State Bank of India
External Privacy Notice
1. Who we are and what we do
Who we are
We are State Bank of India (UK) Ltd ("SBI UK", "us", "we", "our"). We are a limited company registered in England and Wales under registration number Company Number 10436460 and we have our registered office at 15 King Street, London, EC2V 8EA. We are registered with the UK supervisory authority, Information Commissioner's Office ("ICO") in relation to our processing of Personal Data under registration number ZA295911.
SBIUK is part of the State Bank of India group of companies (the "SBI Group"). Details of the SBI Group can be found at >https://www.sbiuk.com/footer/about-sbi/about-us. Personal data provided may be stored on a SBI Group database and may be used by us, any SBI Group company or third party for the purposes set out in this Privacy Notice.
What we do
We are in the business of providing banking services including personal banking, business banking, loans and mortgages, We are committed to protecting the privacy and security of the Personal Data we process about you.
Controller
Unless we notify you otherwise, we are the controller of the Personal Data we process about you. This means that we decide what Personal Data to collect and how to process it.
2. Purpose of this privacy notice
The purpose of this privacy notice is to explain what Personal Data we collect about you and how we process it. This privacy notice also explains your rights, so please read it carefully. If you have any questions, you can contact us using the information provided below under the 'How to contact us' section.
3. Who this privacy notice applies to
This privacy notice applies to you if:
- You visit our website
- You use any of our products and/or services
- You enquire about our products and/or services
- You use our YONO SBI UK mobile banking App (see also our privacy notice specifically for users of our YONO App which is available when you log into the YONO App)
- You sign up to receive newsletters and/or other promotional communications from us
- You are a business associate of ours
4. What Personal Data is
'Personal Data' means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier
Personal Data we collect
The type of Personal Data we collect about you will depend on our relationship with you. For the type of Personal Data we collect see the list below. For details of how we use this data see the section entitled 'Purposes, lawful bases and retention periods'.
We may collect, use, store and transfer different types of personal data about you (or those associated with you such as dependents, other close family members and joint account holder(s)) which you may provide or which we may collect from other parties. These can broadly be grouped together as follows:
Contact Data includes billing address, physical address, email address and telephone number(s).
Correspondence Data includes all of the above category groups of Personal Data which are contained in, or relating to, any communication with you (including telephone conversations, if applicable, where we notify you such conversations are recorded), which may also include the communication content and metadata associated with the communication
Enquiry Data includes Identity, Contact and Financial Data contained in any enquiry you submit to us regarding services and products
Financial Data includes bank accounts details, payment card details, salary and other income, expense, asset and liability details
Identity Data includes first name, maiden name, last name, user-name orsimilaridentifiers(including reference numbers we have allocated to identify you), marital status, title, date of birth, gender and job title
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences
Profile Data includes your username and password, transactions made by you, your interests and preferences
Regulatory Data includes personal data involving credit and identification checking and validation, money-laundering checks and information about criminal convictions and offences
Transaction Data includes details about payments to and from you and other details of services and products we provide to you such as the date, amount, currency and the name and type of supplier (for example, supermarketservices, medical services, transactions in assets, retailservices) and from the payments which are made to and from your account(s) with us.
Technical Data a includes internet protocol (IP) address, your log-in data, browser type and version, time zone and location settings, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this Site and the online services provided by us
Usage Data includes information about how you use our website and services, including but not limited to, traffic data, location data, web-logs and other communication data, whether this is required for our own purposes or otherwise, and the resources that you access
Vulnerability Data includes any information which may suggest you are vulnerable to some degree. Characteristics could include physical or mental illness or disability, illiteracy, lack of financial skills, poor hearing etc
We also collect, use and share aggregated data such as statistical or demographic data. Aggregated data may be derived from your Personal Data but is not considered Personal Data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.
Where we need to collect Personal Data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. For example, to provide you with goods or services. In this case, we may have to cancel a product or service you have with us but, if this is the case, we will notify you at the time.
6. How we collect your Personal Data
We collect most of the Personal Data directly from you in person, by telephone, text or email and/or via our website and YONO App. For example, we collect your Personal Data when you complete forms, use our website, use our YONO App, correspond with us and have conversations with us.
We may receive information about you from third parties or publicly available sources. For example, we receive Personal Data about you from third parties,such as employers, joint account holders, credit reference agencies, fraud prevention agencies or other organisations when you apply for an account with us or for any of our other products or services. We may also collect Personal Data about you from publicly available sources such as social media sites and Government registers and information that you provide on social media websites such as Twitter, LinkedIn and YouTube.
We use automated technologies to collect your Personal Data. For example, as you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. We may collect this data by using cookies and other similar technologies. We also collect data from you when you use our YONO App.
We collect and create an analysis and management of your accounts and servicesWe learn about you from the way in which your accounts with us are administered and managed, from the transactions made, such as the date, amount, currency and the name and type of supplier (for example, supermarket services, medical services, transactions in assets, retail services) and from the payments which are made to, and from, your account(s) with us
Where you provide personal and financial information to us about others (such as dependents, other family members and joint account holder(s)), you confirm that you have their consent or are otherwise lawfully entitled to provide this data to us and for it to be used in accordance with this Privacy Notice.
7. We may also collect information about you if we observe that you may benefit from extra support from us. See the section below entitled "Accessibility".
We want to make banking with us as easy as possible, so if you are suffering from any physical or mental condition that affects your ability to manage your finances, please let us know so that we can find ways to support you. For example, if you struggle with hearing loss, we will speak to you more loudly or if you are facing an upsetting life experience, we will be sensitive to this.
If you do not tell us about something you are struggling with, we may, nonetheless, notice this when you engage with us. In these circumstances, we will do whatever we reasonably can to assist you in dealing with your finances. We may also keep a note of what we observe so that we are more able to quickly and easily assist you in an appropriate way the next time you interact with us.
8. Use of our YONO App
Our YONO ("You only need one") App is a mobile banking App that offers banking services. To see our full privacy notice relating to your use of YONO App, please log in to your YONO App.
9. Purposes, lawful bases and retention periods
We will only use your Personal Data when the law allows. Most commonly, we will use your Personal Data in the following circumstances:
Categories of individuals | Purpose of Processing | Categories of Personal Data | Lawful Basis | Retention Period |
---|---|---|---|---|
New customers | To register you as a new customer, process your application and set up your accounts |
|
Contract | 7 Years from the date of closure of the account |
New customers and existing customers | To verify your identity and make financial risk assessments including anti-money laundering checks and for crime and fraud prevention purposes. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at: https://www.cifas.org.uk/fpnhttps://nhunter.co.uk/privacy-policy/For more information about how credit referencing agents generally use your personal data, visit the Credit Reference Agency Information Notice (CRAIN) which can be found here: https://www.experian.co.uk/legal/crain/ For specific information on how our credit reference agency uses your data, visit: https://www.experian.co.uk/consumer/privacy.html |
|
Depending on the situation:
|
7 Years from the date of closure of the account |
Existing customers | To deliver the services to you including:
|
|
|
7 Years from the date of closure of the account |
Existing customers | To manage, develop and improve our relationship with you which will include: notifying you about changes to our terms or privacy policy or our services, providing you with professional assistance as required, developing and improving our servicesto you. |
|
|
7 Years from the date of closure of the account |
Website users, existing customers, new customers and potential new customers | To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance,support,reporting and hosting of data) |
|
|
7 Years from the date of closure of the account |
Website users, existing customers, new customers and potential new customers | To use data analyticsto improve our website, products/services, marketing, customer relationships and experiences |
|
|
7 Years from the date of closure of the account |
Website users, existing customers, new customers and potential new customers | To enable us to carry out assessment and analysis (including credit and/or behaviour scoring, market and product analysis) |
|
|
7 Years from the date of closure of the account |
Website users, existing customers, new customers and potential new customers | To enforce any of our rights against you |
|
|
7 Years from the date of closure of the account |
Website users, existing customers, new customers and potential new customers | To meet our regulatory compliance and reporting obligations including to prevent and detect fraud, money laundering and other crime and carry regulatory checks |
|
|
7 Years from the date of closure of the account |
Website users, existing customers, new customers and potential new customers | To provide you or permit selected third parties to provide you with information, products or services that you request from us or which we or they consider may be of interest to you, where you have consented to be contacted for such purposes |
|
|
Until you withdraw consent |
Business associates | To engage with you for the purposes of the services we may be able to provide to each other |
|
|
3 years from the date of our last meaningful contact |
Users of our YONO App | To administer your account on the YONO App and provide you with the services you request |
|
|
7 years from the date of account closure |
We'll only use your information if we have your permission, or we have another legal reason for using it. These reasons include:
- if we need to pursue our legitimate interests
- if we need to process the information to enter into or carry out an agreement, we have with you
- if we need to process the information to comply with a legal obligation
- where we believe it's in the public interest for us to do so (for example, to help prevent or detect crime)
- to establish, exercise or defend our legal rights
Where Personal Data is processed because it is necessary forthe performance of a contract to which you are a party, we will be unable to provide our services without the required information.
10.Use of your Personal Data for marketing
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We have established the following personal data control mechanisms:
Promotional offers from us
We may use your Identity, Contact, Technical, Usage, Profile Data and Marketing and Communications Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant to you.
We will send you marketing communications if you have requested information or services from us or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have not opted out of receiving marketing
Opting-out - you can ask us to stop sending you marketing messages at any time by logging into the relevant website and checking or unchecking relevant boxes to adjust your marketing preferences, by selecting the unsubscribe options in email correspondence received, by following the opt-out links on any marketing message sent to you or by contacting us at any time. Where you opt out of receiving these marketing messages, this will not apply to Personal Data provided to us as a result of a product/service request, product/service experience or other transactions.
Third-party marketing - we will only share your Personal Data with a company outside the SBI UK Group of companies for marketing purposes if we have your prior express opt-in consent.
11. Sharing your Personal Data
We may share your Personal Data with:
- any member of the SBOI Group (which means our subsidiaries, our ultimate holding company and its subsidiaries) insofar as is reasonably necessary for the purposes set out in this Privacy Notice;
- any prospective buyer of our business or assets or any prospective seller of another business or business assets that we are interested in buying. We will ensure that the prospective seller or buyer treats your data as confidential;
- our insurers, lawyers, accountants, auditors and professional advisers insofar as is reasonably necessary for the purposes of obtaining and maintaining insurance cover, obtaining legal and other advice, managing legal disputes, managing risks and meeting reporting, regulatory and compliance obligations;
- our business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
- analytics and search engine providers that assist us in the improvement and optimisation of our website;
- third parties we use to process your Personal Data on our behalf, for example, third parties used to host the website, maintain our IT systems or approved third party brokers. Where we use third parties to process your data on our behalf we will ensure that they have provided appropriate safeguards required in relation to such processing;
- We and fraud prevention agencies may also enable law enforcement agenciesto access and use your Personal Data to detect, investigate and prevent crime. If we, or a fraud prevention agency,determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested or we may stop providing existing services to you;
- Credit reference agencies for the purpose of verifying your identity and suitability for an account and assessing your credit score where this is a condition of us entering into a contract with you. Credit reference agencies keep a record of our enquiries and may record, use and provide such information to other financial institutions, insurers and other organisations. Information held about you by the credit reference agencies may already be linked to records relating to your partner ormembers of your household where a financial "association" has been created. Any enquiry we make at a credit reference agency may be assessed with reference to any associated records. Another person's record will be associated with yours when (i) you make a joint application, (ii) you advise us of a financial association with another person, or (iii) if the credit reference agencies have existing linked or "associate" records. This "association" will be taken into account in all future applications by either or both of you and shall continue until one of you applies to the credit reference agencies and is successful in filing a "disassociation". For more information on how credit reference agents process data, visit the Credit Reference Agency Information Notice (CRAIN) which can be found here: https://www.experian.co.uk/legal/crain/ . For more information on how our credit reference agent processes your personal data, please visit: https://www.experian.co.uk/consumer/privacy.html;
- identity and address verification agencies who may record and use your Personal Data, especially if fraud and/or dishonesty is suspected, and disclose it to other organisations and law enforcement agencies (including internationally) for purposes of debt tracing and recovery, fraud and money laundering prevention and prosecution. Further details can be found at https://www.sbiuk.com/personal-banking/personal/credit-reference;
- HM Revenue & Customs;
- UK and overseas financial regulators to meet our regulatory, compliance and reporting obligations;
- other financial service organisations (including lenders and operators of card schemes) both within the UK and abroad;
- other third parties if we are under a duty to disclose or share your Personal Data in order to comply with any legal or regulatory obligation, or as part of legal proceedings, or in order to enforce any of our rights against you under your contract with us or to protect the property, safety or vital interests of SBIUK, or of another natural person;
- to other parties connected to your account (e.g. a joint account holder);
- your advisers (including but not limited to accountants, lawyers or other professional advisors) where authorised by you;
- to carefully selected third parties for marketing purposes when you have consented to be contacted for such purposes; and
- providers of Approved Third Party Service as set out in our General Terms and Conditions.
12. International transfers
Your Personal Data may be processed outside of the UK in the following circumstances:
- SBIUK has outsourced the storage of a large part of its customer data to State Bank of India in India and their databases are located in India;
- processing international payments by international electronic transfer;
- disclosures to foreign authorities, regulators and law enforcement agencies to reduce financial crime and terrorism;
- picture based, human verified, identification checksfor online account opening; or
- the data generated by cookies about your use of our web application (including your IP address but no other personal data).
Where we processinternational payments outside the UK at yourrequest, we do so through the SWIFT (the international payments) System. When we do this your data will be processed and stored abroad by other banks or financial institutions involved in completing the payment. Those banks and financial institutions may have to release the information to foreign authorities and other third parties, including those outside the UK (in which case your personal data may not be protected in line with data protection laws).
Whenever we transfer your data outside the UK we will take appropriate steps to ensure that the Personal Data processed outside the UK has an essentially equivalent level of protection to that guaranteed in the UK. We do this by ensuring that:
- Your Personal Data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation), or
- We enter into an International Data Transfer Agreement ("IDTA") with the receiving organisation and adoptsupplementary measures, where necessary. (A copy of the IDTA can be found here internationaldata-transfer-agreement.pdf (ico.org.uk)) or
- In the case of transfers to the US, we ensure that the US organisation receiving your Personal Data is signed up to the UK-US Data Bridge.
13. Your rights and how to complain
You have certain rights in relation to the processing of your Personal Data, including to:
- Right to be informed
You have the right to know what Personal Data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this - Right of access (commonly known as a "Subject Access Request")
You have the right to receive a copy of the Personal Data we hold about you. - Right to rectification
You have the right to have any incomplete or inaccurate information we hold about you corrected. - Right to erasuree (commonly known as the right to be forgotten)
You have the right to ask us to delete your Personal Data - Right to object to processing
You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material. - Right to restrict processing
You have the right to restrict our use of your Personal Data - Right to portability
You have the right to ask us to transfer your Personal Data to another party. - Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you
- Right to withdraw consent
If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so. - Right to lodge a complaint
If you are concerned about the way in which we are handling your Personal Data, please let us know in order that we can address your concerns. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office who can be contacted online at: Contact us | ICO Or by telephone on 0303 123 1113
How to exercise your rights
You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances
If you wish to exercise your rights, you may contact us using the details set out below within the section called 'How to contact us and our Data Protection Officer'. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.
14. Automated processing
As part of the processing of your Personal Data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our automated processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or isinconsistent with your previous submissions, or you appearto have deliberately hidden your true identity. You have rights in relation to automated decision making (see above).
15. Children's Privacy
This website is not intended for children. However, we do offer bank accounts for children. Please contact us should you wish to see our privacy notice for children.
16. Your duty to inform us of changes.
It is important that the Personal Data we hold about you is accurate and up to date. Please keep us informed if your Personal Data changes during your relationship with us.
17. How to contact us and our Data Protection Officer
If you wish to contact us or our Data Protection Officer in relation to this privacy notice or if you wish to exercise any of your rights outlined above, please contact us as follows:
State Bank of India (UK) Limited
FAO: Data Protection Officer
15-17 King Street
London
EC2V 8EA
Email: dataprotection.sbiuk@statebank.com
18. Third-party links
This website may include links to third-party websites, advertisers and affiliates, plug-ins and applications. Clicking on those links or enabling those connections may allow third partiesto collect orshare data about you. We do not control these third-party websites and we do not accept any responsibility or liability for their privacy policies. We encourage you to read the privacy notice of every website you visit before you submit any Personal Data to them.
19. Changes to this Privacy Notice
We may update this notice (and any supplemental privacy notice), from time to time asshown below. We will notify of the changes where required by applicable law to do so
Last modified: 19th October 2023.