Ⅰ. Guiding principles
To minimize compliance and reputation risks while safeguarding customer assets and shareholder value, China Minsheng Bank (the Bank) has formulated the Implementation Rules for Data Deletion and Data Destruction of China Minsheng Bank (Min Yin Ban Fa [2025] No. 821) (the Rules) in accordance with relevant national laws and regulations, regulatory requirements, industry standards, and the Bank’s internal policies. The Rules systematically standardize the Bank’s data deletion and destruction, clarify the division of responsibilities and duties, processes, and implementation requirements, and ensure adherence to national and industry regulatory mandates, so as to prevent risks such as data breaches and misuse, safeguard data security, and protect customer privacy.
Ⅱ. Data deletion
1. Data deletion scenarios (Refer to Article 11 of the Rules)
The Rules stipulates that the Bank shall delete data to ensure it is neither retrievable nor accessible under the following circumstances: when the data retention period expires; when the purpose of data processing has been achieved, cannot be achieved, or is no longer necessary; when the data competent entity withdraws consent or actively requests deletion; and when third-party cooperation involving entrusted processing, joint processing, or data sharing is terminated, the third party shall delete the relevant data as required. Where national or industry authorities have specific provisions permitting or requiring data retention, such requirements shall be followed accordingly.
2. Data deletion process and requirements (Refer to Article 13 to Article 17 of the Rules)
The Bank has established a comprehensive data deletion process covering identification, assessment, execution, verification, and documentation to prevent compliance and reputation risks arising from data retention. Firstly, the departments in charge shall identify data deletion requirements within their domains, specify the reasons, scope, and timeline for deletion, and collaborate with the technology- and data-related departments to conduct assessments and complete the Data Deletion Assessment Form. Once the assessment is approved, the above departments shall develop a safe and feasible technical plan and implement it, ensuring that the deletion does not affect business operations or the integrity and consistency of other data. After execution, the technical team shall verify that the data is neither retrievable nor accessible at the technical level, while the relevant business departments shall confirm that the deletion has not adversely affected normal operations. For data that cannot be completely deleted due to technical constraints, the Bank shall cease all data processing activities except for storage and necessary security protection, and conduct regular reviews to ensure such data remains unusable.
In scenarios involving third-party cooperation such as entrusted data processing, the Bank stipulates the following in contracts: when the cooperation is terminated, the third party shall promptly delete the data as required by the Bank and cease to retain, in any form, any data or derivative data obtained from the Bank (unless otherwise specified by national or industry authorities or with specific authorization from the data competent entity). The Bank shall take supervisory measures such as inspections to ensure timely and irreversible deletion within the agreed timeframe upon cooperation termination, thereby mitigating the risk of data breaches arising from delayed deletion.
3. Data destruction (Refer to Article 18 of the Rules)
The Bank shall destroy data to ensure complete and irretrievable deletion under the following scenarios: when the storage space of the storage media is released and reallocated; when the storage media is damaged or reaches end of life; and when the storage media is reused or removed from the Bank’s control. Where national or industry authorities have specific provisions permitting or requiring data retention, such requirements shall be followed accordingly.
4. Data destruction process and requirements (Refer to Article 19 to Article 23 of the Rules)
The Bank’s data destruction follows a closed-loop process of “demand identification - operation execution - outcome verification - record retention”. Firstly, the technology department shall identify data requiring destruction, clarify the reasons, scope, and timeline, and either destroy the data itself, entrust a service provider with nationally accredited qualifications to destroy it, or submit the data to the local administration for the protection of state secrets for destruction. When engaging service providers, the entire process shall be video-recorded and supervised on-site by designated personnel, so as to ensure compliance with security and confidentiality requirements. Upon completion, the Bank conducts sampling verification to ensure that the data is irrecoverable. A destruction register shall be created to document destruction details, including the date, content, method, approver, executor, and reviewer. Records of core data destruction shall be retained for at least three years, while those for important, sensitive, and general data shall be kept for at least one year. This closed-loop management ensures that all destruction activities are compliant, effective, and traceable.
Ⅲ. Management mechanism
1. Division of responsibilities and duties (Refer to Article 8 of the Rules)
Following the principle of “whoever is responsible for the business is also responsible for the business data and data security”, each business line is responsible for data deletion within its respective domain, including identifying deletion demands, performing business validation, and updating deletion registers. The technology- and data-related departments shall be responsible for technical assessment, solution formulation, and implementation. The technology department shall also be responsible for data destruction, undertaking duties including implementing destruction requirements and procedures, as well as establishing and continuously updating the data destruction registers. As the centralized management department, the IT Department shall formulate relevant systems and processes, provide guidance and oversight to all institutions, and conduct inspections and performance evaluations. Such roles and responsibilities create a closed-loop responsibility framework of “business execution - technology support - supervisory implementation”.
2. Supervision and evaluation (Refer to Article 24 of the Rules)
The IT Department shall conduct regular inspections on the implementation of data deletion and data destruction across the Bank. Based on the inspection results, the IT Department carries out performance evaluations for all institutions to drive continuous improvement in management practices.