Personal Data (Privacy) Ordinance
Notice to Customers relating to Customers’ Data
This Notice is provided to notify customers of the data policies of Zero Finance Hong Kong Limited (“the Company”). The Company is part of a group of companies under Zero Fintech Group Limited (formerly known as Termbray Industries International (Holdings) Limited) (“the Group”). The Group means Zero Fintech Group Limited (formerly known as Termbray Industries International (Holdings) Limited), its affiliates, subsidiaries, associated entities and any of their branches and offices (together or individually).
1. SUMMARY
a) From time to time, it is necessary for customers to supply the Company with data in connection with the opening or continuation of accounts and the establishment or continuation of credit facilities or provision of other services.
b) Failure to supply such data may result in the Company being unable to open or continue accounts or establish or continue credit facilities or provide other services.
c) It is also the case when data are collected from customers in the ordinary course of the business including those given in person or through telephone or internet in processing new or continuation or renewal of loan applications or services. This includes information obtained from credit reference agencies approved for participation in the Multiple Credit Reference Agencies Model (“CRA”).
2. DATA COLLECTION & PURPOSE
a) From time to time, the Company may collect information about customers and other individuals for the purposes set out in this notice. Such customers and other individuals may include, but are not limited to, the following: (i) Applicants and users of credit, mortgage and related services, products and credits (referred to as “Credit, Products and Services”); (ii) Persons who provide or propose to provide security or security for obligations owed to the Company; and (iii) Other persons involved in the Company’s client relationships. b) In order to provide (or continue to provide) some or all of the Company’s credit, products and services to customers, the Company may collect:
- the customers’ personal data (including but not limited to customer’s name, ID card number, date of birth, residential and mailing address, telephone number and email address);
- financial details (e.g. income, expenses, and/or credit history);
- photographs and images (including images of identification documents, bank cards and documents);
- biometrics data such as facial images, thumbprints, voice and video recordings of the customers, including the conversations with the customers for verification or other purposes;
- employment details (e.g. occupation, directorships and other positions held, employment history, salary, and/or benefits);
- banking information (e.g. account numbers and banking transactions);
- professional and educational background;
- credit-related information;
- and electronic footprints such as customers’ IP address, cookies, activity logs, online identifiers and GPS location etc.
c) Failure to provide the Company with such data may result in the Company’s failure to provide (or continue to provide) some or all of the Company’s credit, products and services to customers or relevant applicants or persons related to customers.
d) The Company may collect data directly or indirectly from customers or someone acting on customer’s behalf in the following circumstances:
(i) In the ordinary course of the Company’s business or in the maintenance of the Company’s relationship with customers, for example the Company may collect information when customers issue a check, make a deposit, conduct a transaction or customers communicate with the Company (verbally, electronically or in writing) ;
(ii) A person acting on behalf of the customers whose data are provided;
(iii) When customers browse or use the Company’s website and mobile applications; and/or
(iv) Collected from other sources such as:
(a) Third parties such as the Company’s business partners (subject to customers giving the Company’s business partners consent to transfer customer’s data to the Company), CRA and third party service providers with whom customers interact in connection with the marketing of the Company’s products and services and/or in connection with the customer’s application for the Company’s products and services.) ; and/or
(b) The public domain, cookies, behavioural or location tracking tools.
Data may also be generated or combined with other data available to the Company or the Group.
3. USE OF DATA
The purposes for which personal data relating to a customer may be used by the Company or the recipient of such data are as follows: a) the processing of applications for services and credit facilities and the daily operation of the services, credit facilities provided to customers; b) conducting credit checks at the time of application for credit and at the time of regular or special reviews which normally will take place one or more times each year; c) assisting other money lenders and/or financial institutions, credit or charge card issuing companies and debt collection agents to conduct credit checks and collect debts; d) ensuring ongoing credit worthiness of customers; e) designing credit facilities, financial services or related products for customers’ use; f) marketing services and products and other subjects (including in connection with direct marketing, please see further details in paragraph 7 below); g) determining the account transactions/balances between the Company and customers; h) collection of amounts outstanding from customers, or those providing security for customers’ obligations or other co-borrower(s); i) meeting the obligations, requirements or arrangements, whether compulsory or voluntary, of the Company or any of its branches or any member(s) of the Group to comply with, or in connection with: (i) any law binding or applying to it within or outside the territory of the Hong Kong Special Administrative Region (“Hong Kong”) existing currently and in the future; (ii) any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside the territory of Hong Kong existing currently and in the future; (iii) any present or future contractual or other commitment with local or foreign legal, regulatory, judicial, administrative, public or body, or governmental, tax, revenue, monetary, securities or futures exchange, court, central bank or other authorities, or self-regulatory or industry bodies or associations of financial service providers or any of their agents with jurisdiction over all or any part of the Group (together with the “Authorities” and each an “Authority”) that is assumed by, imposed on or applicable to the Company or any of its branches or any member(s) of the Group; or (iv) any agreement or treaty between Authorities; j) complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the Group and/or any other use of data and information in accordance with any programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities; k) conducting any action to meet obligations of the Company or any member(s) of the Group to comply with Laws or international guidance or regulatory requests relating to or in connection with the detection, investigation and prevention of money laundering, terrorist financing, bribery, corruption, tax evasion, fraud, evasion of economic or trade sanctions and/or any acts or attempts to circumvent or violate any Laws relating to these matters; l) meeting any obligations of the Company or any member(s) of the Group to comply with any demand or request from the Authorities; m) enabling an actual or proposed assignee of the Company, or participant or sub- participant of the Company’s rights in respect of the customer to evaluate the transaction intended to be the subject of the assignment, participation or sub- participations; n) conducting matching procedures; o) creating and maintaining the Company’s credit scoring models; p) assisting the Company on comprehensive supervision (for internal audit and risk management); q) providing reference (for status enquires); r) assisting other credit providers in Hong Kong approved for participation in the Multiple Credit Reference Agencies Model (“credit providers”) to conduct credit checks and collect debts; s) compiling statistical information and customers’ profiles; t) comparing data of the customers or other persons for credit checking, data verification or otherwise producing or verifying data, whether or not for the purpose of taking action against the customers; u) maintaining a credit history or otherwise, a record of customers (whether or not there exists any relationship between customers and the Company) for present and future reference; v) handling claims and potential claims by and against the Company; w) exercising internal control and managing of data by any member(s) of the Group and/or contractors; and x) purposes relating thereto.
4. DATA CONFIDENTIALITY & SUBSEQUENT USE
Data held by the Company or a member of the Group relating to a customer will be kept confidential but the Company or a member of the Group may provide such information to the following parties (whether within or outside the territory of Hong Kong) for the purposes set out in paragraph 3: a) any agents, contractors, sub-contractors, service providers or associates of the Group (including their employees, directors, officers, agents, contractors, service providers, and professional advisers); b) any third party service provider who provides administrative, telecommunications, Electronic Fund Transfer service, computer, payment, debt collection, information service or other services to the Company or the Group in connection with the operation of its business (including their employees, directors and officers); c) any Authorities; d) any other person under a duty of confidentiality to the Company including a member of the Group which has undertaken to keep such information confidential; e) third party service providers with whom the customer has chosen to interact with in connection with the customer’s application for the Company’s or the Group’s products and services; f) CRA (including the operator of any centralized database used by CRA), and, in the event of default, to debt collection agencies or law firms; g) any person to whom the Company or any of its branches or any member(s) of the Group is under an obligation or required or expected to make disclosure for the purposes set out in, or in connection with, paragraphs 5(i), 5(j) or 5(k); h) any party giving or proposing to give a guarantee or third party security to guarantee or secure the customer’s obligations and any co-borrower(s); i) any actual or proposed assignee of the Company or participant or sub-participant or transferee of the Company’s rights in respect of the customer; and j) the data was collected to provide such information to the following parties: (i) any member(s) of the Group; (ii) third party financial institutions, insurers, credit card companies, securities and investment services providers; (iii) third party reward, loyalty or privileges programme providers; (iv) co-branding partners of the Company and/or any member(s) of the Group (the names of such co-branding partners can be found in the application form(s) and/or advertising leaflet(s) / poster(s) for the relevant services and products, as the case may be); (v) charitable or non-profit making organisations; and (vi) external service providers (including but not limited to mailing houses, telecommunications companies, telemarketing and direct sales agents, call centres, data processing companies and information technology companies) that the Company engages for the purposes set out in paragraph 5 (f). Such information may be transferred to a place outside Hong Kong.
5. EXISTING CUSTOMER DATA USE
The Company may from time to time access and obtain personal and account information or records and consumer credit data of a customer (including without limitation information about the number of mortgage count, if written consent of the customer has been obtained) from CRA for reviewing any of the following matters in relation to the credit facilities granted to the customer or a third party whose obligations are guaranteed by the customer: a) an increase in the credit amount; b) the curtailing of credit (including the termination of credit or a decrease in the facility amount); or c) the putting in place or the implementation of a scheme of arrangement with the customer.
6.MORTGAGE CUSTOMERS DATA USE
When the Company accesses consumer credit data about a customer held with CRA, it must comply with the Code of Practice on Consumer Credit Data (“the Code”) approved and issued under the Personal Data (Privacy) Ordinance (“the Ordinance”) . With respect to data in connection with mortgages applied by a customer (in any capacity) on or after 1 April 2011, the following data relating to the customer (including any updated data of any of the following data from time to time) may be provided by the Company, on its own behalf and/or as agent, to a CRA: a) full name; b) capacity in respect of each mortgage (as borrower, mortgagor or guarantor, and whether in the customer’s sole name or in joint names with others); c) Identity card number or travel document number; d) date of birth; e) correspondence address; f) mortgage account number in respect of each mortgage; g) type of the facility in respect of each mortgage; h) mortgage account status in respect of each mortgage (e.g., active, closed, write-off (other than due to a bankruptcy order), write-off due to a bankruptcy order); and i) if any, mortgage account closed date in respect of each mortgage. The CRA will use the above data supplied by the Company for the purposes of compiling a count of the number of mortgages from time to time held by the customer with credit providers, as borrower, mortgagor or guarantor respectively and whether in the customer’s sole name or in joint names with others, for sharing in the consumer credit databases of CRA by credit providers (subject to the requirements of the Code approved and issued under the Ordinance).
7.USE OF DATA IN DIRECT MARKETING
The Company intends to use a customer’s data in direct marketing and the Company requires the customer’s consent (which includes an indication of no objection) for that purpose. In this connection, please note that: a) The Company may use the following categories of data for its direct marketing purposes: (i) the name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background, demographic data and mobile device ID of a customer held by the Company from time to time; and (ii) information relating to the customers use of the Company’s websites, mobile apps from time to time, whether through cookies or otherwise; b) the following classes of services, products and subjects may be marketed: (i) financial services and related products including loans, insurance products; (ii) reward, loyalty or privileges programmes and related services and products; (iii) services and products offered by co-branding partners of the Company and/or any member(s) of the Group (the names of such co-branding partners can be found in the application form(s) and/or advertising leaflet(s) / poster(s) for the relevant services and products, as the case may be); and (iv) donations and contributions for charitable and/or non-profit making purposes; c) the above services, products and subjects may be provided or (in the case of donations and contributions) solicited by the Company and/or: (i) the Group; (ii) third party financial institutions, insurers, credit card companies, securities and investment services providers; (iii) third party reward, loyalty, co-branding or privileges programme providers; (iv) co-branding partners of the Company and/or any member(s) of the Group (the names of such co-branding partners can be found in the application form(s) and/or advertising leaflet(s) / poster(s) for the relevant services and products, as the case may be); and (v) charitable or non-profit making organisations; d) in addition to marketing the above services, products and subjects itself, the Company also intends to provide the data described in paragraph 7 (a) above to all or any of the persons described in paragraph 7 (c) above for use by them in marketing those services, products and subjects, and the Company requires the customer’s written consent (which includes an indication of no objection) for that purpose; e) The Company may receive money or other property in return for providing the data to the other persons in paragraph 7 (d) above and, when requesting the customer’s consent or no objection as described in paragraph 7 (d) above, the Company will inform the customer if it will receive any money or other property in return for providing the data to the other persons.
If a customer does not wish the Company to use or provide to other persons his data for use in direct marketing as described above, the customer may exercise his opt- out right of mail, email, Mobile Message, telephone by notifying the Company without charge.
8.CUSTOMER RIGHT
Under and in accordance with the terms of the Ordinance, the Code and any statutory or regulatory guidelines issued by the Privacy Commissioner for Personal Data or other regulatory bodies, any customer has the right:
a) to check whether the Company holds data about him and the right of access to such data;
b) to require the Company to correct any data relating to him which is inaccurate;
c) to ascertain the Company’s policies and practices in relation to data and to be informed of the kind of data held by the Company;
d) to be informed on request which items of data are routinely disclosed to CRA or debt collection agencies, and be provided with further information to enable the making of an access and correction request to the relevant CRA or debt collection agency;
e) in relation to any account data (including, for the avoidance of doubt, any account repayment data) which has been provided by the Company to a CRA, to instruct the Company, upon termination of the account by full repayment, to make a request to the CRA to delete such account data from its database, as long as the instruction is given within five years of termination and at no time was there any default of payment in relation to the account, lasting in excess of 60 days within five years immediately before account termination. Account repayment data include amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by the Company to a CRA), remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any).
In the event of any default of payment relating to an account, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days from the date such default occurred, the account repayment data (as defined in paragraph 14(e) above) may be retained by the CRA until the expiry of five years from the date of final settlement of the amount in default.
In the event any amount in an account is written-off due to a bankruptcy order being made against a customer, the account repayment data (as defined in paragraph 14(e) above) may be retained by the CRA, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until the expiry of five years from the date of final settlement of the amount in default or the expiry of five years from the date of discharge from a bankruptcy as notified by the customer with evidence to the CRA, whichever is earlier.
The Company may access the database of CRA for the purposes of credit review from time to time. Which review may involve the consideration by the Company of any of the following matters:
a) an increase in the credit amount;
b) the curtailing of credit (including the cancellation of credit or a decrease in the credit amount); or
c) the putting in place or the implementation of a scheme of arrangement with the customer.
In accordance with the terms of the Ordinance, the Company has the right to charge a reasonable fee for the processing of any data access request.
9.DATA PROTECTION CONTACT
The person to whom requests for access to data or correction of data or for information regarding policies and practices and kinds of data held are to be addressed as follows: The Data Protection Officer Zero Finance Hong Kong Limited Unit 201, 2/F., Kwong Fat Hong Building No. 1 Rumsey Street, Sheung Wan, Hong Kong Fax: (852) 2531 0300 The Company may have obtained a credit report on the customer from a CRA in considering any application for credit. In the event the customer wishes to access the credit report, the Company will advise the contact details of the relevant entity.
10. The expression “Customer” includes both borrower and guarantor as individuals or corporations (and the latter’s directors, shareholders or other officers) and unincorporated associations (sole proprietor or partners). Credit means consumer and commercial credit (including Hire Purchase and Leasing). All references to one gender are a reference to all other genders and the singular includes the plural.
11. Data of a customer may be processed, kept and transferred or disclosed in and to any country as the Company or any person who has obtained such data from the Company referred to paragraph 4 above considers appropriate. Such data may also be released or disclosed in accordance with the local practices and laws, rules and regulations (including any governmental acts and orders) in such country.
12. Nothing herein shall limit the right of customers under the Ordinance.
13. This Notice shall upon a customer’s receipt, be deemed an integral part of all contracts, agreements, credit/banking facility letters, and other binding arrangements which the customer has entered into or intends to enter into with the Company.
14. Customers may, at any time and without charge, request the Company cease using their personal data for direct marketing purposes by writing to the Data Protection Officer at the address or fax number provided in paragraph 9.
15. Retention of Personal Data: The Company will take practical steps to ensure that customer’s personal data will not be kept longer than necessary.