Who we are?

Your information will be held by Bank of China Limited, Geneva Branch which is part of the Bank of China Group.

When we refer to 'we', 'us' and 'our' in this Privacy Notice, we mean Bank of China Limited, Geneva Branch (hereinafter called "BOC, Geneva Branch"). If you are an organisation (or a person or person(s) representing an organisation), references to 'you' and 'your' include the organisation, together with the people representing or connected with the organisation (such as proprietors, officers, beneficial owners, settlors and beneficiaries) where this is appropriate referred hereafter as “Data subject”.

More information about the Bank of China Group can be found at www.szbyj.cn

Introduction

We take your privacy seriously and this Privacy Notice tells you how we will look after your personal information. We recommend you read this Privacy Notice very carefully because it contains important information about:

? The personal information we collect about you and how we process it.

? Who we might share your personal information with.

? Your rights in relation to your personal information – for example, how to get a copy of your personal information and how to ask us to correct or remove information.

Our promises to you

We promise:

? To keep your personal information safe and private.

? Not to sell your personal information.

? To give you ways to manage and review your marketing choices at any time.

What personal data do we process?

“Personal data” include any information that makes it possible to identify a natural person directly (e.g. first name, surname) or indirectly (e.g. passport number or data combination).

Personal data of Data subjects we process may include:

? identification data, e.g. names, addresses, telephone numbers, email addresses, business contact information;

? personal characteristics, e.g. date of birth, country of birth, nationalities;

? professional information, e.g. employment and job history, title, professional skills, powers of attorney;

? identifiers issued by public bodies, e.g. passport, identification card, tax identification number, national insurance number, social security number, work permit;

? financial information, e.g. financial and credit history information, bank details, record from the debt collection enforcement office;

? transaction/investment data, e.g. current and past investments, investment profile, investment preferences and invested amount, number and value of shares held, role in a transaction (seller/acquirer of shares), transaction details;

? management and security data, e.g. records of presence on our premises, reputation checks and background checks;

? cookie information, e.g. cookies and similar technologies on websites and in emails will only be used for statistical purposes and for the purpose of improving our website. Such data will subsequently be deleted. We will also use such non-personal information to make your use of our website easier (inter alia, we may use cookies to store your selected country of residence for the duration of a session so that you do not have to repeatedly enter the information).

We also collect and process personal data in connection with compliance, with legal and regulatory obligations to which we are subject, including to:

? provide offering documentation to Data subjects about products and services;

? comply with legal obligations relating to accounting, compliance with legislation on markets in financial instruments, outsourcing, foreign activity and qualified participation;

? carry out any other form of cooperation with, or reporting to, competent administrations, supervising authorities, law enforcement authorities and other public authorities [e.g. in the field of anti-money laundering and combating terrorism financing (AML), for prevention and detection of crime under tax law [e.g. reporting of name, address, date of birth, tax identification number (TIN), account number and account balance to tax authorities under the Common Reporting Standard (CRS) or Foreign Account Tax Compliance Act (FATCA) or other tax legislation to prevent tax evasion and fraud as applicable];

? prevent fraud, bribery, corruption and the provision of financial and other services to persons subject to economic or trade sanctions on an ongoing basis in accordance with our AML procedures, as well as to retain AML and other required records for screening purposes;

? deal with active intra-group risk management pursuant to which risks in terms of markets, credit, default, processes, liquidity and image as well as operational and legal risks must be identified, limited and monitored;

? record conversations with Data subjects (such as telephone and electronic communications), in particular to document instructions or detect potential or actual frauds and other offences

The Processing Operations outlined above may rely on other lawful bases and potentially do substantially rely on the performance of a task carried out in the public interest.

Furthermore, we may process personal data in connection with legitimate interests we pursue in order to:

? assess certain characteristics of the Data subjects on the basis of personal data processed automatically (profiling) (see also below);

? develop our Business Relationship with you;

? improve our internal business organization and operations, including for risk management;

? use this information in BOC Group entities for market studies or advertising purposes, unless Data subjects have objected to use of their personal data for marketing;

? assess our risk and take related business decisions with regard to risk management;

? communicate personal data to other BOC Group entities, in particular to guarantee an efficient and harmonized service and inform Data subjects about services offered by BOC Group entities;

? establish, exercise and/or defend actual or potential legal claims, investigations or similar proceedings;

? record conversations with Data subjects (such as telephone and electronic communications) to verify instructions, enforce or defend our interests or rights, assess, analyse and improve the quality of our services, train our employees and manage risks.

? conduct audits and/or regularly reviews.

Origin of personal data

We collect or receive personal data to the extent that is legally permitted:

? Personal data that is given to us by the Data subject, namely for the account opening, during an advisory discussion, for making an enquiry, as part of a registration on our websites or when using certain products and services, signing up for a newsletter and/or event, participating in discussion boards or other social media functions on our websites or any information relating to a job application registration.

? Personal data that is necessary for the facilitation of products and services and that is transmitted to us via the technical infrastructure (e.g., via our website, login information, e-Banking, apps, payment and trading transactions, or collaborations with financial or IT service providers or market places and stocks).

? Personal data from third parties, such as authorities, sanction lists (e.g., UNO/EU, OFAC), information available through subscription services (e.g. Bloomberg, World Compliance PEP list, Worldcheck), rating agencies, credit report entities (e.g., Swiss Central Office for Credit Information (ZEK), Information Office for Consumer Credit (IK), etc.), analytics providers or search information providers as well as group companies of the Bank of China.

? Personal data that is publicly accessible (e.g., public register information, public social media platforms).

Specific cases for automated individual decisions, including profiling

We may assess certain characteristics of the Data subjects on the basis of personal data processed automatically (profiling) in particular to provide Data subjects with personalized offers and advice or information on our products and services or those of our affiliates and business partners. We may also use technologies that allow us to identify the level of risks linked to a Data subject or to activity on an account. Furthermore, we generally do not use automated decision-making in connection with our Business Relationship and/or Data subjects. Should we do so, we will comply with applicable legal and regulatory requirements.

Disclosure of personal date to third parties

We reserve the right to disclose or make accessible the personal data to the extent legally permitted to the following recipients:

? public/governmental administrations, courts, competent authorities (e.g. financial supervisory authorities) or financial market actors (e.g. third-party or central depositaries, brokers, exchanges and registers);

? BOC Group entities or third-party Processors that process personal data on our behalf and/or to which we outsource certain tasks of ours (outsourcing);

? auditors or legal advisors.

We undertake not to transfer personal data to any third parties other than those listed above, except as disclosed to Data subjects from time to time or if required by applicable laws and regulations applicable to them or by any order from a court, governmental, supervisory or regulatory body, including tax authorities.

Disclosure abroad

In the course of our Business Relationship, we may disclose, transfer and/or store personal data abroad (hereafter “International Transfer”):

(i) in connection with the conclusion or performance of contracts directly or indirectly related to our Business Relationship, e.g. a contract with you or with third parties in your interest; (ii) when the communication is necessary to safeguard an overriding public interest; or (iii) in exceptional cases duly foreseen by applicable laws (e.g. disclosures of certain trades made on an exchange to international trade registers).

International Transfers may include the transfer to jurisdictions that: (i) ensure an adequate level of data protection for the rights and freedoms of Data subjects as regards to Processing; (ii) benefit from adequacy decisions as regards their level of data protection (e.g. adequacy decisions from the European Commission or the Swiss Federal Data Protection and Information Commissioner); or (iii) do not benefit from such adequacy decisions and do not offer an adequate level of data protection. In the latter case, we will ensure that appropriate safeguards are provided, e.g. by using standard contractual data protection clauses established by the European Commission.

Transfer of data via the Internet

Please be advised that data transferred across national borders over the Internet are not subject to any control while in transit even if the sender and recipient are both located in the same country.

We cannot guarantee the security of data transferred over the Internet and accept no liability in respect thereof. Any notices emailed to us by you may not be secure. If you email any confidential information to us, you do so at your own risk. When contacting us, please send data via a secure mechanism, where appropriate, instead of over the Internet.

The sender and recipient can still be identified even when the information transmitted is encrypted. As a result, a third party could – inadvertently or otherwise – infer that there is a commercial relationship between you and BOC, Geneva Branch. Therefore, we recommend avoiding the transmission of any strictly confidential information via open networks.

Data subject rights

You have a right to be informed whether personal data in relation to you is being processed by us. On request, we will disclose you the personal data in our databases, including available details about the origin of the data, the purpose and, where appropriate, the legal basis for the processing and the categories of the processed personal data, the parties involved in the data collection and the data recipients.

You may withdraw your consent to the process of your personal data and/or may wish to opt out of the use of your information for advertising or marketing purposes at any time with future effect. You can exercise further rights, such as the right of rectification and you are also entitled to have any inaccuracies in your personal data corrected, or to have your data blocked or deleted, dependent on the lawful basis under which we are holding particular data.

Please let us also know, if we do not meet your expectations with respect to the processing of personal data or you wish to complain about our data protection practices; this gives us the opportunity to examine your issue and make improvements, where necessary.

In any of these cases, please send us a clear request in writing, together with a clearly legible copy of a valid official identification document (e.g., passport, ID card) so we can be sure as to your identity. We will acknowledge receipt as soon as received, examine your issue and reply in good time.

Even if a Data subject objects to the Processing of personal data, we are nevertheless allowed to continue the same if the Processing is: (i) legally mandatory; (ii) necessary for performance of a contract to which the Data subject is a party; (iii) necessary for performance of a task carried out in the public interest; or (iv) necessary for the purposes of the legitimate interests we pursue, including the establishment, exercise or defense of legal claims.

Retention period

BOC, Geneva branch will only store your personal data for as long as necessary, taking into account our obligation to respond to requests or resolve problems, to provide improved and new services and to act in accordance with applicable laws and regulations.

In particular, this means that we are entitled to keep your personal data for a reasonable period of time after you last contacted us. If the personal data we collect is no longer needed in this way, we are obliged to delete it in a secure manner subject however (i) to any applicable legal or regulatory requirements to store personal data for a longer period; or (ii) to establishing, exercising and/or defending actual or potential legal claims, investigations or similar proceedings, including legal holds, which we may enforce to preserve relevant information.

Contact

Please let us know, if we do not meet your expectations with respect to the processing of personal data or you wish to complain about our data protection practices; this gives us the opportunity to examine your issue and make improvements, where necessary. In any of these cases, please send us a clear request in writing to the following address:

Data Protection officer

Bank of China limited, Geneva Branch

Rue de la Tour-de-l’Ile 1 ; CH-1204 Genève

Telephone: 058 611 68 00

E-mail: dpo.ch@bankofchina.com

Changes to this Privacy Notice

We may change this Notice from time to time. In the case of significant changes, we will inform you by the appropriate means. You should check this Notice occasionally to ensure that you are aware of the most recent version that will apply each time you access the website