的原來使用目的(例如法例訂明設立某公共登記冊 的目的)、相關使用限制(如有)及有關人士在個人資料私隱方面的合理期望。

8.4 有關本公司從互聯網收集個人資料,本公司會採納以下實務:
(i) 網上保安
本公司會按照嚴格的保安及保密標準保障在互聯網提供給本公司的任何資料。並已採用加密法在互聯網上傳輸敏感性的資料, 以保障個人的私隱。
(ii) 網上改正資料
透過網上設施提供給本公司的個人資料一經呈交,便未必能在網上刪除、改正或更新。使用者如未能在網上作出刪除、改正或 更新,便須聯絡本公司有關部門尋求協助。
(iii) 網上保留資料
在網上收集的個人資料會被轉送到本公司有關部門處理。個人資料一般不會存置於網站伺服器。
8.5 「曲奇」檔案是由網站伺服器傳送至瀏覽器的小段資訊,這些資料儲存於電腦硬碟中,使網站伺服器能於稍後再從瀏覽器內讀 取。這有助網站保存某些使用者的資料。
「曲奇」檔案被設計成只可讓發出的網站讀取,但不能用作取得使用者的硬碟資料、電郵地址或收集使用者的敏感性資料。 基於以下目的,本公司使用「曲奇」來識別使用者的網頁瀏覽器:
(a) 身份識別
本公司不會把使用者的敏感性資料存置於「曲奇」內。當使用者瀏覽本公司網站時,所有聯系將會利用「曲奇」去識別使用者 身份。
(b) 資料分析
使用者瀏覽本公司的網上平台及社交網絡(包括但不限於本公司網站、 Facebook及Instagram)時,本公司可能透過「曲 奇」等技術收集有關瀏覽記錄以供資料分析。該等記錄是不記名的集體統計資料,並不包括任何可識別個人身份的資料。本公 司收集有關記錄資料,主要用於更好地瞭解使用者的統計數據、興趣及使用模式,及提高本公司網上推廣的效率。
有關資料可能會被本公司轉移至第三方公司(例如,網頁流量追蹤及報告、網上廣告刊登等的外部服務供應商)或由第三方公 司代本公司收集以進行以上用途。而本公司授權的第三方公司不會把該記錄再轉移予其他第三者。該等記錄是不記名的集體統 計資料,並不包括任何可識別個人身份的資料。
大多數網絡瀏覽器初始設定均為接受「曲奇」。使用者可以透過變更網絡瀏覽器的設定選擇『不接受』「曲奇」,但此舉可能 導致使用者無法瀏覽本公司的網頁以及使本公司網上平台及社交網絡上的某些功能無法正常運作。本公司保留所收集資料的時 間取決於收集該資料的原始目的或與其直接相關的目的,以及為滿足任何適用法例、法規及合約要求。
透過「曲奇」等技術收集的資料一般不會保留超過3年。

8.6 本公司為一般保安目的於本公司範圍安裝錄影模式閉路電視系統以保障客戶及員工人身安全、業務資產、知識產權或其他財 產。有關閉路電視系統記錄只會由被授權人士查閱或使用。本公司可能在有需要對任何法律程序作出回應,或對任何事故或投 訴等情況作出調查時,披露有關閉路電視系統記錄予第三方,例如監管機構或執法機關。 除上文所述情況外,本公司會按照 相關保留政策及指引刪除閉路電視系統記錄,並根據本聲明採取合適的保安措施保障有關記錄。

9. 查閱資料要求及改正資料要求

9.1 本公司的政策為按照該條例的規定,依從及處理一切查閱資料及改正資料要求;及讓所有有關職員熟悉有關的規定,以協助各 人士作出有關要求。

9.2 本公司或會在符合該條例及個人私隱專員公署發出之指引的規定下,就查閱資料要求徵收費用。本公司只可收取與依從查閱資 料要求直接有關及必需之費用。倘若任何提出查閱資料要求的人士要求本公司提供按早前的查閱資料要求提供過的個人資料的 額外副本,本公司或會收取費用以全數彌補因提供該額外副本而涉及的行政成本或其他成本的費用。

9.3 有關查閱及改正資料的要求,可向資料保障主任或其他相關指定人員提出。

10. 個人資料之存檔

10.1 本公司會採取所有切實可行的步驟,以確保個人資料的保存時間不超過為達致該資料被使用於或會被使用於按其目的所需的時 間。本公司在結束賬戶後一般會持有有關客戶的資料 7 年或按照有關法律和法規所規定的期限。

10.2 如本公司聘用(不論是在香港或香港以外聘用)資料處理者,以代本公司處理個人資料,本公司將採用合約規範方法或其他方 法,以防止轉移予該資料處理者的個人資料的保存時間超過處理該資料所需的時間。

11. 其他實務

11.1 為確保依從該條例所載的規定,本公司備有:
(a) 資料記錄簿,即該條例第27條所規定的記錄簿;
(b) 內部政策及指引以供本公司員工使用,以確保各員工遵守該條例的規定。
(c) 查閱資料要求表格(DARF)、及改正資料要求表格(DCRF)及資料刪表格(DDRF),供任何人士申請查閱、改正或刪除本公司所持有關於他們的個人資料。

11.2 本公司會定期審閱及於當有需要時更新本聲明。本聲明的最新版本將載於本公司之網站內。

12. 資料保障主任的委任

12.1 本公司已委任資料保障主任,以負責統籌及監察該條例及本公司保障個人資料政策的遵守情況。

12.2 資料保障主任的聯絡資料如下︰

寶灃信貸有限公司
地址:九龍觀塘創業街15號萬泰利廣場32樓E室
電話:2886 5500
傳真:2886 5508
電郵:cs@pofungfinance.com
網址:www.pofungfinance.com

(本聲明之中英文版本如有歧異,以英文版本為準。)
最後更新 2023年11月

PRIVACY POLICY STATEMENT IN RELATION TO PERSONAL DATA OF CUSTOMERS
1. INTERPRETATION
"Statement" This Privacy Policy Statement
"Company" Po Fung Finance Limited
"Po Fung Group" It includes: - the Company or its successors; and - any related company, associated company and parent company ultimately controlled by the same controlling shareholder(s).
"Ordinance" Personal Data (Privacy) Ordinance
"MCRA" Multiple Credit Reference Agencies Model
"Credit Reference Agencies" credit reference agencies approved for participation in the MCRA
"Customers" Potential or existing (1) individual customers, or (2) shareholders, directors, officers, and managers of corporate customers, or (3) sole proprietors or partners of sole proprietorship or partnership customers.

2. INTRODUCTION

2.1 This Statement is adopted by the Company which is a member of Po Fung Group. The purpose of this Statement is to establish the policies and practices of the Company’s commitment to protect the privacy of personal data and to act in compliance with the provisions of the Ordinance and the relevant guidelines issued by the Office of the Privacy Commissioner for Personal Data. The Company is equally committed to ensuring that all its employees and agents uphold these obligations.

2.2 This Statement addresses only the privacy policy for personal data held by the Company in relation to its customers. Privacy policy for personal data held by the Company in relation to personal data which is unrelated to its customers (e.g. employees of the Company) are not addressed in this Statement but in a separate document.

3. KINDS OF PERSONAL DATA HELD BY THE COMPANY

3.1 Personal data held by the Company regarding customers may include the following:
(a) name and address, occupation, contact details, date of birth and nationality of customers and spouses of customers and their identity card and/or passport numbers and place and date of issue thereof;
(b) name and contact details of customers’ referee;
(c) current employer, nature of position annual salary and other benefits of customers and spouses of customers;
(d) details of properties, assets and investments held by customers and spouses of customers;
(e) details of other assets and liabilities (actual or contingent) of customers and their spouses;
(f) household expenses and number of dependents of customers;
(g) information obtained by the Company in the ordinary course of the continuation of the customer relationship (for example, when customers write cheques or deposit money or otherwise carry out transactions as part of the Company’s services, or when customers communicate verbally or in writing with the Company, by means of, including but not limited to, documentation, telephone recording system or web-based system, as the case may be);
(h) data collected from third parties, including third party service providers with whom the customer interacts in connection with the marketing of the Company’s products and services and in connection with the customer’s application for the Company’s products and services (including receiving personal data from Credit Reference Agencies);
(i) information as to credit standing provided by a referee, Credit Reference Agency or debt collection agency in connection with a request to collect a debt due from any customer to the Company; and
(j) information which is in the public domain.

3.2 The Company may hold other kinds of personal data which it needs in the light of experience and the specific nature of its business.

4 PURPOSES THE PERSONAL DATA IS HELD

4.1 All personal data collected will only be used for purposes which are directly related to the Company’s functions or activities. Personal data collected may be transferred to third parties when necessary for the same purposes. The individuals concerned would be informed of the possible transferees of their personal data when their personal data is collected.

4.2 It is necessary for customers to supply the Company with data in connection with the opening or continuation of accounts and the establishment, maintenance, or continuation of the provision of loans and related financial products and services.

4.3 Data will also be collected from customers in the ordinary course of the continuation of the customer relationship.

4.4 The purposes for which data relating to customers may be used are as follows:
(a) processing, considering and assessing the customer’s application for the Company’s products and services;
(b) the daily operation of the products, services and credit facilities provided to customers;
(c) conducting credit checks at the time of application for credit and regular or special reviews which normally will take place once or more than once each year;
(d) creating and maintaining the Company’s credit scoring models;
(e) assisting other credit providers in the Hong Kong approved for participation in the MCRA to conduct credit checks and collect debts;
(f) ensuring ongoing credit worthiness of customers;
(g) designing financial services or related products for customers’ use;
(h) marketing services, products and other subjects (please see further details in Paragraph 11 of the Company’s Personal Information Collection (Customers) Statement);
(i) verifying the data or information provided by any other customer or third party;
(j) determining amounts owed to or by customers;
(k) conducting, assessing and analyzing any insurance claims and assist insurance companies to conduct claim checks;
(l) enforcing customers’ obligations, including but not limited to the collection of amounts outstanding from customers and those providing security for customers’ obligations;
(m) enabling an actual or proposed assignee of the Company, or participant or sub-participant of the Company’s rights in respect of the customer to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;
(n) complying with the obligations, requirements or arrangements for disclosing and using data that apply to or are expected to be complied with by a member of Po Fung Group or any service provider of a member of Po Fung Group according to;
(i) any law binding or applying to it within or outside the Hong Kong existing currently and in the future;
(ii) any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside the Hong Kong existing currently and in the future; and
(iii) any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Company or any member of Po Fung Group by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;
(o) complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within Po Fung Group or any other use of data and information for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
(p) operational or internal control purposes, including credit assessment or statistical analysis;
(q) comparing data of customers or other persons for credit checking, data verification or otherwise producing or verifying data, whether or not for the purpose of taking adverse action against the customers;
(r) maintaining a credit history of customers for present and future reference;
(s) reasonable internal management purposes (including security controls, investigations, risk management, fraud prevention, the defence of claims and the monitoring of the quality and efficiency of services offered or provided by the Company); and
(t) purposes relating thereto.
5. SECURITY OF PERSONAL DATA

5.1 It is the policy of the Company to ensure an appropriate level of protection for personal data to prevent unauthorised or accidental access, processing, erasure, loss or use of that data, commensurate with the sensitivity of the data and the harm that would be caused by occurrence of any of the aforesaid events. It is the practice of the Company to achieve appropriate levels of security protection by restricting physical access to and processing of data by providing secure storage facilities (including incorporating security measures into equipment in which data is held) to strictly restrict the access and processing of personal data. The Company also takes measures to ensure the integrity, prudence and competence of persons having access to personal data. The access to the personal data is granted on a need-to-know basis only. Personal data is only transmitted by secured means to prevent unauthorised or accidental access. If the Company engages a data processor (whether within or outside Hong Kong) to process personal data on the Company’s behalf, the Company would adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

6. DISCLOSURE OF PERSONAL DATA

6.1 The Company follows strict privacy procedures in regard to protection of personal data. No disclosure of personal data to third parties is allowed unless the relevant individual has already been informed or has provided the consent (where required) or the disclosure is permitted or required by any law binding on the Company.

6.2 The possible transferees (whether within or outside Hong Kong) of personal data of customers as referred to in Paragraph 5.1 includes:
(a) any agent, auditor, contractor or third party service provider who provides administrative, general supporting, auditing, data management, credit control, analytic, product review, fraud review and investigation, compliance, monitoring, telecommunications, computer, payment or securities clearing, electronic identity authentication, data processing, debt collection, insurance, professional or other services to the Company in connection with the operation of its business, wherever situated;
(b) any other person under a duty of confidentiality to the Company including different departments within the Company and/or any other members of Po Fung Group which has undertaken to keep such information confidential;
(c) the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;
(d) any person making payment into the customer’s account;
(e) any person receiving payment from the customers, the banker of such person and any intermediaries which may handle or process such payment;
(f) Credit Reference Agencies (including the operator of any centralized database used by Credit Reference Agencies), and, in the event of default, to debt collection agencies;
(g) any party giving or proposing to give a guarantee or third party security to guarantee or secure the customer’s obligations;
(h) any person to whom the Company or any members of Po Fung Group is under an obligation or otherwise required to make disclosure under the requirements of any law binding on or applying to the Company or any members of Po Fung Group, or any disclosure under and for the purposes of any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers with which the Company or any members of Po Fung Group are expected to comply, or any disclosure pursuant to any contractual or other commitment of the Company or any members of Po Fung Group with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers, all of which may be within or outside the Hong Kong and may be existing currently and in the future;
(i) any actual or proposed assignee of the Company or participant or sub-participant or transferee of the Company’s rights in respect of the customers; and
(j) wherever situated:
(i) any members of Po Fung Group;
(ii) third party financial institutions, insurers, credit card companies, securities, commodities and investment services providers, with which the customer has or proposes to have dealings;
(iii) third party reward, loyalty, co-branding and privileges programme providers;
(iv) co-branding partners of the Company and members of Po Fung Group (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);
(v) affiliated merchants of the Company and members of Po Fung Group (the names of such affiliated merchants can be found on the Company’s website for the relevant services and products, as the case may be);
(vi) charitable or non-profit making organisations; and
(vii) external service providers (including but not limited to mailing houses, telecommunication companies, telemarketing and direct sales agents, call centres, data processing companies, information technology companies and companies providing electronic identity authentication services) that the Company engages for the purposes set out in Paragraph 3 above, wherever situated.

7. ACCURACY OF PERSONAL DATA

7.1 It is the policy of the Company to ensure that all practicable steps have been taken to maintain the accuracy of all personal data collected and processed by the Company having regard to the purpose for which the personal data is or is to be used. Appropriate procedures are implemented such that all personal data is regularly checked and updated. In so far as personal data held by the Company consists of statements of opinion, all reasonably practicable steps are taken to ensure that any facts cited in support of such statements of opinion are correct.

8. COLLECTION OF PERSONAL DATA

8.1 When collecting personal data, the Company will satisfy itself that the purposes for which the data is collected are lawful and directly related to the Company’s functions or activities. The manner of collection is lawful and fair in the circumstances and the personal data collected is necessary but not excessive for the purposes for which it is collected.

8.2 While collecting personal data, the Company will provide the individuals concerned with the Personal Information Collection (Customer) Statement informing them of the purpose of collection, classes of persons to whom the data may be transferred, their rights to access and correct the data, and other relevant information. The Company will take practicable steps to ensure that the individuals concerned are informed of whether it is obligatory or voluntary for them to supply the data and, if obligatory, the consequences for them if they fail to do so.

8.3 Prior to using any personal data from public domain, the Company will give due regards to observe the original purposes of making the personal data available in the public domain (such as the purpose of establishing the public register in the enabling legislation). The restrictions, if any, imposed by the original data users on further uses and the reasonable expectation of personal data privacy of the individuals concerned will be observed by the Company.

8.4 In relation to the collection of personal data online, the following practices are adopted:
(i) Online Security
The Company will follow strict standards of security and confidentiality to protect any information provided to the Company online. Encryption technology is employed for sensitive data transmission on the Internet to protect individuals’ privacy.
(ii) Online Correction
Personal data provided to the Company through an online facility, once submitted, it may not be facilitated to be deleted, corrected, or updated online. If deletion, correction, and updates are not allowed online, users should approach the Company’s relevant departments for assistance.
(iii) Online Retention
Personal data collected online will be transferred to the relevant departments for processing. Personal data will normally not be retained in the Company’s internet systems’ database.

8.5 Cookies are small pieces of data transmitted from a web server to a web browser. Cookie data is stored on a local hard drive such that the web server can later read back the cookie data from a web browser. This is useful for allowing a website to maintain information on a particular user. Cookies are designed to be read only by the website that provides them. Cookies cannot be used to obtain data from a user’s hard drive, get a user’s email address or gather a user’s sensitive information. The Company uses cookies to identify users’ web browser for the following purposes:-
(a) Session Identifier
The Company will not store user’s sensitive information in cookies. Once a session is established, all the communications will use the cookies to identify a user.
(b) Analytical Tracking
Users’ visit to the Company’s online platforms and social networks (including but not limited to the Company’s websites, Facebook and Instagram) will be recorded for analysis and information may be collected through technologies such as cookies. The information collected is anonymous research data and no personally identifiable information is collected. The Company mainly collects these information to understand more about our users including user demographics, interests and usage patterns, and to improve the effectiveness of our online marketing.

The information may be transferred to or collected by third parties on our behalf (for example, providers of external services like web traffic tracking and reporting, online advertisement serving) for the above use. The information would not be transferred to other parties by the third parties engaged by the Company. The information collected is anonymous research data and no personally identifiable information is collected or shared by the third parties.

Most web browsers are initially set up to accept cookies. Users can choose to “not accept” cookies by changing the settings on the web browsers but this may disable the access to the Company’s Internet Companying and certain features on the Company’s online platforms and social networks will not work properly. The Company will retain the collected information for as long as is necessary to fulfil the original or directly related purpose for which it was collected and to satisfy any applicable statutory, regulatory or contractual requirements.

The information collected through technologies such as cookies, tags and web logs etc. will be retained for a period of no longer than 3 years.

8.6 The Company installs closed circuit television (“CCTV”) (with recording mode) systems at Company premises primarily for general security purposes to protect the safety of customers and the staff, business assets, intellectual property, or other proprietary rights. Access to and use of the CCTV records will be granted to authorised personnel only. The Company may disclose the CCTV records to third parties including regulatory authorities and law enforcement agencies where it is necessary for it to respond to any legal processes or to investigate any incidents or complaints, etc. Subject to the aforesaid, all CCTV records will be erased according to the Company’s policies and guidelines. The security measures that apply to the CCTV records will be consistent with this Statement.

9. DATA ACCESS REQUESTS AND DATA CORRECTION REQUESTS

9.1 It is the policy of the Company to comply with and process all data access requests and data correction requests in accordance with the provisions of the Ordinance, and for all staff concerned to be familiar with the requirements for assisting individuals to make such requests.

9.2 The Company may, subject to the Ordinance and the guidelines issued by the Office of the Privacy Commissioner for Personal Data, impose a fee for complying with a data access request. The Company is only allowed to charge a person making a data access request for the costs which are directly related to and necessary for complying with a data access request. If a person making a data access request for an additional copy of the personal data that the Company has previously supplied pursuant to an earlier data access request, the Company may charge a fee to cover the full administrative and other costs incurred in supplying that additional copy.

9.3 Data access requests and data correction requests to the Company may be addressed to the Company’s Data Protection Officer or other specified person.

10. RETENTION OF PERSONAL DATA

10.1 The Company takes all practicable steps to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose for which such data is or is to be used. The Company usually holds data relating to the customers for a period of 7 years or such other period as prescribed by applicable laws and regulations after closure of account or termination of service.

10.2 If the Company engages a data processor (whether within or outside Hong Kong) to process personal data on the Company’s behalf, the Company would adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data.

11. OTHER PRACTICES

11.1 The following are maintained by the Company to ensure compliance with the Ordinance:
(a) A log book as provided for in section 27 of the Ordinance; br (b) Internal policies and guidelines on compliance with the Ordinance for observance by staff of the Company; and
(c) Data Access Request Form (Form DARF), Data Correction Request Form (Form DCRF) and Data Deletion
Request Form (Form DDRF) for individuals’ requests for access to, correction of and deletion of personal data held by the Company.

11.2 This Statement is subject to review and change from time to time. The latest version of this Statement is contained on the Company’s website.

12 APPOINTMENT OF DATA PROTECTION OFFICER

12.1 The Company has appointed a Data Protection Officer to co-ordinate and oversee compliance with the Ordinance and the personal data protection policies of the Company.

12.2 The contact details of the Data Protection Officer are as follows:
Po Fung Finance Limited
Address:Office E, 32/F, Montery Plaza, 15 Chong Yip Street, Kwun Tong, Kln
Telephone:2886 5500
Facsimile:2886 5508
Email:cs@pofungfinance.com
Website:www.pofungfinance.com

(In case of discrepancies between the English and Chinese versions of this Statement, the English version shall prevail.)

Last update Nov 2023