PERSONAL DATA PRIVACY NOTICE

It is the policy of the ICICI Entities comprising the ICICI Bank Limited, Hong Kong Branch, ICICI Bank Limited, India Branch, their head office, holding company and any of their affiliates, associates, branches or subsidiaries (the “ICICI Entities”, the “Bank”, “we”, “us” or “our”) to respect and protect the privacy of the individuals’ personal data and to observe the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) in the collection, holding, processing and use of personal data. This policy statement (the “Policy”) sets down the policies of the Bank with respect to protection of personal data. The provisions of this Policy shall form part of the account terms and conditions governing and/or agreement/ arrangements that a data subject enters into with the Bank. In the event of any inconsistency between the provisions herein and any such terms, the specific terms in the Applicable Document (as defined below) shall prevail over this Policy.

References to “data subject(s)” in this Policy means the previous, current and potential customer(s) of the Bank, including without limitation, applicant(s) for banking and financial services and facilities.

1. From time to time, it will be necessary for the data subjects to supply the Bank with personal data in connection with the opening, continuation and/or administration of accounts, the establishment and/or continuation of banking and financial services facilities by the Bank to the data subjects, and/or the processing, administration management and/or continuation of our relationship with the data subjects (for example, when the data subjects write cheques, deposit money or give instructions). Such personal data includes the data subject’s name, identification number, address and personal contact details, employment details, transactional and behavioural pattern, financial information and transaction details
2. Failure to supply such personal data may result in the Bank being unable to open or continue the accounts or to establish or continue banking facilities or to provide any of the aforesaid services to the relevant data subjects
3. The purposes for which personal data relating to a data subject may be collected, used, held, disclosed or processed by the Bank will vary depending on the data subject’s relationship with the Bank. Generally they may comprise the following purposes (the “Purposes”):
   
   
   1. operation of the services and credit/banking/financial facilities provided to the data subjects and considering and processing of applications for accounts, banking/financial services and facilities;
   2. considering, negotiating and entering into contracts with the data subjects;
   3. carrying out the data subjects’ instructions or responding to any enquiry and/or complaint given by (or purported to be given by) the data subjects or on their behalf;
   4. contacting the data subjects or communicating with them via phone/voice call, text message and/or fax message, email and/or postal mail for the purposes of administering and/or managing the data subjects’ relationship with the Bank such as, but not limited to communicating information related to data subjects details or the relationship details. The data subjects acknowledge and agree that such communication by the Bank could be by way of the mailing of correspondence, documents or notices to the data subjects, which could involve disclosure of certain personal data about the data subjects to bring about delivery of the same as well as revelation of the same information on the external cover of envelopes/mail packages;
   5. carrying out due diligence or other screening activities (including background, anti-money laundering (AML) and “know-your-client” (KYC) checks) in accordance with - 2 - legal or regulatory obligations or the Bank’s risk management procedures that may be required by law or that may have been put in place by the Bank;
   6. seeking or obtaining administrative, credit reference, data processing, telecommunications, computer, technical maintenance, payment, debt collection, securities clearing, custodian banking, financing, business consulting, human resources consulting, outsourcing, financial, accounting, auditing, legal, professional or other services in connection with the operation of our business (the “Services”), and provision of credit references/references and confirmations to professional advisors such as auditors;
   7. conducting credit checks and data verification (including but not limited to such at the time of application for banking/financial services and facilities and at the time of regular or special reviews which normally may take place once or more times each year), including carrying out matching procedures whether or not for the purpose of taking adverse action against the data subjects or maintaining a credit history (whether or not the relationship with the Bank is terminated) for the Bank’s present or future reference, subject to any consent from the data subjects where required under the applicable laws
   8. assisting other financial bodies and institutions to conduct credit checks and any dispute investigations and collect debts;
   9. ensuring ongoing creditworthiness of data subjects;
   10. designing financial services and/or related products for the data subjects’ use;
   11. direct marketing of the banking services of the Bank and/or related products (subject to the terms specified in clause 14 below);
   12. determining the amount of indebtedness owed to or by the data subject;
   13. enforcement of data subjects’ obligations, including collection of amounts outstanding from them and from bills providing security to the Bank in respect of obligations of data subjects;
   14. performing treasury functions;
   15. for operational purposes, credit assessment, credit scoring models or statistical analysis (including in each case, behaviour analysis and evaluation on overall relationship with us which includes using such data to comply with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the ICICI Entities and/or any other use of data and information in accordance with any group-wide programmes for compliance with terrorism sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities), whether on the data subjects or otherwise;
   16. satisfying the Bank’s business requirements and operational needs;
   17. complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Bank or that we are expected to comply with according to:
       
       
       1. any law binding or applying to us within or outside Hong Kong, existing currently and in the future, including disclosure requirements under any law binding on the Bank and/or for the purposes of any guidelines issued by - 3 - regulatory or other authorities of any relevant jurisdiction, with which the Bank is expected to comply from time to time;
       2. any orders, guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers and/or by securities exchanges, within or outside Hong Kong, existing currently or in the future;
       3. any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers , securities exchanges or other financial institutions that is assumed by or imposed on us by reason of our financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant authority/body/association or otherwise, including assisting such bodies and institutions to conduct credit checks and any dispute investigations, and collect debts;
       4. any notices/demands/requests/direction for information from any judicial/regulatory/governmental authorities having jurisdiction/authority in any manner over any member of the ICICI Entities, or responding to requests for information from public agencies, ministries, enforcement directorate, statutory boards or other similar authorities having jurisdiction over any member of the ICICI Entities; and
       5. any of the Bank’s internal obligations, requirements, policies, procedures, programmes, measures or arrangements from time to time , including but not limited to sharing of data within the ICICI Entities and any compliance requirements in respect of sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities.
   18. maintaining a credit history of the data subject (whether or not there exists any relationship between the data subject and the Bank), for present and future reference;
   19. enabling an actual or proposed assignee of the Bank, or participant or sub-participant of the Bank’s rights in respect of the data subject, to evaluate and assess the transaction intended to be the subject of the assignment, participation, sub-participation or similar activity;
   20. preventing or investigating any fraud, unlawful activity, omission or misconduct, whether relating to your relationships with the Bank or any other matter arising from your relationships with the Bank, and whether or not there is any suspicion of the aforementioned;
   21. storing, hosting, processing, backing up (whether for disaster recovery or otherwise) of data subjects’ personal data, whether within or outside Hong Kong;
   22. creating and maintaining the Bank's credit and risk related models;
   23. enforcing the rights of the Bank, contractual or otherwise;
   24. initiating, defending, or otherwise managing the Bank’s legal proceedings;
   25. conducting research, analysis and development activities (including but not limited to data analytics, surveys and/or profiling, development of financial services or related products for the data subjects’ use and reviewing, monitoring, improving, designing or launching the Bank’s services) to improve the Bank’s services and/ or facilities in order to enhance your relationship with the Bank, or for your benefit;
   26. complying with contractual arrangements with, by or between financial industry selfregulatory, financial industry bodies, associations of financial services providers or other financial institutions, including assisting such institutions to conduct credit checks and any dispute investigations and collect debts;
   27. enabling the Bank to centralise or outsource its data processing and other administrative operations to ICICI Bank Limited, India and/ or any of its affiliates, branches or subsidiaries, agents or third parties engaged by the Bank (whether within or outside Hong Kong) for any such services/operation;
   54. any other purposes as disclosed by us from time to time in our form(s), agreement(s) or any other document(s) through which the data subject has a relationship with us (the “Applicable Document”), including for example matching procedures (as defined in the PDPO, but broadly includes comparison of two or more sets of the data subject's data, for purposes of taking actions adverse to the interests of the data subject, such as declining an application) subject to any consent from you where required under the applicable laws;
   81. any other purposes permitted by law; and
   108. all other incidental and associated purposes relating to any of the above, including but not limited to seeking professional advice.
4. The Bank shall keep data only for as long as is reasonably required for the Purposes or otherwise required or permitted by applicable law. This includes keeping, for as long as reasonably required, such data as required for handling enquiries and potential or actual legal proceedings relating to any of the Purposes. Where we engage a contractor or service provider to process personal data on our behalf, we will require that they do likewise.
5. Data held by the Bank relating to a data subject will be kept confidential, but the Bank may disclose or transfer the personal data to such third parties for one or more of the Purposes (subject to the terms applicable to direct marketing as specified in clause 14 below). In this regard, the said third parties may subsequently hold, use, disclose and/or process the data subjects’ personal data for any of the Purposes. Such third parties shall include:
   
   
   1. any member of the ICICI Entities, its/their employees, agents, vendors, contractors, debt collection agencies and/or third party service providers (whether in Hong Kong or elsewhere) who provide the Services to us in connection with the operation of our business;
   2. any other person which has expressly or impliedly undertaken a duty of confidentiality to a member of the ICICI Entities;
   3. the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;
   4. any authorized institution (as defined in the Banking Ordinance (Cap. 155)) or other authorized or regulated entity of similar nature in another jurisdiction with which the data subject has or proposes to have dealings;
   5. credit reference agencies and, in the event of default, debt collection agencies;
   6. any person to whom we are under an obligation or otherwise required to make disclosure under the requirements of any law binding on or applying to us, or any disclosure under and for the purposes of any orders, guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers with which we are expected to comply, or any disclosure pursuant to any contractual or other commitment of any member of the ICICI Entities with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers, all of which may be within or outside Hong Kong and may be existing currently or in the future;
   7. any actual or proposed assignee of all or any part of the Bank’s business and/or assetsor participant or sub participant or transferee of all or any part of the rights of the Bank in respect of the data subject;
   8. any person providing or proposing to provide a guarantee of or security for the data subject’s obligations to the Bank;
   9. subject to the terms specified in clause 14 below which are applicable to direct marketing, the following persons/bodies/entities (the “Transferees”) for the purposes set out in clause 3(k) above:
      
      
      1. any member of ICICI Entities;
      2. third party agents, financial institutions, insurers, card companies, securities and investment services providers;
      3. third party reward, loyalty and privilege programme providers;
      4. our business and co-branding partners (the names of such partners can be found in the Applicable Document(s) for the relevant Services and Products (as defined below), as the case may be);
      5. charitable and non-profit making organisations; and
      6. external service providers (including but not limited to professional advisers, receivers appointed for the purpose of enforcement and recovery, mailing houses, telecommunication companies, telemarketing and direct sales agents, call centres, data processing companies, information technology companies and market research firms); and
   10. any other persons as disclosed by us from time to time in the Applicable Document.
6. For the purpose of clause 3(g) above, we may from time to time access and obtain consumer credit data of the data subject from a credit reference agency for reviewing any of the following matters in relation to the credit facilities granted:
   
   
   1. an increase in the credit amount;
   2. the curtailing of credit (including the termination of credit or a decrease in the facility amount); or
   3. the putting in place or the implementation of a scheme of arrangement with the data subject.
7. When the Bank accesses consumer credit data about a data subject held with a credit reference agency, it will comply with the Code of Practice on Consumer Credit Data approved and issued under the PDPO (the "Code") and other relevant regulatory requirements.
8. Of all the data which may be collected or held by the Bank from time to time in connection with mortgages applied by the data subjects (whether as a borrower, mortgagor, or guarantor and whether in the data subjects’ sole name or in joint names with others), the mortgage account general data relating to data subjects (including any updated data thereof) may be provided by the Bank to a credit reference agency, including but not limited to full name, capacity in respect of each mortgage (as borrower, mortgagor or guarantor, and whether in the data subjects’ sole name or in joint names with others), Hong Kong Identity Card or travel document number(s), date of birth, address, mortgage account number in respect of each mortgage, type of facility in respect of each mortgage, mortgage account status in respect of each mortgage (e.g. active, closed, write-off), (if any) mortgage account closed date in respect of each mortgage.
9. The credit reference agency will use the above mortgage account general data supplied by us for the purposes of compiling a count of the number of mortgages from time to time held by a data subject, as borrower, mortgagor or guarantor respectively and whether in the data subjects’ sole name or in joint names with others, for sharing in the consumer credit database of the credit reference agency by credit providers (subject to the requirements of the Code).
10. We will take all practicable steps to ensure that the personal data held by us are:-
    1. accurate having regard to the applicable Purposes;
    2. not used where there are reasonable grounds for believing that the personal data are inaccurate when used for the applicable Purposes, unless and until such inaccuracies cease to apply or are rectified.
11. Where we have disclosed personal data to any third party, we will take all practicable steps to ensure that the data thereby disclosed are accurate having regard to the applicable Purposes.
12. We will take all practicable steps to ensure that personal data are protected against unauthorized or accidental access, processing, erasure, loss or use. Subject to business needs and policy adjustments from time to time, the Bank categorizes personal data as ‘Confidential Information’, keeps record of the processing activities enters into non-disclosure and confidentiality agreements with employees and third parties who are privy to the data subjects' personal data and assigns a dedicated Data Privacy team headed by a Data Protection Officer to oversee privacy-related developments for the Bank as a data processor for international banking business and as a data controller / data user for remittance businesses. Where we engage a contractor or service provider to process personal data on our behalf, we will require that they do likewise.
13. Except as provided in paragraph 5 above, the data subjects’ personal data will be accessed only by our employees or contractors who are authorized to do so under a duty of confidentiality and on a need-to-know basis and shall comply with this Policy at all times. Our internal policy also requires all our employees to comply with the PDPO and sign a non-disclosure agreement.

14. DIRECT MARKETING

    
    We intend to use the data subject’s data in direct marketing and we require the data subject’s consent (which includes an indication of no-objection) for that purpose. In this connection, please note that:
    
    
    1. the name, contact details, products and services portfolio information, transaction pattern and behaviour, financial background and demographic data of the data subject held by the Bank from time to time may be used by us in direct marketing;
    2. the following classes of services, products and / or programmes (the “Services and Products”) may be marketed:
       
       
       1. financial, insurance, cards (meaning cards used to withdraw cash or pay for goods and services, including credit cards, debit cards, ATM cards, and stored value cards), banking, securities and related services and products;
       2. reward, loyalty or privilege programmes and related services and products;
       3. services and products offered by the Bank’s business or co-branding partners (the names of such partners can be found in the Applicable Document(s) for the relevant Services and Products, as the case may be); and
       4. donations and contributions for charitable and/or non-profit making purposes;
    3. the Services and Products may be provided or (in the case of donations and contributions) solicited by:
       
       
       1. any member of the ICICI Entities;
       2. third party agents, financial institutions, insurers, card companies, securities and investment services providers;
       3. our business and co-branding partners;
       4. charitable or non-profit making organisations; and
       5. third party reward, loyalty or privilege programme providers supporting us or any of the above listed entities;
    4. in addition to marketing the Services and Products itself, the Bank also intends to provide the data described in paragraph 14(a) above to all or any of the Transferees for use by them in marketing the Services and Products, and we require the data subject’s written consent (which includes an indication of no objection) for that purpose; and
    5. we may receive money or other property in return for providing the data to the Transferees and, when requesting the data subject’s consent or no objection as described in paragraph 14(d) above, we will inform the data subject if we will receive any money or other property in return for providing the data to the other persons.

If a data subject does not wish the Bank to use or provide to other persons his/her data for use in direct marketing as described above, the data subject may exercise his/her opt-out right by notifying the Bank at any time and without charge.

15. Under and in accordance with the terms of the PDPO and the Code, any data subject has the right:
    1. to check whether the Bank holds data about him/her and have access to such data;
    2. to require the Bank to correct any data relating to him/her which is inaccurate;
    3. to ascertain the Bank’s policies and practices in relation to data and to be informed of the kind of personal data held by the Bank; and
    4. in relation to consumer credit data (including data relating to mortgages) which has been provided by the Bank to a credit reference agency:
       1. to request to be informed which items of data are routinely disclosed to credit reference agencies or debt collection agencies;
       2. be provided with further information to enable an access and correction request to be made to the relevant credit reference agency or debt collection agency; and
       3. upon termination of the account by full payment, to instruct the Bank to request a credit reference agency to delete any such data from its database, so long as the instruction is given within 5 years of termination and there has been no payment default in excess of 60 days in the 5 years immediately before account termination.
16. In the event of any default of payment relating to an account, unless the amount in default is fully repaid or written off (other than due to a bankruptcy order) before the expiry of 60 days from the date such default occurred, the account repayment data may be retained by the credit reference agency until expiry of 5 years from the date of final settlement of the amount in default. Account repayment data includes amount last due, amount of payment made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by the Bank to a credit reference agency), remaining available credit or outstanding balance, and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any)).
17. In the event any amount in an account is written off due to a bankruptcy order being made against the data subject, the account repayment data may be retained by the credit reference agency, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until expiry of 5 years from the date of final settlement of the amount in default or expiry of 5 years from the date of discharge from bankruptcy as notified by the data subject with evidence to the credit reference agency, whichever is earlier. In the event any amount in an account is written off due to a bankruptcy order being made against the data subject, the account repayment data may be retained by the credit reference agency, regardless of whether the account repayment data reveal any default of payment lasting in excess of 60 days, until expiry of 5 years from the date of final settlement of the amount in default or expiry of 5 years from the date of discharge from bankruptcy as notified by the data subject with evidence to the credit reference agency, whichever is earlier.
18. We may obtain a credit report on or access the database of the data subject from a credit reference agency in considering any application for credit or conducting credit reviews from time to time. In the event the data subject wishes to access the credit report, we will advise the contact details of the relevant credit reference agency. We may obtain a credit report on or access the database of the data subject from a credit reference agency in considering any application for credit or conducting credit reviews from time to time. In the event the data subject wishes to access the credit report, we will advise the contact details of the relevant credit reference agency.
19. Data of a data subject may be processed, kept, transferred or disclosed in and to any country as the Bank or any person who has obtained such data from the Bank referred to in clause 5 above considers appropriate. Such data may also be processed, kept, transferred or disclosed in accordance with the local practices and laws, rules and regulations (including any governmental acts and orders) in such country. Data of a data subject may be processed, kept, transferred or disclosed in and to any country as the Bank or any person who has obtained such data from the Bank referred to in clause 5 above considers appropriate. Such data may also be processed, kept, transferred or disclosed in accordance with the local practices and laws, rules and regulations (including any governmental acts and orders) in such country.
20. In accordance with the PDPO, we may charge a reasonable fee for the processing of any data access request. Nothing in this Policy shall limit the rights of data subjects under the PDPO. We will need enough information from the data subjects in order to ascertain their identities as well as the nature of their requests, so as to be able to deal with the requests.
21. Any data access request, correction of data request and / or request for information regarding our privacy policies and practices and kinds of data held should be addressed to our Data Protection Officer at:

The Data Protection Officer,
ICICI Bank Limited, Hong Kong Branch,
Unit 1504B – 1506, Level 15, International Commerce Centre,
1 Austin Road West, Kowloon, Hong Kong,
Tele: +852 22342600 Fax: +852 22347613


22. In case of discrepancies between the English and Chinese versions of this Policy, the English version shall prevail.




August 2022

ICICI Bank Limited, Hong Kong Branch