1. Statement of policy
We respect personal data privacy and are committed to complying with the requirements of the Personal Data (Privacy) Ordinance (PDPO). In doing so, we strive to ensure compliance by our staff with the strictest standards of security and confidentiality.
2. Statement of practice on personal data held by us
We may collect and hold personal data as an employer, a financial regulator and in performing our statutory functions under the relevant laws and regulations. When we collect personal data from individuals, we will provide them with a Personal Information Collection Statement (PICS) on or before the collection in an appropriate format and manner. The PICS will state (among other matters) the purpose of the collection.
The broad categories of personal data held by us, and the main purposes of use are:
(a) personnel records, used for recruitment and human resources management purposes;
(b) licensing / registration application records and related returns and notifications, and submissions in response to public consultation papers, used for the purposes set out in the PICS for the relevant document;
(c) enquiry, complaint, inspection, supervisory, investigation and enforcement records, used for responding to enquiries and complaints, and performing our statutory and administrative functions and activities;
(d) records collected via our websites, used for the purposes stated in section 3 below;
(e) other administration and operational records, used for various purposes depending on the nature of the record (e.g. for administration of functions and activities, organizing and delivering promotional, educational and training activities, subscription to publications, etc.).
Such personal data may include sensitive personal data (e.g. health information). The provision of personal data is generally voluntary unless otherwise specified. A failure to provide the requested personal data, or the provision of inaccurate or incomplete information, may result in us not being able to process your request, application, submission, enquiry, complaint or matter (as the case may be), or to perform our statutory and administrative functions under the relevant laws and regulations.
In performing our statutory and administrative functions under the relevant laws and regulations, personal data held by us may be disclosed to relevant courts, panels, tribunals and committees, and/or other local and/or overseas regulatory / government / judicial bodies as permitted or required under the law, pursuant to any regulatory / supervisory / investigatory assistance arrangements between us and other regulators (local / overseas), or persons engaged by us to assist us in the performance of our statutory functions. Information collected in response to public consultation papers may be disclosed to members of the public in Hong Kong or elsewhere.
Where personal data is transferred to place(s) outside of Hong Kong in connection with such purposes, such place(s) may or may not offer the same or a similar level of personal data protection as in Hong Kong.
3. Personal data collected via forms / sections of our website
Without prejudice to our statement of practice on personal data held by us as mentioned above, generally:
(a) The information you provide in the "Contact us" section, the "Fintech Contact Point" or other similar section / function on this website is used by us to respond to or handle your enquiries, comments, suggestions or matter. The personal data will not be used for any other purposes, disclosed or transferred without your consent, unless such use, disclosure or transfer is permitted or required by law.
(b) Personal data collected from subscribers of the subscription service is used by us to alert you, to send you copies of the requested information and to compile statistics of our readership. The personal data will not be used for any other purposes, disclosed or transferred without your consent unless such use, disclosure or transfer is permitted or required by law.
(c) Personal data collected through online forms (including applications for licence, statement of personal information, annual return, notification of change of information) is used, disclosed or transferred for the purposes as set out in the PICS for the relevant forms.
(d) Personal data collected through submissions in response to public consultation papers is used, disclosed or transferred for the purposes as set out in the PICS for the relevant consultation paper.
(e) Personal data provided in the "Complaint form" will be used, disclosed or transferred only for those purposes related to the complaint (for example, it may need to be disclosed to the person / company against whom a complaint has been made), for discharging our statutory functions or where permitted or required by law. If the information provided is inaccurate or incomplete, consideration of the complaint may be affected.
If necessary, we will request a complainant to provide written authority to allow us to release information provided in his/her complaint, by sending him/her an "Authorization to the SFC to release information" Form for signature and return to us. If no response is received from the complainant, it may not be possible for any further action to be taken to process the complaint (see Note below).
A complainant must inform us by writing to the Data Privacy Officer, at the address set out below, if he/she would like to keep his/her identity confidential or if he/she does not want his/her personal data used for purposes related to the complaint. In such a case, it is possible that no further action may be taken to process the complaint (see Note below).
(f) Personal data collected from job applicants who respond to a recruitment advertisement posted on our website is used for consideration of the applicants' job application, and for recruitment related purposes, and will not be used for any other purposes, disclosed or transferred without your consent, unless such use, disclosure or transfer is permitted or required by law.
4. Information collected when you visit our website
(a) When you visit our website, a record of your visit is made as a "hit", which may show your Internet Protocol (IP) address and the pages you have visited. No personally identifiable information is collected under this circumstance. We use such information for statistical purposes, and for the purposes of maintaining and improving our website.
(b) When you browse our website, you should be aware that cookies are used. Cookies are data files stored on your computer's hard drive. Our website automatically installs and uses cookies on your browser when you access it. The types of cookies used on our website are session cookies and persistent cookies. The purpose of using cookies is to help us improve website performance and user experience.
The cookies used in connection with our website do not collect or store personally identifiable information. You may refuse to accept cookies on your browser by modifying the settings in your browser or internet security software. However, if you do so, you may not be able to utilize or activate certain functions available on our website (e.g. user surveys).
5. Retention
Different retention periods apply to the various kinds of personal data collected and held by us. We take all reasonably practicable steps to ensure that personal data will not be kept longer than is necessary for the fulfilment of the purposes (or any directly related purpose) for which the data is or is to be used, unless the retention is otherwise permitted or required by law.
In relation to the personal data collected via this website:
(a) Personal data provided under the "Contact us" section will be automatically deleted 90 days after any follow-up action has been completed, unless it is a complaint to us, in which case it will be retained for such period as may be necessary for the proper discharge of our functions. Personal data provided under the "Fintech Contact Point" or other section / function on this website similar to the "Contact us" section or "Fintech Contact Point" is retained for such period as may be necessary for the proper discharge of our functions.
(b) Personal data provided when you sign up for the subscription service will automatically be deleted 90 days after you unsubscribe from the service.
(c) Personal data provided (whether submitted electronically or physically via forms available on this website) in any licensing application form, statement of personal information, annual return, notification on change of information and any other form of request for information is retained for such period as may be necessary for the proper discharge of our functions.
(d) Personal data provided in submissions in response to public consultation papers is retained for such period as may be necessary for the proper discharge of our functions.
(e) Personal data provided in the "Complaint Form" is retained for such period as may be necessary for the proper discharge of our functions.
(f) In relation to personal data collected from job applicants who respond to a recruitment advertisement posted on our website, where the application is unsuccessful, all such personal data will be destroyed after six months from the date of the application deadline.
6. Public registers
We are required to maintain public registers containing specified data relating to licensed or registered persons and to publish such specified data in the Gazette (or in such manner as we consider appropriate), pursuant to the relevant provisions of the Securities and Futures Ordinance or any rules or regulations made thereunder. In this connection, such public registers may contain certain personal data of licensed or registered persons, and the public in Hong Kong or elsewhere may inspect such public registers. Please see "Important legal information about the Public Register of Licensed Persons and Registered Institutions".
7. Security
We take appropriate steps to protect personal data we hold against loss, unauthorized access, use, modification or disclosure. All personal data you provide to us on this website is secured on our website.
8. Access and correction / enquiries
You have the right to request access to and correction of your personal data held by us in accordance with the provisions of the PDPO. Please note that all data access requests should be made using the form specified by the Privacy Commissioner for Personal Data, which is accessible from the following link: "Data Access Request Form".
When handling a data access or correction request, we will check the identity of the requestor to ensure that he/she is the person legally entitled to make the data access or correction request. We have the right to charge a fee for processing of any data access request.
We do not provide online facilities for you to delete or correct personal data held by us.
Any enquiries regarding personal data, or requests for access to personal data or correction of personal data, should be addressed in writing to:
The Data Privacy Officer
Securities and Futures Commission
54/F, One Island East
18 Westlands Road, Quarry Bay
Hong Kong
Note: Please note, however, that where a complainant discloses information to us, and notwithstanding our policy that wherever possible the identity of complainants should not be revealed to outside parties, if the information is held or used for certain purposes related to law enforcement and regulation, we are exempt from the application of data protection principles 3 and 6 (use of personal data and access to personal data) by section 58 of the PDPO. The information can then be used for these purposes whether or not a complainant gives authority. The purposes include the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, and protecting the public from financial loss arising from dishonesty, incompetence, malpractice or seriously improper conduct by persons concerned in the provision of financial services.
Last update: 22 Jun 2021