1. INTRODUCTION
- This Statement is adopted as the Privacy Policy Statement (“Statement”) of CREDI AI Limited (“CREDI AI”). The purpose of this Statement is to establish the policies and practices of CREDI AI’s commitment to protect the privacy of personal data of its customer and to act in compliance with all the requirements under the Personal Data (Privacy) Ordinance (the “Ordinance”) and implementation of the guidelines thereon issued by the Licensed Money Lenders Association relating to the Ordinance. CREDI AI will use its best endeavours to adhere to the Ordinance and the relevant governing principles and guidelines in relation thereto and will ensure compliance by our staff with the policies and practices set out in this Statement and the requirements under the Ordinance and the relevant guidelines in relation thereto.
2. PURPOSES OF THE PERSONAL DATA HELD
- From time to time, it is necessary for customers to supply CREDI AI with personal data in connection with the opening and/or continuation of loan accounts, the establishment and/or continuation of credit facilities, and/or provision of other financial services.
- Failure to supply such personal data may result in CREDI AI being unable to open or continue loan accounts, or establish or continue credit facilities, or provide other financial services to customers.
- It is also the case that personal data are collected from customers in the ordinary course of business of CREDI AI, for example, when customers communicate verbally or in writing with CREDI AI, by means of documentation or CREDI AI’s telephone recording system (as the case may be).
- The purposes for which customers’ personal data may be used are as follows:
- the daily operation of loan accounts, credit facilities and other financial services provided to customers;
- conducting credit checks upon an application for credit and when regular or special reviews are conducted from time to time;
- creating and maintaining CREDI AI’s credit scoring models;
- assisting other money lenders and/or financial institutions to conduct credit checks and collect debts;
- ensuring ongoing credit worthiness of customers;
- designing financial services or related products for customers’ use;
- determining amounts owed to or by customers;
- collection of amounts outstanding from customers;
- complying with the obligations, requirements or arrangements for disclosing and using data that apply to CREDI AI or that it is expected to comply according to: any law binding or applicable to it within or outside Hong Kong Special Administrative Region (“Hong Kong”) existing currently or in the future; any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently or in the future; and any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on CREDI AI by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;
- complying with any obligations, requirements, policies, procedure, measures or arrangements for sharing data and information within any of the subsidiaries, holding companies, associated companies or affiliates of CREDI AI (the “CREDI AI Limited “) and/or any other use of data and information in accordance with any Group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
- enabling an actual or proposed assignee of CREDI AI, or participant or sub-participant of CREDI AI’s rights in respect of customers to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;
- marketing financial services or products of CREDI AI; and
- other purposes relating to each of the above.
The purposes listed in paragraphs (a) to (k) (inclusive) and any purposes related thereto are “obligatory” purposes, meaning that customers must permit CREDI AI to use their personal data for these purposes if they wish to use CREDI AI’s services. The purposes listed in paragraph (l) and any purposes related thereto are “voluntary” purposes, meaning that customers have a choice whether CREDI AI can use their data for these purposes and if a customer does not want CREDI AI to use his/her personal data for those purposes, he/she can tell CREDI AI and CREDI AI will not use his/her personal data for those purposes.
3. CLASSES OF POSSIBLE TRANSFEREES OF THE PERSONAL DATA
Personal data held by CREDI AI relating to a customer will be kept confidential but CREDI AI may provide such data to the following parties (whether within or outside Hong Kong) for the purposes set out in paragraph 2.4 (all obligatory purposes except paragraph 2.4(12)):
- any agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment or other services to CREDI AI in connection with the operation of its business;
- any other person under a duty of confidentiality to CREDI AI including a member of the CREDI AI Group Companies which has undertaken to keep such information confidential;
- any person with the express prescribed consent of customers;
- credit reference agencies, and, in the event of default, debt collection agencies;
- any person to whom CREDI AI is under an obligation or otherwise required to make disclosure under the requirements of any law binding on or applying to CREDI AI, or any disclosure under and for the purposes of any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers with which CREDI AI is expected to comply, or any disclosure pursuant to any contractual or other commitment of CREDI AI with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers, all of which may be within or outside of Hong Kong and may be existing currently or in the future;
- as a voluntary purpose, selected persons for use in direct marketing;
- external service providers (including but not limited to mailing houses, telecommunication companies and information technology companies) that CREDI AI engages for the purpose set out in paragraph 4(l) above; and
- any actual or proposed assignee of CREDI AI or participant or sub-participant or transferee of CREDI AI’s rights in respect of the customers.
4. SECURITY OF PERSONAL DATA
It is the policy of CREDI AI to ensure an appropriate level of protection for personal data in full compliance with the requirements under the Ordinance, particularly Data Protection Principle 4 under the Ordinance in order to prevent unauthorized access, processing or other use of that data, commensurate with the sensitivity of the data and the harm that would be caused by unauthorized access to that data. It is the practice of CREDI AI to achieve appropriate levels of security protection by restricting physical access to data by providing secure storage facilities, and incorporating security measures into equipment in which data is held. Measures are taken to ensure the integrity, prudence, and competence of persons having access to personal data. Data is only transmitted by secured means.
5. ACCURACY OF PERSONAL DATA
It is the policy of CREDI AI to ensure accuracy of all personal data collected and processed by CREDI AI in full compliance with the requirements under the Ordinance, particularly Data Protection Principle 2 under the Ordinance. Appropriate procedures are implemented to provide for all personal data to be regularly checked and updated to ensure that it is accurate having regard to the purposes for which that data are or are to be used. In so far as personal data held by CREDI AI consists of statements of opinion, all reasonably practicable steps are taken to ensure that any facts cited in support of such statements of opinion are correct.
6. COLLECTION OF PERSONAL DATA
- In the course of collecting personal data, CREDI AI will provide the individuals concerned with a Personal Information Collection Statement informing them of, amongst other things, the proposed purposes of collection, proposed classes of persons to whom the data may be transferred, their rights to access and correct the data, and other relevant information.
- In relation to the collection of personal data on-line, the following practices are adopted:
- On-line Security
- CREDI AI will follow strict standards of security and confidentiality to protect any information provided to CREDI AI online. Encryption technology is employed for sensitive data transmission on the Internet to protect individuals’ privacy.
- Cookies
- Cookies are small pieces of data transmitted from a web server to a web browser. Cookie data is stored on a local hard drive such that the web server can later read back the cookie data from a web browser. This is useful for allowing a website to maintain information on a particular user. Cookies are designed to be read only by the website that provides them. Cookies cannot be used to obtain data from a user’s hard drive, get a user’s e-mail address or gather a user’s sensitive information.
- CREDI AI will only use cookies as a session identifier and will not store user’s sensitive information in cookies. Once a session is established, all the communications will use the cookies to identify a user. The cookies will expire once the session is closed. If users try to disable cookies from their web browsers, they may not be able to access CREDI AI’s Internet and other financial services.
- On-line Correction
- Personal data provided to CREDI AI through an on-line facility, once submitted, may not be facilitated to be deleted, corrected or updated on-line. If deletion, correction and update are not allowed online, users should approach relevant departments or branches of CREDI AI.
- On-line Retention
- Personal data collected on-line will be transferred to CREDI AI’s relevant departments or branches for processing. Personal data will not be retained in web server’s database of CREDI AI.
- On-line Security
7. HYPERLINK POLICY
- The availability of hyperlinks or connection to other sites / addresses at CREDI AI’s Website does not mean or imply any authentication, verification, representation, approval or endorsement by CREDI AI of such hyperlinks, connection, or the identity or information relating to such sites / addresses.
- CREDI AI expressly disclaims any responsibility for such hyperlinks, connection, the contents, availability, accuracy or omission of information at other sites/addresses linked to or found on the sites/addresses that link to or from CREDI AI’s Website.
- All hyperlinks or connection to other sites, addresses or resources are accessed and used at customers’ own risks.
8. DATA ACCESS REQUESTS AND DATA CORRECTION REQUESTS
- It is the policy of CREDI AI to comply with and process all data access and correction requests in accordance with the provisions of the Ordinance, and for all staff concerned to be familiar with the requirements for assisting individuals to make such requests.
- CREDI AI may, subject to the Ordinance, impose a moderate fee for complying with a data access request. If a person making a data access request requires an additional copy of the personal data that CREDI AI has previously supplied pursuant to an earlier data access request, CREDI AI may charge a fee to cover the full administrative and other costs incurred in supplying that additional copy.
- Data access and correction requests to CREDI AI may be addressed to the Data Protection Officer (“DPO”) or other person as specifically advised.
9. DATA RETENTION
It is the policy of CREDI AI to take all practical steps to ensure that personal data are not kept longer than is necessary for the fulfilment of the purposes (including any directly related purposes) for which the data are or are to be used.
10. DIRECT MARKETING
It is the policy of CREDI AI to ensure that it strictly follows the requirements under the Ordinance and the relevant guidelines in relation thereto when collecting or using personal data for direct marketing purposes. CREDI AI will not use personal data for direct marketing purpose without the prescribed consent of the relevant customers.
11. COMPLIANCE WITH THE ORDINANCE
Apart from the above specifically mentioned points, CREDI AI will fully comply with all requirements under the Ordinance and the relevant guidelines in relation thereto regarding the collection, handing, or use of personal data of its customers.
The following are maintained by CREDI AI to ensure compliance with the Ordinance and the relevant guidelines in relation thereto:
- A Log Book as provided for in section 27 of the Ordinance;
- Internal policies and guidelines on compliance with the Ordinance and the relevant guidelines in relation thereto for use by and guidance to staff of CREDI AI.
12. APPOINTMENT OF DATA PROTECTION OFFICER
- To co-ordinate and oversee compliance with the Ordinance and the relevant guidelines in relation thereto, and the personal data protection policies of CREDI AI, a DPO has been appointed by CREDI AI.
- 12.2 The contact details of the DPO are as follows:
CREDI AI Limited