本文へスキップ

Privacy Policy(NCH)

  • Home
  • Privacy Policy(NCH)

Privacy Policy

Last updated: 29 May 2026

Your privacy matters to us. This Privacy Policy explains how Norinchukin Hong Kong Limited (NCH) processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Hong Kong Personal Data (Privacy) Ordinance (PDPO). We are committed to handling personal data lawfully, fairly, and transparently.

1. Who This Applies To

This Privacy Policy applies to:

  • individuals connected to NCH’s corporate customers (e.g., legal representatives, authorized signatories, ultimate beneficial owners, directors, shareholders, guarantors, and other persons involved in transactions or services provided by NCH).
  • Visitors to our office.
  • Individuals who communicate with us via email, phone, or other communication channels.
  • Supplier, outsourcing partners, and vendor contacts.
  • Individuals visiting our website.

NCH does not provide retail banking services.

2.What is Personal Data?

“Personal data” means any information relating to an identified or identifiable natural person.

3.Who Controls Your Data

The data controller responsible for the processing of your personal data is:

Norinchukin Hong Kong Limited

Address: Suite 3202, 32/F, Two Exchange Square, 8 Connaught Place, Central, Hong Kong, People's Republic of China

Telephone: +852-2868-2839

4.Contact us

If you have questions about how your personal data is processed, or if you wish to exercise your rights under the GDPR and the PDPO, you may contact NCH representative office at [email protected]

5.What Personal Data We Collect

We process personal data required to meet legal and regulatory obligations, including anti-money laundering (AML), counter-terrorism financing (CFT), tax compliance, fraud prevention, and sanctions screening and other financial regulations. This includes:

1.Identification and Verification / KYC / screening data

  • Name, date and place of birth
  • Gender
  • Address and country of residence
  • Government-issued ID details (including dates of issue/expiration)
  • Nationality
  • Specimen signature
  • Fiscal/tax code
  • Job title
  • Transaction details
  • Corporate information
  • Any identifiers used in internal systems for compliance checks
  • Other data in connection with the operations of the service by NCH

The personal data referenced above is processed in relation to all relevant parties within the customer structure, including ultimate beneficial owners (UBOs), principals, directors, legal representatives, and shareholders.

2.Sensitive Data (AML/CFT Context)

  • Criminal conviction data (only where legally permitted and proportionate)
  • Special categories of data for sanctions screening or risk assessment

3.Audio-Visual Data (Used for fraud prevention, market abuse detection, and responding to competent authorities)

  • Surveillance recordings at premises
  • Recordings of calls, video conferences, and online chats

In addition, we process the following kinds of personal data for operational, contractual, and relationship management purposes:

1.Contact and Communication Details

  • Email address, business address, telephone number
  • Job title

2.Professional Details

  • Signing authority
  • Company mandate

3.Socio-Demographic Data (Business Context)

  • Education and employment details of shareholders, directors, or senior officers

4.Supplier Contact Data

  • Identification and professional details for managing contractual relationships and legal obligations

6.How We Collect Your Personal Data

We collect data:

  • Directly from you (including but not limited to forms, emails, calls, meetings).
  • Indirectly from your employer (including but not limited to KYC documentation, onboarding files).
  • From public sources (including but not limited to company registers, sanction lists, PEP lists).
  • From financial institutions involved in transactions.
  • From regulators and supervisory authorities.
  • From trusted service providers (including but not limited to KYC/AML screening providers, IT service providers).
  • From our use of cookies – for more information on our use of cookies see our cookies policy.

7.Why We Process Your Data

We process personal data for the purposes set out below.

Certain personal data, in particular data required to comply with legal, regulatory, or contractual obligations (including AML/CFT requirements), are mandatory. Failure to provide such mandatory personal data may result in our inability to establish or maintain a business relationship or provide requested services.

Where personal data is collected based on legitimate interests or consent, provision of such data is voluntary, and you may choose not to provide it or withdraw consent where applicable, without adverse consequences unless otherwise required by law or for security or operational reasons.

We process personal data on the following legal bases:

  • To comply with legal and regulatory obligations, including anti-money laundering laws, Foreign Account Tax Compliance Act (FATCA), Common Reporting Standard (CRS), and other banking regulations.
  • To perform contractual obligations with our customers.
  • For our legitimate interests, such as managing business relationships and improving internal processes. In such cases, we conduct a balancing test to ensure these interests do not override your rights and freedoms.
  • With your consent, where required.

8.Purposes of Processing

We use your personal data to:

  • Provide and administer financial products and services.
  • Comply with internal compliance requirements, policies and procedures, including any record keeping requirements required by law (including those imposed from time to time by regulators, law enforcement agencies or courts).
  • Comply with legal and regulatory requirements, including statutory reporting obligations and in respect of the prevention of financial crime and, for example, conducting due diligence, identity verification and integrity checks, and ongoing screening against Government, supranational and law enforcement data and sanctions lists, and against third party collated data in order to identify higher risk relationships.
  • Prevent, detect and investigate crime, including fraud and financial crime, including processing information about a crime or offence and proceedings related thereto.
  • Perform internal audits, compliance controls and other risk management processes including, for example, monitoring of communications for the purposes of detecting, investigating and preventing breaches of policy and criminal offences, and dispute resolution.
  • Maintain secure systems and protect the integrity of the financial system.
  • Respond to inquiries from competent authorities and meet international tax compliance obligations (FATCA, CRS).

9.Sharing of Personal Data

Personal data held by us will be kept confidential, but we will or may share personal data only when necessary and in accordance with legal requirements. The categories of recipients include the following (whether or within or outside of Hong Kong):

  • Regulators and supervisory authorities
  • Other financial institutions involved in transactions.
  • Service providers supporting our operations, such as IT and cloud services.
  • Norinchukin Bank (Japan) and Norinchukin group entities.
  • Auditors, legal advisors, and other professional service providers.
  • SWIFT, as a joint controller for payment processing.

Third-party processing is governed by data processing agreements and technical/organizational safeguards.

10.Transfers Outside the EEA

Where personal data is transferred outside the European Economic Area, we ensure appropriate safeguards, such as Standard Contractual Clauses or Binding Corporate Rules, are approved by regulators. Transfers may also rely on adequacy decisions by the European Commission, where applicable. These measures guarantee that your data remains protected in line with GDPR. You may request a copy of the transfer safeguards via the contact details in Section 4 above.

11.Data Retention

We retain personal data only for as long as is necessary to fulfil the purposes set out above, or for the period required under applicable laws and regulations, including the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AML/KYC), Hong Kong tax legislation, and requirements relating to general business correspondence.

Unless otherwise agreed, hard copies of any documents containing your personal data that you have provided to us become our property and will not be returned to you. We will destroy any documents we hold in accordance with our internal policy and any applicable laws.

All retention periods are applied consistently with our internal retention schedule.

12.Your Rights

You have the right to access, rectify, erase, restrict or object to the processing of your personal data, and to data portability, where applicable. Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal. In Hong Kong, you also have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong.

We encourage you to contact us first so we can address your concerns before you approach the supervisory authority. These rights may be subject to limitations under applicable law.

Identity verification forms part of the rights process, consistent with our internal procedures (e.g., identity checks documented in the access, rectification, and erasure workflows). Requests will be processed within one month, extendable in complex cases, as required by Articles 12 and 15 of GDPR.

Where a request is made under the Hong Kong Personal Data (Privacy) Ordinance, access and correction requests will be handled within 40 days in accordance with statutory requirements.

In accordance with Article 82 of the General Data Protection Regulation (GDPR), you have the right to seek compensation for any material or non-material damage suffered as a result of a breach of data protection law. This right can be exercised through the competent courts.

You can exercise your rights or reach out to us for any questions using the contact details in Section 4.

13.Data Breaches

If a breach poses a high risk to your rights and freedoms, we will notify you promptly, as required by Article 34 of GDPR.

14.Automated Decision-Making

We do not carry out automated individual decision-making that produces legal or similarly significant effects. Any decisions with impact are made by humans.

15.Direct Marketing

We do not use your personal data for direct marketing purposes.

16.Security of Your Personal Data

We apply appropriate technical and organisational measures, including encryption, access controls, and monitoring, to protect your personal data.

NCH’s staff and any relevant person under a duty of confidentiality to NCH shall maintain a strict confidentiality policy on all data and information collected. NCH shall ensure that all staff comply with the security policies and procedures.

17. Updates to This Privacy Policy

NCH maintains internal policies, procedures, and controls to ensure compliance with GDPR and PDPO, including measures for data minimisation, retention, security, and rights management. These are reviewed regularly as part of our governance framework.

We may update this Privacy Policy when necessary to reflect changes in our processing activities, legal requirements, or guidance from the Office of the Privacy Commissioner for Personal Data, Hong Kong or European Data Protection Board.

The latest version will always be available on our website.

We may also separately advise you about the update or change. Subject to obtaining your explicit consent as may be required by any applicable law, the new modified Privacy Policy will apply from that revision date. Therefore, we encourage you to review this policy periodically on our website to be informed about how we are protecting your data.

pagetop