Privacy Policy

Personal data only relates to natural persons who:

• can be identified or who are identifiable, directly from the information in question; or
• who can be indirectly identified from that information in combination with other information.

Special category data is a type of personal data that needs more protection because it is sensitive.

We may collect special category data where we or your company has identified someone as vulnerable.

We may collect personal data from various sources including:

• during our relationship with you; or
• from other third parties when we carry out due diligence checks or ongoing monitoring – if we do this, we will inform you of the exact checks that are carried out.

Table 1. categories of information we may collect about individuals in the course of our relationship with you our client (not exhaustive):

We will ensure we have a lawful basis for relying on processing any personal data. For example, where we must:

• process personal data in relation to the performance of our contractual obligations with you;
• process personal data in compliance with our legal obligations; and
• process personal data for our legitimate interests. For example to ensure the proper administration and management of our products and services.

BOB UK is a Data controller in the UK which is a legal term under the DPA.

We are registered with the Information Commissioner’s Office (“ICO”) in the United Kingdom (“UK”) as a data controller under registration number: Z4631489.

As a data controller we will:

• decides how and why any personal data is collected and processed;
• decides what the purpose or outcome of any processing is;
• decides what personal data should be collected;
• decides which individuals we collect personal data about (for example UBOs); and
• make decisions about our clients as part of or as a result of any processing of personal data.

We exercise professional judgement in the processing of any personal data and as a data controller we have complete autonomy as to how any relevant personal data is processed.

If for any reason we require special category data during our relationship with you as our client, and for any reason we require explicit consent in relation to special category data then we will contact your representatives.

We have in place appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of any personal data. We are responsible for preventing unauthorised processing or unauthorised interference with the systems used in connection with it.

We also ensure that any systems used in connection with the processing of your personal data functions properly and may, in the case of interruption, be restored.

As a general rule we may keep personal data for the duration of our relationship with our clients.

Where we have statutory obligations to keep personal data for a longer period or where we may need personal data for a longer period in case of a legal claim, then the retention period may be longer.

Money Laundering and Data Protection laws:

The Fifth Money Laundering Directive (5MLD) came into force in the UK on 10th January 2020. The 5MLD, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (together, the MLRs) require us to collect and retain significant amounts of personal data for example in relation to performing KYB checks.

We will retain any related personal data for as long as necessary under the UK's MLRs which for in the majority of cases will be for a period of 5 years from the end of a client relationship.

After we are no longer required to store personal data as it relates to our relationship with you our client then it will be destroyed using permanent erasure solutions such as overwriting or degaussing.

We need some personal data so that we can comply with our legal and regulatory obligations.

Example: we may need some personal data from you so that we can comply with our legal and regulatory requirements to carry out KYB checks or sanction screening before we can offer our products and services.

We may share personal data with:

• Bank of Baroda Corporate Office, Mumbai, India; and
• our Parent, Bank of Baroda, Head Office, Mandvi, Baroda 390 006, India.

We may share personal data with the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) when we have a duty to do so.

We may share personal data with UK law enforcement authorities (known under data protection law as “competent authorities”) who are discharging their statutory law enforcement functions. We must be satisfied that sharing personal data with a law enforcement authority is lawful. This means we must have a lawful basis under Article 6 of the UK GDPR before we share any personal data as it relates to our relationship with you.

In some circumstances we may have legal obligations to report suspected criminal activities to relevant authorities. This includes where we suspect money laundering or other criminal activities.

We will disclose personal data when it is necessary to do so to protect the Bank's interests or to pursue a legal claim.

There might be a legitimate interest to share the personal data of an individual working for one of our clients if they are suspected of an offence. This is to ensure a law enforcement authority has all the necessary information for a proper and fair investigation.

We may share any relevant personal data with fraud prevention agencies. If you provide us with false or inaccurate information and fraud is identified, we will pass details of the fraud to prevention agencies.

If we sell any part of our business and/or integrate it with another organisation any relevant personal data may be disclosed to our advisers and to prospective purchasers or joint venture partners and their advisers. If this occurs the new owners of the business will only be permitted to use any relevant personal data in the same or similar way as set out in this privacy notice.

Where we share any relevant personal data with third parties, we ensure that we have appropriate measures in place to safeguard personal data and to ensure that it is solely used for legitimate purposes.

When personal data is transferred to countries outside of the UK those countries may not offer an equivalent level of protection for personal data to the laws in the UK.

UK DPA provides for safeguards for when we transfer any personal dataabroad or make it available to persons overseas. If the recipient is in the EEA or a country deemed to be “adequate” then no further safeguards will be needed.

We rely on Standard Contractual Clauses (SCCs) when transferring personal data outside the UK to India. The UK Government have ruled that SCCs are acceptable methods to transfer your data out of the UK.

Under the UK’s DPA individuals have certain rights that may include:

• Right of access: the right to ask us for copies of personal data we retain;
• Right to rectification: the right to ask us to rectify personal data an individual thinks is inaccurate. Includes the right to ask us to complete data an individual thinks is incomplete.
• Right to erasure: an individual has the right to ask us to erase personal data in certain circumstances;
• Right to restriction of processing: an individual may have the right to ask us to restrict the processing of personal data in certain circumstances;
• Right to object to processing: an individual may have the right to object to the processing of personal data in certain circumstances; and
• Right to data portability: you have the right to ask that we transfer the personal data you gave us to another organisation, or to you, in certain circumstances:

Individuals are not required to pay any charge for exercising their rights under law. If an individual makes a request, we have one month to respond.

An exemption can apply if we process personal data in connection with a corporate finance service that we are permitted to provide (as set out in the Financial Services and Markets Act 2000).

It exempts an individual from the UK GDPR’s provisions on:

• the right to be informed;
• the right of access; and
• all the principles, but only so far as they relate to the right to be informed and the right of access.

The exemption only applies to the extent that complying with the provisions above would:

• be likely to affect the price of an instrument; or
• have a prejudicial effect on the orderly functioning of financial markets (or the efficient allocation of capital within the economy), and we reasonably believe that complying with the provisions above could affect someone’s decision whether to:
  • deal in, subscribe for or issue a financial instrument, or
  • act in a way likely to have an effect on a business activity (e.g. an effect on an the legal or beneficial ownership of a business or asset or a person’s industrial strategy).

Individuals may have the right to ask us whether or not we are using or storing personal data. If this right does apply them, please ask us for copies of personal data held and process either verbally or in writing.

SARs are useful if you wish to find out:

• what personal data we hold about you;
• how we are using it;
• who we are sharing it with; and
• where we got your data from.

The UK Information Commissioner's Office (ICO) recommends that you put a SAR in writing if possible because this gives you a record of your request.

Please call us or email us with the following information prepared beforehand:

• title, first, middle and last names (including any aliases, if relevant);
• the company you work for;
• up to date contact details for you such as email and best contact number;
• a comprehensive list of what personal data you want to access, based on what you need (for example if you require data relating to a specific period then please state this clearly);
• any details, relevant dates, or search criteria that will help us identify what you want; and
• how you would like to receive the information (e.g., by email or printed out).

Please avoid: (1) including other information such as a corporate complaint (2) threatening or offensive language.

Please email us at: dpo.uksub@bankofbaroda.com. Important: please place the following in the subject line of your email - Subject Access Request alongside your first and last name and the date of your request (DD/MM/YYYY).

We will respond to our SAR within one calendar month.

If you have any complaints about how we use your personal data, please contact us using the contact details provided within this Privacy Notice.

If we cannot resolve your complaint, you have the right to complain to the Information Commissioner’s Officer (ICO) in the United Kingdom.

The ICO’s address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk