BOCI SECURITIES LIMITED AND BOC INTERNATIONAL HOLDINGS LIMITED PRIVACY NOTICE FOR THE PURPOSES OF DATA COLLECTION FROM EU/UK DATA SUBJECTS

1. About this Privacy Notice

2. Who we are

3. How to contact us

4. How we get information and what information we collect

5. Use of our "Online Customer Service" function on our Website

6. Linking to third party websites

7. Why we collect, process and use your information, and the legal bases for processing your information

8. How long we keep your information for

9. Your rights

10. Sharing your information

11. Changes to this Privacy Notice

12. Security

13. Where your information is transferred and stored




Summary

1. About this Privacy Notice

BOCI Securities Limited has a Privacy Notice and Statement relating to Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) which is applicable to Services that we provide to customers located in Hong Kong. This can be found at https://www.bocionline.com/en/cust_service/risk_complaints/personal_data/index.shtml.

This Privacy Notice is addressed to the customers located in the EU or UK only, in compliance with the European General Data Protection Regulation (the "GDPR") or the UK GDPR (which is the version of GDPR which has been incorporated into the laws of the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018) after the UK's withdrawal from the EU (as applicable).

We provide the services to the following types of individual customers:

· Securities trading services to individual customers;

· Services in relation to the administering of BOCIS' mobile application relating to trading, social, stock price quotes, market news and other customer service functions ("IBMP App") to individual app users,

and process the personal data of these individuals in the course of providing these services.

We administer employee share option plans on behalf of our listed company clients and process the personal data of the relevant employee share option plan participants in the course of doing so.

We provide sales trading and research services to corporate customers of the BOCI group and process the personal data relating to the personnel of these corporate customers.

As such, this Privacy Notice applies to the customers, employee share option plan participants and corporate customer personnel described above.

Please note that our processing of personal data relating to corporate customer personnel in the context of sales trading and research services falls within scope of the GDPR and/or UK GDPR because these corporate customers are referred to BOCIS by an affiliate of BOCIS based in the UK and therefore BOCIS' processing of such personal data is conducted in the context of a UK establishment.

We care about your privacy and we think it is important that you always know what information we obtain about you in the course of interacting with us and what that information is used for. We use your personal data in order to provide you with our securities trading services, grant you with access to the IBMP App, enable your participation in an employee share option plan and provide you with sales trading and research services. Our back-office functions will also process your personal data when providing services to the front office of the BOCI group and we will process personal data of individuals who visit the BOCIS Website (available at https://www.bocionline.com) (the "Website") (together, our "Activities"). In the Privacy Notice below, we therefore aim to keep you fully informed as to the type, extent and purpose of the collection, storage, use and processing of your personal data by us.

Personal data is all information relating to an identified or an identifiable natural person. A person is identified when the identity of a specific person can be deduced from the information itself. A person is identifiable when we can make a connection to a specific person using information available to us.

This Privacy Notice applies to your participation in or use of the Activities.

Please read this Privacy Notice carefully to understand our practices regarding your personal data and how we will treat it.

IF YOU DO NOT AGREE WITH OUR POLICIES AND PRACTICES, DO NOT USE THE SERVICES OR PARTICIPATE IN THE ACTIVITIES.

By using our products and services or participating in the Activities, you acknowledge the terms of this Privacy Notice and the use and disclosure of your personal data as set out in this notice.

Our Privacy Notice applies to your interactions with us.

2. Who we are

We are BOCI Securities Limited whose registered offices are at 20/F Bank of China Tower, 1 Garden Road, Central, Hong Kong (SAR) (hereinafter: "BOCIS") and BOC International Holdings Limited whose registered offices are at 26/F Bank of China Tower, 1 Garden Road, Central, Hong Kong (SAR) ("BOCIH") (hereinafter "we" or "us").

BOCIS is a front office of the BOCI group that provides various securities-related and financial trading services and BOCIH supports the front office of the BOCI group (including BOCIS) to provide services to customers and processes the personal data of such customers in the course of doing so.

BOCIS and BOCIH are the providers of the Activities and the organisations responsible for the personal data collected about you as part of your use of or participation in Activities within the meaning of applicable data protection and privacy laws and are independent controllers for the purposes of the GDPR and UK GDPR.

We are a provider of various securities-related and financial trading services.

3. How to contact us

If you have any questions about this Privacy Notice or our use of your personal data, if you need to report a problem, or if you would like to exercise one of your rights under data protection and privacy laws you can contact us using the following contact details:

The Data Protection Officer

BOCI Securities Limited

20/F Bank of China Tower

1 Garden Road

Central

Hong Kong

Telephone: (852) 3988 6000

Fax: (852) 2147 9059

You can get in touch with our dedicated privacy contact with any queries or complaints regarding your data.

4. How we get information and what information we collect

When you use or participate in the securities trading services, we may collect the following information from you directly and/or from credit reference agencies:

· Identification document details

· Contact information

· Employment information

· Tax details (including tax forms)

· Source of wealth information

· Financial information (net worth etc.)

· Health details

· Family details

· Account information

When you use the IBMP App as a BOCIS customer, we may collect the following information from you directly:

· Identification document details

· Contact information

· Employment information

· Tax details (including tax forms)

· Source of wealth information

· Financial information (net worth etc.)

· Health details

· Family details

· Account information

When you use the IBMP App where you are not a BOCIS customer (in relation to which the service will include a more limited functionality than for BOCIS customers), we may collect the following information from you directly:

· Email address

· Social media identification name

When you are an employee share option plan participant in a scheme that we administer on behalf of one of our listed company clients, we may collect the following information from you directly or from your employer:

· Identification document details

· Contact information

· Employment information

· Tax details (including tax forms)

· Source of wealth information

· Financial information (net worth etc.)

· Family details

· Share plan information

When you are a member of personnel or a representative associated with one of our corporate customers to whom we provide sales trading and research services, we may collect the following types of personal data from you directly in the course of corresponding with you:

· Contact information

· Identification document details

· Employment information

When you visit the Website, we may collect the following information from you directly:

· Information you provide whilst visiting the Website

· Information you provide while visiting the Website, including your IP address together with the date, time and duration of your visit. An IP address is an assigned number, similar to a telephone number, which allows your computer to communicate over the Internet. It enables us to identify which organisations have visited the Website.

We collect certain information about you when you participate in our Activities.

5. Use of our "Online Customer Service" function on our Website

We provide an "Online Customer Service" function on our Website. You should be aware that personal data that you voluntarily include and transmit online via this function will also be processed in accordance with this Privacy Notice. Please bear this in mind when providing us with information about yourself via the "Online Customer Service" function.

You choose what personal data you share with us when you use our "contact us" function, and we will process that personal data in accordance with this notice.

6. Linking to third party websites

When visiting the Website, you may be provided with the option to link through to other websites and services. These other domains, apps and websites are subject to their own privacy practices and we encourage you to read the privacy notices of each and every website and application with which you interact. You visit these other websites or applications at your own risk.

Other websites and applications may use your data differently and have their own privacy notices.



IF YOU DO NOT WANT US TO COLLECT ANY OF THE INFORMATION DESCRIBED IN THIS SECTION, DO NOT USE OR PARTICIPATE IN OUR ACTIVITIES.


7. Why we collect, process and use your information and the legal bases for processing your information

BOCIS

When you use or participate in the securities trading services, we collect, process and use your personal data for the following purposes:

To provide services and comply with our contract with you

· for the provision and daily operation (including without limitation maintenance and administration) of the accounts and securities trading services and/or other financial services provided to you and otherwise fulfilling our contract for services;

· determining the amount of indebtedness owed to you;

· collection of amounts outstanding from you and those providing security in respect of your obligations;

· conducting credit checks (including without limitation, upon an application for consumer credit and upon periodic review of the credit) and ensuring your ongoing credit worthiness;

· assisting other financial institutions to conduct credit checks and collect debts; and

· protecting our business and interests, including investigating any potential violation of our terms and conditions.

When processing your personal data for these purposes, we are relying on the legal basis that processing your personal data is necessary for us to carry out our contractual obligations with you.

For example, we need to collect and store your email address and other details so that we can communicate with you in the course of providing you with the services that we have entered into a contract with you to provide.

To comply with our legal and regulatory obligations

· facilitating our compliance with our anti-money laundering obligations;

· making disclosures as required by all applicable laws, rules, regulations, codes or guidelines and enabling us to discharge our obligation to regulators or other authorities; and

· conducting vulnerable customer assessments in accordance with our regulatory obligations.

When processing your personal data for complying with our legal and regulatory obligations, we are relying on the legal basis of fulfilling our legal obligations.

When we conduct vulnerable customer assessments, we may process certain health-related information about you and we will obtain your consent before doing so. In order for your consent to be valid:

· it has to be given freely, without us putting you under any type of pressure;

· you have to know what you are consenting to – so we'll make sure we give you enough information;

· you should only be asked to consent to one thing at a time – we therefore avoid "bundling" consents together so that you don't know exactly what you're agreeing to; and

· you need to take positive and affirmative action in giving us your consent – for example, we could provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.

Before giving your consent you should make sure that you read any accompanying information provided by us so that you understand exactly what you are consenting to.

You have the right to withdraw your consent at any time, and details can be found in the "Right to withdraw consent" paragraph in the section on your rights below.

For business administrative purposes

· to facilitate our internal business administration, including maintaining proper business records.

· to investigate or respond to any incidents, complaints or grievances.

When processing your personal data for these purposes, we are relying on the legal basis that processing your personal data is necessary for us to carry out our contractual obligations with you.

For communication with you

· to update you on information regarding your account;

· to respond to any query you have asked us; and

· where you request us to do so, to communicate with you regarding news and events.

When processing your personal data for these purposes, we are relying on the legal basis that processing your personal data is necessary for us to carry out our contractual obligations with you.

For marketing and promotion purposes

· to carry out direct marketing of other financial, insurance or telecommunications services or products;

When processing your personal data for these purposes, we are relying on the legal basis that processing your personal data is necessary for our and your legitimate interests, namely for us to provide you with information that we think will be of interest to you. We will generally only seek to send you information about products and services that you have either previously used or expressed an interest in hearing about and will assume that you are happy to receive this information from us until you object or opt out.

For other purposes:

· evaluating your potential financial needs and conducting market research;

· internal data processing, preparation of internal statistical reports, sales revenue reports and rebates/soft dollar arrangement analysis and any other reports;

· commencing, defending or otherwise participating in any legal or administrative proceedings or inquiry before any court or competent authority;

· enabling an actual or proposed assignee of BOCIS, or participant or sub-participant of the BOCIS' rights to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation;

· ensuring ongoing accuracy and relevance of your personal data; and

· any other incidental or associated purposes to which you may from time to time agree.

When processing your personal data for these purposes, we are relying on the legal basis that processing your personal data is necessary for our legitimate interests, namely for us to process your personal data for purposes ancillary to our Activities.

When you participate in the securities trading services, we use your data: (i) to carry out the Activities; (ii) to comply with our legal and regulatory obligations; (iii) for business administrative purposes; (iv) to provide you with updates on our Activities and other communication; (v) to provide you with details of our new products and services; and (vi) in connection with purposes ancillary to our Activities.


When you are an employee share option plan participant in a scheme that we administer on behalf of one of our listed company clients, we collect, process and use your personal data for the following purposes:

To provide services and comply with our contract with you

· for the purposes of providing the employee share option plan services to you and otherwise fulfilling our contract for services, as set out above; and

For complying with our legal and regulatory obligations as set out above (save that we will not conduct vulnerable customer assessments).

For business administrative purposes as set out above.

For communication with you as set out above.

For other purposes as set out above.

When you participate in an employee share option plan, we use your data: (i) to carry out the Activities; (ii) to comply with our legal and regulatory obligations; (iii) for business administrative purposes; (iv) to provide you with updates on our Activities and other communication; and (v) in connection with purposes ancillary to our Activities.



When you use the IBMP App, we collect, process and use your personal data for the following purposes:

To provide services and comply with our contract with you

· for the purpose of providing the IBMP services to you and otherwise fulfilling our contract for services, and otherwise as set out above.

For complying with our legal and regulatory obligations as set out above.

For business administrative purposes as set out above.

For communication with you as set out above.

Where you are a BOCIS customer, for marketing and promotion purposes as set out above.

For other purposes as set out above.

When you use the IBMP App, we use your data: (i) to carry out the Activities; (ii) to comply with our legal and regulatory obligations; (iii) for business administrative purposes; (iv) to provide you with updates on our Activities and other communication; (v) to provide you with details of our new products and services; and (vi) in connection with purposes ancillary to our Activities.



When you are a representative of our corporate customers and interact with us in the administration of the sales trading and research services, we collect, process and use your personal data for the following purposes:

To facilitate the provision of services to the organisation you represent:

· for the purposes of providing the sales trading and research services to the organisation you represent.

When processing your personal data for this purpose, we are relying on the legal basis that we have a legitimate interest in processing your personal data so that we can provide services to your organisation.

For complying with our legal and regulatory obligations as set out above (save that we will not conduct vulnerable customer assessments).

For business administrative purposes

· to facilitate our internal business administration, including maintaining proper business records;

· to investigate or respond to any incidents, reports, complaints or grievances.

When processing your personal data for these purposes, we are relying on the legal basis that processing your personal data is within our legitimate interests, namely for our business administrative purposes.

For communication with you

· to update you on information regarding the administration of your account (or the account that you hold on behalf of the organisation that you represent);

· to respond to any query you have asked us; and

· where you request us to do so, to communicate with you regarding news and events.

When processing your personal data for these purposes, we are relying on the legal basis that processing is within our legitimate interests, namely to communicate with you about your account, to communicate with you about news and events and to respond to queries from you.

For other purposes as set out above.

When you are a representative of one of our corporate customers and interact with us in the context of the administration of the sales, trading and research services, we use your data: (i) to carry out the Activities; (ii) to comply with our legal and regulatory obligations; (iii) for business administrative purposes; (iv) to provide you with updates on our Activities and other communication; and (v) in connection with purposes ancillary to our Activities.



When you visit the Website, to provide you with the Website services:

· for the purposes of providing the Website services to you;

· protecting our business and interests, including investigating any potential violation of our terms and conditions.

When processing your personal data for these purposes, we are relying on the legal basis that processing your personal data is within our legitimate interests, namely the provision of services to you.

When you visit the Website, we use your personal data: (i) to provide the Website services; and (ii) to communicate with you.



BOCIH:

When you use or participate in the Activities carried out by BOCIS, we collect, process and use your personal data to support BOCIS in a back-office operations management capacity including in relation to our provision of business operations, information technology, legal and compliance and risk management services to BOCIS.

When processing your personal data for these purposes, we are relying on the legal basis that processing your personal data is within our legitimate interests, namely to support the provision of services provided and Activities carried out by BOCIS.

We will use your personal data when supporting BOCIS to conduct the Activities.

8. How long we keep your information for

We store personal information for an appropriate period of time in compliance with our obligations under applicable data protection laws.

We don't keep your data forever.

9. Your rights

You have various rights in relation to the data which we hold about you as described below.

To get in touch with us about any of your rights under applicable data protection laws, please use the contact details set out above. We will seek to deal with your request without undue delay, and in any event within any time limits provided for in applicable data protection law (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.

Right to object

This right enables you to object to us processing your personal data where we do so for one of the following reasons:

· because it is in our legitimate interests to do so;

· to enable us to perform a task in the public interest or exercise official authority;

· to send you direct marketing materials; or

· for scientific, historical, research, or statistical purposes.

Right to withdraw consent

If we obtain your consent to process your personal data for any activities, you may withdraw this consent at any time and we will cease to use your data for that purpose unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition. You can withdraw your consent by using the contact details provided at Section 3 of this notice.

Right to access a copy of your data

You may ask us for confirmation of the processing of your personal data, or a copy of the information we hold about you at any time, and request us to modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this unless permitted by law. If you request further copies of this information from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.

Right to erasure

You have the right to request that we "erase" your personal data in certain circumstances. Normally, this right exists where:

· the data is no longer necessary;

· you have withdrawn your consent to us using your data, and there is no other valid reason for us to continue;

· the data has been processed unlawfully;

· it is necessary for the data to be erased in order for us to comply with our obligations under law; or

· you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.

We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so. When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.

Right to restrict processing

You have the right to request that we restrict our processing of your personal data in certain circumstances, for example if you dispute the accuracy of the personal data that we hold about you or you object to our processing of your personal data for our legitimate interests. If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.

Right to rectification

You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.

Right of data portability

If you wish, you have the right to transfer your personal data between service providers and receive a copy of your data. In effect, this means that you are able to transfer the details we hold on you to another third party. To allow you to do so, we will provide you with your data in a commonly used machine-readable format so that you can transfer the data. Alternatively, we may directly transfer the data for you.

Rights in relation to automated decision making

You have the right to object to being subject to a decision based on solely automated processing where this decision adversely affects your legal rights. Where we use your personal data for automated decision making, we will ensure to give you specific information about that processing, and you will have the right to challenge and request a review of the decision.

You have a number of rights regarding your data.

Right to complain

You also have the right to complain to your data protection authority.

In the UK the data protection authority is the Information Commissioner's Office. You can contact them in the following ways:

· Phone: 0303 123 1113

· Email: casework@ico.org.uk

· Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

If the relevant data protection authority is in the EU, please contact the data protection authority in the relevant country.

10. Sharing your information

In general, your data is processed exclusively by us and we do not pass on any personal user data to third parties unless in the context of our Activities. Where we do share your personal data, we do so with the following categories of recipients:

· BOCI group entities and their respective related and affiliated companies (within or outside Hong Kong, in accordance with the PDPO);

· any agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment or securities clearing or other services to us in connection with the operation of our business;

· any financial institution with which you have or propose to have dealings;

· credit reference agencies, and, in the event of default, to debt collection agencies;

· any person or regulatory or other authority to whom we are under an obligation or duty to make disclosure pursuant to any relevant laws, rules, regulations, codes or guidelines binding on us or any BOCI group entities;

· any actual or proposed assignee of us or participant or sub-participant or transferee of our rights in respect of you; and

· any person providing or proposing to provide security for your obligations.

Otherwise, your data will only be disclosed in special exceptional cases, where we are obligated or entitled to do so by statute or upon binding order from a public authority.

We may share your data with certain third parties (e.g. to help us provide the Activities).

11. Changes to this Privacy Notice

We will review this Privacy Notice periodically, and reserve the right to modify and update it at any time. You acknowledge that we may make changes to this Privacy Notice and it is your responsibility to check back to this page from time to time to review the Privacy Notice. Changes to this Privacy Notice will come into effect immediately upon such changes being uploaded in the provision of the Activities.

We may make changes to this Privacy Notice from time to time.

12. Security

We care about protecting your personal data. That’s why we put in place appropriate security measures which are designed to prevent any misuse of the data that you provide to us, including:

· Organisational controls on who can access your personal data;

· Training our staff and putting organisational procedures in place around data handling and protecting your personal data;

· Protective measures to try and minimize damages caused by computer viruses through antivirus software.

· Data loss prevention solutions in preparation for any unexpected emergencies.

Unfortunately, there is always risk involved in sending information through any channel over the internet. You send information over the internet entirely at your own risk. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted over the internet and we do not warrant the security of any information, including personal data, which you transmit to us over the internet.

If you suspect any misuse, loss, or unauthorised access to your personal data please let us know immediately using the contact details set out in this Privacy Notice. We will investigate the matter and update you as soon as possible on next steps.

We take security seriously and put in place measures to protect your information.

13. Where your information is transferred and stored

In general, your data will be stored in Hong Kong SAR. However, certain of our service providers may be located outside of Hong Kong from time to time.

In the event that we transfer your personal data to, or store your personal data in, a country outside of the EU/UK (as applicable), including onward transfers within Hong Kong SAR, and where the country or territory in question does not maintain adequate data protection standards, we will take all reasonable steps to ensure that any such transfers are undertaken in accordance with applicable data protection and privacy laws and that your data is treated securely and in accordance with this Privacy Notice.

However, please note that where personal data is stored in another country, it may be accessible to law enforcement agencies in accordance with domestic laws.

We store your data in Hong Kong SAR, but our service providers may be located elsewhere in the world.