Issuance Date: 01 Dec 2023

Effective Date: 01 Dec 2023

Hang Seng Bank (China) Limited ("Hang Seng", "the Bank", "we" or "us"), with the register office 34/F, 36/F, Unit 45-031 45F & 46F, Hang Seng Bank Tower, 1000 Lujiazui Ring Road, Free Trade Zone, Shanghai, China, take personal information confidentiality and security very seriously, and strive at all times to protect our customers’ and related parties’ personal information and privacy when we provide our good services with you. We therefore formulate this Personal Information and Privacy Protection Policy (this “Policy”) to comply with the laws, regulations, rules and regulatory requirements.

Important Notice: Please read through this Policy or any other agreement between you and us carefully when you apply for or use any product, service or device of the Bank, handle any business at the Bank or make any transaction with the Bank, sign any agreement, visit, browse, use any website, electronic business platform or mobile device application of the Bank, participate in any marketing events and surveys of the Bank, apply for any position at the Bank, or communicate or liaise with the bank through other methods. If there is any discrepancy between this Policy and the other agreements entered into or other terms and conditions agreed between you and us, such other agreements or terms and conditions shall prevail. You agree and understand the Bank may collect, store, use, process, transfer, provide, disclose, delete or use other methods to process your personal information.

If you have any query, comment or suggestion, please contact us. You may contact us through below contact detail or “contact us” which is stated in our official website （www.hangseng.com.cn）or mobile device application.

Contact Us: DATA PRIVACY OFFICER (DPO)

https://www.hangseng.com.cn/1/2/contact-us-chi/email-us

Hotline：400 830 8008

This Policy include below content：

I. Personal Information and Privacy Protection Policy Overview – How We Protect Your Personal Information

II. How we collect your personal information

III. How we Use Cookies and Other Technologies

IV. Circumstances of use, disposal, disclosure and transfer of Information

V. Your Rights of Personal Information

VI. How we store and cross border transfer your Personal Information

VII. How We Handle Minors' Personal Information

VIII. Update of this Policy

IX. Millenuous

I. Personal Information and Privacy Protection Policy Overview – How We Protect Your Personal Information

1. Overview

To preserve the confidentiality, security and privacy of all personal information you provide to us, we follow the principle of reasonableness, legitimacy rightfulness and honest, and adopt below principle of public and transparent to protect and process your personal information:

(1) We only collect personal information that we believe to be relevant and required for us to comply with law, perform a statutory responsibility or statutory obligation, understand your or relevant client’s needs, build up, review, maintain and develop our relationship with you or relevant clients, provide you with materials of relevant products and services.

(2) We may for specific purposes provide your personal information to other members of the HSBC Group, our agents or other third parties, as permitted by law. We will obtain your consent to comply with the laws.

(3) We will not transfer or provide your personal information to any third party, unless it is made to comply with law, perform a statutory responsibility, statutory obligation or perform the agreement, or in accordance with this Policy or other agreement between you and the Bank.

(4) We may be required from time to time to disclose your personal information to our regulators, other governmental or judicial bodies or agencies, but we will only do so following the requirement of law, performance of statutory responsibility, requirement of regulator and government, performance of statutory obligation or agreement to the extent that we deem necessary.

(5) We will not publicly disclose your personal information and we will obtain your separate consent and inform you the purpose, style and method of the personal information which is publicly disclosed.

(6) We aim to keep your personal information on our records accurate and up-to-date. You can contact us to modify or supplement as per the contact detail stated in this Policy.

(7) We maintain strict security systems and perform necessary inspection and filing procedure to comply with laws to prevent unauthorised access to your personal information by anyone.

(8) All members of the HSBC Group, all our staff and all third parties with permitted access to your personal information are specifically required to take necessary measures to ensure the process of personal data is equivalent to the standard of personal information protection as stipulated in this Policy.

By maintaining our commitment to these policies, we will ensure that we respect the inherent trust that you place in us.

2. Information Security

(1) Information security is our top priority. We will endeavor at all times to safeguard your personal information against unauthorised or accidental access, processing or erasure. We maintain this commitment to information security by implementing appropriate physical, electronic and managerial measures to secure your personal information.

(2) We will strictly comply with the requirements of "Measures for the Administration of Electronic Banking" to keep the personal information provided by the users and customers of the Bank's website and e-banking confidential and store such personal information securely. To enable you to use the Bank's website and e-banking safely, we will provide the bank level information protection. The Bank's website and e- Banking will be accessed to by using encryption mode (such as HTTPs and TLS) and the transfer and encryption of the relevant data should be conducted under the Bank's security standard so as to satisfy the bank level security requirements.

(3) We have a dedicated team for business management, technology support and security protection to operate and manage the Bank's website and e-banking services. The team has clear and specific responsibilities for information security and the team leader will ensure these responsibilities to be performed. In addition, the Bank also sets up a series of management mechanism for system access, data privacy and security safeguard.

(4) The servers of the Bank's website and e-banking services are deployed in the unified data center of our Group. We effectively prevent network attacks by properly setting up and using the firewall and antivirus applications within a highly secured environment. In addition, we catch all abnormal status through real-time monitoring system, such as low disk space, IP attack etc., which will trigger system alerts to administer and security team by SMS and emails to ensure the fast response.

(5) We exercise strict management over our staff members who may have access to your personal information, including but not limited to access control applied to different positions, contractual obligation of confidentiality agreed with relevant staff members, formulation and implementation of information security related policies and procedures, and related training offered to staff. When we use services provided by external service providers (entities or individuals), we also impose strict confidentiality obligations on them and request them to abide by our security standards when processing personal information.

(6) For the security of your personal information, you take on the same responsibility as us. You shall keep your personal information secret and confidential, such as your account information, identity verification information (e.g. user name, password, dynamic password, verification code, etc.), and all the documents, materials, devices or other media that may contain or record or otherwise relate to such information, and shall ensure your personal information and relevant documents, materials, devices or other media are used only in a secured environment. You shall not, at any time, disclose to any other person or allow any other person to use such information and relevant documents, materials, devices or other media. Once you think your personal information and/or relevant documents, materials, devices or other media have been disclosed, lost or stolen and may so endanger the relation between you and the Bank or cause your bank account being used for any unauthorised transaction, you shall notify us immediately so that we may take appropriate measures to prevent further loss from occurring.

(7) If unfortunately, personal information security incident occurs, we will adopt emergency plan and take relevant actions and remediation measures to mitigate the severity and losses in connection therewith. Meanwhile, we will report such personal information security incident and our actions in accordance with law and regulatory requirement.

II. How we collect your personal information

1．Personal information refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized. Personal information include name, birth date, ID certificate information (ID card, passport and etc.,), personal biometrics recognition, information, contact information, address, account information, property status, location and etc., Sensitive personal information refers to personal or property information that, once leaked or illegally provided or misused, may harm personal or property safety and will easily lead to infringement of the personal reputation, human dignity, physical or psychological health, or discriminatory treatment. Such information mainly includes ID certificate information (ID card, passport and etc.,), personal biometrics recognition, bank account, credit information, property information, transaction information, location, medical and health, biometrics recognition, specific identity, financial account, as well as any personal information of a minor under the age of 14.

For the purpose of providing various products and services to you and related customers, contacting and communicating with you, establishing, reviewing, maintaining and developing business relationship with you or related customers in a fully informed manner, or complying with applicable laws and fulfilling statutory duties or purpose, we receive and store the personal information provided by you or voluntarily by a related party with your authorization during the process when you visit, browse or use any of our website, electronic business platform, mobile device application, apply or use any or our product, facility or service, perform any business or transact with us, enter into related agreements, participate in any of our marketing activity or respond to our questionnaire, apply for any our position, or otherwise contact or liaise with us by whatever means. We will inform you of the necessity for processing the sensitive personal information, its impact to the individual rights and interests, and separately obtain your consent in accordance with applicable laws and regulations before colleting your sensitive information.

The personal information we collect may be recorded in paper, electronic means (for example, including but without limitation to the information we collect by way of automated machine, website, online banking, mobile banking or other mobile device application, email, text message, telephone banking or other channels) or any other means.

2. In order for us to provide you with e-Banking services, you need to provide us or allow us to collect from you the following information necessary for the following purposes or functions. If you fail or refuse to provide the following personal information, we may not provide certain function of e-Banking services:

（1） Registering e-Banking account:
If you hold CAT I settlement account with us, you need to provide your bank card number and password, or your phone banking number and phone banking PIN to register your e-Banking account;
If you hold CAT II settlement account with us, you need to provide Your name, mobile phone number, ID type, ID number and facial biometrics information to register your e-Banking account.
（2） Logging on e-Banking account, retrieving logon username or password:
Logging on e-Banking account: Your e-Banking username, logon password, second password, security code and security password pre- set by you or created or sent via security device, mobile phone number, other equipment or methods (collectively “password”); For retrieving logon username: Your name, Your ID type, ID number, and SMS verification code;
If you hold CAT II settlement account with us, you need to provide your e-Banking username, SMS verification code and facial biometrics information to retrieve your e-Banking logon password.
（3）Maintaining proper and secure operation of e-Banking, preventing and controlling e-Banking related risks:
We may collect the technical information such as your device type, operating system, unique device identifier, software version, International Mobile Equipment Identity (IMEI), logon IP/MAC address, internet service provider (ISP). If above information cannot be used to identify your identity or retrieved to personal information, we will not treat it as your personal information. If the information alone or in combination with other information may be used to identify your identity, we will treat it as your personal information and have it properly protected.

3. You may decide, at your free choice, to provide us with your personal biological identification information for the following purpose or functions.

（1） Logon Mobile banking
In order to allow you to logon Mobile banking safely and conveniently, if your device is an Apple mobile device that supports fingerprint/facial recognition functions, you can choose to activate fingerprint/facial recognition to logon Mobile banking. Such information is processed and stored by the mobile phone terminals. We only collect the fingerprint/facial recognition result, rather than keep the raw biometric information. If you do not want to use fingerprint/facial recognition, you can also logon mobile banking via other methods which we provide.
（2） The functions based on fingerprint/facial recognition
In order to allow you to use mobile banking safely, including register e-Banking account for CAT II customers, Mobile Phone Receive Money Settings, update ID information, and update personal information, we need to collect and save your facial information for retention, auxiliary identification and verification during your business process to ensure your normal use of this service. We may encrypt your facial information and send it to the Ministry of Public Security for verification and accept the verification results. We will store the facial information separately from the personal identity information, and take security measures such as encrypted storage. The retention period is an additional five years from the end of your relationship with our bank. Upon expiration of the above retention period, we will delete or anonymize your personal biometric information and transaction information.
4. You may decide, at your free choice, to provide us with your personal information for the following functions. If you fail or refuse to provide the following information, you are not able to use the relevant functions, but your use of other functions of our e-Banking will not be adversely affected.
（1） Transfer and Remittance
To provide you with transfer and remittance service, we need to collect from you the name of payee, beneficiary bank account number（or card number） and the name of beneficiary bank.
If you want to transfer by using “Mobile Phone Number Transfer” function, you need to provide the payee mobile phone number, the payee name and the name of beneficiary bank(optional).
If you want to set “Mobile Phone Receive Money” function, we need to collect your mobile phone number, your receiving account number, and we will use your facial biometrics information and SMS verification code to verify your identity.
To provide you with overseas transfer and remittance service, we need to collect from you the payee’s name and address, the name of beneficiary bank, beneficiary account number, country/region where beneficiary bank is located or transfer purpose.
You need to provide security code via security device or SMS verification code, for approving and processing transaction requests or instructions. We will also collect the records of these transactions for your check or enquiry.
We will collect your account balance information for the purpose of notifying you with your account balance update via SMS or APP Push Notification function.
（2） Risk Profiling Questionnaire:
Your age, family assets, income information, investment experience, investment preference and risk tolerance, planned investment products and tenor.
（3） Purchasing and selling foreign currencies, foreign currencies exchanging, purchase of financial products such as deposit and mutual fund:
Your name, ID type, ID number, purpose of purchasing or selling foreign currencies.
You need to provide security code via security device or SMS verification code for approving and processing transaction requests or instructions. We will also collect the records of these transactions for your check or enquiry.
We will collect your payment transactions information for the purpose of notifying you with your account balance update via SMS or APP Push Notification function.
（4） Deposit and Structured Deposit
Your name, ID type, ID number, tax residence, taxpayer identification number.
You need to provide security code via security device or SMS verification code for approving and processing transaction requests or instructions. We will also collect the records of these transactions for your check or enquiry.
We will collect your payment transactions information for the purpose of notifying you with your account balance update via SMS or APP Push Notification function.
（5） Local Unit Trust Fund，Mutual Recognition Fund, Segregated Account and QDII Products
Your name, ID type, ID number, tax residence, taxpayer identification number, account information (account number, currency type, account balance), funds transaction information and the way of share out bonus, your written signature.
You need to provide security code via security device or SMS verification code for approving and processing transaction requests or instructions. We will also collect the records of these transactions for your check or enquiry.
We will collect your payment transactions information for the purpose of notifying you with your account balance update via SMS or APP Push Notification function.
We will collect your payment transactions information for the purpose of notifying you with your account balance update via SMS or APP Push Notification function.
（6） Financial Planning Questionnaire:
Relevant information will be collected according to the family structure of your choice, includes: year of birth, annual income (family or individual), total loan amount (family or individual), retirement age, post-retirement expenditure (family or individual), estimated education funds for children.
（7） Insurance application:
Your Name, Date of Birth, Gender, ID type, ID number, Tax Resident Identity and Account Information (account number, currency type, account balance). According to different insurance products, further information will be collected including the information of the insured and policy holder (Name, Date of Birth, Gender, ID type, ID number, the validity of ID, Nationality, Address, Postal code, Email address and mobile phone number , insured amount, both inured and policy holder’s ID Image(both front side and back side) and written signature ).
You need to provide security code via security device or SMS verification code for approving and processing requests or instructions for insurance transactions. We will also collect the electronic policies for your future enquiry.
We will collect your payee’s account number and balance for the purpose of notifying you with your account balance update via SMS or APP Push Notification function.
（8） Update the certificate information:
Photo of front side and back side of your ID certificate, ID information including your name, ID number, date of birth, effective date and tenor of the certificate.
We will also use your facial biometrics information and SMS verification code to verify your identity.
（9） Update personal information
Upon the updated information you provided, we will collect your name, nationality, residential information (including residential country/region, residential address, beginning date of your residence, home phone number); mailing information ( including mailing country/region, address and postcode(optional) ); job information ( including your profession, occupation, industry, company’s name and address, office phone number(optional), country/region you work, income ); and other information ( including marital status, education, and email address (optional) ).
We will also use your facial biometrics information, password sent by the security device or SMS verification code to verify your identity.
（10） Update the information of CAT I account bind with CAT II account
Your name, Debit Card number of CAT I account, the name of CAT I account bank, mobile phone number, you need to provide SMS verification code to verify your identify.
（11） Alipay Service Setting
Your Name, Debit card number, Alipay account number, mobile phone number, and you need to provide SMS verification code to verify your identify.
（12） Privileges and Reward Mall
When you use reward mall service, your name, reward account status, reward balance and the code of gift coupon will be provided to HUGME MARKETING, Reward Mall service provider (contact phone number is 400-608-1001).
（13） Bank Card and Pinless Setting
Your bank card number, bank account type and number.
You need to provide security code via security device or SMS verification code for verifying your identify, approving and processing transaction requests or instructions.
（14） Finding branches nearby:
Your geographic location information for showing the nearby branches
（15） Account opening appointment:
Your name, title, contact number, city you are living in.
（16） Contact us:
Your name, title, contact number, email address, city you are living in, details about what you enquire.

5. In addition, our mobile banking applications may also invite your permissions for the following system functions relating to personal information and will collect and use the information for the permitted functions based on your permission:

For those functions that need your permission, you may, at your free choice, decide whether to additionally grant the permission for the said functions on mobile banking applications. If you refuse to grant permission for a specific function, you are not able to use that specific function, but your use of other functions in our mobile banking will not be adversely affected.
For example, APP may support to cancel your previous function permission. You may choose to turn off relevant system permissions, setting path as below:
For Android: Setting-Application-Permissions
For Apple IOS: Setting-Privacy-Permissions-Application
If you cancel the system permissions, we will no longer process relevant personal information. However, the above cancellation would not impact the processing of your personal information based on your previous system permissions.

6. When you use our Mobile Banking Service, under certain particular scenarios, we will use the software service toolkit provided by third party (“SDK”). To provide the service to you, SDK will collect your information:

If you refuse the listed SDK(s) to collect your information, you may not be able to access these services, but you or relevant party can still access to other functions or services on e-Banking.

7. Subject to the scope allowed by applicable laws, we may collect and use your personal information without your consent under any of the following circumstances:
(1) Where it is necessary for performing a statutory responsibility or statutory obligation;
(2) Where it is directly required for cooperating with authorities to carry out public health activities,
(3) Where it is necessary for protecting the life, health, property safety and other import legitimate rights and interests of you or other natural person(s) and it is difficult to acquire your personal consent ;
(4) Where the personal information, which has already been disclosed to the social public by yourself;
(5) Where the personal information is collected from the information which has been legally disclosed to the public, like news reporting, government published information and other legitimate channels;
(6) Where it is necessary for the conclusion or performance of a contract to which the you are the contracting party;
(7) Any other circumstance as provided by laws.

8. In the case you are a connected person (which means any person with whom our entity customer or business applicant has a relationship, including but not limited to, a legal representative, responsible person, director, supervisor, officer or employee, partners or members of a partnership, any shareholder, substantial owner, controlling person, or beneficial owner, trustee, settler or protector of a trust, account holder of a designated account, payee of a designated payment, representative, agent or nominee of our entity customer or business applicant); or in the case you are a security provider or a connected person of the security provider we may collect following personal information from our entity customer or business applicant or security provider, for the purpose of providing banking products, services, and performing banking business to the relevant customer or business applicant, maintaining proper and secure operation of banking business and services, preventing and controlling related risks, and providing or proposing to provide security for liabilities owed to use by our entity customer or business applicant. But we shall ensure such indirect collection of information is limited to the minimum level which is necessary for the related business. We will require the entity customer or business applicant or security provider to assure the legitimacy of the source of your personal information they provided, and have acquire your authorization for us to process your personal information for above purposes.
(1) Personal identity information, including name, gender, nationality, type/number/validity period of ID certificate, occupation, job position, relationship with relevant customers (such as employment/shareholding/investment relationship), telephone number, e-mail, contact information, birth date, place of birth, place of residence, work address, photo, any relationship with politically exposed person and relevant information etc.;
(2) Personal property information, including personal income, real property, movable property (e.g. vehicle, financial assets, etc.), indebtedness, investment, tax-paid amount, tax residence, taxpayer identification number, amount paid for the provident fund, etc.;
(3) Personal biometrics information, such as signature, handwriting, portrait, fingerprint, voice, face recognition information, etc.;
(4) Personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, etc.;
(5) Personal credit information, including credit card, loan and other credit transaction information, litigation and investigation information, penalty and any other information about personal credit status;
(6) Personal information arising from customer investigation, e.g. personal information collected during customer due diligence, sanctions or anti-money laundering checks etc.;
(7) Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts or for compliance with laws and regulatory requirements, e.g. person information included in the customer documentation, personal information arising from any suspicious and unusual activity investigation, correspondence or other communication records(including video or audio records, call log and correspondence records and contents), device identifier and code, hardware type and serial number, operating system version, software version, IP address, network service provider etc.
The aforementioned information is required for the Security, providing products or services to the relevant customer, fulfilling the agreement between you or relevant customer and us, and enabling us to perform our obligation under laws and regulations. If you refuse to provide such information (or the information you provided is incomplete, inaccurate or not real), we may not be able to provide the corresponding product, or service or perform the business for your or any relevant customer.
9. Kindly understand that the services we provide will be continuously updated and developed. If you choose to use the service not covered by this Policy, and we need to collect your information based on the business, we will separately inform you of the matters in relation to the information collection on a real, accurate and complete basis and by means of reminder on the page, communication process or other means prescribed in the agreement, and acquire your consent for the information collection. We will also process your personal information in accordance with this Policy and applicable agreement (if any). If you choose not provide the information, you may unable to use certain or certain part of the services, but without prejudice to your rights to use other services we provided to you.

III. How We Use Cookies and Other Technologies

1．Your visit, browse, use of any website, electronic business platform or mobile device application of the Bank may be recorded for analysis on the number of visitors to the site and general usage patterns, helping you reduce the number and frequency of information entry or assisting determine the security status of your account. Some of this information will be gathered through the use of "Cookies". Cookies can enable us to provide safer and more useful features for website or application users. The information collected by "Cookies" is unidentified aggregated research data, and contains no name or address information or any information that will enable anyone to contact you via telephone, email or any other means. Most browsers and/or applications are initially set to accept Cookies. You can manage or delete Cookies as per your preference. Should you wish to disable Cookies, you may do so by changing the setting on your browser and/or application. However, by disabling them, you may not be able to take full advantage of our website and/or application.

2．The website and/or application may also work with third parties to research certain usage and other activities on the website and/or application. These third parties include without limitation to Adobe, etc. They use technologies such as "Cookies" etc. to collect information for such research. They use the information collected through such technologies (i) to find out more about users, including user demographics and behavior and usage patterns, (ii) for more accurate reporting and (iii) to improve the effectiveness of our marketing. They aggregate the information collected and then share it with us. No personally identifiable information about you is collected or shared by Adobe with us as a result of this research. Should you wish to disable the Cookies associated with these technologies, you may do so by changing the setting on your browser and/or application. However, after changing the setting you may not be able to enter certain part(s) of our website and/or application.

IV． Circumstances of use, disposal, disclosure and transfer of Information

1．How we use your personal information

The information and data we collect might be used for one or multiple of the following purposes, as determined by the relationship between you and us:
(1) to realize the purposes and functions mentioned in above Article II. of this Policy “How We Collect Your Personal Information”; to contact you; and, to review and approve, process, and operate the business requests and transactional orders from you and other customer as related to you;
(2)to comply with applicable laws and regulations (including any and all local and exterritorial legislation, law, regulation, act, rules, court decision, arbitration judgment, self-discipline rules, order, sanction, court order applicable to HSBC group member and any covenant between HSBC group member and authority, and agreement between authorities that is applicable to us or HSBC group member), or orders and requirements of any authority;
(3)to perform our statutory duty or obligation, and perform related policy and procedures set up to perform such duty and obligation;
(4)to maintain and improve E-banking business function, and develop new features (if any new feature will use your personal information for any other purpose and scope than you have agreed, we will seek your further consent before launching any of such use);
(5)to investigate and prevent, as regulated by applicable laws, any current, potential or sceptical financial crime activities (including money laundering, terrorist financing, bribery and corruption, tax evasion, fraud, sanction evasion and/or any action or attempt to breach or evade applicable laws and regulations as related), and manage financial crime risk;
(6)debit collection;
(7)to obtain, verify and provide asset information and credit information for the purpose of assets review and credit review;
(8)to exert or retain the right, and perform the obligation of ours and HSBC group members’, by agreement or by law, including without limitation, the performance of any contract between us and any current or potential assignee, partner, or dealer in any business or assets transaction.
(9)to facilitate the internal operation of us or HSBC group (for purposes including credit and risk management, statistics, data analysis and process, system, service, product development and improvement, planning, insurance, audit and management governance);
(10)communication with you to understand your needs, to create, review, maintain and develop the business relationship with you and with related customers based on sufficient mutual understanding, and review and process your job application to us;
(11)to obtain and use third party goods and services such as management service, consulting, telecom service, payment service, data retention/processing and outsourcing services;
(12) to introduce and demonstrate our services and products that might interest you and improve our understanding on your interest in related services and products, to provide you with business massage and marketing information that you may have interest in, and to conduct market researches and satisfaction surveys. If you would not like to receive any of such information or be involved in any of such activities, we provide instructions to help you refuse them.

2．Entrusted Processing and Sharing

(1) Unless otherwise agreed by you in express, we will not share with, publish or disclose any of your personal information to any third party other than HSBC group member. Only for legislative, reasonable, necessary and specific purpose will we provide related personal information of yours to a third party. When we entrust a third party to process your personal information, we will have binding contract with the third party on the purpose, term, methodology, information type, information security measures, etc., and monitor the third party activities as related to information process. Further delegation will not be allowed by us before we have your prior consent.
(2) For the purposes set out above in this Policy, we may provide or disclose all or part of your personal information to the following recipients provided that we or the recipients inform you of the name of recipient, contact information, purpose of disposal, the type of information that will be disposed and you grant specific consent to do so, and in case any of your personal information is to be disposed in any other methodology or for any other purpose, we will seek your further consent in advance (unless any of such specific consent is exempted by law):
(a) a member of the HSBC Group (for instance, we may engage another HSBC group member to dispose your personal information so as to extend the availability of our service to you);
(b) any contractor, subcontractor, agent, third party product or service provider, licensor, professional consultant, business partner, or associated person of the HSBC Group (including their employees, directors and officers) (for instance, we may provider telecom service provider with your mobile phone number, transactional type, transaction amount and account balance information so that the telecom service provider could inform you of such information);
(c) anyone acting on your behalf according to your authorisation or according to law, payment recipients, beneficiaries, account nominees, intermediary, correspondent and agent banks (e.g. for CHAPS, BACS, SWIFT, CIPS and CNAPS), clearing houses, clearing or settlement systems, market counterparts, upstream withholding agents, swap or trade repositories, stock exchanges, companies in which you have an interest in securities (where such securities are held by us for you), or anyone making any payment to you;
(d) any person or related party who has the right or obligation, acquires an interest or assumes risk, in or in connection with any product or service you receive from the Bank, or any business you handle at the Bank or any transaction you make with the Bank (for example, the person who provides or intends to provide any mortgage or other security for any of your debt to the Bank, or the beneficiary of the insurance product that the Bank distributes to you);
(e) other financial institutions, industrial associations, bank card organizations, credit rating agencies, credit reference agencies (including without limitation, the People’s Bank of China’s credit information database) or information service providers (for instance, we may provide credit reference agencies with such information as related to your application for loans and performance of repayment, to facilitate objective reflection of your credit status);
(f) any third party fund manager providing you with asset management services or insurance companies providing you with insurance services (for instance, we will provide your account information to finance institutes from which you have obtained assets management service or insurance service so as for the institutes to identify your payment);
(g) any third party that provides us with referral, agency or intermediary service, or to whom we provide referral, agency or intermediary service;

3.Transfer

We will not transfer your personal information to any other company, organization or individual, except for the following,

1) Where in compliance with applicable law, upon your request we will transfer in such manner that is available by us, to the recipient you designate;

2) in the case of business/asset transfer, restructure, disposal (including securitization), merger, spin-off, acquisition transactions, dismissal or bankruptcy of us where the transfer of your personal information is necessary. Where any personal information is transferred, we will inform you of the name of recipient and request the recipient to comply with this Policy. Otherwise, they shall require the recipient to obtain separate consent from you.

V. Your Rights of Personal Information

1．You have the right to request us to protect and secure your personal information in accordance with the provisions of the applicable laws and this Policy.

2. When you use mobile device, you have the right to check with the Bank through the following contact detail or “contact us” which is stated in our official website （www.hangseng.com.cn）or mobile device application whether the Bank holds your personal information and to check, correct and update the personal information you have provided to the Bank, except as otherwise provided by applicable law:

Contact us: https://www.hangseng.com.cn/1/2/contact-us-chi/email-us

Hotline: 400 830 8008

3．You have the right to check with the Bank for the Bank's policies on personal information and privacy protection. When you have any query about this Policy, you have the right to seek explanation/interpretation from the Bank to help you understand our practices regarding personal information and privacy protection and their possible consequence, and understand your rights and interests under this Policy in relation to personal information and privacy.
4．You have the right and obligation to update your personal information at the Bank to ensure all information be accurate and up-to-date. You have the right to require the Bank to provide convenience for you to update your personal information at the Bank and to correct any of your information that is inaccurate.
5. You have the right to require the Bank to provide a copy of your personal information. You can contact us by calling our hotline 400 830 8008 or visiting our branches for requesting a copy of your personal information.
6. In relation to personal credit or guarantee, you have the right to request to be informed of your personal information that is disclosed to credit reference agencies by us, so as to enable your request to the relevant credit reference agencies for access to and correction of your information.
7. We will only retain your personal information within the time limit necessary to achieve the purpose of our bank’s services and within the time limit allowed by applicable laws, regulations or separately agreed between our bank and you, unless otherwise required or allowed by the applicable laws. If we will respond to your request of deletion in accordance with applicable laws or regulations, we will also notify the third party which obtained your personal information from us and request them to delete such information in a timely manner, unless otherwise stipulated by laws or regulations, or if the third party has obtained your separate authorization.
When we delete your personal information from our service system, your personal information which stored in backup system might be hard to delete at the same time. However, we assure to delete your personal information when next backup system updates immediately. If one of the following occurs, we will delete your personal information on our own initiative or at your request, unless to comply with the requirements of applicable laws, archives, accounting, auditing and reporting, or to perform the other agreement between you and us, or to clean up the credit and debt relationship between you and us, or to provide information inquiry to you, regulators or other organs to delete your personal information:
(1) the service purpose of the bank has been realized, cannot be achieved or no longer necessary to provide the service;
(2) the bank ceases to provide services, or the storage period has expired or exceed;
(3) you withdraw your consent to us in accordance with the contact information stipulated in the Policy;
(4) we violate laws or regulations or this Policy to deal with your personal information.
8. You have the right to change your authorization scope, or withdraw your consent However, this decision to change or withdraw your authorization will not affect personal information processing upon your previous authorization.
9. When you use the mobile device applications provided by us, you have the right to uninstall the mobile device applications or stop using the mobile device applications to refuse us to further obtain your personal information. Please note that to uninstall the mobile device applications will not close your digital banking account. You have the right to close your digital banking account (by closing your bank account or disabling the digital banking functions of your bank account, for the sake of account safety you should visit our branches or sub-branches in person for such closure. If you hold CAT II settlement account with us, please call 24- hour customer service hotline at 4008-30-8008 for closing your bank account after all funds has been transferred out.) and request for deletion of your personal information in accordance with the applicable law and regulation, this Policy, and other agreement between you and us, we will handle your request within 15 working days after receiving your request. After you close your digital banking account, we will no longer collect your information through relevant channel, and will delete relevant personal information in accordance with the applicable law and regulation, this Policy, and other agreement between you and us.
10. If you have any query, complaint, feedback, suggestion on this Policy or requests for access to, correction, deletion or withdrawal of personal information, please call 24- hour customer service hotline at 4008-30-8008 or visiting our official website www.hangseng.com.cn，“Contact US” on the HANG SENG China APP , our branches or sub- branches to raise your requests. Upon the receipt of your request, we will handle your request and reply to you within 15 working days . Normally the Bank will not charge fees for the processing of your above-mentioned reasonable requests related to personal information. Nevertheless, for the frequently repeated and unreasonable requests, the Bank will charge certain fees as the case may be to the extent allowed by the law and regulation.
Due to the requirements of law and regulation, we may not to be able to respond your requests under any of the following circumstances:
(1) Where the request is in direct relation to personal information controller’s obligations under the law and regulations;
(2) where the request is in direct relation to state security or national defense security;
(3) where the request is in direct relation to public security, public sanitation, or major public benefits;
(4) where the request is in direct relation to investigations into compliance, regulatory requirements, crimes, prosecutions, court trials, execution of rulings, etc.;
(5) where there is sufficient evidence that you are intentionally malicious or abuses your rights;
(6) where the purpose is to protect you or other individual’s life, property and other substantial legal interests but difficult to acquire your consent；
(7) where responses to your request will give rise to serious damage to your or any other individual or organization’s legal rights and interests; and
(8) where the request involves any trade secret.

11. You may supervise or make suggestions for our practices regarding personal information and privacy protection, and lodge complaints or demand compensation according to law against us or our staff for any infringement of your rights and interests in your personal information and privacy. This Policy will be governed by the laws of the People’s Republic of China. Any disputes related to this Policy shall be resolved by consultation. If it could not be resolved, you agree the disputes shall be submitted to the People’s Court of Pudong New District, Shanghai.

12. This Policy will not restrain your right to exercise other rights you are granted by laws and regulations as the subject of information.  

VI. How we store and cross border transfer your Personal Information

1. In principle, the personal information we collected and generated in our domestic operation will be stored within the territory of People's Republic of China (the “PRC”).
2. However, as part of a global financial institution, we provide products or services through globally deployed resources and applications. We also accept the products and services from the HSBC Group and its vendors, or conduct other business with them. Therefore, to realize the purposes described in this Policy and other relevant legal documents, we will cross-border transfer your personal information to offshore jurisdictions where HSBC Group and its vendors are located, or be subject to visits from these areas or jurisdictions. We will provide your personal information to overseas recipients subject to applicable laws or regulations, and notify you of the name and contact information of the specific overseas recipients, the purposes and methods of processing, the types of personal information processed, and the methods and procedures for exercising your rights subject to applicable laws and regulations to overseas recipients. For details, please refer to the List for Personal Information Cross-border Transfer (Individual Version) (see https://www.hangseng.com.cn/1/PA_esf-ca-app-content/content/pws/home/pdf/NLforPIC _en.pdf ) or the List for Personal Information Cross-border Transfer (Entity Version)(see https://www.hangseng.com.cn/1/PA_esf-ca-app-content/content/pws/home/pdf/NLforPIC_Entity_en.pdf for details). The List for Personal Information Cross-border Transfer (Individual Version) and the List for Personal Information Cross-border Transfer (Entity Version) are in addition to this Policy and, together with this Policy, form a complete set of rules for us to process your personal information.
3. We will take necessary measures to your personal information provided to offshore and request offshore recipient to abide by our personal information protection standard stipulated to comply with laws, regulations and this Policy.

VII. How We Handle Minors' Personal Information

1. Using our products and services by minors must be carried out under the supervision of their parents or guardians. We will abide by laws and regulations, this Policy and Provisions on the Cyber Protection of Personal Information of Children to give special protection to minor’s personal information. If you are a parent or guardian of a minor, when you have any questions about the information processing of the minor under your guardianship, please contact us through the contact method stipulated in this Policy.
2. We understand the importance of protecting the minors' personal information with extra caution. If you are under 18 years old, it is suggested that your parents or guardians shall carefully read this Policy and you shall submit your personal information only after seeking consent from them. Meanwhile, it is suggested that your use of our product and service is conducted under the guidance of your parents or guardians. If they do not agree you to submit your personal information or to use any product or service of the Bank, you shall immediately stop submitting your information or using the product and service of the Bank. In addition, please notify such event to us as soon as possible, so as to allow us to take effective measures.
3. If you are under 14 years old, you should and only obtain the consent of your parents or guardians to use any product or services of the bank or provide your personal information to the bank. We will process with personal information of minors in accordance with Provisions on the Cyber Protection of Personal Information of Children and with the permission of laws and regulations and the explicit consent of your parents or guardians. If we find ourselves are processing personal information of minors without the consent of verifiable parents or guardians, we will try to delete such personal information as soon as possible.

VIII. Update of this Policy

This Policy (including the List for Personal Information Cross-border Transfer(Individual Version) and the List for Personal Information Cross-border Transfer (Entity Version)) may be amended or updated from time to time. We will publish such changes at our website and/or relevant applications. You should keep an eye on relevant releases from time to time. We also will inform you of the contents of the publication by means of information push, short message and telephone notification as appropriate. And such amendments and updates will take effect from the expiration of the publication period and replace previous relevant contents. If you don’t agree to modify and update the content of this Policy, you should immediately stop using relevant products and services of the bank. If you continue to use relevant products and services, it will be deemed that you agree to accept the modification. Change of this Policy should not unreasonably reduce or restrict your rights as the personal information subject according to the applicable laws.

IX. Millenuous

1. If you provide the personal information of other third parties to the Bank, we have the right to know the legitimacy of the source of the information and you have obtained authorization of the third party for us to process the personal information for specific purposes. If we need to process the personal information of the third party to carry out business beyond the scope of authorization of the third party, we will obtain the separate consent of the third party again through you. You should ensure that the third party is aware of this Policy (including the List for Personal Information Cross-border Transfer (Individual Version) ,List for Personal Information Cross-border Transfer (Entity Version)) and their subsequent updates from time to time, should specifically inform the third party how the Bank will process its personal information in accordance with this Policy and should ensure that you have obtained the full, informed and valid consent of the third party(including the separate consent and/or written consent as required by applicable laws). You may remind the person to read this Policy beforehand, or you may provide a copy of this Policy to the person.
2. We may use indirect collection to obtain your personal information from third parties, but we will ensure that such indirect collection follows the principle of minimum quantity. We will ask the third party to assure the legitimacy of the source of your personal information provided, and confirm they have obtained your authorization for us to process personal information for specific purposes.
3. When you accept specific products or services provided by a third party through the products or services of our bank, you confirm that the products or services provided by the third party are operated independently by the third party. The third party shall independently assume full responsibility for the disputes arising from the handing of your personal information by the third party, and we will do our best to assist you in business. If a third party processes your personal information when providing you with products or services, you and the third party shall reach a separate agreement in according with applicable laws.
4. The policy is subject to the Chinese version, and the English translation (if any) is for reference only.