The HKMA issued guidance to AIs in November 2021 to strengthen the protection of personal data of banking customers. When sharing customers’ personal data collected through online channels (including mobile apps) with third parties for the purposes of direct marketing by the third parties, AIs should either (i) ask customers to approach the third parties directly so that the customers can provide their personal data and/or consent directly to the third parties; or (ii) redirect the customers from the AIs’ websites / mobile apps to the websites / mobile apps of the third parties so as to provide their personal data and/or consent for direct marketing by such third parties directly.
For the avoidance of doubt, third parties include group companies of AIs.
Under the redirection approach, apart from complying with the relevant provisions of the Personal Data (Privacy) Ordinance and the data protection principles, AIs should also be mindful of the following:
- A reminder message should be provided before the redirection is performed, alerting customers that a redirection will take place and explaining the purpose(s) of the redirection.
- Reminder messages should be clear and readily readable (e.g. with a reasonable font size and layout).
- AIs should not bundle the redirection and/or any transfer of personal data of customers to third parties in the process of bank account opening or provision of banking services.
- AIs should carefully assess what kinds of data the third parties require, and only share a minimum amount of customer personal data on a “need-to-know” basis.
- Explicit consent for sharing the customers’ personal data with third parties should be obtained by the AIs before the redirection, and additional consent is required for the use of the personal data for direct marketing purposes by the third parties.
To access a full version of the Guidance, please see here.
Authored by: Simon Deane and Natalie Chan
For further information, please contact:
Simon Deane, Partner, Deacons
simon.deane@deacons.com