  1. 引言

    1. 此聲明乃採納為 Oyster Pie Solutions Limited(下稱「本公司」)的私隱政策聲明(下稱「本聲明」)。訂立本聲明的目的,是為確立本公司全力執行保障個人資料的政策及實務,以遵守個人資料(私隱)條例(下稱「該條例」)各項條款及條文,及由個人資料私隱專員就該條例而頒布的指引。
    2. 本公司的控股公司或附屬公司,亦會因應所在國家或地區的特定法規或監管條文而自行制定合適的政策及實務,以確保遵守適用於有關地區的個人資料保障法規或監管要求。
  2. 本公司持有的個人資料的種類

    1. 概括而言,本公司持有的個人資料有兩大類,包括客戶的個人資料及與僱傭有關的個人資料。
    2. 本公司持有的客戶個人資料可能包括下列各項:

      1. 客戶及其配偶的姓名和地址、職業、聯絡詳情、出生日期和國籍、其身份證及/或護照號碼及證件發出日期和地點;
      2. 客戶及其配偶現時的僱主、職位性質、年薪及其他福利;
      3. 客戶及其配偶持有的物業、資產或投資的詳情;
      4. 客戶及其配偶所有的其他資產或負債(實有或或然)的詳情;
      5. 本公司在延續與客戶正常業務關係中獲得的資料(例如,當客戶開出支票或在一般情況下以口頭或書面形式與本公司溝通時,本公司亦會收集客戶的資料,當中可能以文書形式或電話錄音系統收集);
      6. 就要求追收任何客戶拖欠本公司款項而由諮詢人、信貸資料服務機構或收數公司提供的信用狀況資料;及
      7. 可透過公共領域取得的資料。
    3. 本公司持有與僱傭有關的個人資料可能包括下列各項:

      1. 僱員或準僱員及其配偶的姓名和地址、聯絡詳情、出生日期和國籍、其身份證及/或護照號碼及證件發出日期和地點;
      2. 在遴選過程中進一步匯集的求職者資料,可能包括從其現任僱主或前僱主或其他來源取得的評介,藉以評估求職者是否勝任有關職位;
      3. 本公司在延續僱傭關係收集更多關於僱員的資料,可能包括向僱員發放的工資及提供福利的記錄,僱員所擔任的職位、調職及培訓記錄,體格檢驗、病假及其他醫療補償申索記錄及僱員的工作表現評核報告;
      4. 本公司為履行對前僱員的責任或履行某些條例所規定的法律責任而可能保留前僱員的相關個人資料;及
      5. 可透過公共領域取得的資料。
    4. 本公司或會持有鑑於經驗及其業務特別性質所需的其他種類的個人資料。
  3. 使用個人資料的目的

    1. 客戶在開立或延續戶口、建立或延續信貸或其他相關服務時,需要不時向本公司提供有關的資料。
    2. 客戶與本公司在延續日常業務或其他金融關係中,本公司亦會收集客戶的資料。
    3. 客戶的資料可被用作下列用途:

      1. 處理及考慮產品及服務的申請及為客戶提供產品、服務和信貸融通所涉及的日常運作;
      2. 在客戶申請信貸時進行的信貸調查,及通常每年進行一次或以上的定期或特別信貸覆核;
      3. 設立及維持本公司的信貸評分模式;
      4. 協助其他財務機構作信用檢查及追討債務;
      5. 確保客戶持續維持可靠信用;
      6. 設計供客戶使用的財務服務或有關產品;
      7. 推廣服務、產品及其他標的(詳情請參閱《個人資料收集(客戶)聲明 》第(7)段);
      8. 核實任何其他客戶或第三方所提供的數據或資料;
      9. 確定本公司對客戶或客戶對本公司的欠債金額;
      10. 執行客戶向本公司之應負責任,包括但不限於向客戶及為客戶的責任提供抵押的人士追收欠款;
      11. 履行根據下列適用於本公司或其任何分行或本公司或其任何分行被期望遵守的就披露及使用資料的義務、規定或安排:

        1. 不論於香港特別行政區(下稱「香港」)境內或境外及不論目前或將來存在的對其具法律約束力或適用的任何法律(例如稅務條例及當中的條款);
        2. 不論於香港境內或境外及不論目前或將來存在的任何法律、監管、政府、稅務、執法或其他機關,或金融服務供應商的自律監管或行業組織或協會作出或發出的任何指引或指導(例如稅 務局作出或發出的指引或指導);
        3. 本公司或其任何分行因其位於或跟相關本地或外地的法律、監管、政府、稅務、執法或其他機關,或自律監管或行業組織或協會的司法管轄區有關的金融、商業、業務或其他利益或活動,而向該等本地或外地的法律、監管、政府、稅務、執法或其他機關,或金融服務供應商的自律監管或行業組織或協會承擔或 被彼等施加的任何目前或將來的合約或其他承諾;
      12. 遵守與本公司屬同一集團之公司為符合制裁或預防或偵測清洗黑錢、恐 怖分子融資活動或其他非法活動的任何方案就於與本公司屬同一集團 之公司內共用資料及資訊及/或資料及資訊的任何其他使用而指定的 任何義務、要求、政策、程序、措施或安排;
      13. 讓本公司的實際或建議承讓人,或就本公司對客戶享有的權利的參與人或附屬參與人評核其擬承讓,參與或附屬參與的交易;及
      14. 與上述有關的用途。
    4. 僱員及可能成為本公司僱員的人士的資料,可被用作下列用途:

      1. 處理受聘申請;
      2. 釐定及檢討工資、獎金及其他福利;
      3. 根據本公司僱部政策或監管規定進行適當人選評估或考慮升職、培訓、調用或調職;
      4. 評審員工貸款及其他福利和享有權的資格及有關的管理;
      5. 為員工出具諮詢証明書;
      6. 為員工申領與僱傭直接有關/相關的中介人或持牌資格;
      7. 監察遵守本公司僱部規則的情況;
      8. 本公司為履行根據下列適用於本公司或其任何分行或本公司或其任何分行被期望遵守的就披露及使用資料的義務、規定或安排:

        1. 不論於香港境僱或境外及不論目前或將來存在的對其具法律約束力或適用的任何法律;或
        2. 論於香港境僱或境外及不論目前或將來存在的任何法律、監管、政府、僱務、執法或其他機關,或金融服務供應商的自律監管或行業組織或協會作出或發出的任何指引或指導;
      9. 就懷疑詐騙案、不當行為及犯罪活動進行調僱;及
      10. 作人力資源管理或與上述有關的用途。
  4. 個人資料的保安

    1. 本公司的政策是為確保個人資料的保安及防止資料被未獲准許或意外的查閱、處理、刪除、喪失或使用,就個人資料因應其敏感程度及考慮如此等事情 發生便能做成的損害程度提供適度的保障。為達到適當程度的保安,本公司的一貫做法是透過提供安全的儲存設施(包括在資料存置設備實施保安措施) 來嚴格限制資料被查閱及處理。本公司亦會採取措施以確保能查閱該等資料的人士具備良好操守、審慎態度及辦事能力。個人資料只會以妥善保安的方式傳送,從而防止資料被未獲准許或意外的查閱。如本公司聘用(不論是在香港或香港以外聘用)資料處理者,以代本公司處理個人資料,本公司將採用合約規範方法或其他方法,以防止轉移予該資料處理者作處理的個人資料 被未獲准許或意外的查閱、處理、刪除、喪失或使用。
  5. 個人資料的準確性

    1. 本公司的政策是採取所有切實可行的步驟以確保所有經由本公司收集及處理的個人資料在顧及有關的個人資料被使用於或會被使用於的目的下均為準確。本公司會實施適當的程序以定期核對及更新所有個人資料。倘若本公司所持有的個人資料含有意見聲明,本公司會採取一切合理切實可行的步驟, 以確保任何聲言是支持該項意見聲明的事實,均屬正確。
  6. 個人資料的收集

    1. 在收集個人資料的過程中,本公司會向有關人士提供一份個人資料收集聲明,述明收集資料的目的、將獲轉交資料的人士的身分類別、查閱及改正資料的權利,以及其他有關資料。
    2. 本公司於使用取自公共領域的個人資料前,會留意該等資料存放於公共領域的原來使用目的(例如法例訂明設立某公共登記冊的目的)、相關使用限制(如有)及有關人士在個人資料私隱方面的合理期望。
    3. 有關本公司從互聯網收集個人資料,本公司會採納以下實務:

      1. 網上保安
      2. 網上保安網上改正資料
        透過網上設施提供給本公司的個人資料一經呈交,便未必能在網上刪除、 改正或更新。使用者如未能在網上作出刪除、改正或更新,便須聯絡本公司。
    4. Cookies、Tags 及Web Logs的使用


      Cookies 被設計成只可讓發出的網站讀取,但不能用作取得使用者的硬碟資料、電郵地址或收集使用者的敏感性資料。基於以下目的,本公司使用 Cookies、Tags 及 Web Logs 來識別使用者的網頁瀏覽器:

      1. 身份識別
      2. 資料分析
        使用者瀏覽本公司的網站時,本公司可能透過 Cookies/Tags/Web Logs 等技術收集有關瀏覽記錄以提供資料分析。該等記錄是不記名的集體統計資料,並不包括任何個人身份資料。本公司收集有關記錄資料, 主要用於更好地瞭解使用者統計數據、興趣及使用模式,及提高本公司網上推廣的效率。

        資料可能會經本公司轉移至第三方公司(例如,網頁流量追蹤及報告、 網上廣告刊登等的外部服務供應商)或由第三方公司代本公司收集以進行以上用途。而第三方公司不會把該記錄再轉移予其他各方。該等記錄是不記名的集體統計資料,並不包括任何個人身份資料。

        大多數網絡瀏覽器初始設定均為接受 Cookies。使用者可以透過變更網絡瀏覽器的設定選擇『不接受』Cookies,但此舉可能導致使用者無法使用本公司的網上服務,及本公司網站上的某些功能無法正常運作。本公司保留所收集資料的時間取決於收集該資料的原始目的或與其直接相關的目的,以及為滿足任何適用法例及合約要求。
  7. 查閱資料要求及改正資料要求

    1. 本公司的政策為按照該條例的規定,依從及處理一切查閱資料及改正資料要求;及讓所有有關職員熟悉有關的規定,以協助各人士作出有關要求。
    2. 本公司或會在符合該條例或由個人資料私隱專員就該條例而頒布之指引的規定下,就查閱資料要求徵收費用。本公司只可收取與依從查閱資料要求直接有關及必須之費用。倘若任何提出查閱資料要求的人士要求本公司提供按早前的查閱資料要求提供過的個人資料的額外複本,本公司或會收取費用以全數彌補因提供該額外複本而涉及的行政成本或其他成本的費用。
    3. 有關查閱資料及改正資料的要求,可向本公司資料保障主任或其他相關指定人員提出。
  8. 個人資料之存檔

    1. 本公司會採取所有一切合理切實可行的步驟,以確保個人資料的保存時間不超過將其保存以貫徹該資料被使用於或會被使用於的目的所需的時間。本公司在結束帳戶、終止服務或員工離職後一般會持有有關客戶及僱員的資料 7 年或按照有關法律和法規所規定的期限。
    2. 有關本公司收集求職者的個人資料,除非有具體理由規定本公司必須保留該等資料一段較長期間(例如按照有關法律和法規所規定的期限),本公司或會為日後招聘的用途在求職者落選後保留該等資料 2 年。
    3. 如本公司聘用(不論是在香港或香港以外聘用)資料處理者,以代本公司處理個人資料,本公司將採用合約規範方法或其他方法,以防止轉移予該資料處理者作處理的個人資料的保存時間超過處理該資料所需的時間。
  9. 資料保障主任的委任

    1. 本公司已委任資料保障主任,以負責統籌及監察該條例及本公司保障個人資料政策的遵守情況。
    2. 資料保障主任的聯絡資料如下︰

      地址: Oyster Pie Solutions Limited
      電話: (852) 3893 9999
      傳真: (852) 2598 8305
      網址: www.oysterpie.com.hk
    1. This Statement is adopted as the Privacy Policy Statement (the "Statement") of Oyster Pie Solution Limited (the "Company"). The purpose of this Statement is to establish the policies and practices of the Company's commitment to protect the privacy of personal data and to act in compliance with the provisions of the Personal Data (Privacy) Ordinance (the "Ordinance") and the relevant guidelines issued by the Privacy Commissioner for Personal Data (the "Privacy Commissioner").
    2. For the Company's subsidiaries and holding companies, they are required to establish their own policies and practices to ensure full compliance with the applicable legal and regulatory requirements in their respective jurisdictions relating to personal data protection.

    1. There are two broad categories of personal data held in the Company. They are personal data related to customers and (potential) employees of the Company.
    2. Personal data held by the Company regarding customers may include the following:

      1. name and address, occupation, contact details, date of birth and nationality of customers and spouses of customers and their identity card and/or passport numbers and place and date of issue thereof;
      2. current employer, nature of position, annual salary and other benefits of customers and spouses of customers;
      3. details of properties, assets or investments held by customers and their spouses;
      4. details of all other assets or liabilities (actual or contingent) of customers and their spouses;
      5. information obtained by the Company in the ordinary course of the continuation of the business relationship (for example, when customers write cheques or generally communicate verbally or in writing with the Company, by means of documentation or telephone recording system, as the case may be);
      6. information as to credit standing provided by a referee, credit reference agency or debt collection agency in connection with a request to collect a debt due from any customer to the Company; and
      7. information which is in the public domain.
    3. Personal data relating to employment held by the Company may include the following:

      1. name and address, contact details, date of birth and nationality of employees and potential employees and their spouses and their identity card and/or passport numbers and place and date of issue thereof;
      2. additional information compiled about potential employees to assess their suitability for a job in the course of the recruitment selection process which may include references obtained from their current or former employers or other sources;
      3. additional information compiled about employees in the ordinary course of the continuation of the employment relationship which may include records of remuneration and benefits paid to the employees, records of job postings, transfer and training, records of medical checks, sick leave and other medical claims and performance appraisal reports of the employees;
      4. relevant personal data pertaining to former employees may be required by the Company to fulfill its obligations to the former employees and its legal obligations under certain ordinances; and
      5. information which is in the public domain.
    4. The Company may hold other kinds of personal data which it needs in light of its experience and the specific nature of its business.

    1. It is necessary for customers to supply the Company with data in connection with the opening or continuation of accounts and the establishment or continuation of facilities or provision of financial services.
    2. It is also the case that data is collected from customers in the ordinary course of the continuation of the business relationship.
    3. The purposes for which data relating to a customer may be used are as follows:

      1. processing and considering applications for products and services and the daily operation of products, services and credit facilities provided to customers;
      2. conducting credit checks at the time of application for credit and at the time of regular or special reviews which normally will take place one or more times each year;
      3. creating and maintaining the Company's credit scoring models;
      4. assisting other financial institutions to conduct credit checks and collect debts;
      5. ensuring ongoing credit worthiness of customers;
      6. designing financial services or related products for customers' use;
      7. marketing services, products and other subjects (please see further details in paragraph (7) of the Company's Personal Information Collection (Customers) Statement);
      8. verifying the data or information provided by any other customer or third party;
      9. determining amounts owed to or by customers;
      10. enforcing customers' obligations, including but not limited to the collection of amounts outstanding from customers and those providing security for customers' obligations;
      11. complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Company or any of its branches or that it is expected to comply according to:

        1. any law binding or applying to it within or outside the Hong Kong Special Administrative Region ("Hong Kong") existing currently and in the future (e.g. the Inland Revenue Ordinance and its provisions);
        2. any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently and in the future (e.g. guidelines or guidance given or issued by the Inland Revenue Department);
        3. any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers that is assumed by or imposed on the Company or any of its branches by reason of its financial, commercial, business or other interests or activities in or related to the jurisdiction of the relevant local or foreign legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry bodies or associations;
      12. complying with any obligations, requirements, policies, procedures, measures or arrangements for sharing data and information within the same group of the Company and/or any other use of data and information in accordance with any group-wide programmes for compliance with sanctions or prevention or detection of money laundering, terrorist financing or other unlawful activities;
      13. enabling an actual or proposed assignee of the Company, or participant or sub-participant of the Company's rights in respect of the customer to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation; and
      14. purposes relating thereto.
    4. The purposes for which data relating to employees and potential employees may be used are as follows:

      1. processing employment applications;
      2. determining and reviewing salaries, bonuses and other benefits;
      3. conducting fit and proper assessment according to internal policy or regulatory requirements or consideration for promotion, training, secondment or transfer;
      4. consideration of eligibility for and administration of staff loans and other benefits and entitlements;
      5. providing employee references; 
      6. registering employees as intermediaries or licensees with statutory authorities /institutions for purposes directly related or associated to the employment;
      7. monitoring compliance with internal rules of the Company;
      8. complying with the obligations, requirements or arrangements for disclosing and using data that apply to the Company or any of its branches or that it is expected to comply according to:

        1. any law binding or applying to it within or outside Hong Kong existing currently and in the future; or
        2. any guidelines or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong existing currently and in the future;
      9. conducting investigation regarding any suspicious fraud cases, misconduct or criminal activities; and
      10. for human resources management or purposes relating thereto.

    1. It is the policy of the Company to ensure an appropriate level of protection for personal data in order to prevent unauthorised or accidental access, processing, erasure, loss or use of that data, commensurate with the sensitivity of the data and the harm that would be caused by occurrence of any of the aforesaid events. It is the practice of the Company to achieve appropriate levels of security protection by restricting physical access to data by providing secure storage facilities, and incorporating security measures into equipment in which data is held. Measures are taken to ensure the integrity, prudence, and competence of persons having access to personal data. Personal data is only transmitted by secure means to prevent unauthorised or accidental access. If the Company engages a data processor (whether within or outside Hong Kong) to process personal data on the Company's behalf, the Company would adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

    1. It is the policy of the Company to ensure that all practicable steps have been taken to maintain the accuracy of all personal data collected and processed by the Company having regard to the purpose for which the personal data is or is to be used. Appropriate procedures are implemented such that all personal data is regularly checked and updated. In so far as personal data held by the Company consists of statements of opinion, all reasonably practicable steps are taken to ensure that any facts cited in support of such statements of opinion are correct.

    1. In the course of collecting personal data, the Company will provide the individuals concerned with a Personal Information Collection Statement informing them of the purpose of collection, classes of persons to whom the data may be transferred, their rights to access and correct the data, and other relevant information.
    2. Prior to using any personal data from public domain, due regards will be given by the Company to observe the original purposes of making the personal data available in the public domain (such as the purpose of establishing the public register in the enabling legislation). The restrictions, if any, imposed by the original data users on further uses, and the reasonable expectation of personal data privacy of the individuals concerned will be observed by the Company.
    3. In relation to the collection of personal data online, the following practices are adopted:

      1. Online Security
        The Company will follow strict standards of security and confidentiality to protect any information provided to the Company online. Encryption technology is employed for sensitive data transmission on the Internet to protect individuals' privacy.
      2. Online Correction
        Once personal data provided to the Company through an online facility is submitted, it may not be able to be deleted, corrected or updated online. If deletion, correction and updates are not allowed online, users should approach the Company.
    4. Use of Cookies, Tags and Web Logs etc

      Cookies are small pieces of data transmitted from a web server to a web browser. Cookies data is stored on a local hard drive such that the web server can later read the cookie data from a web browser. This is useful for allowing a website to maintain information on a particular user.

      Cookies are designed to be read only by the website that provides them. Cookies cannot be used to obtain data from a user's hard drive, obtain a user's email address or gather a user's sensitive information. The Company uses cookies, tag and web logs to identify user's web browser for the following purposes:

      1. Session Identifier
        The Company will not store user's sensitive information in cookies. Once a session is established, all the communications will use the cookies to identify a user.
      2. Analytical Tracking
        Users' visit to the Company's websites will be recorded for analysis and information may be collected through technologies such as cookies, tags and web logs etc. The information collected is anonymous research data and no personally identifiable information is collected. The Company mainly collects the information to understand more about our users including user demographic, interests and usage patterns, and to improve the effectiveness of our online marketing.

        Information may be transferred to or collected by third parties on our behalf (for example, providers of external service like web traffic tracking and reporting, online advertisement serving) for the above uses. And the information would not be further transferred to other parties by the third parties. The information collected is anonymous research data, and no personally identifiable information is collected or shared by third parties.

        Most web browsers are initially set up to accept cookies. Cookies can be chosen to "not accept" by changing the setting on the web browsers, but this may disable the access to the Company's Internet service, and certain features on the Company's website will not work properly. The Company will retain the collected information for as long as is necessary to fulfill the original or directly related purpose for which it was collected, and to satisfy any applicable statutory or contractual requirements.

    1. It is the policy of the Company to comply with and process all data access requests ("DARs") and data correction requests ("DCRs") in accordance with the provisions of the Ordinance, and for all staff concerned to be familiar with the requirements for assisting individuals to make such requests.
    2. The Company may, subject to the Ordinance and the guidelines thereon issued by the Privacy Commissioner, impose a fee for complying with a DAR. The Company is only allowed to charge a DAR requestor for the costs which are directly related to and necessary for complying with a DAR. If a person making a DAR requires an additional copy of the personal data that the Company has previously supplied pursuant to an earlier DAR, the Company may charge a fee to cover the full administrative and other costs incurred in supplying that additional copy.
    3. DARs and DCRs to the Company may be addressed to the Company's Data Protection Officer ("DPO") or another person as specifically advised.

    1. The Company takes all practicable steps to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose for which such data is or is to be used. The Company usually holds data relating to the customer(s) and employee(s) for a period of 7 years or such other period as prescribed by applicable laws and regulations after closure of account, termination of service or cessation of employment.
    2. Regarding personal data collected from job applicants, unless there is subsisting reason that the Company is obliged to retain the data for a longer period (such as other period as prescribed by applicable laws and regulations), the Company may hold the data of unsuccessful applicants for future recruitment purpose for a period up to 2 years after rejecting the applicants.
    3. If the Company engages a data processor (whether within or outside Hong Kong) to process personal data on the Company's behalf, the Company would adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data.

    1. The DPO has been appointed by the Company to coordinate and oversee compliance with the Ordinance and the personal data protection policies of the Company.
    2. The contact details of the DPO are as follows:

      Address: Oyster Pie Solutions Limited
      Unit 1705A2, 17/F, Tower 1, Silvercord, 30 Canton Road, Tsim Sha Tsui, Kowloon, Hong Kong
      Telephone: (852) 3893 9999
      Facsimile: (852) 2598 8305
      Website: www.oysterpie.com.hk
(Should there be any discrepancy between the English and Chinese versions, the English version shall prevail.)
