PRIVACY POLICY

1. Introduction

Ping An OneConnect Credit Reference Services Agency (Hong Kong) Limited, together with its affiliates (“we”, “the CRA” or “PAOC”) are committed to protecting personal data in accordance with the Hong Kong Personal Data (Privacy) Ordinance (the “PDPO”).

We will only collect, use, transfer or disclose personal data in accordance with the PDPO, our Personal Information Collection Statement (“PICS”) and this Privacy Policy (the “Privacy Policy”).

We may amend this Privacy Policy at any time and for any reason. The updated version will be available on our website. You should check the Privacy Policy regularly for changes.

In this Privacy Policy, “personal data” means any data:

(a) relating directly or indirectly to a living individual;

(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and

2. When and what personal data do we collect?

The types of personal data we collect from you will depend on the circumstances in which that information is collected. If the personal data that we request from you is not provided, we may be unable to provide or continue to provide products and services to you.

The personal data collected and compiled by PAOC usually includes your full name, identity card number, date of birth, address, contact details and personal information.

We may collect personal data about you when you:

use our online platform and request for services, product or activities – including your identity and contact details, your biometric data, personal or financial information about you, information about your personal information.
apply to use our service with us and use this service, and during the continuation of the relationship;
send us correspondence – including your contact details in order to respond to you.

3. What do we use personal data for?

The purposes for which your personal data may be used will depend on the circumstances in which that personal data is collected.

We will inform you of the purposes for which we intend to use your personal data and the classes of persons to whom his data may be transferred (among other things) in the PICS at or before the time we collect your personal data.

Generally, we may use your personal data for:

the purpose for which you provided it to us;
purposes which are directly related to the purpose for which you provided it to us;
any other purposes to which you have consented;
complying with any law and regulation binding on us, and any guideline or notice issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations in connection with us and our products and services;
complying with the obligations, requirements or arrangements for disclosing and using personal data that apply to the CRA or that the CRA is expected to comply according to:

(1) any law in or outside Hong Kong, whether existing currently or in the future, including the laws relating to the detection, investigation and prevention of money laundering, terrorist financing, bribery, corruption, tax evasion, fraud, evasion of economic or trade sanctions or other unlawful activities, and/or acts or attempts to circumvent or violate these laws ("Crime-countering Matters") (e.g. the Hong Kong Inland Revenue Ordinance requiring automatic exchange of financial account information amongst tax authorities in Hong Kong and overseas);

(2) any guideline, direction, demand or request issued by any local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, self-regulatory or industry bodies of financial institutions, ("Authorities and Organisations"), whether existing currently or in the future, including those relating to any law or Crime-countering Matters (e.g. guideline issued by the Hong Kong Inland Revenue Department on automatic exchange of financial account information);

(3) any present or future contractual or other commitment with any of the Authorities and Organisations that is assumed by or imposed on the CRA by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant Authority or Organisation; and

comparing or matching personal data,whether or not for the purpose of taking adverse action against you.

For example, we may use your personal data when you:

use our online platform – to process and evaluate your application, use our services, verify your identity, provide services to you, and make any disclosure or transfer that is permitted or required by law;
apply or use services with us – to process and evaluate your application, provide services to you, conduct credit checks and make any disclosure or transfer that is permitted or required by law;
send us correspondence – to respond to you.

4. Our use of cookies

By accessing our online platform, you acknowledge that you have been informed of the practice of using cookies and authorise us to use any information collected through our use of cookies in connection with the purpose set out in this Privacy Policy. “Cookies” are data files stored on your electronic devices (such as your computer or mobile phone) after you access certain websites or mobile applications.

Cookies are primarily used to identify visitors when they return to a site, so that certain information already provided by the visitor to a site is not required to be provided again. Cookies are also used to gather data on which areas of a site or app are visited frequently and which are not. Keeping data on which areas of a site are most popular allows a site operator to better plan and enhance the site.

We use the following cookies:

Strictly Necessary Cookies: These are essential for the running of our website and mobile apps. They are required to:

Allow our web server to determine the cookies setting and whether data can be collected from your web browser
Temporarily allow you to carry information between pages in our website to avoid re-enter that information
Temporarily identify your devices after log-in and maintain a dialogue between our web server and your web browser in order to maintain certain activities
We use the following Strictly Necessary Cookies:

Performance Cookies: These cookies are only used to improve our websites and identify issues that you may have when using our services. They help us to improve the customer experience and help us to provide better services to you. The information collected in these cookies are anonymous.

Functionality and Profile Cookies: These cookies help our website to remember your preferences and can help us to provide tailor services and features to you. These cookies may be used to ensure that all our services and communications are relevant to you. The tracking is only within PAOC websites or apps and the information in these cookies collect cannot track your browsing activity on other websites. Our website cannot remember your choices previously made or personalized your browsing experience without these cookies.

Marketing Cookies: These cookies and similar technologies are used to get the information about browsing habits. They remember a previous visit and may share this information with others, such as marketing companies and advertisers in order to deliver contents that are more relevant to your interests. Although these cookies and similar technologies are capable of tracking visits to other websites, they usually do not know who you are.

We acknowledge that you may wish to disable cookies. This can be done by changing your web browser settings, but may result in more limited functionality and you may not be able to utilize or activate certain functions available on our online platform.

5. To whom do we disclose personal data?

Personal data held by us will be kept confidential but we may provide or disclose the personal data to third parties from time to time for the following purposes.

The classes of third parties to whom we may disclose your personal data are set out in the PICS.

Generally, we may disclose your personal data as necessary for:

the purpose for which you provided it to us;
purposes which are directly related to the purpose for which you provided it to us;
and any other purposes to which you have consented.

For example, we may disclose your personal data to:

third party agents, contractors, advisors who provide administrative, communications, computer, payment, security or other services which assist us to carry out the above purposes (including telemarketers, mailing houses, IT service providers, data processors, etc.);
our legal and professional advisors;
our related companies (as that term is defined in the Hong Kong Companies Ordinance);
government agencies and authorities as required by any law, regulation, rule or codes binding on us or our related companies;
and any other person to whom you have consented.

Where personal data is transferred to place(s) outside of Hong Kong in connection with such purposes, such place(s) may or may not offer the same or a similar level of personal data protection as in Hong Kong.

6. How is personal data secured?

We will take all reasonably practicable steps to ensure that your personal data is protected against unauthorised access, disclosure, processing, erasure, loss or use. These steps include restricting access to personal data to the relevant officers and employees of the CRA, providing relevant training to the officers and employees of the CRA regarding proper handling of personal data, and applying encryption or other technology to protect the personal data.

7. Retention of personal data

We will take all reasonably practicable steps to ensure that your personal data is not kept longer than is necessary for the fulfillment of the purposes for which the data is collected.

8. Accessing and correcting your personal data

You may contact us to seek access to or seek to correct the personal data which we hold about you or enquire about our data privacy policies and practices. There are certain exemptions under the PDPO which may apply to personal data access and correction requests. We may require the person making a data access or correction request to provide necessary information to verify his/her identity and right to access or correct the personal data. We may charge an administration fee for complying with a data access request which must not be excessive.

Requests for access or correct personal data or enquiries about our data privacy policies and practices should be addressed to:

The Data Protection Officer
Ping An OneConnect Credit Reference Services Agency (Hong Kong) Limited
Rooms 1603-1604, 16th Floor, NEO Building
123 Hoi Bun Road, Kowloon
Hong Kong

PERSONAL INFORMATION COLLECTION STATEMENT (“PICS”)

This Statement explains why PingAn OneConnect Credit Reference Services Agency (Hong Kong) Limited (“CRA”) collects your personal data, how the CRA uses and handles your personal data, and other matters relating to your personal data or the Personal Data (Privacy) Ordinance, Cap. 486 Laws of Hong Kong (Ordinance).

Collection of personal data

1. The CRA may collect your personal data and the personal data of other individuals connected with you from time to time. If you do not supply the personal data, the CRA may be unable to provide or continue to provide services to you.

2. The CRA may also compile further personal data about you and the other individuals during the continuation of the customer service relationship.

Types of personal data

The personal data collected and compiled by the CRA usually includes full name, identity card number, date of birth, biometric data, address, contact details and information relating to the services.

Use of personal data

The CRA may use the personal data for one or more of the following purposes from time to time:

(i)assessing and processing your applications or requests for products or services;

(ii)providing, maintaining and managing the services, products and activities provided by the CRA, and enabling you to use and operate them;

(iii)establishing and verifying identity as required or appropriate from time to time;

(iv)creating and maintaining the credit scoring and risk management models;

(v)complying with the obligations, requirements or arrangements for disclosing and using personal data that is expected to comply according to:

(1) any law in or outside Hong Kong, whether existing currently or in the future, including the laws relating to the detection, investigation and prevention of money laundering, terrorist financing, bribery, corruption, tax evasion, fraud, evasion of economic or trade sanctions or other unlawful activities, and/or acts or attempts to circumvent or violate these laws (Crime-countering Matters) (e.g. the Hong Kong Inland Revenue Ordinance requiring automatic exchange of financial account information amongst tax authorities in Hong Kong and overseas);

(2) any guideline, direction, demand or request issued by any local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, self-regulatory or industry bodies of financial institutions, or stock exchanges (Authorities and Organisations), whether existing currently or in the future, including those relating to any law or Crime-countering Matters (e.g. guideline issued by the Hong Kong Inland Revenue Department on automatic exchange of financial account information);

(vi) complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing personal data and information within the group and/or any other use of personal data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities.

Disclosure of personal data

Personal data held by the CRA will be kept confidential but the CRA may provide the personal data to the following persons from time to time for the purposes set out in above section:

-any agent, contractor or third party service provider who provides services or technology to the CRA in connection with the CRA's business and operation, including administrative, telecommunications, data processing, computer, electronic, digital or mobile services or technology, payment services or technology, handling and processing disputes and investigation relating to personal information, customer service centre, or other services or technology to the CRA in connection with the operation of its business;

-any other person under a duty of confidentiality to the CRA including a group company of the CRA which has undertaken to keep the personal data confidential;

-any person to whom the CRA is under an obligation or otherwise required to make disclosure under the requirements of any law binding on or applying to the CRA, or any disclosure under and for the purposes of any guidelines or guidance given or issued by any Authorities and Organisations with which the CRA are expected to comply, or any disclosure pursuant to any contractual or other commitment of the CRA with any Authorities and Organisations, all of which may be within Hong Kong and may be existing currently and in the future.