1. ABOUT THE BANK OF BARODA
The Bank of Baroda is committed to ensuring that your personal information is used properly and is kept securely. We recognise and acknowledge the responsibility and duty of trust and care that we have to maintain the privacy of your personal data, and comply with the data protection principles which are set out in the Data Protection Act 1998.
- The Bank of Baroda's role as 'data controller';
- The ways in which we may collect your personal information;
- The type of personal information that we may hold about you;
- How the Bank of Baroda will use and store your personal information;
- Circumstances in which the Bank of Baroda may disclose your personal information to a third party;
- Your right to access your information;
- Our obligations under the Data Protection Act 1998 (including information about individuals' rights in respect of personal data).
About the Bank of Baroda
Any personal information that you provide to us is controlled by the Bank of Baroda. This means that the Bank of Baroda is the organisation that decides the purposes for which your personal information will be used and the way in which it is processed.
The Bank of Baroda is registered as a data controller with the Information Commissioner's Office under reference number: Z4631489.
If you have any queries about the information we hold about you, please contact our Data Protection Officer, Mr. Ravi Kumar, at the following address:
Bank of Baroda
32 – 36 City Road
2. COLLECTION OF YOUR PERSONAL INFORMATION
When we collect information about you we will tell you at the point of collection why we need that information and how we will use it.
3. WHAT INFORMATION DOES THE BANK OF BARODA COLLECT ABOUT ME?
The type of information we hold about you will depend on the nature of our relationship with you. If you are a customer we will typically hold the following information:
- your name and contact details
- date of birth
- account details
- If you have applied for a loan or mortgage product we will also hold details relating to credit reference checks.
If you are not a customer but you have contacted us about a product or service we may hold your contact details and information about the products or services that you are interested in.
4. USE AND STORAGE OF YOUR PERSONAL INFORMATION
We will use personal information provided by you or gathered by the Bank of Baroda for the following purposes:
- to process and respond to requests, enquiries and complaints received from you;
- to provide products and services requested by you;
- to communicate with you about services provided to you;
- to process payments and bank transfers;
- to assess applications for products and services, which may include carrying out credit checks;
- to update our records;
- to analyse trends and profiles;
- for audit purposes;
- to carry out customer satisfaction research;
- to prevent or detect fraud;
- to recommend products and services that we believe will be of interest to you;
- to enable third parties to carry out any of the purposes above on our behalf.
Any information which you may provide to us will be stored securely. Where personal information is provided to us in the course of our online banking services, we use 128-bit Secure Sockets Layer (SSL) encryption to protect this information. This is the highest level of security layer presently available.
5. SHARING OF YOUR PERSONAL INFORMATION
We may share your personal information with third parties in the following ways:
We sometimes use agents and service providers to process personal information on our behalf. Where we use agents and service providers to process your personal information, we will ensure that they have adequate security measures in place to safeguard your personal information.
We will release your personal information when we are required to do so for legal or regulatory purposes or as part of legal proceedings.
We may give information we hold about you to third parties as part of the process of selling one or more of our businesses.
When we carry out credit checks, we pass your information to credit reference agencies. This information may also be accessed by third parties who carry out credit checks on you.
We may transfer your information to our head office in Mumbai, India for various purposes, including account maintenance, IT services and transferring funds to accounts in India. As India is outside of the European Economic Area, we will ensure that adequate procedures are put in place to protect your personal information whenever it is transferred.
6. HOW LONG WILL WE KEEP YOUR PERSONAL INFORMATION?
Subject to any legal requirements we may have in relation to your personal information, we will only hold that information for as long as may be necessary for the purposes for which it was collected.
A cookie is a piece of information that is held on the hard drive of your computer which records how you have used a website. Cookies allow website operators to accumulate useful information, such as whether the computer (and sometimes its user) has visited the site before. This is done on a repeat visit by checking to see, and finding, the cookie left there on the last visit.
By adjusting the settings on your browser, you have the option of accepting all cookies, being notified whenever a cookie is issued, or not receiving some or all of the cookies which we use. You may also wish to visit www.aboutcookies.org, which provides detailed information on how to restrict or block cookies on a variety of different browsers. However, please note that you may not be able to use some of the features on our website or online banking services without cookies.
You can find more information about the cookies we use and the purposes for which we use them by reviewing the table below:
Bank of Baroda
Risk fort Cookie
Used to recognize the user when the user returns to the site from the same machine.
Used to recognize a machine that has been used before for the BoB eBanking site. If the cookie is present, the machine is recognized as a trusted machine and the user is allowed in without step-up authentication.
8. ACCESS TO YOUR PERSONAL INFORMATION
We must process your data in accordance with your rights under the Data Protection Act 1998. One of the most important of these rights is your ability to request a copy of the personal information that we hold about you and to have any inaccuracies corrected. We will ask for confirmation of identity before we disclose any personal information and may charge a £10 administration fee to process the request. Please address requests to Mr. Ravi Kumar.
Bank of Baroda
32 – 36 City Road
9. OVERVIEW OF OUR OBLIGATIONS UNDER THE DATA PROTECTION ACT (THE “ACT”)
The Act imposes a number of obligations on any organisation which handles personal information about living individuals and regulates the use of personal data by requiring personal data to be processed in accordance with eight data protection principles. These principles are as follows:
The First Principle: Fair and Lawful Processing
"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.”
We must also ensure that we meet a Schedule 2 condition. Relevant conditions include:
- Where we have the individual’s consent to process their data;
- Where we need to process personal information in order to perform a contract with an individual;
- Where we have a legal obligation to process personal information;
- Where it is in the Bank’s legitimate interests to process personal information and this is not outweighed by the rights and interests of the individual.
The following categories of information are “sensitive personal data”: information relating to an individual’s health, sexual life, religious opinions, political beliefs, trade union membership, racial or ethnic origin, crimes, alleged crimes or criminal proceedings.
The circumstances in which the Bank may process sensitive personal data are more restricted. Normally we will need the individual’s express consent to process sensitive personal data. We must also ensure that we take particular care to keep sensitive personal data secure and prevent unauthorised access.
The Second Principle: Specified and Lawful Purposes
"Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."
It is a requirement of the Act that we notify the Information Commissioner of the types of personal data that we collect and the purposes for which we process that information. The notification must also cover any disclosures of personal data made to third parties and details of whether we transfer personal data outside the European Economic Area.
We are permitted to process personal data only in accordance with the notification we have provided to the Information Commissioner and in accordance with the purposes set out in the privacy notices provided to individuals.
The Third Principle: Adequate, Relevant and Not Excessive
"Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed."
This means that we must only collect such personal data as is necessary for the purposes for which we wish to process the personal data. In addition, we must ensure that we have sufficient information in order to be able to carry out the processing properly.
The Fourth Principle: Accurate and Up to Date
"Personal data shall be accurate and, where necessary, kept up to date."
This principle requires us to take steps to ensure that personal information that we collect and store is accurate and to carry out regular reviews to ensure that personal information is kept up to date.
The Fifth Principle: Retention Periods
"Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes."
This principle requires us to ensure that personal data is kept only for as long as is necessary for the purposes for which it was collected. The Bank has data retention policies in place which categorise different types of personal information and specify the period of time for which they will be retained. When the retention period expires, we must destroy the data securely.
The Sixth Principle: Rights of Individuals
"Personal data shall be processed in accordance with the rights of data subjects under this Act."
Individuals have a number of rights under the Act, which are as follows:
- Right of access to personal data - individuals have the right to be informed whether their personal data is being processed and, if so, the purposes for which it is being processed, third parties to whom it is disclosed and to have a copy of the personal data provided to them.
- Right to prevent processing likely to cause damage or distress - individuals may request that we cease processing personal data if that processing is likely to cause substantial damage or distress and such damage or distress is unwarranted.
- Right to prevent processing for the purposes of direct marketing - individuals are entitled to require us to stop using their personal data for direct marketing purposes. We must comply with such requests as soon as is reasonable in all the circumstances.
- Rights in relation to automated decision taking - if we take any significant decisions about individuals solely on an automated basis, then we must notify individuals that the decision was taken on that basis and inform them that they are entitled within 21 days of receiving the notification to require us to reconsider the decision.
- Compensation for failure to comply with certain requirements of the Act – if an individual suffers damage because of a breach of the Act, they will be entitled to compensation from the Bank for that damage.
- Rectification, blocking, erasure and destruction – individuals have the right to apply to the court to require us to rectify, block, erase or otherwise destroy personal data which is inaccurate.
Any requests or queries received from an individual in relation to their personal data should be directed to Mr. Ravi Kumar.
The Seventh Principle: Security
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
This means that we must ensure that our physical security measures are sufficient to protect personal data. We are also required to put appropriate technical security measures in place to ensure that personal data cannot be accessed by unauthorised persons and that it is protected against loss or damage. The Bank's security policies set out in detail the steps that employees must take to ensure that personal information is kept and handled securely.
Where we have instructed third parties to process personal data on our behalf, such third party processors must be audited to ensure they are reputable and have sufficient security measures in place to protect any personal data which we may provide to them. All arrangements with third party processors must be governed by a written contract which specifies the security measures the processor must take and prohibits the processor from using personal data other than in accordance with the Bank’s instructions. We must also regularly monitor third parties to ensure they are complying with security requirements.
The Eighth Principle: Transfers outside of the EEA
"Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
We are not permitted to transfer personal data outside the EEA unless one of the following conditions is met:
- The individual has given express consent to the transfer;
- We have carried out an assessment to ensure that adequate measures are in place to protect personal data and to ensure that all of the individual's rights under the Act can be met (this will usually require a written contract to be put in place with the organisation to whom personal data is being transferred);
- We have entered into a model contract with the third party to whom we are transferring the personal data. (The European Commission has approved certain "model clauses" for use when personal data is being transferred outside the EEA which guarantee an adequate level of protection for personal data);
- The country to which the personal data is being transferred has been deemed a country with adequate levels of protection by the European Commission.
- In relation to transfers to the United States, the organisation to which the personal data is being transferred has signed up to the "safe harbor" principles - under these principles, organisations must comply with a series of requirements which are similar to the requirements set out in the Act.