Notice to Customers Relating to the Personal Data (Privacy) Ordinance (the ‘Ordinance’)
This Statement is made by Money Concepts (Asia) Holdings Limited (the ‘Company’) in accordance with the Personal Data (Privacy) Ordinance of the Hong Kong Special Administrative Region (‘the Ordinance’) and the General Data Protection Regulation (GDPR) of the European Union (‘the Regulation’). The Statement is intended to notify you why personal data is collected, how it will be used and to whom data access requests are to be addressed.
a. From time to time, it is necessary for customers to supply the Company with data in connection with the opening or continuation of accounts or compliance with any laws or guidelines issued by regulatory or other authorities.
b. Failure to supply such data may result in the Company being unable to open or continue accounts, provide financial services or comply with any laws or guidelines issued by regulatory or other authorities.
c. It is also the case that data are collected from customers in the ordinary course of the continuation of the business relationship, for example, when customers write cheques, deposit money or apply for credit. This includes information obtained from credit reference agencies.
d. The purposes for which data relating to a customer may be used are as follows:
i. the daily operation of the services and credit facilities provided to customers;
ii. conducting credit checks (including without limitation upon an application for consumer credit (including mortgage loans) and upon periodic or special reviews of the credit which normally will take place one or more times each year);
iii. creating and maintaining the Company’s credit and risk related models;
iv. assisting other financial institutions to conduct credit checks and collect debts;
v. ensuring ongoing credit worthiness of customers;
vi. designing financial services or related products for customers’ use;
vii. marketing the following services and products (in respect of which the Company may or may not be remunerated):
1. financial, insurance and related services and products;
2. reward, loyalty or privileges programmes and related services and products; and
3. services and products offered by the Company’s co-branding partners (the names of such co-branding partners will be provided during the application of the relevant services and products, as the case may be); and
these services or products may be provided and/or marketed by:
1. the Company;
2. third party financial institutions, insurers, credit card companies, securities and investment services providers;
3. third party reward, loyalty or privileges programme providers; and
4. co-branding partners of the Company;
viii. determining the amount of indebtedness owed to or by customers;
ix. collection of amounts outstanding from customers and those providing security for customers’ obligations;
x. meeting the requirements to make disclosure under the requirements of any law binding on the Company or under and for the purposes of any guidelines issued by regulatory or other authorities with which the Company is expected to comply;
xi. enabling an actual or proposed assignee of the Company, or participant or sub-participant of the Company’s rights in respect of the customer to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation; and
xii. purposes relating thereto.
e. Data held by the Company relating to a customer will be kept confidential but the Company may provide such information to the following parties (whether within or outside the Hong Kong Special Administrative Region) for the purposes set out in paragraph (d):
i. any agents, contractors or third party service provider who provides administrative, telecommunications, computer, payment or securities clearing or other services to the Company in connection with the operation of its business;
ii. any other person under a duty of confidentiality to the Company which has undertaken to keep such information confidential;
iii. the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;
iv. a person making any payment into the customer’s account (by providing a copy of a deposit confirmation slip which may contain the name of the customer);
v. credit reference agencies, and, in the event of default, to debt collection agencies;
vi. any person to whom the Company is under an obligation to make disclosure under the requirements of any law binding on the Company or under and for the purposes of any guidelines issued by regulatory or other authorities with which the Company is expected to comply;
vii. any actual or proposed assignee of the Company or participant or sub-participant or transferee of the Company’s rights in respect of the customer; and
1. the Company;
2. third party financial institutions, insurers, credit card companies, securities and investment services providers;
3. third party reward, loyalty and privileges programme providers;
4. co-branding partners of the Company (the names of such co-branding partners will be provided during the application of the relevant services and products, as the case may be); and
5. external service providers (including but not limited to mailing houses, telecommunication companies, telemarketing and direct sales agents, call centers, data processing companies and information technology companies) that the Company engages for the purposes set out in paragraph (d) (vii).
Such information may be transferred to a place outside Hong Kong.
ix. In connection with (viii) above, if you apply for new products or services, the Company may perform credit and identity checks on you (and certain individuals connected to your business) with one or more credit reference agencies. When you use our financial services, the Company may also make periodic searches at the credit reference agencies to manage your account with us.
A. of all the data which may be collected or held by the Company from time to time in connection with mortgages, the following data relating to the customer (including any updated data of any of the following data) may be provided by the Company, on its own behalf and/or as agent, to the credit reference agency:
i. full name;
ii. capacity in respect of each mortgage (as borrower, mortgagor or guarantor);
iii. Hong Kong Identity Card Number or travel document number or certificate of incorporation;
iv. date of birth or date of incorporation;
v. correspondence address;
vi. mortgage account number in respect of each mortgage;
vii. type of the facility in respect of each mortgage;
viii. mortgage account status in respect of each mortgage (e.g. active, closed, write-off); and
ix. if any, mortgage account closed date in respect of each mortgage.
The credit reference agency will use the above data supplied by the Company for the purposes of compiling a count of the number of mortgages from time to time held by the customer (as borrower, mortgagor or guarantor respectively, whether in sole name or joint names with others) for sharing in the consumer credit database of the credit reference agency by credit providers. The Company may use this information to:
i. assess if the Company can offer you products and services and whether you can afford to take the products and services you applied for;
ii. verify the accuracy of the data you have provided to us;
iii. prevent criminal activity, fraud and money laundering;
iv. manage your account(s);
v. ensure any offers provided to you are appropriate to your circumstances.
The Company will continue to exchange information about you (and individuals connected to your business) with the credit reference agencies while you have a relationship with us. The information may be supplied to other organizations by credit reference agencies.
B. before the right referred to in (f) (v) below may be exercised, in the event of any default in payment where the amount in default is not fully repaid before the expiry of 60 days as measured by the Company from the date such default occurred, the customer is liable to have his account repayment data retained by the credit reference agency at least until the expiry of five years from the date of final settlement of the amount in default. Account repayment data include amount last due, amount of payment made during the last reporting period, remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in material default (if any)).
f. Under and in accordance with the terms of the Ordinance and the Code of Practice on Consumer Credit Data approved and issued under the Ordinance, any individual has the right:
i. to check whether the Company holds data about him and of access to such data;
ii. to require the Company to correct any data relating to him which is inaccurate;
iii. to ascertain the Company’s policies and practices in relation to data and to be informed of the kind of personal data held by the Company;
iv. in relation to consumer credit, to request to be informed which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the making of an access and correction request to the relevant credit reference agency or debt collection agency; and
v. upon satisfactory termination of the credit by full repayment and on condition that there has been, within five years immediately before such termination, no material default under the credit as determined by the Company, to instruct the Company to make a request to the relevant credit reference agency to delete from its database any account data relating to the terminated credit.
vi. in some circumstances, the right to withdraw their consent to our processing of their information, which they can do at any time. The Company may continue to process their information if the Company has another legitimate reason for doing so;
vii. in some circumstances, the right to receive certain information they have provided us in an electronic format and/or request that the Company transmit it to a third party;
viii. in some circumstances, the right to request that the Company erase their information. The Company may continue to retain their information if the Company is entitled or required to retain it; and
ix. the right to object to, and to request that the Company restrict, our processing of their information in some circumstances. Again, there may be situations where individuals object to, or ask us to restrict, our processing of their information but the Company is entitled to continue processing their information and/or to refuse that request.
x. the right to erasure (also known as the “right to be forgotten”) under the GDPR gives an individual a right to require us to delete his personal data without undue delay under specified circumstances, including
i. where the personal data is no longer necessary in relation to the purposes for which it is collected,
ii. where the individual withdraws the consent (which forms the basis of processing),
iii. where there is no overriding legitimate interest, or
iv. the personal data collected is about children in relation to an information society service, etc.
xi. A data controller who has made public disclosure of personal data (e.g. disclosure on the Internet) has to take reasonable steps (taking account of available technology and implementation cost) to inform the other controllers (e.g. a search engine) which are processing the data about a data subject’s request for erasure of any links to or copy of the data. The GDPR explicitly recognizes certain exceptions where retention of the data is necessary:
i. for exercising the right of freedom of expression and information;
ii. for compliance with a legal obligation, or performance of a task carried out in the public interest or in the exercise of official authority;
iii. for reasons of public interest (e.g. in the area of public health, management of health or social care systems and services, etc.);
iv. for archiving, scientific or historical research purposes or statistical purposes in the public interest; or
v. for the establishment, exercise or defense of legal claims.
g. In accordance with the terms of the Ordinance, the Company has the right to charge a reasonable fee for the processing of any data access request.
h. The requirement of keeping record of your processing activities, including the types of data processed, the purposes for which the data is used, the transfer of personal data to a third country or an international organization / business etc. will be exempted unless
i. The processing the Company carries out is likely to result in a risk to the rights and freedoms of data subjects
ii. Our core activities involve processing sensitive personal data, personal data relating to criminal convictions and offences or large scale systematic monitoring activities.
i. The Company will not process special categories of personal data, which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or data concerning a natural person’s sex life or sexual orientation, and genetic data or biometric data processed for the purpose of uniquely identifying a natural person, unless one of the specified conditions is satisfied. The conditions include:
i. the data subjects have given explicit consent to the processing; or
ii. where the processing is necessary for reasons of substantial public interest, which is proportionate to the aim pursued, etc.
j. The bases for lawful processing of personal data under the GDPR include:
i. consent of the data subject to the processing for one or more specific purposes; or
ii. performance of a contract with the data subject or to take steps preparatory to such a contract;
iii. compliance with a legal obligation;
iv. protecting the vital interests of a data subject or another person where the data subject is incapable of giving consent;
v. performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
vi. purposes of legitimate interests.
k. The GDPR provides the right to object at any time to the processing, including profiling*, of one’s personal data which is based on the following grounds:
i. the performance of a task carried out in the public interest or in the exercise of an official authority vested in the data controller;
ii. the legitimate interests pursued by the data controller or third party;
iii. direct marketing purposes; or
iv. scientific or historical research purposes or statistical purposes.
*“Profiling” is defined under Article 4(4) of the GDPR as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”.
Upon receipt of the objection to the processing activities which are based on the above grounds (i) and (ii), the data controller must cease the processing of the personal data (including profiling) unless it can demonstrate compelling legitimacy grounds which override the individual’s interests, rights and freedom, or for the establishment, exercise or defense of legal claims in order to maintain the processing of personal data (including profiling). In relation to processing personal data for the above ground (iv) (i.e. scientific or historical research purposes or statistical purposes), an individual may object by relying on his or her particular situation unless the processing is necessary for the performance of a task carried out in the public interest. However, no exception shall apply to processing of personal data purely for direct marketing purposes. Under the PDPO, an individual in Hong Kong is not generally given the right to request us to stop “processing” his personal data. Nevertheless, the Company is required to provide notification to and obtain consent from an individual before using his personal data for direct marketing purposes. In addition, an individual is given the right to opt out from the use or provision for use of his personal data in direct marketing under Part 6A of the PDPO.
l. Under the GDPR, in the circumstances mentioned below, an individual is given the right to restriction of processing of his personal data from a data controller who may then store the data only for an interim period if:
i. an individual contests the accuracy of his personal data, the data controller is required to restrict processing for a period of time enabling the controller to verify the accuracy;
ii. the processing is unlawful and the individual opposes the erasure of the personal data and requests restriction on the use instead;
iii. the personal data is no longer needed for the processing, but required by the individual for the establishment, exercise or defense of legal claims; and
iv. the individual has objected to the processing of the personal data pending verification as to whether the legitimacy grounds of the controller can override those of the individual.
In response to a data correction request, the Company is required under the PDPO to take reasonably practicable steps to notify the third party to whom the inaccurate data has been supplied during the last 12 months if there is no reason to believe the third party has ceased to so use the data.
m. Under the GDPR, the Company is required to advise the supervisory authority in the EU member states of a data breach without undue delay (and where feasible, no later than 72 hours after becoming aware of it) unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Notification to the affected individuals is required if the data breach is likely to result in a “high risk to the rights and freedoms” of individuals unless under exempted circumstances. The prescribed contents to be included in a data breach notification to the supervisory authority are:
i. nature and likely consequences of the breach;
ii. categories and approximate number of data subjects and personal data concerned;
iii. measures taken or intended to be taken to mitigate any adverse effects of the breach; and
iv. contact details of our DPO or other contact point.
n. Under the GDPR, the right to data portability entitles an individual to obtain from a data controller, and to transmit to another data controller, a copy of his personal data in a structured, commonly-used and machine-readable format, where:
i. the legal basis of processing is either the individual’s consent or the performance of a contract; and
ii. the processing is carried out by automated means.
This right is confined to personal data which has been provided by the individual to the data controller. As explained in the Guidelines on the Right to Data Portability, this right facilitates individuals’ ability to move, copy or transmit their personal data held by one data controller to another. That said, the two controllers are not obliged to make their technically incompatible systems compatible. The PDPO in Hong Kong does not provide an equivalent right to restrict processing of personal data or right to data portability. Nonetheless, the Company is required to comply with data access and correction requests from individuals for their personal data.
o. The person to whom requests for access to data or correction of data or for information regarding policies and practices and kinds of data held are to be addressed as follows:
The Data Protection Officer
Money Concepts (Asia) Holdings Ltd
17/F Yam Tze Commercial Building, No. 23 Thomson Road, Wanchai, Hong Kong
p. The Company may have obtained a credit report on the customer from a credit reference agency in considering any application for credit. In the event the customer wishes to access the credit report, the Company will advise the contact details of the relevant credit reference agency.
q. You are responsible for making sure the information you give us, information which is provided by individuals connected to your business, or information which is otherwise provided on your behalf is accurate and up to date, and you must tell us if anything changes as soon as possible.
r. The Company uses a range of measures to keep information safe and secure which may include encryption and other forms of security. The Company requires our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.
s. Nothing in this Notice shall limit the rights of customers under the Personal Data (Privacy) Ordinance.
Note: In case of discrepancies between the English and Chinese versions, the English version shall apply and prevail.
IMPORTANT: By accessing this web site and any of its pages you are agreeing to the terms set out above. Thank you for choosing MCAH