|
Introduction
ICBC Standard Bank Plc respects your privacy and is committed to protecting your personal data.
This Privacy Notice will inform you as to how we look after your personal data in accordance with applicable law, including the UK General Data Protection Regulation (GDPR); the Data Protection Act 2018; and the Singapore Personal Data Protection Act 2012 (PDPA). It also informs you of your privacy rights and how the laws protect you.
1. Important information about us
Purpose of this Privacy Notice
This Privacy Notice aims to give you information on how we collect and process the personal data of individuals outside our organisation with whom we interact, including visitors to our websites, individuals from our corporate customers, third parties, professional advisers and associates, and other recipients of our services. It also informs you of your privacy rights and how the law protects you and how you can contact us for further information or make a complaint.
Controller
We are a "Data Controller" which means that we are responsible for deciding how we collect and use Personal Data.
All references to "ICBC Standard Bank", “ICBCS” or "we", "us" and "our" are references to ICBC Standard Bank Plc, and/or any entity controlled, directly or indirectly, by it (each an "ICBC Standard Bank Group" member).
Contact details
We have appointed a data protection officer to oversee compliance with this Notice. If you have any questions about this Notice or how we handle your personal data, please contact the Data Protection Officer (dataprotectionofficer@icbcstandard.com).
You have the right to make a complaint at any time to the relevant data protection regulator, however we would appreciate the chance to deal with your concerns before you approach the regulators , so please contact us in the first instance.
Changes to the Privacy Notice and your duty to inform us of changes
We reserve the right to update this Notice at any time. We may also notify you in other ways from time to time about the processing of your personal data, such as in specific product documentation and online.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
2. Processing your personal data
Relevant Individuals
We collect personal data about the following individuals outside our organisation with whom we interact:
· Visitors to our websites and all authorised users of our websites (our “Sites”);
· Employees, contractors and consultants of our clients and third-parties;
· Legal representatives, professional advisers and associates and other individuals authorised to act on behalf of our clients and third-parties;
· Individual directors, company secretaries or other equivalent individual office holders and beneficial owners;
· Guarantors; and
· Individuals associated with the directors, beneficial owners and guarantors.
The above individuals are collectively referred to as “you” throughout this Notice.
How we Collect your personal data
We collect Personal Data about you, subject to applicable law, from a variety of sources as follows:
· Direct interaction: We obtain your Personal Data when you provide it to us (e.g. where you contact us via email or telephone, or by any other means). We collect your Personal Data in the ordinary course of our relationship with you (e.g., in the course of managing your relationship with us and in the execution of transactions with us);
· Third parties or publicly available sources: We receive your Personal Data from third parties who provide it to us (e.g. your employer; our clients; credit reference agencies; law enforcement authorities; etc.) and relevant publicly available sources; or
· Website interaction: We collect or obtain Personal Data when you visit any of our Sites or use any features or resources available on or through a Site (e.g. online identifiers and certain technical data, some of which may constitute Personal Data).
The data we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
· Identity Data: given name(s); preferred name; gender; date of birth / age; marital status; Social Security Number; Passport number(s); other Government(s) issued numbers (tax identification number, Driving Licence number); nationality; images of Passports; images of Driving Licences; images of signatures; and photograph and visual images; plus, details relevant to business meetings and travel (e.g. frequent flyer details, dietary requirements);
· Family Data: names and contact details of family members and dependents, including passport numbers;
· Contact Data: address; telephone number; fax number and email address;
· Employment Data: industry; role; business activities; work address; work telephone number; work fax number; work email address;
· Financial Data: bank account numbers; annual income and asset balances, accountholder name and details; instruction records; transaction details; and counterparty details; and
· Profile and Technical Data: communication records by voice, email, chat, videoconference tools from your interactions with us. Device type and IDs, operating system, browser type, browser settings, IP address, authentication data (passwords, challenge/response questions and answers, PINs), language settings, dates and times of connecting to a Site.
Sensitive Personal Data and Criminal Offense Data
We do not seek to collect or otherwise Process your Sensitive Personal Data, except where:
· the Processing is necessary for compliance with a legal obligation (e.g. to comply with know your client (KYC) obligations);
· the Processing is necessary for the detection or prevention of crime (including the prevention of fraud) to the extent permitted by applicable law;
· the Processing is necessary for the establishment, exercise or defence of legal rights;
· We have, in accordance with applicable law, obtained your prior explicit consent prior to Processing your Sensitive Personal Data (as above, this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way); or
· Processing is necessary for reasons of substantial public interest and occurs on the basis of an applicable law that is proportionate to the aim pursued and provides for suitable and specific measures to safeguard your fundamental rights and interests.
We only process Criminal Offences Data to the extent required or permitted by applicable law. This will usually be where such processing is necessary to carry out our legal obligations for the purpose of detecting and protecting against fraud.
Purposes for which we will use your personal data
Below is a summary of all the ways in which we may use your personal data, and on which of the legal bases we rely on. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
| Purpose / Activity |
Type of Data |
Legal basis for processing |
| On-boarding and compliance with our internal compliance requirements, policies and procedures. This includes AML/KYC checks; confirming and verifying your identity (including by using credit reference agencies); and screening against government or law enforcement agency sanctions lists as well as internal sanctions lists and other legal restrictions. |
· Identity · Family · Contact · Employment · Financial |
· The Processing is necessary for compliance with a legal obligation; or · The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us; or · The Processing is based on consent for individuals based in Singapore. |
| Provision of products and services to you or receipt of services from you: administering relationships and related services; performance of tasks necessary for the provision of the requested services; communicating with you in relation to provided or received from you. |
· Identity · Contact · Employment · Financial |
· The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us; or · We have a legitimate interest in carrying out the Processing for the purpose of providing services to you or receiving services from you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · The Processing is based on consent for individuals based in Singapore. |
| Operation of our Sites: operation and management of our Sites; providing content to you; and communicating and interacting with you via our Sites. |
· Identity · Contact · Employment · Profile and Technical |
· The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us; or · We have a legitimate interest in carrying out the Processing for the purpose of providing services to you or receiving services from you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · The Processing is based on consent for individuals based in Singapore. |
| Management of our IT operations, including our systems and applications; communications systems; and IT security controls (including login records and access details, where you access our electronic systems). |
· Identity · Contact · Employment · Profile and Technical |
· The Processing is necessary for compliance with a legal obligation; or · We have a legitimate interest in carrying out the Processing for the purpose of providing services to you or receiving services from you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · The Processing is based on consent for individuals based in Singapore. |
| Financial management: sales; finance; corporate audit; and vendor management. |
· Identity · Contact · Employment · Financial |
· The Processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us; or · We have a legitimate interest in carrying out the Processing for the purpose of providing services to you or receiving services from you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · The Processing is based on consent for individuals based in Singapore. |
| Management of physical security of our premises (including records of visits to our premises and CCTV recordings) |
· Identity · Contact · Employment · Profile and Technical |
· The Processing is necessary for compliance with a legal obligation; or · We have a legitimate interest in carrying out the Processing for the purpose of providing services to you or receiving services from you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · The Processing is based on consent for individuals based in Singapore. |
| Investigations: detecting, investigating and preventing breaches of our internal policies, and criminal offences, in accordance with applicable law. |
· Identity · Family · Contact · Employment · Financial · Profile and Technical |
· The Processing is necessary for compliance with a legal obligation; or · We have a legitimate interest in carrying out the Processing for the purpose of providing services to you or receiving services from you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · The Processing is based on consent for individuals based in Singapore. |
| Legal proceedings: establishing, exercising and defending legal rights. |
· Identity · Family · Contact · Employment · Financial · Profile and Technical |
· The Processing is necessary for compliance with a legal obligation; or · We have a legitimate interest in carrying out the Processing for the purpose of providing services to you or receiving services from you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · The Processing is based on consent for individuals based in Singapore. |
| Fraud prevention: Detecting, preventing and investigating fraud. |
· Identity · Family · Contact · Employment · Financial · Profile and Technical |
· The Processing is necessary for compliance with a legal obligation; or · We have a legitimate interest in carrying out the Processing for the purpose of providing services to you or receiving services from you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · The Processing is based on consent for individuals based in Singapore. |
3. Disclosures of your personal data
Where necessary we may disclose your Personal Data to other entities within the ICBC Standard Bank, for legitimate business purposes (including providing services to you and operating our Sites), in accordance with applicable law. In addition, we may disclose your Personal Data to:
· Our suppliers, our agents, market participants, exchanges and other financial institutions. Where your personal data needs to be shared we will undertake due diligence, monitoring and assurance activities to ensure that the information is appropriately protected, and contractual clauses have been agreed between the parties to ensure that data protection and confidentiality is maintained;
· Governmental, legal, tax and regulatory, or similar authorities, ombudsmen, and central and/or local government agencies, upon request or where required, including for the purposes of reporting any actual or suspected breach of applicable law or regulation;
· Accountants, auditors, financial and tax advisors, lawyers, notaries and other outside professional advisors to ICBC Standard Bank, in accordance with applicable law;
· Any relevant party, claimant, complainant, enquirer, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal rights in accordance with applicable law.
As we operate a global business, the recipients referred to above may be located outside the jurisdiction in which you are located.
We take steps to ensure that third-parties and other entities in the group have the appropriate technical and organisational measures in place to protect your personal data in line with our policies which are aligned with EU and UK laws on data protection. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
4. International Transfers
We may transfer the personal data we collect about you between our ICBC Standard Bank offices in the following countries: UK, China, Singapore and the US.
We may also transfer personal data internationally where required for other processing activities set out in the table above where this processing is performed by our third parties, for example to perform due diligence purposes; or to regulators (including self-regulatory organisations), exchanges or trading venues.
Where we transfer your Personal Data to other countries, we will ensure that appropriate safeguards are provided in order to ensure that the data transfers are subject to an adequate level of protection and remain lawful. These safeguards will include:
· Recognition by the United Kingdom or European Commission’s adequacy decisions; or
· Use of contractual terms approved by the United Kingdom or Singapore data protection authorities; or
· other valid transfer mechanisms.
If you want to receive more information about the safeguards applied to international transfers of personal data, please use the contact details provided in this Notice.
5. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have implemented procedures to deal with any suspected personal data breaches and will notify you and any applicable regulator of a breach where we are legally required to do so.
You are responsible for ensuring that any Personal Data that you send to us is sent securely.
6. Data accuracy
We take reasonable steps designed to ensure that:
· your Personal Data that we Process is accurate and, where necessary, kept up to date; and
· any of your Personal Data that we Process that is inaccurate (having regard to the purposes for which it is being Processed) is erased or rectified without delay
From time to time we may ask you to confirm the accuracy of your Personal Data, however please also keep us informed if your personal data changes during your relationship with us.
7. Data minimisation
We take reasonable steps designed to ensure that your Personal Data that we Process is limited to the Personal Data reasonably required in connection with the purposes set out in this Notice.
8. Data retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes for which it is collected, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
We will retain your personal data whilst you have an ongoing relationship with us and also following the cessation of your relationship with us for a period of time which depends on the type of personal data and the purposes for which it was being processed as set out in this Notice.
After your relationship with us has ceased we will only retain your personal data to:
· Maintain business records for analysis and/or audit purposes (for a period of time required under law);
· Comply with record retention requirements under the law (for example, as required under legislation concerning the prevention, detection and investigation of money laundering and terrorist financing);
· Defend or bring any existing or potential legal claims; or
· Deal with any future complaints regarding the services we delivered to you.
The retention period is often linked to the amount of time available to bring a legal claim, which in some jurisdictions can for example be six years following closure of our account with us. Where your data is retained we will continue to ensure your privacy is protected.
9. Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, including:
· the right to request access to, or copies of, your Personal Data that we Process or control, together with information regarding the nature, processing and disclosure of those Personal Data;
· the right to request rectification of any inaccuracies in your Personal Data that we Process or control;
· the right to request, on legitimate grounds: erasure of your Personal Data that we Process or control; or restriction of Processing of your Personal Data that we Process or control;
· the right to object, to the Processing of your Personal Data by us or on our behalf;
· the right to have your Personal Data that we Process or control transferred to another Controller, to the extent applicable;
· where we Process your Personal Data on the basis of your consent, the right to withdraw that consent; and
· the right to lodge complaints with a Data Protection Authority regarding the Processing of your Personal Data by us or on our behalf.
This does not affect your statutory rights.
To exercise one or more of these rights, or to ask a question about these rights or any other provision of this Notice, or about our Processing of your Personal Data, please use the contact details provided in the Notice.
10. Your obligation to provide personal data
You are not required by law to provide us with your personal data. However, if you refuse to do so we may not be able conduct further business with you and/or the clients or third parties with whom you are associated. For example, in order to satisfy our anti-money laundering obligations, we have to verify the identity of relevant individuals pertaining to your clients and third parties.
11. Cookies
A cookie is a small file that is placed on your device when you visit a website (including our Sites). Cookies record information about your device, your browser and, in some cases, your preferences and browsing habits. We may Process your Personal Data through cookie technology, in accordance with our cookie statement which is available on our website.
12. Glossary
| Compliance with a legal obligation |
Lawful basis: means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to. |
| Consent |
Lawful basis: means processing personal data based on obtaining consent from individuals (deemed or explicit), either directly from the individuals or via contractual representations from organisations that such direct consent has been obtained. |
| Controller |
The entity that decides how and why Personal Data is Processed. In many jurisdictions, the Controller has primary responsibility for complying with applicable data protection laws. |
| Data Protection Authority |
An independent public authority that is legally tasked with overseeing compliance with applicable data protection laws. |
| Legitimate Interest |
Lawful basis: means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us |
| Necessary in connection with any contract |
Lawful basis: means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. |
| Personal Data |
Information that is about any individual, or from which any individual is identifiable1. |
| Process or Processed or Processing |
Anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Processor |
Any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller). |
| Sensitive Personal Data |
Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, or any other information that may be deemed to be sensitive under applicable law. |
| Criminal Offences Data |
Personal Data about any actual or alleged criminal offences or penalties. |
|
