Data Policy Notice | DBS Hong Kong

Data Policy

This Notice sets out the data policies of DBS Bank Ltd¹ and all its direct and indirect subsidiaries in the Hong Kong Special Administrative Region (“Hong Kong”), save and except for DBS Vickers (Hong Kong) Limited², (each a “Company”). For the avoidance of doubt, this includes DBS Bank (Hong Kong) Limited³. The provisions of this Notice form part of the account terms and conditions and/or the agreement or arrangements that a data subject enters into with the Company. If any inconsistency is found, the provisions of this Notice shall prevail.For the purposes of this Notice, “DBS Group” means DBS Bank Ltd and its branches, holding company, representative offices, subsidiaries and affiliates (including branches or offices of such subsidiary or affiliate).References to “data subjects” in this Notice means the customers of the Company and various other persons, including without limitation, applicants for banking/financial services and facilities, sureties and persons providing security or guarantee or any form of support for obligations owed to a Company, shareholders, directors, corporate officers and managers, sole proprietors, partners, suppliers, contractors, service providers and other contractual counterparties supplying data (including personal data as defined in the Personal Data (Privacy) Ordinance (the “Ordinance”)) to the Company.

From time to time, it is necessary for data subjects to supply the Company with data in connection with various matters such as the opening or continuation of accounts, the establishment or continuation of banking facilities, the provision of banking and other financial services, or the provision of supplies or services to the Company and data subjects.

Failure to supply such data may result in the Company being unable to open or continue accounts or establish or continue banking facilities or provide banking or other financial services, or accept or continue with the provision of supplies or services.

It is also the case that data are collected from data subjects in the ordinary course of the continuation of the relationships with them, for example, when data subjects write cheques, deposit money, give instructions or otherwise carry out transactions as part of the Company's services. The Company will also collect data relating to the data subjects from third parties, including third party service providers with whom the data subjects interact in connection with the marketing of the Company's products and services and in connection with the data subjects’ application for the Company's products and services (including receiving personal data from credit reference agencies approved for participation in the Multiple Credit Reference Agencies Model (hereinafter referred to as “credit reference agencies”)).

The purposes for which data relating to a data subject may be used will vary depending on the nature of the data subject's relationship with the Company. Broadly, they may comprise any or all of the following purposes:

considering, assessing and processing of applications for banking and/or other financial services and facilities;
operation of the services and credit facilities provided by or to the Company or to data subjects;
provision of references (status enquiries);
conducting credit and other status checks;
assisting other credit providers in Hong Kong approved for participation in the Multiple Credit Reference Agencies Model (hereinafter referred to as “credit providers”) to conduct credit checks and collect debts;
ensuring ongoing credit-worthiness of data subjects;
researching and/or designing financial services or related products for data subjects' use;
marketing services, products and other subjects (please see further details in paragraph (j) below);
operating internal controls including determining the amount of indebtedness owed to or by data subjects;
performing treasury functions;
provision of investment management services, dealing and advisory services, custody services and other services under the terms and conditions of the accounts a data subject holds with the Company;
the enforcement of data subjects' obligations, including without limitation the collection of amounts outstanding from data subjects and those providing security for data subjects' obligations;
for operational purposes, credit assessment, credit scoring models or statistical analysis (including in each case, behaviour analysis and evaluation on overall relationship with the DBS Group which includes using such data to comply with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within DBS Group and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities), whether on the data subjects or otherwise;
complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Company or any other member of DBS Group or that it is expected to comply according to:
1. any law binding or applying to it within or outside Hong Kong existing currently and in the future (e.g. the Inland Revenue Ordinance and its provisions including those concerning automatic exchange of financial account information);
2. any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently and in the future (e.g. guidelines or guidance given or issued by the Inland Revenue Department including those concerning automatic exchange of financial account information); and
3. any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Company or any other member of DBS Group by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self- regulatory or industry bodies or associations;
enabling an actual or proposed assignee of the Company or any other member of DBS Group, or participant or sub-participant of the rights of the Company or those of any other member of DBS Group in respect of the data subject, to evaluate, enter into and administer the transaction intended to be the subject of the assignment, participation or sub-participation;
purposes specifically provided for in any particular service or facility offered by the Company. Such procedures include matching procedures (as defined in the Ordinance, but broadly includes comparison of two or more sets of the data subject's data, for purposes of taking actions adverse to the interests of the data subject, such as declining an application); and
all other incidental and associated purposes relating to any of the above, including seeking professional advices.

The Company keeps data only for as long as is reasonably required for the above purposes or as required by applicable law. This includes keeping, for as long as reasonably required, such data as required for handling enquiries relating to any of the above purposes.

Data held by the Company relating to a data subject will be kept confidential but, subject to the data subject’s separate consent (insofar as the Personal Information Protection Law of the People’s Republic of China (“PIPL”) is applicable to the Company’s process and/or use of the data subject’s data), the Company may provide such information to the following parties (whether within or outside Hong Kong) for any of the purposes set out in paragraph (d):

any member of DBS Group, agent, contractor or third party service provider (or a subsidiary, holding company or related company thereof) who provides administrative, telecommunications, computer, payment, debt collection or securities clearing, data processing or other services to the Company or any other member of DBS Group in connection with the operation of its business;
any other person which has undertaken expressly or impliedly to the Company or any other member of DBS Group to keep such information confidential;
any authorized institution (as such term is defined in the Banking Ordinance) or other authorised or regulated entity of similar nature in another jurisdiction with which the data subject has or proposes to have dealings;
the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;
third party service providers with whom the data subject has chosen to interact with in connection with the data subject’s application for the Company’s banking and/or other financial products and services;
credit reference agencies (including the operator of any centralized database used by credit reference agencies), and, in the event of default, to debt collection agencies;
any person to whom the Company or any other member of DBS Group is under an obligation or otherwise required to make disclosure under the requirements of any law binding on or applying to the Company or any other member of DBS Group, or any disclosure under and for the purposes of any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers with which the Company or any other member of DBS Group are expected to comply, or any disclosure pursuant to any contractual or other commitment of the Company or any other member of DBS Group with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers, all of which may be within or outside Hong Kong and may be existing currently and in the future;
any actual or proposed assignee of the Company or any other member of DBS Group, or participant or sub-participant or transferee of the rights of the Company or those of any other member of DBS Group in respect of the data subject; and
1. any member of DBS Group;
2. third party financial institutions, insurers, card companies, securities and investment services providers;
3. third party reward, loyalty and privilege programme providers;
4. co-branding partners of the Company and any other member of DBS Group (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);
5. charitable and non-profit making organisations; and
6. external service providers (including but not limited to professional advisers, mailing houses, telecommunication companies, telemarketing and direct sales agents, call centres, data processing companies, information technology companies and market research firms), that the Company engages for the purposes set out in paragraph (d)(viii).
Such information may be transferred to a place outside Hong Kong. Insofar as the PIPL is applicable to the Company’s process and/or use of the data subject’s data, the Company will obtain the data subject’s separate consent in relation to such international transfers.

To the extent required under the PIPL, the Company will, prior to sharing the data subject’s personal data with third parties, notify the data subject of the name and contact details of the recipients, the purposes and means of processing and provision of the data subject’s personal data, and the types of personal data to be provided and shared, and obtain the data subject’s separate consent to the sharing of the data subject’s personal data. The foregoing data recipients will use the personal data to the extent necessary for the specific purposes set out in this Notice and store the personal data for the minimum length of time required to fulfil the purposes, or insofar as the PIPL is applicable to the Company’s process and/or use of the data subject’s data, in accordance with the PIPL.

For the purpose of (d)(iv) above, the Company may from time to time access and obtain consumer credit data of the data subject from credit reference agencies for reviewing any of the following matters in relation to the credit facilities granted:

an increase in the credit amount;
the curtailing of credit (including the termination of credit or a decrease in the facility amount); or
the putting in place or the implementation of a scheme of arrangement with the data subject.

When the Company accesses consumer credit data about a data subject held with credit reference agencies, it must comply with the Code of Practice on Consumer Credit Data approved and issued under the Ordinance (the “Code”) and other relevant regulatory requirements.

Of all the data which may be collected or held by the Company from time to time in connection with mortgages, the mortgage account general data relating to data subjects (including any updated data thereof) may be provided by the Company to credit reference agencies.

Such mortgage account general data means the following data of the data subject: full name, capacity in respect of each mortgage (as borrower, mortgagor or guarantor), Hong Kong Identity Card or travel document number, date of birth, address, mortgage account number in respect of each mortgage, type of facility in respect of each mortgage, mortgage account status in respect of each mortgage (e.g. active, closed, write-off), (if any) mortgage account closed date in respect of each mortgage.

Credit reference agencies will use the mortgage account general data supplied by the Company for the purposes of compiling a count of the number of mortgages from time to time held by a data subject, as borrower, mortgagor or guarantor respectively, for sharing in the consumer credit databases of credit reference agencies by credit providers (subject to the requirements of the Code).

Some of the data collected by the Company may constitute sensitive personal data under the PIPL. The Company will only process sensitive personal data if strict protection measures are put in place and there is sufficient necessity to justify the processing. Insofar as the PIPL is applicable to the Company’s process and/or use of the data subject’s data, such sensitive personal data will be processed with the data subject’s separate consent.

USE OF DATA IN DIRECT MARKETING

The Company intends to use the data subject’s data in direct marketing and the Company requires the data subject’s consent (which includes an indication of no objection) for that purpose. In this connection, please note that:

the name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data of the data subject held by the Company from time to time may be used by the Company in direct marketing;
the following classes of services, products and subjects may be marketed:
1. financial, insurance, cards (meaning cards used to withdraw cash or pay for goods and services, including credit cards, debit cards, ATM cards, Cashline cards and stored value cards), banking and related services and products;
2. reward, loyalty or privilege programmes and related services and products;
3. services and products offered by the Company’s co-branding partners (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and
4. donations and contributions for charitable and/or non-profit making purposes;
the above services, products and subjects may be provided or (in the case of donations and contributions) solicited by the Company and/or:
1. any other member of DBS Group;
2. third party financial institutions, insurers, card companies, securities and investment services providers;
3. third party reward, loyalty or privilege programme providers;
4. co-branding partners of the Company and any other member of DBS Group; and
5. charitable or non-profit making organisations;
in addition to marketing the above services, products and subjects itself, the Company also intends to provide the data described in paragraph (j)(i) above to all or any of the persons described in paragraph (j)(iii) above for use by them in marketing those services, products and subjects, and the Company requires the data subject’s written consent (which includes an indication of no objection) for that purpose;
the Company may receive money or other property in return for providing the data to the other persons in paragraph (j)(iv) above and, when requesting the data subject’s consent or no objection as described in paragraph (j)(iv) above, the Company will inform the data subject if it will receive any money or other property in return for providing the data to the other persons.

If a data subject does not wish the Company to use or provide to other persons his/her data for use in direct marketing as described above, the data subject may exercise his/her opt-out right by notifying the Company at any time and without charge. (To opt-out, please complete and return to us an opt-out form available on our website: www.dbs.com.hk or from any of our branches.)

Transfer of personal data to data subject’s third party service providers using the Company application programming interfaces (“API”)

The Company may, in accordance with the data subject’s instructions to the Company or third party service providers engaged by the data subject, transfer the data subject’s data to third party service providers using the Company’s API for the purposes notified to the data subject by the Company or third party service providers and/or as consented to by the data subject in accordance with the Ordinance.

Under and in accordance with the terms of the Ordinance and (insofar as the PIPL is applicable to the Company’s process and/or use of the data subject’s data) the PIPL, and the Code, any data subject has the right:

to check whether the Company holds data about him/her and access to such data;
to require the Company to correct any data relating to him/her which is inaccurate;
to ascertain the Company's policies and practices in relation to data and to be informed of the kind of personal data held by the Company; and
in relation to consumer credit data (including data relating to mortgages) which has been provided by the Company to credit reference agencies:
1. to request to be informed which items of data are routinely disclosed to credit reference agencies or debt collection agencies;
2. be provided with further information to enable access and correction requests to be made to the relevant credit reference agency(ies) or debt collection agency(ies); and
3. upon termination of the account by full payment, to instruct the Company to request the credit reference agency(ies) to delete any such data from its database, so long as the instruction is given within 5 years of termination and there has been no payment default in excess of 60 days in the 5 years immediately before account termination.
insofar as the PIPL is applicable to the Company’s process and/or use of the data subject’s data:
1. to request the Company to delete the data subject’s personal data;
2. be object to certain uses of the data subject’s personal data;
3. request an explanation of the rules governing the processing of the data subject’s personal data;
4. to ask that the Company transfer personal data that the data subject has provided to the Company to a third party of the data subject’s choice under circumstances as provided under the PIPL;
5. to withdraw any consent for the collection, processing or transfer of the data subject’s personal data (the data subject should note that withdrawal of consent may result in the Company being unable to open or continue accounts, or establish or continue banking facilities, or provide banking and other financial services, or provide supplies or services to the Company and data subjects); and
6. to have decisions arising from automated decision making (ADM) processes explained and to refuse to such decisions being made solely by ADM;

In the event of any default of payment relating to an account, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days from the date such default occurred, the account repayment data may be retained by credit reference agencies until expiry of 5 years from the date of final settlement of the amount in default. Account repayment data includes amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by the Company to the credit reference agency), remaining available credit or outstanding balance, and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any)).

In the event any amount in an account is written off due to a bankruptcy order being made against the data subject, the account repayment data (as defined in paragraph (m) above) may be retained by credit reference agencies, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until expiry of 5 years from the date of final settlement of the amount in default or expiry of 5 years from the date of discharge from bankruptcy as notified by the data subject with evidence to the credit reference agency(ies), whichever is earlier.

The Company may obtain credit report(s) on or access the database of the data subject from credit reference agency(ies) in considering any application for credit or conducting credit reviews from time to time. In the event the data subject wishes to access the credit report, the Company will advise the contact details of the relevant credit reference agency(ies).

Data of a data subject may be processed, kept, transferred or disclosed in and to any country as the Company or any person who has obtained such data from the Company referred to in paragraph (e) above considers appropriate. Such data may also be processed, kept, transferred or disclosed in accordance with the local practices and laws, rules and regulations (including any governmental acts and orders) in such country, may be subject to a lower standard of protection. The relevant overseas authorities may have a right to access such data.

The data may be outsourced to and/or processed by the agents, contractors or service providers (including other members of the DBS Group) whether within or outside Hong Kong. When using service providers, the Company will ensure that its service providers have appropriate business qualifications and capabilities, and will require that they adhere to security standards mandated by the Company. The Company may do this through contractual provisions, including any such provisions approved by a privacy regulator, and oversight of the service provider. Regardless of where personal data is transferred, the Company takes all steps reasonably necessary to ensure that personal data is kept securely.

The Company may charge a reasonable fee for the processing of any data access request.

Nothing in this Notice shall limit the rights of data subjects under the Ordinance and the PIPL.

In accordance with the Ordinance and (insofar as the PIPL is applicable to the Company’s process and/or use of the data subject’s data) as permitted under the PIPL, data subjects may make data access or data correction requests or request information regarding policies and practices and kinds of data held. Such requests should be addressed to:
The Data Protection Officer
DBS Bank Ltd., Hong Kong Branch / DBS Bank (Hong Kong) Limited
73/F The Center
99 Queen’s Road Central
Central
Hong Kong
Facsimile: 2536 4307

In case of discrepancies between the English and Chinese versions, the English version shall prevail.

July 2023 ¹ A company incorporated in Singapore with limited liability.
² A company incorporated in Hong Kong with limited liability.
³ A company incorporated in Hong Kong with limited liability.Please click here to download the Data Policy Notice

If you have already provided your opt-out request to us, please do not send the same request to us again to avoid duplication.If you are customer of DBS Bank Ltd, Hong Kong Branch, please click here to download the Opt-out Processing Request Form for Customers of DBS Bank Ltd, Hong Kong Branch.If you are customer of DBS Bank (Hong Kong) Limited, please click here to download the Opt-out Processing Request Form for Customers of DBS Bank (Hong Kong) Limited.

About Us

Quick Links

Others

Need help?

Markets