Home > Data Protection Notice

Data Protection Notice

Home > Data Protection Notice

The following notice provides information relating to the collection and use of personal data by BNP Paribas acting through its Hong Kong branch in connection with (i) the opening or operation of accounts, (ii) the establishment or maintenance of banking facilities or other financial accommodation; (iii) the provision of banking, financial and/or brokerage services or products; and/or (iv) the provision of wealth planning, discretionary portfolio management and/or investment solutions and services, and the continuation of such matters and services.

If you are not a customer or prospective customer of BNP Paribas Hong Kong branch or have not provided personal data in connection with such relationship, please refer to our general personal data protection notice at the following link: Asia Pacific Data Protection Notice – BNP Paribas Asia Pacific.

There may be other notices detailing how BNP Paribas Group entities process your personal data applicable in other territories we operate in. Further information may be provided where necessary when you apply for a product or service. For information about non Asia Pacific territories, please visit the following link: Data Protection Notice – BNP Paribas CIB.

BNP Paribas, acting through its Hong Kong branch – Notice to Customers relating to the Personal Data (Privacy) Ordinance (the “Ordinance”)

  1. COLLECTION OF PERSONAL DATA

    1.1. From time to time, it is necessary for data subjects to supply BNP Paribas (the “Bank”, which expression shall include its affiliates, branches and subsidiaries) with data in connection with (i) the opening or operation of accounts, (ii) the establishment or maintenance of banking facilities or other financial accommodation; (iii) the provision of banking, financial and/or brokerage services or products; and/or (iv) the provision of wealth planning, discretionary portfolio management and/or investment solutions and services, and the continuation of such matters and services.

    1.2. Failure to supply such data may result in the Bank being unable to open or continue accounts or establish or continue banking facilities or provide banking, financial and/or brokerage services or products.

    1.3. It is also the case that data is collected from data subjects in the ordinary course of the continuation of the banking or client relationship, for example, when data subjects write cheques, deposit money or otherwise carry out transactions as part of the Bank’s or the BNP Paribas Group’s services. The Bank may also collect data relating to the data subject from third parties, including without limitation third party service providers with whom the data subject interacts in connection with the marketing of the Bank’s products and services and in connection with the data subject’s application for or using of the Bank’s and/or BNP Paribas Group’s products and services (including receiving personal data from credit reference agencies approved for participation in the Multiple Credit Reference Agencies Model (hereinafter referred to as “credit reference agencies”)).

    1.4. For the purpose of this Notice:

    (a) “data subjects” means customers and/or other individuals including without limitation: applicants for financial services, brokerage services, and banking facilities, sureties and persons providing security or guarantee for banking facilities, contractual counterparties, and directors, shareholders, beneficial owners, controlling persons, officers and managers of customers, of applicants or of any third party transacting with or through the Bank; and

    (b) “BNP Paribas Group” means each of or collectively the Bank, its group companies and affiliates, and their respective subsidiaries (including each branch or representative office). 
  2. USE OF PERSONAL DATA

    2.1. The purposes for which data relating to data subjects may be used are as follows:

    (a) considering and assessing the data subject’s application for the Bank’s products and services;

    (b) the daily operation of the services and credit facilities provided to data subjects;

    (c) conducting credit checks at the time of application for credit and at the time of regular or special reviews which normally will take place one or more times each year;

    (d) creating and maintaining the Bank’s credit scoring models;

    (e) assisting other credit providers in Hong Kong approved for participation in the Multiple Credit Reference Agencies Model (hereinafter referred to as “credit providers” ) to conduct credit checks and collect debts;

    (f) ensuring ongoing credit worthiness of data subjects;

    (g) designing financial services or related products for data subjects’ use;

    (h) marketing services, products and other subjects (please see further details in Section 5 below);

    (i) determining amounts owed to or by data subjects;

    (j) collection of amounts outstanding from data subjects and those providing security or guarantee for data subjects’ obligations;

    (k) complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Bank or any member of the BNP Paribas Group, or that it is expected to comply according to:

    i. any law binding or applying to it within or outside the Hong Kong Special Administrative Region (“Hong Kong”) existing currently and in the future (e.g. the Inland Revenue Ordinance and its provisions including those concerning automatic exchange of financial account information);

    ii. any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently and in the future (e.g. guidelines or guidance given or issued by the Inland Revenue Department including those concerning automatic exchange of financial account information); or

    iii. any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Bank or any member of the BNP Paribas Group by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;

    (l) complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the BNP Paribas Group and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;

    (m) in connection with the Bank or any member of the BNP Paribas Group defending or responding to any legal, governmental, regulatory or quasi-governmental related matter, action or proceeding;

    (n) organising and delivering seminars for data subjects;

    (o) enabling an actual or proposed assignee of the Bank, or participant or sub-participant of the Bank’s rights in respect of the data subjects to evaluate the transaction intended to be the subject of the assignment, participation or sub- participation; and

    (p) any purposes relating thereto.
  3. DISCLOSURE OF PERSONAL DATA

    3.1. Data held by the Bank relating to data subjects will be kept confidential but the Bank may provide such information to the following parties for the purposes set out in Section 2:

    (a) any agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment or securities clearing or electronic signature or other services to the Bank or any member of the BNP Paribas Group in connection with the operation of its business;

    (b) any other person under a duty of confidentiality to the Bank or any member of the BNP Paribas Group;

    (c) the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;

    (d) third party service providers with whom the data subject has chosen to interact with in connection with the data subject’s application for the Bank’s products and services;

    (e) credit reference agencies (including the operator of any centralized database used by credit reference agencies) and, in the event of default, to debt collection agencies;

    (f) any person to whom the Bank or any member of the BNP Paribas Group is under an obligation or otherwise required to make disclosure under the requirements of any law binding on or applying to the Bank or any member of the BNP Paribas Group, or any disclosure under and for the purposes of any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers with which the Bank or any member of the BNP Paribas Group is expected to comply, or any disclosure pursuant to any contractual or other commitment of the Bank or any member of the BNP Paribas Group with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers, all of which may be within or outside Hong Kong and may be existing currently and in the future;

    (g) any actual or proposed assignee of the Bank or participant or sub-participant or transferee of the Bank’s rights in respect of data subjects;

    (h) any member of the BNP Paribas Group;

    (i) third party financial institutions, insurers, credit card companies, securities and investment services providers, intermediaries, brokers, payment system operators, trade repositories or exchanges;

    (j) any party giving or proposing to give a guarantee or third party security to guarantee or secure the data subject’s obligations;

    (k) third party reward, loyalty and privileges programme providers;

    (l) co-branding partners of the Bank or any member of the BNP Paribas Group (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);

    (m) charitable or non-profit making organisations;

    (n) external service providers (including but not limited to mailing houses, telecommunication companies, telemarketing and direct sales agents, call centres, data processing companies and information technology companies) that the Bank or any member of the BNP Paribas Group engages for the purposes set out in Section 2.1;

    (o) birth and death registries or other authorities or organization or entities which provide search services for the Bank to ascertain the status of the data subject and/or his/her money and assets; and

    (p) executors or administrators or potential executors or administrators or personnel acting in such capacities of the estate of the data subject.

    3.2. Such data may be disclosed, transferred to or stored in a place outside Hong Kong. Such data may also be processed, kept, transferred or disclosed in accordance with the local practices and laws, rules and regulations (including any governmental acts and orders) in such country.

    3.3. If such process is made available by the Bank, the Bank may, in accordance with the customer’s instructions to the Bank or third party service providers engaged by the customer, transfer customer’s data to third party service providers using the Bank’s application programming interfaces for the purposes notified to the customer by the Bank or third party service providers and/or as consented to by the customer.
  4. CREDIT REFERENCE AGENCIES

    4.1. In the event of any default of payment relating to an account, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days from the date such default occurred, the account repayment data (as defined in Section 6.1(e) may be retained by credit reference agencies until the expiry of five years from the date of final settlement of the amount in default.

    4.2. In the event any amount in an account is written-off due to a bankruptcy order being made against a data subject, the account repayment data (as defined in Section 6.1(e)) may be retained by credit reference agencies, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until the expiry of five years from the date of final settlement of the amount in default or the expiry of five years from the date of discharge from a bankruptcy as notified by the data subject with evidence to the credit reference agency(ies), whichever is earlier.

    4.3. With respect to data in connection with mortgages applied by a data subject (whether as a borrower, mortgagor or guarantor and whether in the data subject’s own name or in joint names with others) on or after 1 April 2011, the following data relating to the data subject (including any updated data of any of the following data from time to time) may be provided by the Bank, on its own behalf and/or as agent, to credit reference agencies:

    (a) full name;

    (b) capacity in respect of each mortgage (as borrower, mortgagor or guarantor, and whether in the data subject’s own name or in joint names with others);

    (c) Hong Kong Identity Card Number or travel document number;

    (d) date of birth;

    (e) correspondence address;

    (f) mortgage account number in respect of each mortgage;

    (g) type of the facility in respect of each mortgage;

    (h) mortgage account status in respect of each mortgage (e.g., active, closed, write-off (other than due to a bankruptcy order), write-off due to a bankruptcy order); and

    (i) if any, mortgage account closed date in respect of each mortgage.

    Credit reference agencies will use the above data supplied by the Bank for the purposes of compiling a count of the number of mortgages from time to time held by the data subject with credit providers, as borrower, mortgagor or guarantor respectively and whether in the data subject’s own name or in joint names with others, for sharing in the consumer credit databases of credit reference agencies by credit providers (subject to the requirements of the Code of Practice on Consumer Credit Data approved and issued under the Ordinance).
  5. USE OF PERSONAL DATA IN DIRECT MARKETING

    5.1. The Bank intends to use a customer’s data in direct marketing and the Bank requires their consent (which includes an indication of no objection) for such purpose. In this connection, please note that:

    (a) the name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data of a customer held by the Bank from time to time may be used by the Bank in direct marketing;

    (b) the following classes of services, products and subjects may be marketed:

    i. financial, insurance, credit card, banking, brokerage and related services and products;

    ii. reward, loyalty or privileges programmes and related services and products;

    iii. services and products offered by the Bank’s co-branding partners (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and

    iv. donations and contributions for charitable and/or non-profit making purposes; and

    (c) the above services, products and subjects may be provided or (in the case of donations and contributions) solicited by the Bank and/or:

    i. any member of the BNP Paribas Group;

    ii. third party financial institutions, insurers, credit card companies, securities and investment services providers;

    iii. third party reward, loyalty, co-branding or privileges programme providers;

    iv. co-branding partners of any member of the BNP Paribas Group (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and

    v. charitable or non-profit making organisations.

    5.2. In addition to marketing the services, products and subjects described in Section 5.1(b), the Bank also intends to provide the data described in Section 5.1(a) to all or any of the persons described in Section 5.1(c) for use by them in marketing those services, products and subjects; and regarding an individual customer, the Bank requires his/her written consent (which includes an indication of no objection) for that purpose.

    5.3. The Bank may receive money or other property in return for providing the data to the other persons in Section 5.2 and, when requesting the customer’s consent or no objection as described in Section 5.2, the Bank will inform the customer if it will receive any money or other property in return for providing the data to the other persons.

    5.4. If a customer does not wish the Bank to use or provide to other persons their data for use in direct marketing as described in Section 5, he/she may exercise their opt-out right by notifying the Data Protection Officer of the Bank in writing at the address in Section 6. If the Bank receives an opt-out request from any customer as mentioned in this Section, the Bank will without charge cease to use such data for direct marketing as requested by such customer.
  6. DATA ACCESS AND CORRECTION

    6.1. Under and in accordance with the terms of the Ordinance and the Code of Practice on Consumer Credit Data approved and issued under the Ordinance, any data subject has the right:

    (a) to check whether the Bank holds data about him and of access to such data;

    (b) to require the Bank to correct any data relating to him which is inaccurate;

    (c) to ascertain the Bank’s policies and practices in relation to data and to be informed of the kind of personal data held by the Bank;

    (d) to be informed on request which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the making of access and correction requests to the relevant credit reference agency(ies) or debt collection agency(ies); and

    (e) in relation to any account data (including, for the avoidance of doubt, any account repayment data) which has been provided by the Bank to a credit reference agency, to instruct the Bank, upon termination of the account by full repayment, to make a request to the credit reference agency to delete such account data from its database, as long as the instruction is given within five years of termination and at no time was there any default of payment in relation to the account, lasting in excess of 60 days within five years immediately before account termination. Account repayment data includes amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by the Bank to the credit reference agency), remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any)).

    6.2. In accordance with the terms of the Ordinance, the Bank has the right to charge a reasonable fee for the processing of any data access request.

    6.3. If a data subject has given consent to process personal data, a data subject may have a right to withdraw such consent. This shall be subject to the Banks’ requirements to continue to process the previously collected personal data to the extent required by applicable laws, rules or regulations.

    6.4. Requests to exercise the rights in this Section are to be sent in writing to:

    The Data Protection Officer, BNP Paribas, 63/F Two International Finance Centre, 8 Finance Street, Hong Kong.

    6.5. The Bank may have obtained a credit report on data subjects from credit reference agency(ies) in considering any application for credit. In the event data subject wishes to access the credit report(s), the Bank will advise the contact details of the relevant credit reference agency(ies).
  7. GENERAL PROVISIONS

    7.1. Nothing in this Notice shall limit the rights of data subjects under the Personal Data (Privacy) Ordinance.

    7.2. Should there be any inconsistencies between the English and Chinese versions of this Notice, the English version shall prevail.

[December 2022]