Online Applications
Trade Finance
Personal Loan
Credit Cards
Chong Hing Securities
Form Download
Service Charges
CH Securities
Apply Now
Privacy Policy Statement

Privacy Policy Statement

1. Interpretation
  In this Policy Statement, unless the context otherwise requires:
  "HKSAR" refers to "Hong Kong Special Administrative Region of the People's Republic of China"
  "Bank" refers to "Chong Hing Bank Limited"
  "DPO" refers to the Bank's "Data Protection Officer"
  "PCPD" refers to "Privacy Commissioner for Personal Data"
  "HKMA" refers to "Hong Kong Monetary Authority"
  "HKAB" refers to "Hong Kong Association of Banks"
  "Staff" refers to all the employees of the Bank
  "PICS" refers to the Bank's "Personal Information Collection Statement" as may be varied or updated from time to time, which is available at the Bank's branches and website
  "Ordinance" refers to the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong)
  "Other Relevant Rules and Guidelines" include those stipulated by Office of the Privacy Commissioner for Personal Data, the HKMA and the HKAB from time to time
2. Introduction
2.1 This Policy Statement provides information on the policies of the Bank under the Ordinance and Other Relevant Rules and Guidelines. The Bank applies, where practicable, those principles and processes set out herein to its operations. This Policy Statement will be taken into consideration by the Bank when formulating all data protection measures and initiatives. For the avoidance of doubt, this Policy Statement only sets out the Bank's policy on personal data privacy in relation to the operation of its Hong Kong branches and subsidiaries.
3. Company Corporate Policy in relation to Data Protection Strategy
3.1 The Bank respects personal data, and strives for protection of personal data privacy, confidentiality and security, and compliance with the provisions of the Ordinance and Other Relevant Rules and Guidelines.
3.2 Proper and adequate control measures are in place to protect the personal data of individuals and other persons, and its Staff members are timely reminded of the importance of protecting personal data. The data security policies are persistently communicated to the Staff and promoted within the Bank on an on-going basis.
3.3 The Bank employs good practice in all business processes and operational procedures to protect personal data privacy of individuals and other persons by minimising data protection risk. The Bank endeavours to meet the reasonable expectations of integrity, security and fairness in the collection and use of personal information.
3.4 The Bank's management takes the lead to inculcate the Staff through effective communication and due reinforcement with the importance of personal data privacy and shares work norms which emphasise compliance with requirements under the Ordinance and Other Relevant Rules and Guidelines.
3.5 Where the individual legitimately requests access to or correction of his or her personal data held by the Bank, the Bank provides or corrects that data in accordance with the time and manner in compliance with the requirements under the Ordinance.
3.6 The Bank will not provide personal data of individuals and other persons to third parties for direct marketing or other unrelated purposes for monetary gains without consent of individuals and other persons or otherwise in breach of the Ordinance.
4. Appointment of Data Protection Officer
4.1 The Bank appoints DPO to oversee the compliance with the Ordinance, Other Relevant Rules and Guidelines and personal data protection policies of the Bank.
4.2 The contact details of the DPO are as follows:
  Address : G. P. O. Box 2535, Hong Kong
  Telephone : (852) 3768 6888
  Facsimile : (852) 3768 1688
  Email :
5. Kinds of Personal Data Held by the Bank
5.1 There are mainly two broad categories of personal data held in the Bank. They are personal data related to customers and employment of the Bank.
5.2 Personal data held by the Bank regarding customers, which are necessary for customers to supply to the Bank from time to time for the purposes stated in Section 7 of this Policy Statement, may include but not limited to the following:
  (a) name and address, occupation, contact details, date of birth and nationality of customers, and their identity card and / or passport numbers and place and date of issue thereof;
  (b) current employer, position and personal income of customers;
  (c) details of all assets and wealth held by customers;
  (d) information obtained by the Bank in the ordinary course of the continuation of the business relationship;
  (e) information as to credit standing provided by a referee, credit reference agency, or debt collection agency in connection with a request to collect a debt due from any customer to the Bank; and
  (f) personal information in the public domain.
5.3 Personal data relating to employment held by the Bank may include but not limited to the following:
  (a) name, address, contact details, date of birth, nationality, resumes, qualifications and working experience of Staff and potential employees, and their identity card and / or passport numbers and place and date of issue thereof;
  (b) additional information compiled about potential employees to assess their suitability for a job in the course of the recruitment selection process which may include references obtained from their current or former employers or other sources;
  (c) additional information compiled about Staff which may include records of remuneration and benefits paid to Staff, records of job positions, job particulars, transfer and training, records of medical checks, sick leave and other medical claims, group medical insurance records, mandatory provident schemes participation, disciplinary matters and performance appraisal reports of Staff;
  (d) relevant personal data pertaining to former employees for the Bank to fulfill its obligations to the former employees and its legal obligations under certain ordinances; and
  (e) personal information in the public domain.
5.4 The Bank may hold other kinds of personal data which it needs in the light of specific nature of its business.
6. Collection of Personal Data
6.1 The Bank only collects necessary, adequate but not excessive personal data, and collection of personal data is in lawful and fair manner. Individuals and other persons shall supply data in connection with the opening or continuation of operation of accounts, and / or the establishment or continuation of provision of banking facilities and / or the provision of banking, financial services (which is defined as including but not limited to credit card, fiduciary, securities and / or investment services) and / or insurance services. If individuals and other persons do not supply data, the Bank may not be able to provide / continue providing services to them.
6.2 In the course of collecting personal data, the Bank provides the individual concerned with PICS informing him or her of the purposes of collection, consequences of failure to supply his / her personal data, classes of persons to whom the data may be transferred, his or her right to access and correct the data, direct marketing policy and a response channel, contact person for requesting access or correction and other relevant information.
6.3 Save for the purposes for the opening or continuation of accounts, or provision of banking services, the Bank will not collect personal data from minors (particularly those who are incapable of making an informed decision) without prior consent from a person with parental responsibility or guardianship for the minors.
6.4 Prior to collecting and obtaining any personal data from public domain, the Bank will observe the original purposes of making the personal data available in the public domain and the restrictions (if any and if they have reasonably come to the Bank's notice) imposed by the original data users on further users.
6.5 In relation to the collection of personal data online, the following practices are adopted:
  (a) The Bank follows adequate standards of security and confidentiality to protect any information provided to the Bank online by customers. Encryption technology is employed for sensitive data transmission on the Internet to protect personal data privacy.
  (b) The Bank uses cookies on the Bank's website in order to enable the Bank to evaluate and improve its website by tracking how users navigate through the website. A cookie is a small file that can be placed on users' computer hard disk. Users are not obliged to turn on "Cookies" of their browser for the website, and users can disable "Cookies" by changing the setting of web browser. When users visit the Bank's website, the Bank's server will record their data such as IP address together with the date, time and duration of visit. The Bank uses the information obtained to compile statistical data on the use of the Bank's website, but such information is used on an anonymous and aggregated basis, and users cannot be identified from the compiled data. The cookies will expire once the session is closed. The information collected will not be disclosed to classes of entities other than those provided in Section 8 of this Policy Statement.
6.6 In relation to personal data relating to employment, the Bank only collects personal data for purposes stated in Section 7 of this Policy Statement.
6.7 Closed Circuit Television ("CCTV") cameras are positioned in the vicinity of ATM machine and inside the area of branches of the Bank for security and safety purposes with CCTV recording system in operation. Conspicuous notices are posted inside these areas to notify persons the purposes of personal data collection.
6.8 The Bank endeavours to ensure that its Staff abide by "Code of Conduct for Employees" all the times in the use and confidentiality of information during their employment or after their cessation of employment.
7. Purposes of Using Personal Data
7.1 The Bank intends to use the personal data collected from a customer and / or an individual for the purposes including:
  (a) processing applications for banking and financial services;
  (b) daily operation of banking and financial services;
  (c) regular credit checks and debt collection;
  (d) marketing services, products and other programmes; and
  (e) compliance with any requirements for disclosure and use of data that are applicable to the Bank, any of its holding company, subsidiary of any such holding company, controller of the Bank, its subsidiary companies and any of the Bank's branches.
  For details, please refer to the Bank's PICS available at its website:
7.2 All the information and personal data sent to the Bank via the Bank's website shall remain and be deemed the property of the Bank and shall be free to use by the Bank for any lawful purpose subject to the compliance with the Ordinance.
7.3 The purposes for which personal data relating to Staff members and potential employees may be used by the Bank are as follows:
  (a) Human resources management
  (1) processing employment applications;
  (2) determining the terms and conditions of staff employment;
  (3) considering eligibility for and administration of staff loans and benefits / entitlements;
  (4) providing and maintaining the payroll, compensation and benefits for the Staff and their family members;
  (5) maintaining a database of the Staff's personal data;
  (6) conducting performance management process, promotion, transfer, job rotation, training, demotion, secondment, relocation and termination of employment, wherever applicable;
  (7) considering reorganisation of the Bank, when necessary;
  (8) facilitating communication between the Staff and the Bank; and
  (9) maintaining daily operation of the Bank and any other lawful purposes which are related to the Staff employment with the Bank such as providing employee references and compiling tax returns.
  (b) Compliance with internal rules, statutory and / or legal requirements
  (1) registering Staff members as intermediaries or licences with statutory authorities / institutions;
  (2) conducting credit checks on staff creditworthiness;
  (3) conducting checking as part of the Bank's anti-money laundering and counter terrorist financing controls;
  (4) monitoring connected lending activities;
  (5) conducting surveys and generating data for analysis, statistics and audits; and
  (6) meeting the regulatory requirements applicable to the Bank.
  (c) Any other purposes relating or incidental to any of the above.
8. Disclosure of Personal Data
8.1 Personal data held by the Bank relating to individuals and other persons will be kept confidential but the Bank may provide or transfer such information to the following major classes of persons within and / or outside the HKSAR for any purposes set out in Section 7 above or for other purposes specified in the Bank's PICS:
  (a) the Bank's officers, Staff and / or agents;
  (b) the Bank's agents, contractors or third party service providers;
  (c) credit reference agencies and debt collection agencies;
  (d) local or foreign legal, regulatory, tax, governmental, law enforcement or other authorities; and
  (e) any holding company, subsidiary of any such holding company and controller of the Bank.
  For details, please refer to the Bank's PICS available at its website:
8.2 CCTV is installed and used in the vicinity of ATM machines and inside the area of the branches of the Bank for general security and to monitor any possible wrongful, illegal and / or unlawful activity. CCTV may capture images of individuals and other persons or information relating to such individuals and other persons. Personal data may be collected from the CCTV and may prospectively be used and transferred as per the relevant sub-paragraphs under paragraphs 4 and 5 of the PICS for security, investigation, prevention of and / or enforcement of the Bank's rights in any criminal, unlawful, or other wrongful activities. Personal data collected from the CCTV in the form of recorded images will not be used by the Bank for any direct marketing nor will it be provided to any entity for direct marketing purposes.
8.3 For Staff members and potential employees, the Bank may disclose and transfer their personal data as specified in Section 5.3 within as well as outside the HKSAR, to the individuals and parties including but not limited to the Bank's subsidiaries and associate companies; any other branches, offices or centres of the Bank; the Bank's insurers and bankers; medical practices providing medical cover for the Staff; administrators or managers of the Bank's retirement schemes; any relevant provident fund managers; any agents, contractors, or third party service providers who provide administrative, telecommunications, computer or other services to the Bank in connection with the operation of the Bank's business; persons seeking employee references in respect of Staff with the prescribed consent of the Staff concerned; any actual or proposed purchaser of all or part of the business of the Bank or, in case of any merger, acquisition or other public offering, the purchaser or subscriber for shares in the Bank; third parties in the form of directories of names and office telephone numbers of key officers of the Bank for promotional and administrative purposes; government and other legal or statutory / regulatory bodies; and other companies engaged in contractual activities on the Bank's behalf; for the purposes set out in Section 7.3 of this Policy Statement.
9. Accuracy of Personal Data
9.1 The Bank takes practical steps to ensure that personal data it collects, uses or discloses are accurate, complete and up to date, having regard to the purposes (including any directly related purposes) for which the personal data are or are to be used.
9.2 The Bank mails all correspondence to a customer's latest address in the Bank's record. Customers shall, as soon as practicable, notify the Bank of any change of personal particulars provided to the Bank which may affect the provision of the banking services to them by completing the Bank's standard forms or by other duly signed written instruction.
9.3 In relation to personal data relating to employment, Staff who wish to update their personal data can do so by completing the "Employee Information Update Form" or by accessing to the relevant system in the Bank's intranet.
10. Retention of Personal Data
10.1 The Bank takes practicable steps to ensure that personal data will not be kept longer than necessary for the fulfillment of the purposes (including any directly related purpose) for which the data are or are to be used and the compliance of all applicable statutory and regulatory requirements and contractual obligations. Different retention periods apply to the various kinds of personal data collected and held by the Bank in accordance with internal customer document retention and destruction policy subject to the legal and regulatory requirements.
10.2 Recorded images captured by CCTV described in Section 8.2 above are retained for 90 days and are safely deleted as soon as practicable once the purpose of collection is fulfilled unless (i) notice in writing is received from authority requiring to keep the records for a longer period which are related to an ongoing criminal or other investigation, or to any other purposes as specified in the notice; or (ii) it is necessary or justified for the Bank to keep the recorded images for a longer period for purposes set out in Section 8.2 above.
10.3 The Bank retains the personal data of unsuccessful job applicants for future recruitment purposes for a period of 2 years from the day on which the recruitment period ends, unless there is subsisting and adequate reason that obliges the Bank to retain the data for a longer period.
10.4 For personal data of successful job applicant, the Bank retains their personal data during their employment and after they cease to be employed by the Bank, but such data will be retained for not longer than 7 years after their cessation of employment, unless there is subsisting and adequate reason that obliges the Bank to retain the data for a longer period.
11. Security of Personal Data
11.1 The Bank ensures an appropriate level of protection for personal data in order to prevent unauthorised or accidental access, processing, erasure, loss or other use of that data.
11.2 The Bank restricts physical access to data by providing secure storage facilities, and incorporates security measures into equipment in which data are held with a view to achieving appropriate levels of security protection.
11.3 Computer data are stored on computer systems and storage media to which access is controlled.
11.4 Where the Bank holds, uses and transmits personal data, steps will be taken to protect them from accidental or unauthorised disclosure, change or destruction.
11.5 Recorded images captured by CCTV are kept in safe custody. Hard disks and any devices storing the recorded images are securely protected from unauthorised access and only viewed, retrieved or handled upon proper authorisation for the intended purposes.
11.6 Other security measures of the Bank include:
  (a) educating Staff members as to their obligations with regard to personal information;
  (b) encrypting data transmitted from customers' computer to its systems;
  (c) employing firewalls, intrusion detection systems and virus scanning tools to protect against unauthorised persons and viruses from entering its systems; and
  (d) ensuring security controls in place to protect against unauthorised access to buildings by any person.
12. Data Breach Handling
12.1 The Bank will ensure any material breaches of personal data protection requirements or loss or leakage of customer data are properly handled in a timely manner according to relevant guidelines and reported to the relevant authorities where appropriate.
13. Handling of Personal Data in Debt Collection
13.1 The Bank may use an individual's personal data for recovery of any debts due and owing from the customer who is in default of payment, including transfer of the data of the customer and security providers concerned to debt collectors for debt collection purposes. Such use is directly related to the original purpose of data collection.
13.2 Unless there is a real need to do so, the Bank will not disclose sensitive data including information showing the financial problems of a customer to any third parties.
13.3 The Bank will act according to "Code of Practice on Consumer Credit Data": by contractual means requiring its debt collection agent to follow such conduct as stipulated by the "Code of Banking Practice" in relation to debt collection activities; restricting the kinds of debtor's data that may be disclosed to the agent to identification and location data, the nature of the credit and the amount to be recovered and goods to be repossessed; checking the accuracy of the data before providing it to the agent.
14. Outsourcing Personal Data Processing
14.1 When the Bank engages a data processor, whether within or outside the HKSAR, to process personal data on the Bank's behalf, the Bank adopts contractual or other means with a view to (i) preventing any personal data transferred to the data processor from being kept longer than is necessary for processing of the data; (ii) preventing unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing. Personal data may include specified account information and personal particulars of the customers and individuals depending on the nature of the process.
14.2 The Bank may incorporate additional contractual clauses in the service contract or enter into a separate contract with the data processors. The types of obligations to be imposed on data processors by contract may include the following:
  (a) security measures required to be taken by the data processor to protect the personal data entrusted to it and obligating the data processor to protect the personal data by complying with the data protection principles;
  (b) timely return, destruction or deletion of the personal data when it is no longer required for the purpose for which it is entrusted by the Bank to the data processor;
  (c) prohibition against any use or disclosure of the personal data by the data processor for a purpose other than the purpose for which the personal data is entrusted to it by the Bank;
  (d) absolute prohibition or qualified prohibition on the data processor against sub-contracting the service that it is engaged to provide;
  (e) where sub-contracting is allowed by the Bank, the data processor's agreement with the sub-contractor should impose the same obligations in relation to processing on the sub-contractor as are imposed on the data processor by the Bank; where the sub-contractor fails to fulfill its obligations, the data processor shall remain fully liable to the Bank for the fulfilment of its obligations;
  (f) immediate reporting of any sign of abnormalities or security breaches by the data processor;
  (g) measures required to be taken by the data processor to ensure that its relevant staff members will carry out the security measures and comply with the obligations under the contract regarding the handling of personal data;
  (h) the Bank's right to audit and inspect how the data processor handles and stores personal data; and
  (i) consequences for violation of the contract.
14.3 The Bank may engage non-contractual monitoring and auditing mechanisms to monitor its data processors' compliance with data protection requirements, such as through the adoption of the following measures:
  (a) The Bank will endeavour to select reputable data processors offering sufficient guarantees in respect of the technical competence and organisational measures governing the processing to be carried out, and with a good track record on data protection.
  (b) The Bank shall endeavour to be satisfied that the data processors have robust policies and procedures in place, including adequate training for their staff and effective security measures, to ensure that the personal data in their care are properly safeguarded at all times and are not kept for longer than necessary.
  (c) The Bank shall have the right to audit and inspect how the data processors handle and store personal data, and exercise the right to audit and inspect when warranted.
15. Access and Correction of Personal Data
15.1 Under the terms of the Ordinance, individuals have the right to:
  (a) ascertain whether the Bank holds any personal data relating to them and, if so, obtain copies of such data by means of a data access request;
  (b) require the Bank to correct personal data in its possession which is inaccurate for the purpose for which it is being used by means of a data correction request; and
  (c) ascertain the Bank's policy and practices in relation to personal data, which are those policies set out in their entirety therein.
15.2 The Bank will impose a fee for complying with a data access request. The cost of compliance may vary with the scope and complexity of the data access request in question. Individual can make reference to the Bank's latest "Bank Service Charges Schedule" accessible at its website for the fee in relation to a data access request. The Bank is entitled to refuse to comply with a data access request unless and until the fee imposed has been paid.
15.3 Individuals may exercise their right of access by:
  (a) completing the "Data Access Request Form" (Form OPS003 specified by the PCPD) in Chinese or English; and
  (b) sending the completed form, along with appropriate proof of identity (a copy of the applicant's Hong Kong Identity Card or Passport), and the applicable fee to the DPO of the Bank or any of the Bank's branches.
15.4 The Bank will, upon satisfying itself of the authenticity and validity of the access request, comply with a data access request within 40 calendar days after receiving the request.
15.5 The Bank may withhold personal data under exemption provisions of the Ordinance.
15.6 Staff who wish to access and correct their personal data can complete "Employee Information Update Form" and forward it to Head of Human Resources Department or amend the data through the relevant system in the Bank's intranet.
16. Direct Marketing and Opt-out Requests
16.1 The Bank will use the personal data of an individual or other person in direct marketing but will not do so unless it has received the consent of an individual and other person (which includes an indication of no objection) to the intended use.
16.2 The Bank on the first occasion uses an individual's or other person's personal data for direct marketing by telephone, mail or any means informs the individual or other person that he / she may, on a no charge basis, request the Bank to cease to use his / her personal data in direct marketing. This arrangement is generally described as "direct marketing opt-out".
16.3 An individual or other person may also require the Bank to cease using his or her personal data for direct marketing at any time by filling in the "Instruction on Direct Marketing" available at the Bank's website at or by contacting any of the Bank's branches or Customer Services Hotline at 3768 6888. To make an enquiry about their direct marketing opt-out records, customers may visit any of the Bank's branches or contact the said Customer Services Hotline.
16.4 The Bank accepts an unsubscribe request made from individuals and other persons during person-to-person marketing calls, and will not make person-to-person marketing calls to the individuals and other persons on the unsubscribe list.
16.5 The Bank does not retrieve personal data from public registers for direct marketing.
17. Off-site Marketing Campaign
17.1 The Bank during off-site marketing activities will take practicable steps to ensure the safe storage and secure transmission of the personal data so collected:
  (1) the personal data is not seen by or accessible to irrelevant parties during and after the collection process;
  (2) forms and documents collected ("application documents") will be properly logged;
  (3) the application documents are securely stored in a locked container under the custody of a designated officer;
  (4) adequately security protection is provided by encryption of any such personal data stored in portable storage devices;
  (5) specific precautionary measures are implemented to ensure secure transmission of the application documents to the Bank;
  (6) the Staff are prohibited from bringing home any of the application documents; and
  (7) a designated officer is appointed to oversee security of the application documents.
August 2017