Privacy Policy Statement

Statement of Policy and Practices

The purpose of this Privacy Policy Statement is to set out the policies and practices of the commitment of Bank of Shanghai (Hong Kong) Limited (“the Bank”) to protecting personal data privacy in accordance with the provisions of the Personal Data (Privacy) Ordinance.


Kind of Personal Data Held by the Bank

There are two broad categories of personal data held by the Bank. They are personal data related to customers and (potential) employees of the Bank.

Personal data held by the Bank regarding customers may include the following:

a. name and address, occupation, contact details, date of birth and nationality of customers and marital status of customers and their identity card and/or passport numbers and place and date of issue thereof;
b. current employer, nature of position and annual salary of customers;
c. information obtained by the Bank in the ordinary course of the continuation of the business relationship (for example, personal data collected when customers deposit money or generally communicate verbally or in writing with the Bank, by means of documentation or telephone recording system, as the case may be);

Personal data relating to employment held by the Bank may include, but not limited to, name, information of identification documents, address, contact information, educational background, career history, medical records, curriculum vitae and relevant personal data of family members of employees.

The Bank may hold other kinds of personal data which it needs in the light of experience and the specific nature of its business.


Collecting, processing and use of your personal data

In the course of collecting personal data, the Bank will provide the individuals concerned with a Personal Data (Privacy) Ordinance Notice (“PDPO Notice”) informing them of the purpose of collection, classes of persons to whom the data may be transferred/disclosed, their rights to access and correct the data, and other relevant information.

The purposes for which data relating to a customer may be used are as follows:

a. the processing of applications for, and the daily operation of, the services and credit facilities provided to customers;
b. conducting credit checks (including without limitation upon an application for consumer credit and upon periodic review of the credit) and data verification;
c. assisting other financial institutions to conduct credit checks;
d. ensuring ongoing creditworthiness of customers;
e. designing and marketing financial services and/or related products for the customers’ use;
f. determining the amount of indebtedness owed to or by customers;
g. collection of amounts outstanding from customers;
h. meeting the requirements to make disclosure under the requirements of any law, rule, regulation, order, ruling, judicial interpretation or directive (whether or not having the force of law) applicable to the Bank;
i. any other purposes permitted by law; and
j. purposes relating to any of the above.

The purposes for which data relating to employees and potential employees may be used are as follows:

a. processing employment applications;
b. determining and reviewing salaries, bonuses and other benefits;
c. consideration for promotion, training, secondment or transfer;
d. consideration of eligibility for employee benefits and entitlements;
e. providing employee references;
f. monitoring compliance with internal rules of the Bank;
g. meeting the requirements to make disclosure under the requirements of any law binding on the Bank and for the purposes of any guidelines issued by regulatory or other authorities with which the Bank are expected to comply;
h. administering any affairs or benefits relating to the retirement and insurance plan of employees and their family members;and
i. purposes relating thereto.

The Bank’s website does not enable cookies. However, when users visit the Bank’s website, some information may be recorded, such as IP address, date and time of the visit, the pages users visited, type of browsers used, etc. The Bank may use the information obtained to compile statistical data in the future, but such information will only be used on an anonymous and aggregated basis, and users cannot be identified from the compiled data.

CCTV is installed and used inside the area of the Bank for general security and to monitor any possible wrongful, illegal and/or unlawful activity.  CCTV may capture images of individuals and other persons or information relating to such individuals and other persons.  Personal data may be collected from the CCTV and may prospectively be used and transferred as per the Bank’s PDPO Notice. Personal data collected from the CCTV in the form of recorded images will not be used by the Bank for any direct marketing nor will it be provided to any entity for direct marketing purposes.


Retention of Personal Data

The Bank takes practicable steps to ensure that personal data will not be kept longer than necessary for the fulfillment of the purposes (including any directly related purpose) for which the data are or are to be used and the compliance of all applicable statutory and regulatory requirements and contractual obligations.  Different retention periods apply to the various kinds of personal data collected and held by the Bank in accordance with internal customer document retention and destruction policy subject to the legal and regulatory requirements.

Recorded images captured by CCTV described above are retained for 90 days and are safely deleted as soon as practicable once the purpose of collection is fulfilled unless (i) notice in writing is received from authority requiring to keep the records for a longer period which are related to an ongoing criminal or other investigation, or to any other purposes as specified in the notice; or (ii) it is necessary or justified for the Bank to keep the recorded images for a longer period for purposes set out in the section above.

The Bank may retain:

the data of unsuccessful applicants for future recruitment purposes up to two years from the date of receipt;
the data of employees for a period of no longer than seven years after their cessation of employment;
a written consent is received from concerned individual for the data to be retained for a longer period; or
there is a subsisting reason that obliges the Bank to retain the data for a longer period or the data is necessary for the Bank to fulfill any applicable statutory or contractual obligations.


Security of Personal Data

The Bank ensures an appropriate level of protection for personal data in order to prevent unauthorized or accidental access, processing, erasure, loss or other use of that data.

The Bank restricts physical access to data by providing secure storage facilities, and incorporates security measures into equipment in which data is held.

Computer data are stored on computer systems and storage media to which access is controlled.

Data is only transmitted by secure means to prevent unauthorized or accidental access.

Recorded images captured by CCTV are kept in safe custody. Hard disks and any devices storing the recorded images are securely protected from unauthorized access and only viewed, retrieved or handled upon proper authorization for the intended purposes.


Access and Correction

It is the policy of the Bank to comply with and process all data access and correction requests in accordance with the provisions of the Ordinance, and for all staff concerned to be familiar with the requirements for assisting individuals to make such requests.

Data access and correction requests to the Bank may be addressed to the Bank’s Data Protection Officer or other person as specifically advised.



You have the right to access and update your information and contact us. If you have any question about our Privacy Policy Statement, please write to us at:

Data Protection Officer
Bank of Shanghai (Hong Kong) Limited
34/F, Champion Tower, Three Garden Road, Central, Hong Kong