Privacy Statement & Notice

1. OUR COMMITMENT

The Bank of East Asia, Limited, Singapore Branch ("Bank", "we", "us" or "our") is committed to protecting the privacy of personal data and to act in compliance with the provisions of the Personal Data Protection Act ("PDPA") and the guidelines thereon issued by the Association of Banks in Singapore. This Privacy Statement sets out how the Bank may collect, use, process, disclose, share, transfer and/or store your information (including your personal data) when you ("customer", "you" or "your") access the Bank’s web site or use the Bank’s services. By accessing this web site and any of its pages, or using the services provided by the Bank, you are agreeing to the terms set out in this Privacy Statement. If you do not agree to this Privacy Statement, please do not access the Bank’s web site or use the Bank’s services.

This Privacy Statement shall supplement our Accounts and Services Terms and Conditions, our Personal Cyberbanking Terms and Conditions and our Corporate Cyberbanking Terms and Conditions (collectively, the "Terms and Conditions"). If you have agreed to our Terms and Conditions, as the case may be, in the event of inconsistency between such Terms and Conditions and this Privacy Statement, the Terms and Conditions shall prevail.

The Bank wishes to assure you that your privacy is important to us and we respect every individual's right to privacy.

The Bank reserves the right from time to time to amend this Privacy Statement, as it considers appropriate or necessary. Where amendments are made, the Bank will take such steps as it considers appropriate to notify you of the amendments, including by posting the amendments on the Bank’s web site. The amended Privacy Statement will be effective as of the time of posting, or such later date as may be specified in the amended Privacy Statement, and will apply to your access to the Bank’s web site or use of the Bank’s services from that point forward. By accessing the Bank’s web sites and/or using the Bank’s services after such amended Privacy Statement had been notified to you or posted, you agree to be bound by the then-current version of the Privacy Statement. If you do not agree to the amended Privacy Statement, you must stop accessing the Bank’s web sites and/or using the Bank’s services.

2. KINDS OF PERSONAL DATA COLLECTED AND/OR HELD BY THE BANK

2.1 Personal data collected and/or held by the Bank regarding an individual (including the Bank’s customers and customers’ related parties such as the customers’ spouses and children) may include the following:

1. 1. such individual’s name and address, occupation, contact details (including email address and telephone number), date of birth, nationality, photograph, identity card and/or passport numbers and place and date of issue thereof;
   2. such individual’s current employer, nature of position, annual salary and other benefits;
   3. details of properties, assets or investments held by such individual;
   4. details of all other assets or liabilities (actual or contingent) of such individual;
   5. information obtained by the Bank in the ordinary course of the continuation of banking and other financial relationship with such individual (for example, when customers write cheques or deposit money or generally communicate verbally or in writing with the Bank, by means of documentation or telephone recording system, as the case may be);
   6. data collected from third parties, including Bank’s group companies and third party service providers with whom the customer interacts in connection with the marketing of the Branch’s products and services and in connection with the customer’s application for the Bank’s products and services (including receiving personal data from credit reference agencies);
   7. information as to credit standing provided by a referee, credit reference agency or debt collection agency in connection with a request to collect a debt due from such individual to the Bank; and
   8. information which is in the public domain.

3. PURPOSES FOR COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA

3.1 It is necessary for customers to supply the Bank with information (including personal data) in connection with the opening or continuation of accounts and the establishment or continuation of banking facilities or provision of banking and other financial services, including handling requests or complaints relating thereto by the Bank.

3.2 It is also the case that information (including personal data) may be collected from customers in the ordinary course of the continuation of banking and other financial relationship.

3.3 The Bank will also be relying on the legitimate interests exception (as defined in the Personal Data Protection Act) to collect, use and disclose customer’s personal data without consent for the purposes of detecting, investigating and preventing fraud, financial crime and other illegal activities including for the purpose of customer’s identity verification as part of fraud prevention or threats to IT and network security. The purposes described in this clause may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter.

3.4 The purposes for which information (including personal data) relating to a customer may be collected, used or disclosed are as follows:

1. 1. processing and considering applications for products and services and the daily operation of products, services and credit facilities provided to customers which may involve use of automated decision making (ADM) processes and business management of the Bank Group;
   2. conducting credit checks at the time of application for credit and at the time of regular or special reviews which may take place one or more times each year;
   3. creating and maintaining the Bank’s credit scoring models;
   4. assisting other financial institutions to conduct credit checks and collect debts;
   5. ensuring ongoing creditworthiness of customers;
   6. designing financial services or related products for customers’ use;
   7. marketing services, products and other subjects;
   8. verifying the data or information provided by any other customer or a third party;
   9. determining the amounts owed to or by customers;
   10. enforcing customers’ obligations, including but not limited to the collection of amounts outstanding from customers and those providing security for customers’ obligations;
   11. complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Bank or any of its branches or that it is expected to comply according to:
       1. any law binding or applying to it within or outside Singapore existing currently and in the future;
       2. any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self- regulatory or industry bodies or associations of financial services providers within or outside Singapore existing currently and in the future; and
       3. any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Bank or any of its branches by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self regulatory or industry bodies or associations
   12. complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the group of the Bank and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
   13. enabling an actual or proposed assignee of the Bank, or participant or sub-participant of the Bank’s rights in respect of the customer to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;
   14. fulfilling any other purposes for which you had provided the information to the Bank; and
   15. any other incidental purposes relating to or in connection with the above purposes.

3.5 In relation to the use of personal data collected on-line, the following practices are adopted:

1. 1. Any personal data provided by you to the Bank through this web site will be used for the purpose of providing and operating the products and services marketed at this web site and for other related purposes, which may include updating and enhancing the Bank's records, monitoring who is accessing the website or using services offered on the website, understanding your financial needs, conducting credit checks, reviewing creditworthiness and assisting other financial institutions to conduct credit checks, advising you of other financial / insurance / credit card / banking and related products and services, for preventing crime or fraud, meeting the disclosure requirements under any law or regulation binding on the Bank, and planning and monitoring the Bank's business.

3.6 Subject to clause 3.7 below, your personal data will not be disclosed by the Bank to any external party except where the Bank is under either a legal obligation or any other duty to make such disclosure to any other authorised person under the requirements of any laws binding on the BEA group.

3.7 Your personal data may be disclosed to the following parties for the purposes set out in clauses 3.4 and 3.5:

1. 1. other branches or group companies in the BEA group;
   2. any regulatory, supervisory, governmental authority with jurisdiction over any of the group companies of the BEA group;
   3. any agent, contractor or third party service provider, who provides administrative, telecommunications, computer, payment or securities clearing or other services engaged by the Bank in connection with the operation of its business;
   4. any professional adviser or any other person under a duty of confidentiality to the BEA group;
   5. any financial institution with which the Bank has or proposes to have dealings; and
   6. any assignee or transferee of any of the BEA group's rights and/or obligations in relation to you.

3.8 The purposes listed in the above clauses may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under a contract with you).

4. SECURITY OF PERSONAL DATA

4.1 It is the policy of the Bank to ensure an appropriate level of protection for personal data in order to prevent unauthorised or accidental access, processing, erasure, loss or other use of that data, commensurate with the sensitivity of the data and the harm that would be caused by the occurrence of any of the aforesaid events. It is the practice of the Bank to achieve appropriate levels of security protection by restricting physical access to data by providing secure storage facilities, and incorporating security measures into equipment in which data is held. Measures are taken to ensure the integrity, prudence, and competence of persons having access to personal data. Measures may include minimised collection of personal data, authentication and access controls (such as good password practices, need-to-basis for data disclosure, etc.), encryption of data, up-to-date antivirus protection, regular patching of operating system and other software, securely erase storage media in devices before disposal, web security measures against risks, usage of one time password (otp)/2 factor authentication (2fa)/multi-factor authentication (mfa) to secure access, and security review and testing performed regularly. Personal data is only transmitted by secure means to prevent unauthorised or accidental access. If the Bank engages a data processor including cloud service providers (whether within or outside Singapore) to process personal data on the Bank's behalf, the Bank would adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor.

Separately, the Bank will adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data.

4.2 Where personal data is transferred by us to any third parties outside of Singapore, we will ensure that such transfers are compliant with the requirements under the PDPA. In this regard, we will take such necessary measures to ensure that such overseas recipients are bound by legally enforceable obligations to ensure that these overseas recipients provide a standard of protection to the personal data so transferred that is comparable to the protection under the PDPA.

4.3 Kindly be informed that the Bank will never ask you for your login password. It is your responsibility to maintain the secrecy of any of your user ID and login password. You should not knowingly or accidentally share, provide or facilitate unauthorised use of your user ID and/or login password.

5. ACCURACY OF PERSONAL DATA

5.1 It is the policy of the Bank to ensure the accuracy of all personal data collected and processed by the Bank. Appropriate procedures are implemented to provide for all personal data to be regularly checked and updated to ensure that it is reasonably accurate having regard to the purposes for which that data is used. In so far as personal data held by the Bank consists of statements of opinion, all reasonably practicable steps are taken to ensure that any facts cited in support of such statements of opinion are correct.

5.2 As the Bank relies on your personal data to provide products and services to you, you shall ensure that at all times the information provided by you to the Bank is correct, accurate and complete. You shall update the Bank in a timely manner of all changes to the information provided.

6. COLLECTION OF PERSONAL DATA

6.1 When collecting personal data, the Bank will satisfy itself that the purposes for which the data is collected are lawful and directly related to the Bank’s functions or activities. The manner of collection is lawful and fair in the circumstances and the personal data collected is necessary but not excessive for the purposes for which it is collected.

6.2 In the course of collecting personal data, the Bank will provide the individuals concerned with the Bank’s Terms and Conditions and this Privacy Statement on the purpose of collection, classes of persons to whom the data may be transferred, their rights to access and correct the data, and other relevant information.

6.3 Prior to collection of any personal data from the public domain, the Bank will observe the original purposes of making the personal data available in the public domain (such as the purpose of establishing the public register in the enabling legislation) and the restrictions, if any, imposed by the original data users of the public domain on further users.

6.4 In relation to the collection of personal data on-line, the following practices are adopted:

6.5 Use of Cookies, Tags and Web Logs etc.

Cookies are small pieces of data transmitted from a web server to a web browser. Cookie data is stored on a local hard drive such that the web server can later read back the cookie data from a web browser. This allows a website to maintain information on a particular user.

Cookies are designed to be read only by the website that provides them. Cookies cannot be used to obtain data from a user’s hard drive, get a user’s email address or gather a user’s sensitive information.

The Bank uses cookies, tags and web logs to identify users’ web browser for the following purposes:

1. 1. for session management, e.g. to identify you after you have logged in our online services by storing a temporary reference number in the cookie so that our web server can conduct a dialogue with you while simultaneously dealing with other customers. The cookies will expire once the log-on session is closed. The Bank will not store user’s sensitive information in cookies;
   2. to allow you to carry information across pages of our web site;
   3. to allow you access to stored information if you register for any of our on-line services;
   4. to enable us to evaluate the effectiveness of our advertising and promotion effort;
   5. to track general information on our web servers about visitors to helps us:
      1. Manage our web sites;
      2. Diagnose any technical problems; and
      3. Improve the content of our web sites.
   6. No collected information will be transferred to any third party.

Most web browsers are initially set up to accept cookies. Cookies can be chosen to "not accept" by changing the settings on the web browsers but this may disable access to the Bank’s Cyberbanking services and certain features on the Bank’s website will not work properly. The Bank will retain the collected information for as long as is necessary to fulfil the original or directly related purpose for which it was collected and to satisfy any applicable statutory or contractual requirements.

6.6 You may withdraw your consent for telemarketing purposes by using the prescribed form available at our Branch. Your withdrawal of consent for telemarketing purposes to the Bank to cease using your personal data for direct marketing purpose and such opt-out requests are free-of-charge.

6.7 Closed Circuit Television ("CCTV")

The Bank installs CCTV (with recording mode) systems in the bank’s premise primarily for general security purposes to protect the safety of customers and the staff, business assets, intellectual property or other proprietary rights. Access to and use of the CCTV records will be granted to authorised personnel only. The Bank may disclose the CCTV records to third parties including regulatory authorities and law enforcement agencies where it is necessary in order for it to respond to any legal processes or to investigate any incidents or complaints, etc.

Security measures and retention period of the CCTV records shall be in accordance with the Bank’s policies and guidelines.

7. DATA ACCESS REQUESTS AND DATA CORRECTION REQUESTS

7.1 It is the policy of the Bank to comply with and process all data access and correction requests in accordance with the provisions of the PDPA, and for all staff concerned to be familiar with the requirements for assisting individuals to make such requests.

7.2 The Bank may impose a fee for complying with a data access request ("DAR"). The Bank is only allowed to charge a DAR requestor for the costs which are directly related to and necessary for complying with a DAR. If a person making a DAR requires an additional copy of the personal data that the Bank has previously supplied pursuant to an earlier DAR, the Bank may charge a fee to cover the full administrative and other costs incurred in supplying that additional copy. If the Bank does not hold the data requested by the requestor, the Bank is not allowed to charge a fee for complying with the DAR.

7.3 Data access and correction requests to the Bank may be addressed to the Bank’s Data Protection Officer ("DPO") or another person as specifically advised at the contact details as set out below.

7.4 We will respond to your request as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).

8. REQUEST TO WITHDRAW CONSENT

8.1 You may withdraw your consent for the collection, use and/or disclosure of your personal data in our possession or under our control at any time by submitting your request to our DPO or another person as specifically advised by us, at the contact details as set out below.

8.2 We will process your request within a reasonable time from such a request for withdrawal of consent being made, and will thereafter refrain from collecting, using and/or disclosing your personal data in the manner stated in your request. In general, we shall seek to process your request within thirty (30) business days of receiving it.

8.3 Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclose without consent is permitted or required under applicable laws.

9. RETENTION OF PERSONAL DATA

9.1 The Bank takes all practicable steps to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose for which such data is or is to be used, unless required or permitted to retain such personal data by law, after closure of account, termination of service or cessation of employment.

9.2 If the Bank engages a data processor including cloud service providers (whether within or outside Singapore) to process personal data on the Bank’s behalf, the Bank would adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data.

Important:

If you wish to comment or have any queries regarding this Privacy Statement, contact us:

By writing to our address:

Data Protection Officer

The Bank of East Asia, Limited

60 Robinson Road, BEA Building,

Singapore 068892

By Email:

BEASIN_DPO@hkbea.com.sg