Privacy Policy
Bank of Baroda: Privacy Notice
(Effective from and including 26 January 2026)
1. Our contact details
Bank of Baroda is a company incorporated under the Banking Regulation Act 1969 of India and located at our Head Office, Mandvi, Baroda 390 006, India. We have a branch in the United Kingdom (UK) under establishment number BR002014 (“BOBLB”, “Us” or “We”).
You can reach our Data Protection Officer (DPO) using the contact details below:
Branch Address:
Bank of Baroda, London Branch
32 City Road, London, EC1Y 2BD.
Data Protection Officer:
Data Protection Officer
Email: dpo.uk@bankofbaroda.com
Phone: +44 (0) 20 7448 1528
ICO Registration: We are registered with the Information Commissioner's Office as a data controller under registration number Z4631489. The ICO is transitioning to the Information Commission under the Data (Use and Access) Act 2025.
This Privacy Notice explains how Bank of Baroda London Branch ("BOBLB", "we", "us", "our") collects, uses, shares, and protects your personal data. It applies to individuals whose personal data we process, including:
- Directors, officers, and employees of our corporate clients
- Ultimate beneficial owners (UBOs) and persons of significant control (PSCs)
- Authorized signatories and representatives
- Individuals identified through our due diligence processes
This Privacy Notice is provided in accordance with:
- • UK General Data Protection Regulation (UK GDPR)
- • Data Protection Act 2018 (DPA 2018)
- • Data (Use and Access) Act 2025 (DUAA)
- • Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLRs)
The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR) mainly applies to personal data about individuals and not data about companies or any other legal entities.
BOBLB takes protecting personal data seriously. We may collect some personal data to help deliver our services and to communicate with you our client.
This Privacy Notice provides anyone whose personal data we may collect with important information such as:
- confirming that BOB UK acts as a data controller;
- how to contact our DPO; and
- the purposes for which BOB UK collect, use, share and retain your personal data defined under the DPA as any information relating to an identifiable natural person.
We will inform you in this Privacy Notice of:
- why we process any personal data;
- what purpose we are processing it for;
- how long we store it for;
- other recipients; and
- any transfer of personal data to another country.
We are committed to protecting and keeping any personal data private - whether we receive it from our client’s directly or from third parties - and we will take all reasonable steps to ensure its security.
We keep this privacy notice up to date, so if there are any changes to the way in which personal data is used this privacy notice will be updated and we will notify our clients of the changes.
Employees of BOB UK should read the relevant Privacy Notice for Employees.
Personal data only relates to natural persons who:
- can be identified or who are identifiable, directly from the information in question; or
- who can be indirectly identified from that information in combination with other information.
Special category data is a type of personal data that needs more protection because it is sensitive.
We may collect special category data where we or your company has identified someone as vulnerable.
3.1 How do we collect your personal data?
We may collect personal data from various sources including:
- during our relationship with you; or
- from other third parties when we carry out due diligence checks or ongoing monitoring – if we do this, we will inform you of the exact checks that are carried out.
3.2 Data we collect directly from you
| Category | Examples | Purpose |
| Identity Data | Title, Full name (including aliases), date of birth, nationality, place of birth | Client identification; regulatory compliance |
| Contact Data | Postal address, email address, telephone numbers | Communication; service delivery |
| Identity Verification Documents | Passport, driving license, utility bills, bank statements, national ID | KYC/KYB compliance; identity verification |
| Professional Data | Job title, employer, business address, role within client organization | Understanding relationship; authorized signatory verification |
| Financial Data | Bank account details, source of funds, source of wealth | Transaction processing; AML compliance |
| Beneficial Ownership Data | UBO details, shareholding structure, PSC information | KYB compliance; beneficial ownership registers |
| PEP and Sanctions Data | Details of public positions held; sanctions list matches | Regulatory compliance; risk assessment |
| Communication Data | Correspondence, call recordings (where notified), meeting notes | Relationship management; regulatory records |
3.3 Data we obtain from Third Parties
| Category | Data Type | Purpose |
| Companies House | Directorship, PSC, Company Filings | Due diligence verification |
| Credit Reference Agencies | Credit history, financial standing | Customer risk assessment |
| Sanctions Screening Providers | PEP status, sanctions match | Regulatory compliance |
| Adverse Media Screening Providers | Adverse media, risk indicators | Due diligence |
| Other Financial Institutions | Payment originator/beneficiary details | Transaction processing |
| Public Sources | News articles, court records, regulatory registers | Due diligence; ongoing monitoring |
3.4 Special Category Data
We may process special category data in limited circumstances, such as:
- Identifying individuals as vulnerable (for appropriate care and support)
- Health information where relevant to safeguarding obligations
Where we process special category data, we rely on specific conditions under Article 9 UK GDPR and Schedule 1 of the DPA 2018, as detailed in Section 4.
UK data protection law requires us to have a lawful basis for processing your personal data. The table below explains the legal bases we rely on for different processing activities.
Standard Processing (Article 6 UK GDPR)
| Processing Activity | Lawful Basis |
| Opening and administering client accounts | Contractual necessity - necessary to perform our contract with your organization |
| Processing transactions | Contractual necessity |
| KYC/KYB due diligence | Legal obligation - MLRs 2017, PSRs 2017, FCA Handbook |
| Sanctions screening | Legal obligation - UK Sanctions Regulations |
| Ongoing client monitoring | Legal obligation - MLRs 2017 |
| Fraud prevention and detection | Legitimate interests / Recognized legitimate interest (crime prevention under DUAA) |
| Reporting to PRA/FCA | Legal obligation - Financial Services and Markets Act 2000 |
| SAR reporting to NCA | Legal obligation - Proceeds of Crime Act 2002 |
| Tax reporting (FATCA/CRS) | Legal obligation - International Tax Compliance Regulations |
| Internal audit and quality assurance | Legitimate interests - ensuring service quality and compliance |
| Legal claims and disputes | Legitimate interests - establishing, exercising, or defending legal claims |
| Business transfers | Legitimate interests - with appropriate safeguards |
Recognized Legitimate Interests (DUAA, 2025)
Under the Data (Use and Access) Act 2025, certain processing purposes qualify as "recognized legitimate interests" that do not require a balancing assessment:
- Detecting, investigating, or preventing crime (including fraud and money laundering)
- Safeguarding vulnerable individuals
- Protecting public security
Where we rely on these recognized legitimate interests, we will indicate this in our communications.
Special Category Data Processing (Article 9 UK GDPR)
| Processing Activity | Article 9 Condition | DPA 2018 Schedule 1 Condition |
| Identifying vulnerable customers | Vital interest/Substantial public interest | Safeguarding (Sch. 1, Para. 18) |
| Fraud prevention (involving health data) | Substantial public interest | Preventing fraud (Sch. 1, Para. 14) |
| SAR reporting | Substantial public interest | Crime prevention (Sch. 1, Para. 7) |
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks of processing, including:
Technical Measures:
- Encryption of data at rest and in transit
- Secure access controls and authentication
- Firewalls and intrusion detection systems
- Regular security testing and vulnerability assessments
- Secure disposal procedures for electronic and physical records
Organizational Measures:
- Staff data protection training (annual and role-specific)
- Access restrictions on a need-to-know basis
- Confidentiality obligations in employment contracts
- Supplier due diligence and data processing agreements
- Incident response procedures
- Regular compliance audits
Data Breach Procedures:
We maintain procedures to detect, report, and investigate personal data breaches in accordance with UK GDPR requirements and our regulatory obligations to the PRA and FCA. Where a breach poses a high risk to your rights and freedoms, we will notify you without undue delay.
As a general rule we keep personal data for the duration of our relationship with our clients. We retain personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by law. As per our Record Retention Policy of BOBLB, following the most stringent of regulations between UK and India, we retain all personal records for 10 years from the closure of your account with us or from the last date of customer induced transaction in the account.
Where we have statutory obligations to keep personal data for a longer period or where we may need personal data for a longer period in case of a legal claim, then the retention period may be longer.
We have in place appropriate technical and organizational measures to ensure a level of security appropriate to the risks arising from the processing of any personal data. We are responsible for preventing unauthorized processing or unauthorized interference with the systems used in connection with it.
After the applicable retention period, personal data will be securely destroyed using methods appropriate to the data format, including secure deletion for electronic records and certified destruction for physical documents.
We also ensure that any systems used in connection with the processing of your personal data functions properly and may, in the case of interruption, be restored.
We may share your personal data so that we can comply with our legal and regulatory obligations.
Example: We may need some personal data from you so that we can comply with our legal and regulatory requirements to carry out KYB checks or sanction screening before we can offer our products and services.
We may share your personal data with the following categories of recipients:
Group Entities
| Recipient | Location | Purpose |
| Bank of Baroda, Head Office | Baroda, India | Group administration |
| Bank of Baroda, Corporate Office | Mumbai, India | Centralized operations; group oversight |
Regulators & Authorities
| Recipient | Purpose | Legal Basis |
| Prudential Regulation Authority (PRA) | Regulatory supervision | Legal obligation |
| Financial Conduct Authority (FCA) | Regulatory supervision | Legal obligation |
| National Crime Agency (NCA) | SAR Reporting | Legal obligation |
| HMRC | Tax reporting (FATCA/CRS) | Legal obligation |
| UK Law Enforcement | Crime investigation (upon lawful request) | Legal obligation / Public interest |
| Reserve Bank of India (via Head Office) | Group regulatory requirements | Legal obligation |
We must be satisfied that sharing personal data with a law enforcement authority is lawful. This means we must have a lawful basis under Article 6 of the UK GDPR before we share any personal data as it relates to our relationship with you.
In some circumstances we may have legal obligations to report suspected criminal activities to relevant authorities. This includes where we suspect money laundering or other criminal activities. We will disclose personal data when it is necessary to do so to protect the Bank's interests or to pursue a legal claim.
There might be a legitimate interest in sharing the personal data of an individual working for one of our clients if they are suspected of an offence. This is to ensure a law enforcement authority has all the necessary information for a proper and fair investigation.
We may share any relevant personal data with fraud prevention agencies. If you provide us with false or inaccurate information and fraud is identified, we will pass details of the fraud to prevention agencies.
Service Providers and Business Partners
| Recipient Category | Purpose |
| SWIFT Network | International payment messaging |
| Correspondent banks | Transaction execution |
| UK payment infrastructure (Faster Payments, CHAPS, BACS) | Domestic payments |
| Credit reference agencies | Credit checks; fraud prevention |
| Sanctions screening agencies | Compliance screening |
| External auditors | Statutory audit |
| Legal advisors | Legal advice and disputes |
| IT service providers | System hosting and support |
| Document storage providers | Secure archiving |
Business Transfers
If we sell any part of our business and/or integrate it with another organization, any relevant personal data may be disclosed to our advisers and to prospective purchasers or joint venture partners and their advisers. If this occurs the new owners of the business will only be permitted to use any relevant personal data in the same or similar way as set out in this privacy notice.
Where we share any relevant personal data with third parties, we ensure that we have appropriate measures in place to safeguard personal data and to ensure that it is solely used for legitimate purposes.
We transfer personal data outside the United Kingdom, including to jurisdictions that do not have UK adequacy status, which means that those countries may not offer an equivalent level of protection for personal data to the laws in the UK. Where we do so, we ensure appropriate safeguards are in place to protect your data.
UK GDPR and the DPA 2018 provide safeguards for when we transfer any personal data abroad or make it available to organizations overseas. If the recipient is in adequate”, then further safeguards will be needed.
We rely on Standard Contractual Clauses (SCCs) when transferring personal data outside the UK to India. The UK ICO considers SCCs as acceptable method to transfer your data out of the UK.
Transfer Risk Assessment
Before transferring personal data to countries without UK adequacy decision, we conduct a Transfer Risk Assessment (TRA) to:
- Evaluate the legal framework in the destination country
- Assess risks to your rights and freedoms
- Identify and implement supplementary measures where necessary
Under the Data (Use and Access) Act 2025, we assess whether the protection in the destination country is “not materially lower” than UK standards.
For transfers to India, we have assessed the legal framework including the Digital Personal Data Protection Act, 2023, which is currently under phased implementation, and Reserve Bank of India regulations. We implement supplementary measures including:
- Encryption of data in transit and at rest
- Access restrictions and audit logging
- Contractual provisions requiring notification of government access requests
- Regular compliance monitoring
You have the following rights regarding your personal data:
- Right of Access: the right to ask us for copies of personal data we retain;
- Right to Rectification: the right to ask us to rectify personal data an individual thinks is inaccurate. Includes the right to ask us to complete data an individual thinks is incomplete.
- Right to Erasure: an individual has the right to ask us to erase personal data in certain circumstances;
- Right to Restriction of processing: an individual may have the right to ask us to restrict the processing of personal data in certain circumstances;
- Right to Object to processing: an individual may have the right to object to the processing of personal data in certain circumstances; and
- Right to Data Portability: you have the right to ask that we transfer the personal data you gave us to another organization, or to you, in certain circumstances; and
- Rights relating to Automated Decision-Making: you have the right to ask not to be subject to decisions based solely on automated processing with significant effects; and right to human review.
How to Exercise Your Rights
You may exercise any of the above rights by contacting our Data Protection Officer using the details in Section 1. You are not required to pay any charge for exercising their rights under law.
We may need to verify your identity before processing your request. If we require additional information to locate your data, we will contact you.
Response Timelines
We will respond to your request within one calendar month. If your request is complex or we receive multiple requests, we may extend this by up to two further months — we will inform you within the first month if this is necessary.
Under the DUAA, if we need you to clarify your request or verify your identity, the response period will pause until you provide the required information.
Exemptions
Certain exemptions may apply, including:
- Corporate finance exemption (Schedule 2, Part 5, DPA 2018) – where disclosure would affect instrument prices or the orderly functioning of financial markets
- Crime prevention exemption – where disclosure would prejudice the prevention or detection of crime
- Legal professional privilege – where data is protected by privilege.
We will inform you if an exemption applies to your request.
You have the right to request copies of the personal data we hold about you.
How to Submit a SAR
By Email:dpo.uk@bankofbaroda.com
Subject Line: Subject Access Request – (Your Name) – (Date in DDMMYYYY)
By Post:
Data Protection Officer
Bank of Baroda, London Branch
32 City Road, London, EC1Y 2BD
Information to Include
To help us respond efficiently, please provide:
- Your full name (including any aliases)
- The organization you work for (if relevant)
- Current contact details
- Description of the data you wish to access
- Relevant dates or search criteria
- Preferred format for receiving information
Please avoid: (1) including other information such as a corporate complaint (2) threatening or offensive language.
If you are unhappy with how we have handled your personal data, you have the right to make a data protection complaint directly to us using the contact details provided within this Privacy Notice.
We take all complaints seriously and will investigate them thoroughly.
If you are not satisfied with our response, or we cannot resolve your complaint, you have the right to complain to the supervisory authority - Information Commissioner's officer (ICO) in the United Kingdom.
Information Commissioner’s Office (transitioning to Information Commission)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk
We use automated systems for certain processing activities, including:
- Sanctions screening — automated matching against sanctions lists
- Transaction monitoring — automated detection of unusual patterns
Where automated processing forms the sole basis for a decision that significantly affects you, you have the right to:
- Receive meaningful information about the logic involved
- Express your point of view
- Contest the decision
- Request human intervention
In practice, our automated systems generate alerts that are reviewed by trained staff before any decision affecting you is made.
We keep this Privacy Notice under regular review and will update it to reflect changes in our processing activities or legal requirements.
Where changes are significant, we will notify clients directly. The current version will always be available on our website.