(a) From time to time, it is necessary for Customers to supply the Company with data in connection with the opening or continuation of accounts and the establishment or continuation of credit facilities or provision of other services.
(b) Failure to supply such data may result in the Company being unable to open or continue accounts or establish or continue credit facilities or provide other services.
(c) It is also the case that data are collected from Customers in the ordinary course of the business, including those given in person or through telephone or internet in processing new or renewal loan applications or services. This includes information obtained from a credit reference agency.
(d) The purposes for which personal data relating to a Customer may be used by the Company or the recipient of such data are as follows:-
(i) the processing of applications for services and credit facilities and the daily operation of the services, credit facilities provided to Customers;
(ii) conducting credit checks at the time of application for credit and at the time of regular or special reviews which normally will take place one or more times each year;
(iii) assisting other money lenders and/or financial institutions, credit or charge card issuing companies and debt collection agents to conduct credit checks and collect debts;
(iv) ensuring ongoing credit worthiness of Customers;
(v) designing financial services or related products for Customers' use;
(vi) marketing services and products and other subjects (please see further details in paragraph (f) below);
(vii) determining the account transactions/balances between the Company and Customers;
(viii) collection of amounts outstanding from Customers, or those providing security for Customers' obligations or other co-borrower(s);
(ix) complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Company or any of its branches or that it is expected to comply with according to:
(1) any law binding or applying to it within or outside the Hong Kong Special Administrative Region (“Hong Kong”) existing currently and in the future;
(2) any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently and in the future;
(3) any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Company or any of its branches by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;
(x) complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the Group of XFB FinTech Company Limited and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
(xi) enabling an actual or proposed assignee of the Company, or participant or sub-participant of the Company's rights in respect of the Customer to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;
(xii) conducting matching procedures;
(xiii) creating and maintaining the Company’s credit scoring models; and
(xiv) purposes relating thereto.
(e) Data held by the Company relating to a Customer will be kept confidential but the Company may provide such information to the following parties (whether within or outside the Hong Kong Special Administrative Region) for the purposes set out in paragraph (d):-
(i) any agent, contractor or third party service provider who provides administrative, telecommunications, Electronic Fund Transfer service, computer, payment, debt collection or other services to the Company in connection with the operation of its business;
(ii) any branch, subsidiary, holding company, associated company or affiliate of the Company;
(iii) any other person under a duty of confidentiality to the Company which has undertaken to keep such information confidential;
(iv) credit reference agencies, and, in the event of default, to debt collection agencies or law firms;
(v) any person to whom the Company or any of its branches is under an obligation or otherwise required to make disclosure under the requirements of any law binding on or applying to the Company or any of its branches are expected to comply, or any disclosure pursuant to any contractual or other commitment of the Company or any of its branches with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers, all of which may be within or outside Hong Kong and may be existing currently and in the future;
(vi) any party giving or proposing to give a guarantee or third party security to guarantee or secure the Customer's obligations and any co-borrower(s); and
(vii) any actual or proposed assignee of the Company or participant or sub-participant or transferee of the Company's rights in respect of the Customer; and
(1) any member of XFB FinTech Company Limited;
(2) third party financial institutions, insurers, credit card companies, securities and investment services providers;
(3) third party reward, loyalty or privileges programme providers;
(4) co-branding partners of the Company (the names of such co-branding partners can be found in the application form(s) and/or advertising leaflet(s) / poster(s) for the relevant services and products, as the case may be);
(5) charitable or non-profit making organisations; and
(6) external service providers (including but not limited to mailing houses, telecommunications companies, telemarketing and direct sales agents, call centres, data processing companies and information technology companies) that the Company engages for the purposes set out in paragraph (d)(vi).
Such information may be transferred to a place outside Hong Kong.
(f) USE OF DATA IN DIRECT MARKETING
The Company intends to use a Customer's data in direct marketing and the Company requires the Customer's consent (which includes an indication of no objection) for that purpose. In this connection, please note that:
(i) the name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data of a Customer held by the Company from time to time may be used by the Company in direct marketing;
(ii) the following classes of services, products and subjects may be marketed:
(1) financial services and related products including insurance products;
(2) reward, loyalty or privileges programmes and related services and products;
(3) services and products offered by the Company’s co-branding partners (the names of such co-branding partners can be found in the application form(s) and/or advertising leaflet(s) / poster(s) for the relevant services and products, as the case may be); and
(4) donations and contributions for charitable and/or non-profit making purposes;
(iii) the above services, products and subjects may be provided or (in the case of donations and contributions) solicited by the Company and/or:
(1) any member of XFB FinTech Company Limited;
(2) third party financial institutions, insurers, credit card companies, securities and investment services providers;
(3) third party reward, loyalty, co-branding or privileges programme providers;
(4) co-branding partners of the Company; and
(5) charitable or non-profit making organisations;
(iv) in addition to marketing the above services, products and subjects itself, the Company also intends to provide the data described in paragraph (f)(i) above to all or any of the persons described in paragraph (f)(iii) above for use by them in marketing those services, products and subjects, and the Company requires the Customer's written consent (which includes an indication of no objection) for that purpose;
(v) the Company may receive money or other property in return for providing the data to the other persons in paragraph (f)(iv) above and, when requesting the Customer's consent or no objection as described in paragraph (f)(iv) above, the Company will inform the Customer if it will receive any money or other property in return for providing the data to the other persons.
If a Customer does not wish the Company to use or provide to other persons his data for use in direct marketing as described above, the Customer may exercise his opt-out right in respect of mail, email, mobile message and telephone by notifying the Company, without charge.
(g) Practice in collecting personal data on-line:
(i) The Company will follow strict standards of security and confidentiality to protect any information provided by Customers to the Company online. Encryption technology is employed for sensitive data transmission on the Internet to protect individuals' privacy.
(ii) When a Customer visits the Company's website, the Company will record the visit only as a “hit”. The webserver will also make a record of the visit that includes the Customer's IP addresses (and domain names), the types and configurations of browsers, language settings, geo-locations, operating systems, previous sites visited, and time/durations and the pages visited (“Visitor Data”). The Visitor Data are used for the purpose of maintaining and improving the Company's websites such as to determine the optimal screen resolution, which pages have been most frequently visited etc. The Company uses such data only for website enhancement and optimisation purposes. The Company does not use, and has no intention to use the Visitor Data to personally identify anyone.
(iii) Cookies are small pieces of data transmitted from a web server to a web browser. Cookie data are stored on a local hard drive such that the web server can later read back the cookie data from a web browser. This is useful for allowing a website to maintain information on a particular user. At present, the Company will not use cookie files and if it shall in future use cookie files, it will only use the cookie files as a session identifier and will not store the Customer’s sensitive information in cookies.
(iv) The aforesaid data collected will be stored in the webserver but will only be used for the aforesaid purposes. Such data will be destroyed within 6 months after being collected.
(v) Contents of any electronically transmitted communications by a Customer via the website and/or its links, no matter whether they are email messages, text or voice messages etc, will be stored in the Company's server for the purposes as set out in paragraph (d) above. If the Company does not approve the Customer's application for services, such data collected will be destroyed within 6 months. If the application is approved, such data will be kept for 6 years.
(vi) For requests by the Company on its website or in the application forms linked therewith for personal data to be filled in by the Customer in such boxes/fields marked with asterisks, the Company may not be able to offer any services if the Customer does not provide such data as requested. The Customer has the choice to provide or not to provide such requested data in those boxes/fields not marked with asterisks. If a Customer does provide any telephone contact number(s), the Company may contact the Customer through such telephone number(s) to follow up the applicable services provided or to be provided.
(vii) The availability of hyperlinks or connection to other sites / addresses, applications at the Company’s Website does not mean or imply any authentication, verification, representation, approval or endorsement by the Company of such hyperlinks, connection, or the identity or information relating to such sites / addresses. The Company shall have no liability whatsoever for such hyperlinks, connection, applications, the contents, availability, accuracy or omission of information at other sites / addresses linked to or found on the sites / addresses that link to or from the Company's Website. They are accessed and used at the Customer's own risk.
(h) Under and in accordance with the terms of the Personal Data (Privacy) Ordinance (the "Ordinance"), the Code of Practice on Consumer Credit Data and any statutory or regulatory guidelines issued by the Privacy Commissioner or other regulatory bodies, any Customer has the right:-
(i) to check whether the Company holds data about him and the right of access to such data;
(ii) to require the Company to correct any data relating to him which is inaccurate;
(iii) to ascertain the Company's policies and practices in relation to data and to be informed of the kind of data held by the Company;
(iv) to be informed on request which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the making of an access and correction request to the relevant credit reference agency or debt collection agency;
(v) in relation to any account data (including, for the avoidance of doubt, any account repayment data) which has been provided by the Company to a credit reference agency, to instruct the Company, upon termination of the account by full repayment, to make a request to the credit reference agency to delete such account data from its database, as long as the instruction is given within five years of termination and at no time was there any default of payment in relation to the account, lasting in excess of 60 days within five years immediately before account termination. Account repayment data include amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by the Company to a credit reference agency), remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any)).
(i) In the event of any default of payment relating to an account, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days from the date such default occurred, the account repayment data (as defined in paragraph (h)(v) above) may be retained by the credit reference agency until the expiry of five years from the date of final settlement of the amount in default.
(j) In the event any amount in an account is written-off due to a bankruptcy order being made against a Customer, the account repayment data (as defined in paragraph (h)(v) above) may be retained by the credit reference agency, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until the expiry of five years from the date of final settlement of the amount in default or the expiry of five years from the date of discharge from a bankruptcy as notified by the Customer with evidence to the credit reference agency, whichever is earlier.
(k) The Company may access the database of credit reference agencies for the purposes of credit review from time to time. Such review may involve the consideration by the Company of any of the following matters:-
(i) an increase in the credit amount;
(ii) the curtailing of credit (including the cancellation of credit or a decrease in the credit amount); or
(iii) the putting in place or the implementation of a scheme of arrangement with the Customer.
(l) In accordance with the terms of the Ordinance, the Company has the right to charge a reasonable fee for the processing of any data access request.
(m) The person to whom requests for access to data or correction of data or for information regarding policies and practices and kinds of data held are to be addressed is as follows:
The Data Protection Officer
XFB FinTech Company Limited
10/F Nine Queen's Road Central,
9 Queen’s Road Central,
Hong Kong.
Fax: (852) 2845 2145
(n) The Company may have obtained a credit report on the Customer from a credit reference agency in considering any application for credit. In the event the Customer wishes to access the credit report, the Company will advise the contact details of the relevant entity.
(o) The expression “Customer” includes both borrower and guarantor as individuals or corporations (and the latter’s directors, shareholders or other officers) and unincorporated associations (sole proprietor or partners). Credit means consumer and commercial credit (including Hire Purchase and Leasing). All references to one gender are a reference to all other genders and the singular includes the plural.
(p) Data of a data subject may be processed, kept and transferred or disclosed in and to any country as the Company or any person who has obtained such data from the Company referred to in (e) above considers appropriate. Such data may also be released or disclosed in accordance with the local practices and laws, rules and regulations (including any governmental acts and orders) in such country.
(q) Nothing herein shall limit the right of Customers under the Ordinance.
(r) This Notice shall upon a Customer's receipt, be deemed an integral part of all contracts, agreements, credit/banking facility letters, and other binding arrangements which the Customer has entered into or intends to enter into with the Company.
(The English version of this Notice shall prevail wherever there is a discrepancy between the English and Chinese versions.)
Customers may, at any time and without charge, request that the Company cease using their personal data for direct marketing purposes by writing to the Data Protection Officer at the address or fax number provided in paragraph (m).