Privacy Citi.com
Policy Statement relating to the Personal Data (Privacy) Ordinance (the "Ordinance")

It is the corporate policy of each of Citibank, N.A. Hong Kong Branch, Citibank (Hong Kong) Limited, Citicorp International Limited and Diners Club International (Hong Kong) Ltd. (each a "Citi Entity") to respect and safeguard the privacy of an individual’s personal data. Compliance with the Ordinance is not only the responsibility of the management but also direct responsibility of every employee of each Citi Entity. This policy statement stipulates clearly (1) our purposes of data collection, (2) the important controls employed by each Citi Entity for protection of personal data, (3) the classes of persons we can transfer personal data to, and (4) the data access and correction right of customers, guarantors and security providers (each a "Data Subject").

  1. From time to time, it is necessary for a Data Subject to supply a Citi Entity with personal data ("data") in connection with the opening or continuation of accounts and / or the establishment or continuation of banking / credit facilities or provision of banking / financial services.

  2. Failure to supply such data may result in the relevant Citi Entity being unable to open or continue accounts or establish or continue banking / credit facilities or provide banking / financial services to the Data Subject.

  3. It is also the case that data are collected from a Data Subject in the ordinary course of the continuation of the banking / financial relationship, for example, when a Data Subject writes cheques, transfers funds, deposits money, effects transactions through cards or discusses / arranges banking / credit facilities for himself / herself or for any third party.

  4. The purpose for which data relating to a Data Subject may be used by a Citi Entity or any person who has obtained such data from the relevant Citi Entity are as follows:-

    1. the daily operation of the services and credit / financial facilities provided to the Data Subject or any third party when the Data Subject is a guarantor or security provider for such facilities;

    2. conducting credit checks and carrying out matching procedures (as defined in the Ordinance);

    3. assisting other financial institutions to conduct credit checks and collect debts;

    4. ensuring ongoing credit worthiness of a Data Subject;

    5. designing credit / financial services or related products for a Data Subject’s use;

    6. marketing services or products of the Citi Entity and / or such selected persons;

    7. determining the amount of indebtedness owed to or by a Data Subject;

    8. collection of amounts outstanding from a Data Subject;

    9. meeting the requirements to make disclosure under the requirements of any law binding on the relevant Citi Entity or its group company or under and for the purposes of any guidelines issued by regulatory or other authorities with which the relevant Citi Entity or its group company is expected to comply;

    10. enabling an actual or proposed assignee of the relevant Citi Entity or participant or sub-participant of the relevant Citi Entity’s rights in respect of the Data Subject to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;

    11. comparing data of the Data Subject or other persons for credit checking, data verification or otherwise producing or verifying data, whether or not for the purpose of taking adverse action against the Data Subject;

    12. maintaining a credit history of the Data Subject (whether or not there exists any relationship between the Data Subject and the relevant Citi Entity or the recipient of the data) for present and future reference; and

    13. purpose relating thereto.

  1. Data held by a Citi Entity relating to a Data Subject will be kept confidential. Physical records and properly locked and computer data are stored in a mainframe system located within a restricted area. Access to these records / data are prohibited unless with authorization or password. The information security system of each Citi Entity has the following features:-

  1. The records of the Citi Entity are under the control of assigned information officers who are responsible to ensure the transfer of or access to information is legitimate and is in compliance with the Ordinance;

  2. Access authorization to records or data is granted on a need to know basis and is subject to periodic review by the management;

  3. Proper audit trails are produced to validate any data modification for data integrity;

  4. There is a violation logging process for investigation of any unauthorized attempt to access information;

  5. Encryption technology is employed for sensitive records;

  6. Confidential information that is no longer required will be destroyed in accordance with the internal retention period.

  1. Data held by a Citi Entity relating to a Data Subject will be kept confidential but it may provide such information to:-

  1. any agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment, debt collection or securities clearing or other services to it in connection with the operation of its business;

  2. any of the branches, subsidiaries, holding company, associated company or affiliates of or companies controlled by or under common control with Citibank, N.A., Citibank (Hong Kong) Limited, Citicorp International Limited and Diners Club International (Hong Kong) Limited or the company operating the relevant Citi Entity;

  3. any other person or entity under a duty of confidentiality to it including its group company which has undertaken to keep such information confidential;

  4. the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;

  5. credit reference agencies, and, in the event of default, to debt collection agencies;

  6. any person or entity to whom the relevant Citi Entity or its group company is under an obligation to make disclosure under the requirements of any law binding on the relevant Citi Entity or its group company or under and for the purposes of any guidelines issued by regulatory or other authorities with which the relevant Citi Entity or its group company is expected to comply;

  7. any financial institution and charge or credit card issuing companies with which the Data Subject has or proposes to have dealings;

  8. any other person or entity (including its associated companies or affiliates) who has established or proposes to establish any business relationship with it or recipient of the data;

  9. any actual or proposed assignee of the relevant Citi Entity or participant or sub-participant or transferee of the rights of the relevant Citi Entity in respect of the Data Subject or all or any part of the assets or business of the relevant Citi Entity; and

  10. any party giving or proposing to give a guarantee or third party security to guarantee or secure the Data Subject’s obligations.

  11. selected companies for the purpose of informing Data Subjects of services which the Citi Entity believes will be of interest to Data Subjects.

  1. For the purpose of (f)(v) above, the Citi Entity shall access and obtain from the credit reference agencies such personal and account information or records of the Data Subject held by a credit reference agency in accordance with the Ordinance. Without prejudice to the foregoing, the Citi Entity may from time to time access the personal and account information or records of the Data Subject held by a credit reference agency for reviewing any of the following matters in relation to the existing credit facilities granted to the Data Subject or to a third party which obligations are guaranteed by the Data Subject:

  1. an increase in the credit amount;

  2. the curtailing of credit (including the cancellation of credit or a decrease in the credit amount); or

  3. the putting in place or the implementation of a scheme of arrangement with the Data Subject or the third party.
  1. In the event of any default by the Data Subject in any of his / her repayment to a Citi Entity, unless the amount in default is fully repaid before the expiry of 60 days from the date such default occurred, otherwise the Data Subject shall be liable to have his / her account data retained by the credit reference agency until the expiry of 5 years from the date of final settlement of the amount in default.
  1. Under and in accordance with the terms of the Ordinance and the Code of Practice on Consumer Credit Data approved and issued under the Ordinance, any individual has the right:-

  1. to check whether a Citi Entity holds data about him / her and access to such data;

  2. to require a Citi Entity to correct any data relating to him / her which is inaccurate;

  3. to ascertain policies and practices in relation to data and to be informed of the kind of personal data held by the relevant Citi Entity;

  4. in relation to consumer credit, to request to be informed which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and be provided with further information to enable the making of an access and correction request to the relevant credit reference agency of debt collection agency;

  5. where the credit facility applied for does not involve a residential mortgage loan, upon termination of the account, instruct the Citi Entity to request the credit reference agencies to delete from their database any account data relating to his / her terminated account provided the account has been settled by full payment and there has not been, within 5 years immediately before account termination, any material default on the account. In the event the account has had a default of payment lasting in excess of 60 days the data may be retained by the credit reference agency until the expiry of five years from the date of final settlement of the amount in default or five years from the date of discharge from a bankruptcy as notified to the Citi Entity, whichever is earlier.

  1. Data of a Data Subject may be processed, kept and transferred or disclosed in and to any country as the Citi Entity or any person who has obtained such data from Citi Entity referred to in (f) above considers appropriate. Such data may also be released or disclosed in accordance with the local practices and laws, rules and regulations (including any governmental acts and orders) in such country.

  1. In accordance with the terms of the Ordinance, a Citi Entity has the right to charge a reasonable fee for the processing of any data access request.

  1. In respect of each Citi Entity, requests for access to data or correction of data or for information regarding policies and practices and kinds of data held are to be addressed as follows:

The Data Protection Officer
Citibank, N.A., Hong Kong Branch
33/F Citibank Tower
Citibank Plaza
3 Garden Road
Central, Hong Kong

 

The Data Protection Officer
Citibank (Hong Kong) Limited
8/F Dorset House
Taikoo Place
979 King's Road
Quarry Bay, Hong Kong


The Data Protection Officer
Diners Club International (Hong Kong) Limited
8/F Dorset House
Taikoo Place
979 King's Road
Quarry Bay, Hong Kong


The Data Protection Officer
Citicorp International Limited
33/F Citibank Tower
Citibank Plaza
3 Garden Road
Central, Hong Kong
 

  1. Nothing in this Policy Statement shall limit the rights of Data Subjects under the Ordinance.

  1. You may, at any time, choose not to receive our promotional materials. Please let us know in writing in case of such a request.
Jun 2007