CORPORATE CARD DATA PROTECTION NOTICE – HONG KONG
1. Your personal data
Your personal data (such as data that identifies you or can be used to identify you, for example your name, date of birth and contact details) is protected by the Hong Kong Personal Data (Privacy) Ordinance (PDPO). This Data Protection Notice explains how Bank of America, National Association – Hong Kong Branch (“we” or “us”), collect, use and disclose personal data online and offline in connection with your personal data. This includes personal data we obtain from you, your employer or other parties, as well as information about your use of the account and our Global Card Access desktop and mobile application, your card and any transactions made with your card (including the date and amount of such transactions) and our communications with you.
From time to time, it is necessary for you to supply us with personal data in connection with the issue or use of credit cards and the establishment or continuation of banking or credit facilities or provision of related banking or financial services or compliance with applicable laws and regulations. Failure to supply such personal data may result in us being unable to approve the issuing or use of credit cards or continue banking or credit facilities or provide related banking/financial services or comply with applicable laws or regulations.
2. How we use your personal data
We will collect, use or disclose your personal data:
• to administer your card and account and provide online and offline services to you (including our Global Card Access desktop and mobile application);
• to facilitate transactions;
• to comply with the rules of any relevant card scheme;
• to carry out, monitor and analyze our business;
• as part of the sale, merger or similar change of our or any Bank of America Corporation business;
• to detect, prevent and investigate fraud and to protect the security of your card accounts, including “know your customer”, anti-money laundering, conflict and other necessary onboarding and ongoing client checks, due diligence and verification, and anti-corruption and bribery or anti-terrorism activities;
• to comply with any applicable laws, rules or regulations in any country, and to comply with other legal process and law enforcement requirements;
• as otherwise permitted by applicable law, with your explicit consent or authorization.
In collecting, using or disclosing your personal data, we may transfer it outside Hong Kong to other countries, including countries which may not have equivalent data protection laws to those in Hong Kong. We are responsible for making sure that any such transfer is made in compliance with the PDPO.
3. Recipients of your personal data
We may disclose your personal data (including details of your transactions) to the following parties for the purposes set out in (2) above:
• any person or company working for us (including professional service organizations such as legal, audit and accounting service providers, technology and data processing companies and IT hosting providers);
• any of our group companies, offices or branches;
• your employer or any group company of your employer;
• any person or company that provides products or services to you or your employer in connection with your card or account (including but not limited to Mastercard);
• any person to whom we transfer or may transfer any of our rights or duties under the agreement we have with your employer;
• any payment system under which we issue your card or account; and
• any institution, court, agency or authority (including law enforcement authorities) to whom we are required to disclose it by law including, without limitation, anti-terrorism and anti-money laundering laws and regulations, and for the purpose of fighting crime and terrorism.
If you have given false or inaccurate information or we suspect fraud we will record this and may pass this information to fraud prevention and law enforcement agencies.
If any payment in relation to the account is processed through a worldwide payment system, information about you may be passed to certain authorities (including authorities outside Hong Kong) in order to detect and prevent terrorism.
4. Collection of other information
“Other Information” is any information that does not reveal a person’s specific identity or does not directly relate to an identifiable individual, such as:
• Browser and device information
• App usage data
• Information collected through cookies, pixel tags and other technologies
• Demographic information and other information provided by you that does not reveal a person’s specific identity
• Information that has been aggregated in such a manner that it no longer reveals a person’s specific identity
• Survey responses and similar information that reveals views and preferences, but which does not reveal a person’s specific identity.
If we are required to treat Other Information as Personal Data under applicable law, we may use and disclose it for the purposes for which we use and disclose Personal Data as detailed in this Data Protection Notice. We and our service providers may collect Other Information in a variety of ways, including:
• Through a browser or device: Certain information is collected by most browsers or automatically through devices, such as a Media Access Control (MAC) address, computer type (Windows or Mac), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version and the name and version of the Services (such as the App) being used. We use this information to ensure that the Services function properly.
• Using cookies: Cookies are pieces of information stored directly on the computer being used. Cookies allow us to collect information such as browser type, time spent on the Services, pages visited, language preferences, and other anonymous traffic data. We and our service providers use the information for security purposes, to facilitate navigation, to display information more effectively, and to personalize the user’s experience. We also gather statistical information about use of the Services in order to continually improve their design and functionality, understand how they are used and assist us with resolving questions regarding them. We do not currently respond to browser do-not-track signals.
Most browsers allow individuals to automatically decline cookies or be given the choice of declining or accepting a particular cookie (or cookies) from a particular website. Please refer to www.allaboutcookies.org/manage-cookies/index.html for more information. Declining cookies may cause certain parts of the Services to cease working.
• Using pixel tags and other similar technologies: Pixel tags (also known as web beacons and clear GIFs) may be used to, among other things, track the actions of users of the Services (including email recipients), measure the success of our marketing campaigns and compile statistics about usage of the Services and response rates.
• We may use Flash LSOs and other technologies to, among other things, collect and store information about your use of the Services. If you do not want Flash LSOs stored on your computer, you can adjust the settings of your Flash player to block Flash LSO storage using the tools contained in the Website Storage Settings Panel, which can be found by going to www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html. You can also go to the Global Storage Settings Panel at www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html and follow the instructions (which may explain, for example, how to delete existing Flash LSOs (referred to as “information”), how to prevent Flash LSOs from being placed on your computer without your being asked, and how to block Flash LSOs that are not being delivered by the operator of the page you are on at the time). Please note that setting the Flash Player to restrict or limit acceptance of Flash LSOs may reduce or impede the functionality of some Flash applications.
• IP Address: An IP address is automatically assigned to a computer by an Internet Service Provider. An IP address may be identified and logged automatically in our server log files whenever a user accesses the Services, along with the time of the visit and the page(s) that were visited. Collecting IP addresses is standard practice and is done automatically by many websites, applications and other services. We use IP addresses for purposes such as calculating usage levels, diagnosing server problems and administering the Services. We may also derive approximate location from IP address.
Uses and Disclosures of Other Information
We may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. In some instances, we may combine Other Information with Personal Data. If we do, we will treat the combined information as Personal Data as long as it is combined.
5. Whether we will transfer personal data internationally
Personal Data may be stored and processed in any country where we have facilities or in which we engage service providers, including the United States. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access Personal Data.
By providing us with your Personal Data, you recognize and understand that we may collect, use, transfer, or disclose your Personal Data to the third parties and for the purposes identified in this Data Protection Notice to reasonably provide you with the Services. If you do not provide us with the Personal Data described in this Data Protection Notice, we may no longer be able to provide you with the Services and your receipt of such Services may promptly be discontinued.
6. How long we will keep your personal data
We will retain Personal Data for as long as needed in accordance with our retention schedules or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with our client and provide the Services; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
7. Your rights in respect of your personal data
You have certain rights under the PDPO, including the right to check whether we hold personal data about you, the right to request access to personal data we hold about you, the right to request correction of such personal data, and the right to ascertain our policies and practices in relation to personal data. We will respond to your request consistent with applicable law.
To exercise your rights under the PDPO, including to request access to your personal data, please email Global Card Services at firstname.lastname@example.org. The requested data shall be provided free of charge within the limit of one request per year. We have the right to charge a reasonable fee for the processing of any additional data access request.
In your request, please make clear what Personal Data you would like to have changed, whether you would like to have the Personal Data suppressed from our database or otherwise let us know what limitations you would like to put on our use of the Personal Data. For your protection, we may only implement requests with respect to the Personal Data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.
Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion. There may also be residual information that will remain within our databases and other records, which will not be removed, due to other legal obligations.
8. Updates to this data protection notice
We may change this Data Protection Notice from time to time. The “LAST UPDATED” legend at the top of this Data Protection Notice indicates when this Data Protection Notice was last revised. Any changes will become effective when we post the revised Data Protection Notice. Use of the Services following these changes (or your continued provision of Personal Data to us) signifies acceptance of the revised Data Protection Notice.
If you have any questions about this Data Protection Notice, you may contact us at email@example.com. To help us to manage your query, please include your full name and corporate card number.
DPN Hong Kong (v6) January 2021