Data privacy for banks and financial institutions


Data privacy for banks and financial institutions


Personal data privacy is concern of paramount importance to banks and financial institutions (collectively as “Financial Institutions”) in Hong Kong as they manage a large volume of information about individuals in their day to day operations and breach of personal data privacy laws can result in dire financial and reputational consequences. With the acceleration of globalization and the advancement in technology, financial transactions can easily be conducted online without geographical limitation. Personal data are often collected, processed, transferred and stored in different countries. In this article, we will briefly discuss the implications of the Personal Data (Privacy) Ordinance (Cap 486, Laws of Hong Kong)(“PDPO”), the European Union (“EU”) General Data Protection Regulation (“GDPR”), the Personal Information Protection Law (“PIPL”) of the People’s Republic of China (the “PRC”) which will be implemented from 1 November 2021, and the United States of America (“US”) Financial Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act (“GLBA”)) on the handling of personal data by Financial Institutions in Hong Kong.

Data privacy and security concerns

Data privacy refers to who is allowed access to data provided to institutions with whom they have entered into a relationship. Workers at banks need certain data to verify clients’ identities whereas financial advisors require certain data to enter into transactions on the behalf of those holding an account with them. Problems arise with data security when employees, security officials, and others tasked with protecting personal data fail to provide adequate security protocols.


In Hong Kong, PDPO protects the privacy of individuals in relation to personal data, which is defined as data relating directly or indirectly to a living individual from which it is practicable for the identity of the individual to be directly or indirectly ascertained and it must be in a form in which access to or processing of the data is practicable. The Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”) also issues “Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry” (the “Guidance Note”) on the importance of protecting the confidentiality of customer data and some key control measures for customer data protection. The Guidance Note refers to “financial institutions” and is therefore also relevant for the wider financial services industry and its data protection compliance practitioners. It will be prudent for Financial Institutions to adhere to the rules stipulated therein.

Guidance Note

Financial Institutions (“Data Users”) shall establish a corporate wide privacy strategy which applies in all their business processes and operational procedures to ensure proper handling in the collection, integrity, storage, retention, access, use and transfer of personal data throughout its life cycle. On one hand, they should provide data subjects with an adequate Personal Information Collection Statement which states the purposes for which personal data will be used after collection, whether it is obligatory or voluntary for the individuals to supply their personal data, the consequences for failing to supply the obligatory information, the classes of persons to whom the personal data may be transferred or disclosed, requisite information about the use and/or provision of personal data for direct marketing (if applicable), individuals' rights of access and correction of their personal data and contact details of the data protection officer who will handle such access and correction requests. Data collected should be “fit for purpose”; not excessive; accurate; only retained for the necessary time; and secure (especially when off site). On the other hand, Financial Institutions should also formulate and make available to the public their Privacy Policy Statements and have in place robust privacy and risk management programmes. For instance, data subjects must be notified of any intra-group data sharing or transfer, measures should be taken before disclosing data to enforcement agencies or regulators, data access requests must be dealt with within 40 days and special care must be taken in relation to any “direct marketing” initiatives. 

Data Users are generally liable for the acts of its staff, agents and contractors so they should ensure a high degree of alertness among staff members in protecting personal data. Moreover, Data Users should implement “layers” of security controls (covering both IT and non-IT controls) to prevent and detect any loss or leakage of personal data. Staff should be asked to sign a secrecy or confidentiality agreement recognizing the Data User’s operational expectations. A defence is available if the Data User shows that it has taken precautionary measures (e.g. ongoing training, internal policies) to prevent contravention. For agents and contractors, relevant PDPO requirements should be incorporated into the service contract.


Under PIPL, personal information is referred to as information concerning an identified or identifiable natural personal recorded electronically or in any other manner, excluding the data which has been anonymized. Similar to GDPR, PIPL provides itself with the long-arm jurisdiction beyond the territorial scope of the PRC as it applies to the processing of personal information in the following circumstances based on Article 3 of PIPL: (1) providing products or services to natural person in China, (2) analysing or evaluating the behaviour of natural person in PRC; and (3) other circumstances as prescribed by laws or administrative rules. Articles 5 to 9 sets out the 7 key principles of personal information protection in China: legitimacy; purpose limitation; minimum scope; openness and transparency; accuracy; and, accountability and data security. Articles 4, 13 and 14 stipulate that processing personal information (including collection, storage, use, transfer, provision and disclosure to the public) requires the prescribed consent from the individual and such consent shall be voluntarily and explicitly given by the fully informed individual.

Financial Institutions should pay particular attention to article 23 of PIPL which, as compared with PDPO and GDPR, impose additional obligations on Financial Institutions which engage third party in handling personal information. For instance, they shall notify individuals about the identity of the third party, their contact method, the handling purpose, handling method, and personal information categories, and obtain the separate consent from the individual. Third parties receiving personal information shall handle personal information within the above mentioned scope of handling purposes, handling methods, personal information categories, etc. Where third parties change the original handling purpose or handling methods, they shall notify the individual again and obtain their consent. With the above requirements in mind, Financial Institutions should be extra cautious in preparing contracts for third party engagement in personal information handling.

It is also noteworthy that, unlike the practice under PDPO or GDPR, PIPL further classifies certain types of personal data as “sensitive information” under articles 28-29. Sensitive information is defined as the personal information that, once leaked or illegally used, may cause violation of individual dignity or grave harm to personal or property security, including information on specific status, religious beliefs, individual biometric features, medical health, financial accounts, individual location tracking, personal information of minors of age under 14, etc. Financial Institutions may handle sensitive personal information only for specific purposes and when sufficiently necessary. Where handling sensitive personal information based on individual consent, Financial Institutions shall obtain separate consent from the individual.

Similar to the GDPR, PIPL also impose heavy penalty on personal information handler. The maximum penalty for breaching the provisions therein is confiscation of revenue obtained from illegal use of personal information, and fine of RMB 50 million or 5% of the sales in the previous year.


Apart from PDPO, Financial Institutions in Hong Kong should also pay attention to GDPR which introduces explicit requirements of compliance by organisations established in non-EU jurisdictions in specified circumstances. PCPD published “An Update on European Union General Data Protection Regulation 2016” which aims at raising awareness among local businesses of the possible impact of the regulatory framework for data protection in the EU stemming from the implementation of GDPR.

Under GDPR, personal data means any information relating to an identified or identifiable natural person which is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Pursuant to Article 3 of GDPR, Financial Institutions in Hong Kong are required to comply with GDPR if it (1) has an establishment in the EU, where personal data is processed in the context of the activities of the establishment, regardless of whether the data is actually processed in the EU; or (2) does not have an establishment in the EU, but offer goods or services to or monitor the behaviour of individuals in the EU. For instance, if Financial Institutions offer banking or investment services to individuals in the EU, it may need to comply with GDPR requirements notwithstanding that they are incorporated outside the EU and have no branch or representative office in the EU. It is noteworthy that Recital 26 of GDPR expressly states that the principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable, and therefore GDPR does not concern the processing of such anonymous information. At the core of GDPR are seven key principles laid out in Article 5 of GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.  Data controllers have to be able to demonstrate they are GDPR compliant and are required to handle data securely by implementing appropriate technical and organizational measures.

Chapter V of GDPR offers several legal bases for the transfer of personal data. Article 44 of GDPR regulates international transfers generally and the “Derogations for specific situations” provided by Article 49 (1) of the GDPR provides that transfers may be carried if one of the listed conditions is fulfilled. One of the derogations is the case where “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”.

The fines for violating GDPR are very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher) based on Article 83(5) of GDPR, plus data subjects have the right to seek compensation for damages.


The GLBA is a US federal law focusing on the regulation of Financial Institutions’ handling of customer’s non-public personal information (“NPI”). Pursuant to section 509(4) of GLBA, NPI is any "personally identifiable financial information" that a Financial Institution collects about an individual with regard to providing a financial product or service, unless that information is otherwise "publicly available”. GLBA covers only the NPI of a customer who is an individual obtaining or has obtained a financial product or service from Financial Institutions used primarily for personal, family, or household purposes, but not for business purpose.

As stipulated in section 103 of GLBA, GLBA applies to businesses which are “significantly engaged” in “financial activities” as described in section 4(k) of the Bank Holding Company Act which thus encompasses not just companies which are traditionally known as “financial institutions” but also businesses like real estate appraisers, tax preparers, financial planners, credit reporting agencies, ATM operators and career counselling in relation to employment in the financial services industry. Although unlike GDPR and PIPL which expressly provide for long-arm jurisdiction, Financial Institutions should nevertheless pay attention to the compliance of GLBA where financial activities, products or services are engaged or provided in the US.

Under Title V of GLBA are three principal components to the privacy requirements being (1) the Financial Privacy Rule, (2) the Safeguards Rule, and (3) the pretexting provisions. The Financial Privacy Rule governs Financial Institution’s collection and disclosure of customers’ personal financial information. Financial Institutions must notify customers of their information-sharing practices, are required to issue a privacy notice to customers regardless of whether the customer NPI will be shared or not, and are imposed of the requirement that customers must be provided with a means to opt-out the disclosure of NPI to non-affiliated third parties.

All Financial Institutions, be it one that collects information from clients or one that receives customer information from other Financial Institutions like credit report agencies, are obligated to develop, implement and maintain safeguards to protect customer information in accordance with the Safeguards Rule. A detailed security plan on how the Financial Institution is protecting customers' and previous customers' NPI against risks such as cyberattacks, data leaks and breaches, and unauthorized access of NPI is called for. To comply with the pretexting provisions, Financial Institutions are also required to observe the rules against fraudulent access to NPI by way of social engineering or pretexting.

The financial penalty for non-compliance of GLBA is a fine of up to $100,000 for each violation and a fine of up to $10,000 for officers and directors of Financial Institutions. GLBA may warrant a custodial sentence for more serious violation with knowledge and/or intent, with the maximum imprisonment of up to 5 years as provided in section 523 of GLBA. 


In view of the growing regulatory concern over personal data privacy and the extortionate penalty for violation of the worldwide legal requirements as briefly discussed above, Financial Institutions in Hong Kong are recommended to regularly review their personal data privacy regime and seek professional legal advice if necessary in order to keep up with legal requirements and prevent regulatory actions from the root.


For enquiries, please feel free to contact us at:

E:                                                                       T: (852) 2810 1212
W:                                                                     F: (852) 2804 6311

19th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong

Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.

Published by ONC Lawyers © 2021

Our People

Ludwig Ng
Ludwig Ng
Senior Partner
Nelson Ho
Nelson Ho
Ludwig Ng
Ludwig Ng
Senior Partner
Nelson Ho
Nelson Ho

Latest Publications

ONC Lawyers published A Concise Guide to Banking and Financial Services Licensing in Hong Kong
ONC Lawyers published A Concise Guide to Banking and Financial Services Licensing in Hong Kong
The regulatory trend for cross-border data transfers: A (temporary) step away from globalisation?
When Australia and Hong Kong entered into a landmark bilateral free trade agreement back in 2019, one of the cornerstone features of the agreement includes both respect jurisdictions declaration of commitments to the policy of free flow of data. Such policies reflect the growing importance of services and investment to trade where the liberalization of trade is no longer just about tariffs, but also has a digital emphasis with the impact of data flows for trading services (e.g. e-commerce) and investing in foreign markets gaining ever greater importance. Suffice it to say, much has happened since the early months of 2019 and with nations around the world backtracking away from globalization (for the time being at least) owing to political intrigues, such divides are echoed in some reversals of cross-border data transfer policies.
Proposed public inspection regime to limit access to company directors’ data in Hong Kong – Potential shortcomings and our recommendations
Recently, the Government has begun its review as to whether personal data contained in the Companies Register (the “Register”) such as information pertaining to addresses of directors should be maintained with the Register. In response, the Financial Services and the Treasury Bureau (the “Bureau”) along with the Companies Registry (the “CR”) submitted a paper to the Legislative Council on 29 March 2021 (the “Proposal”), which proposed to bring into operation a new inspection regime (the “Regime”) that has been included the Companies Ordinance (“CO”) when the legislation was made in 2012.
Back to top