Sumitomo Mitsui Finance and Leasing (Hong Kong) Limited

Privacy Policy Statement of Sumitomo Mitsui Finance and Leasing (Hong Kong) Limited (“SMFL”)

1.COMMITMENT TO PROTECTING PERSONAL DATA PRIVACY

1.1
The purpose of this Privacy Policy Statement is to set out the policies and practices of SMFL’s commitment to protecting the privacy of personal data in accordance with the data protection principles and other provisions of the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong, the “Ordinance”).
1.2
SMFL may collect, use and transfer personal data (as defined in the Ordinance) in accordance with the purposes set out in the relevant notices relating to the Personal Data (Privacy) Ordinance or other purposes as specified by SMFL in writing for which such personal data is collected. SMFL will ensure that the personal data is only used and transferred in accordance with such purposes as notified upon collection, unless consent is obtained from the individual (including any of the customers, employees or other individuals) concerned (the “Data Subject”) or such use or transfer is otherwise permitted by laws.

2.KINDS OF PERSONAL DATA HELD BY SMFL

2.1

There are three broad categories of personal data held in SMFL. They are personal data contained in: (i) customer records; (ii) personnel records; and (iii) records of other individuals (other than customer records and personnel records).

2.2

Customer records include records containing information provided by customers (including prospective customers) (in the context of this Privacy Policy Statement, including all or any of the customers’ and prospective customers’ signers, directors, shareholders, officers and managers or individual beneficial owners) and collected in connection with the opening or continuation of accounts, the provision or continuation of finance lease, installment transaction and/or other business permitted by laws and regulations (collectively, the “Finance Services”) or in the ordinary course of the continuation of relationship with the customers (for example, when customers write cheques or generally communicate verbally or in writing with SMFL, by means of documentation or telephone recording system, as the case may be). Personal data contained in the customer records may include the following:

(a)
personal particulars (e.g. name, address, occupation, contact details, date of birth, nationality and/or identity card and/or passport details);
(b)
employment details (e.g. current employer, position, nature of position and/or salary);
(c)
details about financial needs (e.g. investments, risk profile, investment objectives, investment experience, properties and/or assets);
(d)
financial details (e.g. income, expenses, liabilities and/or credit history);
(e)
images of documentation, data in digital or other format and/or voice recordings of conversations captured in telephone recording system;
(f)
specimen signatures;
(g)
banking information (e.g. account numbers and banking transactions); and
(h)
tax and insurance information.
2.3

Personnel records include records containing information provided by or compiled about the employees (including family members of the employees, potential employees and former employees of SMFL, as applicable) relating to employment applications, employment, health data, human resources management and/or monitoring or security control of any facility, equipment or system. Personal data in the personnel records may include the following:

(a)
personal particulars (e.g. name, address, contact details, date of birth, nationality and/or identity card and/or passport details);
(b)
references obtained from current or former employers or other sources;
(c)
records of remuneration and benefits, job postings, transfer and training, employee surveys, medical checks, leave, medical claims, performance appraisal reports and/or disciplinary records;
(d)
conduct related information (including but not limited to (i) breach of legal or regulatory requirements; (ii) incidents which cast doubt on the employee’s honesty and integrity; (iii) misconduct reports filed with regulators; (iv) internal or external disciplinary actions arising from conduct matters; and (v) ongoing internal investigations);
(e)
relevant health and vaccination status (including but not limited to relevant vaccination proof and related records, proof of medical exemption for relevant vaccination, particular test requirements and results, and relevant infection records), travel histories, quarantine requirements, relevant location information and other relevant close contact information;
(f)
biometric data (e.g. facial images or otherwise), or data in digital or other format;
(g)
provident fund schemes participation; and
(h)
tax and insurance information.
2.4

Records of other individuals (other than customer records and personnel records) include records containing information provided by (i) any of SMFL’s group companies (as defined in paragraph 3.1(h) below) and (ii) suppliers, contractors, sub-contractors, agents, professional advisors, third party service providers, business partners, landlords, tenants, visitors and other contractual counterparties of SMFL and any SMFL’s group companies (including the employees and other representatives of the abovementioned parties (as applicable)) in connection with the provision of supplies or services to support SMFL’s or any SMFL’s group company’s business, operations and office administration, and the provision of operational, administrative and/or other service support by SMFL or any SMFL’s group company in the course of business collaboration amongst SMFL and/or SMFL’s group companies. Personal data contained in the records of other individuals (other than customer records and personnel records) may include the following:

(a)
personal particulars (e.g. name, address, contact details and/or identity card and/or passport details);
(b)
employment details (e.g. employer, position and nature of position);
(c)
education and professional qualifications and other information required by SMFL to satisfy the requirements under applicable laws, rules, regulations, policies, codes, circulars, directives, guidelines, guidance and other similar documents;
(d)
relevant health and vaccination status (including but not limited to relevant vaccination proof and related records, proof of medical exemption for relevant vaccination, particular test requirements and results, and relevant infection records), travel histories, quarantine requirements, relevant location information and other relevant close contact information;
(e)
records of access to SMFL’s premises, computers and/or system servers; and
(f)
other operational and administrative records that contain personal data.
2.5
In addition to the above, SMFL may also collect and hold other kinds of personal data which it needs in the light of experience and the specific nature of its business.

3.MAIN PURPOSES OF KEEPING PERSONAL DATA

3.1

The purposes for which personal data held in the customer records may be collected and used are as follows:

(a)
considering and processing applications for the Finance Services and the daily operation of such Finance Services provided to customers/data subjects;
(b)
conducting credit checks at the time of application of credit and at the time of regular or special reviews which normally will take place one or more times each year;
(c)
creating and maintaining SMFL’s credit scoring models;
(d)
assisting other financial institutions or credit reference agencies to conduct credit checks and collect debts;
(e)
ensuring ongoing credit worthiness of customers/data subjects;
(f)
arranging for insurance coverage relevant to the Finance Services provided to customers/data subjects;
(g)
designing or improving the Finance Services for customers/data subjects’ use;
(h)
marketing and/or providing the Finance Services or other services or products of SMFL, SMFL’s holding company and/or its subsidiaries or associated companies or affiliates (each “SMFL’s group company” and collectively, “SMFL’s group companies”), third party financial institutions and/or selected companies (in respect of which SMFL may or may not be remunerated);
(i)
determining the amount of indebtedness owed to or by customers;
(j)
collection of amounts outstanding from customers and those providing security for customer’s obligations;
(k)

complying with the obligations, requirements or arrangements for disclosing and using data that apply to SMFL and/or any SMFL’s group company or that it is expected to comply according to:

(1)
any laws, rules or regulations binding or applying to it within or outside the Hong Kong Special Administrative Region (“Hong Kong”) existing currently and in the future (including without limitation, the Inland Revenue Ordinance and its provisions including those concerning automatic exchange of financial account information);
(2)
any policies, codes, circulars, directives, guidelines, guidance or other similar documents given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently and in the future (including without limitation, guidelines or guidance given or issued by the Inland Revenue Department including those concerning automatic exchange of financial account information);
(3)
any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on SMFL and/or any SMFL’s group company by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;
(l)
enabling any actual or proposed participant or sub-participant in, or assignee, novatee or transferee of any of SMFL’s rights and/or obligations in relation to the customer/data subject, to evaluate the proposed transaction;
(m)
complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information among SMFL and SMFL’s group companies and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
(n)
monitoring for quality or security control and/or for compliance with legal, regulatory and professional standards; and
(o)
all other incidental and associated purposes relating to the above.
3.2

The purposes for which personal data held in the personnel records may be collected and used are as follows:

(a)
daily operation of SMFL;
(b)
processing employment applications and assessing performance and suitability of continuance in employment;
(c)
determining and reviewing salaries, bonuses, compensation and other benefits;
(d)
consideration for promotion, training, staff development, job posting (including but not limited to secondment or transfer) and better employees engagement;
(e)
arranging staff training, and administering and processing employee training records and results;
(f)
global budget and expenses management, planning and development of business and operational strategies;
(g)
consideration of eligibility for and administration of staff loans, compensation, awards and other benefits and entitlements;
(h)
administering payroll, allowances, reimbursements, insurance, provident fund scheme, tax returns, leave applications and other benefits;
(i)
providing employment references and for background screening;
(j)
user identification or verification of any facilities, equipment and/or systems provided by SMFL and/or any SMFL group company (including but not limited to remote access system);
(k)
safeguarding health of employees, occupants and visitors at SMFL’s office during pandemic or where necessary, deploying epidemic prevention and control measures in the workplace and making suitable business and operational arrangements;
(l)
monitoring for quality or security control and/or for compliance with legal, regulatory and professional standards and the internal policies, procedures and rules of SMFL;
(m)
detecting and/or investigating breaches of any relevant law or regulation;
(n)
complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information among SMFL and SMFL’s group companies and/or any other use of data and information in accordance with any group-wide programmes for compliance with any relevant laws and regulations and/or for enhancing employees engagement;
(o)
the purposes as referred to in paragraphs 3.1(k) and 3.1(m) above; and
(p)
all other incidental and associated purposes relating to the above.
3.3

The purposes for which personal data held in the records of other individuals (other than customer records and personnel records) may be collected and used are as follows:

(a)
establishing or maintaining business relationship with SMFL or any SMFL’s group company;
(b)
receiving supplies or services from or by SMFL or any SMFL’s group company;
(c)
providing supplies or services (including SMFL’s premises, equipment, computers and/or system servers, supporting facilities, operational and/or administrative arrangements (for example, during disasters recovery and business contingency planning and drill)) to any SMFL’s group companies;
(d)
assessing, engaging, managing, monitoring and evaluating the suppliers, contractors, sub-contractors, agents, professional advisors, third party service providers, insurers, business partners and/or other contractual parties;
(e)
managing, monitoring and assessing the landlord and tenant relationship and/or the licensor and licensee relationship with the relevant parties;
(f)
arranging for insurance coverage relevant to the services, facilities or premises provided in accordance with the service agreements, engagement, collaboration, operational and administrative arrangements concerned;
(g)
facilitating SMFL’s daily operation, administration, security and access controls;
(h)
safeguarding health of employees, occupants and visitors at SMFL’s office during pandemic or where necessary, deploying epidemic prevention and control measures in the workplace and making suitable business and operational arrangements;
(i)
conducting any action to meet SMFL’s obligations or those of SMFL’s group companies to comply with any regulatory requests from the authorities;
(j)
complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information among SMFL and SMFL’s group companies and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
(k)
the purposes as referred to in paragraphs 3.1(k) and 3.1(m) above; and
(l)
all other incidental and associated purposes relating to the above.
3.4
Other kinds of personal data are collected and kept by SMFL for various purposes in accordance with the relevant terms and conditions, and/or other relevant agreements which govern the relationship between the individual concerned and SMFL.

4.SECURITY OF PERSONAL DATA AND OUTSOURCING ARRANGEMENTS

4.1
It is the policy of SMFL to ensure an appropriate level of protection for personal data in order to prevent unauthorized or accidental access, processing, erasure, use or transfer of such data.
4.2
If SMFL engages a data processor (whether within or outside Hong Kong) to process personal data on SMFL’s behalf, SMFL will adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss, use or transfer of the personal data transferred to the data processor for processing.

5.DISCLOSURE AND SHARING OF PERSONAL DATA

5.1
Personal data held by SMFL will be kept confidential, but SMFL may provide such information to any SMFL’s group companies or to third parties, whether within or outside Hong Kong, for the purposes set out in paragraph 3 above.
5.2

The third parties with whom SMFL may share personal data is mainly divided into four broad categories:

(a)
third parties related to the Finance Services, including but not limited to suppliers, manufacturers, repurchasers, guarantors, insurance companies and other entities;
(b)

third parties related to SMFL:

(1)
SMFL’s group companies;
(2)
parties related to SMFL’s business activities, including but not limited to law firms, accounting firms, consulting firms, business investment companies, credit reference agencies, debt collection agencies (in the event of default), maintenance service companies and other service providers related to business system provided by us and/or our group companies, any actual or proposed participant or sub-participant in, or assignee, novatee, transferee of any SMFL’s rights in relation to the customer/data subject, and any other person under a duty of confidentiality to SMFL or the relevant SMFL’s group company (as the case may be) including (in the case of SMFL) a SMFL’s group company or (in case of the relevant SMFL’s group company) SMFL or any other SMFL’s group company which has undertaken to keep such information confidential and other service providers related to business system provided by SMFL and/or SMFL’s group companies;
(3)
other third parities related to SMFL;
(c)

third parties related to customers:

(1)
customer’s relatives including but not limited to spouse, parents, children, siblings, grandparents, maternal grandparents, grandchildren, maternal grandchildren;
(2)
parties with whom customers have established (or intend to establish) a cooperative relationship, including but not limited to law firms and other service providers;
(3)
other third parities related to customers; and
(d)
government authorities, including but not limited to legal, regulatory, governmental, tax, law enforcement or other authority.

6.RETENTION OF PERSONAL DATA

Personal data kept by SMFL is retained as long as the purpose for which it was collected remains and until it is no longer necessary for the fulfillment of the purpose for which it is or is to be used. Different retention periods apply to the various kinds of personal data collected. As a general rule, the retention period is 7 years after the date of full repayment of customer’s debts to SMFL (if there are multiple debts, it means all debts to SMFL) or termination of employment, business collaboration, servicing and/or contractual relationship (as the case may be) with SMFL unless otherwise expressly specified in relevant notices or the other relevant documents.

7.DATA ACCESS AND CORRECTION

7.1

Under and in accordance with the terms of the Ordinance, any Data Subject, or a “relevant person” (as defined in the Ordinance) on behalf of a Data Subject, has the right, where applicable, by way of a data access request (as defined in the Ordinance):

(a)
to check whether SMFL holds personal data about such Data Subject and if so, to require SMFL to provide a copy of the relevant personal data;
(b)
to require SMFL to correct any personal data relating to such Data Subject which is inaccurate; and
(c)
to ascertain SMFL’s policies and practices in relation to personal data and to be informed of the kind of personal data held by SMFL.
7.2
Except where there are valid grounds for refusal in accordance with the Ordinance, SMFL shall comply with a data access request within 40 calendar days after receiving it. In accordance with the terms of the Ordinance, SMFL has the right to charge a reasonable fee for the processing of any data access request.
7.3

The person to whom requests for access to personal data or correction of personal data or for information regarding policies and practices and kinds of personal data held are to be addressed is as follows:

Data Protection Officer
Sumitomo Mitsui Finance and Leasing (Hong Kong) Limited
Units 4206-08, 42/F, Dah Sing Financial Centre
248 Queen’s Road East
Wanchai
Hong Kong

Nov 2023

Note: In case of discrepancies between the English and Chinese versions, the English version shall prevail.

Pagetop