Data Privacy Message

CORPORATE CARD DATA PROTECTION NOTICE – SINGAPORE

1. Your personal data

Your personal data (such as information that identifies you or can be used to identify you, for example your name, date of birth and contact details) is protected by the Singapore Personal Data Protection Act 2012 (the PDPA). This Data Protection Notice explains how Bank of America, National Association - Singapore Branch (“we” or “us”), collect, use and disclose personal data online and offline in connection with your personal data. This includes personal data we obtain from you, your employer or other parties, as well as information about your use of the account and our Global Card Access desktop and mobile application, your card and any transactions made with your card (including the date and amount of such transactions) and our communications with you.

2. How we use your personal data

We will collect, use or disclose your personal data:

• to administer your card and account and provide online and offline services to you;
• to facilitate transactions;
• to comply with the rules of any relevant card scheme;
• to carry out, monitor and analyze our business;
• as part of the sale, merger or similar change of our or any Bank of America Corporation business;
• to detect, prevent and investigate fraud and to protect the security of your card accounts, including “know your customer”, anti-money laundering, conflict and other necessary onboarding and ongoing client checks, due diligence and verification, and anti-corruption and bribery or anti-terrorism activities;
• to comply with any applicable laws, rules or regulations in any country, and to comply with other legal process and law enforcement requirements; and
• as otherwise permitted by applicable law, with your explicit consent or authorization.

In collecting, using or disclosing your personal data, we may transfer it outside Singapore to other countries. We are responsible for making sure that any such transfer is made in compliance with the PDPA.

3. Recipients of your personal data

We may disclose your personal data (including details of your transactions) to:

• any person or company working for us (including professional service organizations such as legal, audit and accounting service providers, technology and data processing companies and IT hosting providers);
• any of our group companies, offices or branches;
• your employer or any group company of your employer;
• any person or company that provides products or services to you or your employer in connection your card or account (including but not limited to Mastercard);
• any person to whom we transfer or may transfer any of our rights or duties under the agreement we have with your employer;
• any payment system under which we issue your card or account; and
• any institution, court, agency or authority (including law enforcement authorities) to whom we are required to disclose it by law including, without limitation, anti-terrorism and anti-money laundering laws and regulations, and for the purpose of fighting crime and terrorism.

If you have given false or inaccurate information or we suspect fraud we will record this and may pass this information to fraud prevention and law enforcement agencies.

If any payment in relation to the account is processed through a worldwide payment system, information about you may be passed to certain authorities (including authorities outside Singapore) in order to detect and prevent terrorism.

4. Collection of other information

“Other Information” is any information that does not reveal a person’s specific identity or does not directly relate to an identifiable individual, such as:

• Browser and device information
• App usage data
• Information collected through cookies, pixel tags and other technologies
• Demographic information and other information provided by you that does not reveal a person’s specific identity
• Information that has been aggregated in a manner that it no longer reveals a person’s specific identity
• Survey responses and similar information that reveals views and preferences, but which does not reveal a person’s specific identity.

If we are required to treat Other Information as Personal Data under applicable law, we may use and disclose it for the purposes for which we use and disclose Personal Data as detailed in this Data Protection Notice.

We and our service providers may collect Other Information in a variety of ways, including:

• Through a browser or device: Certain information is collected by most browsers or automatically through devices, such as a Media Access Control (MAC) address, computer type (Windows or Mac), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version and the name and version of the Services (such as the App) being used. We use this information to ensure that the Services function properly.
• Using cookies: Cookies are pieces of information stored directly on the computer being used. Cookies allow us to collect information such as browser type, time spent on the Services, pages visited, language preferences, and other anonymous traffic data. We and our service providers use the information for security purposes, to facilitate navigation, to display information more effectively, and to personalize the user’s experience. We also gather statistical information about use of the Services in order to continually improve their design and functionality, understand how they are used and assist us with resolving questions regarding them. We do not currently respond to browser do-not track signals.
  Most browsers allow individuals to automatically decline cookies or be given the choice of declining or accepting a particular cookie (or cookies) from a particular website. Please refer to www.allaboutcookies.org/manage-cookies/index.html for more information. Declining cookies may cause certain parts of the Services to cease working.
• Using pixel tags and other similar technologies: Pixel tags (also known as web beacons and clear GIFs) may be used to, among other things, track the actions of users of the Services (including email recipients), measure the success of our marketing campaigns and compile statistics about usage of the Services and response rates.
• Analytics: We may use Google Analytics, which uses cookies and similar technologies to collect and analyze information about use of the Services and report on activities and trends. This service may also collect information regarding the use of other websites, apps and online resources. You can learn about Google’s practices by going to www.google.com/policies/privacy/partners.
• We may use Flash LSOs and other technologies to, among other things, collect and store information about your use of the Services. If you do not want Flash LSOs stored on your computer, you can adjust the settings of your Flash player to block Flash LSO storage using the tools contained in the Website Storage Settings Panel, which can be found by going to www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html. You can also go to the Global Storage Settings Panel at www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html and follow the instructions (which may explain, for example, how to delete existing Flash LSOs (referred to as “information”), how to prevent Flash LSOs from being placed on your computer without your being asked, and how to block Flash LSOs that are not being delivered by the operator of the page you are on at the time). Please note that setting the Flash Player to restrict or limit acceptance of Flash LSOs may reduce or impede the functionality of some Flash applications.
• IP Address: An IP address is automatically assigned to a computer by an Internet Service Provider. An IP address may be identified and logged automatically in our server log files whenever a user accesses the Services, along with the time of the visit and the page(s) that were visited. Collecting IP addresses is standard practice and is done automatically by many websites, applications and other services. We use IP addresses for purposes such as calculating usage levels, diagnosing server problems and administering the Services. We may also derive approximate location from IP address.

Uses and Disclosures of Other Information

We may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. In some instances, we may combine Other Information with Personal Data. If we do, we will treat the combined information as Personal Data as long as it is combined.

5. Whether we will transfer personal data internationally

Personal Data may be stored and processed in any country where we have facilities or in which we engage service providers, including the United States. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access Personal Data.

For transfers from Singapore to countries not considered adequate, we have put in place adequate measures, such as standard contractual clauses to protect Personal Data. Transfers may also be made pursuant to contracts in your interest or at your request. By providing us with your Personal Data, you recognize and understand that we may collect, use, transfer, or disclose your Personal Data to the third parties and for the purposes identified in this Data Protection Notice to reasonably provide you with the Services. If you do not provide us with the Personal Data described in this Data Protection Notice, we may no longer be able to provide you with the Services and your receipt of such Services may promptly be discontinued.

6. How long we will keep your personal data

We will retain Personal Data for as long as needed in accordance with our retention schedules or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with our client and provide the Services; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

7. Your rights in respect of your personal data

You have certain rights under the PDPA, including the right to access, update or correct the personal data we hold about you or withdraw your consent to the use, collection and disclosure of your personal data (subject to certain exceptions). If you wish to access, update or correct your personal data or withdraw your consent to the use, collection and disclosure of your personal data in accordance with this Data Protection Notice, please email Global Card Services at asiacardsupport@bofa.com. The requested information shall be provided free of charge within the limit of one request per year.

For your protection, we may only implement requests with respect to the personal information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.

Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion. There may also be residual information that will remain within our databases and other records, which will not be removed, due to other legal obligations.

Please note that if you withdraw consent, we may still be permitted to hold, use or disclose some of your information as required or permitted by law. Additionally, upon your withdrawal of such consent, we will immediately terminate your card.

8. Updates to this data protection notice

We may change this Data Protection Notice, from time to time. The “LAST UPDATED” legend at the top of this Data Protection Notice indicates when this Data Protection Notice was last revised. Any changes will become effective when we post the revised Data Protection Notice. Use of the Services following these changes (or your continued provision of Personal Data to us) signifies acceptance of the revised Data Protection Notice.

If you have any questions about this Data Protection Notice, you may contact our Data Protection Officer on connect.dpo@bofa.com. To help us to manage your query, please include your full name and corporate card number.

DPN Singapore (v6) January 2021