FAQs

It is best to check our contact us page, which will provide you with contact information by product. If you are still unsure or your request relates to multiple products, then you can contact us on 08085 405060. You will hear menu options for various products. If you can’t identify your product or have a request covering multiple products, you can select any of the first 3 options and our colleagues will assist you.

What is ‘data protection law’?

Data protection law controls how your personal data is used by organisations, businesses and the government. Everyone responsible for using personal data (a “Data Controller”) has to follow strict rules called ‘data protection principles’. As a general rule, Sainsbury’s Bank will be the Data Controller of any personal data you have provided to us. As a Data Controller, we must make sure the personal data we hold is:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • accurate
  • kept for no longer than is absolutely necessary
  • kept safe and secure

The General Data Protection Regulation (“GDPR”) is the biggest change to European data protection law in 20 years and will be fully in force from 25 May 2018. This piece of legislation builds on existing data protection rules by giving additional rights to individuals and placing stricter controls on companies and other bodies in relation to how they can use personal data. GDPR will apply to any personal data held or processed by companies or other bodies who are based within the EU, or who process personal data relating to people who live within the EU.

After Brexit, GDPR will be replicated in UK law by the new UK Data Protection Act 2018.

For more information please visit the UK Information Commissioner’s Office website.

If you are based in the Republic of Ireland, please visit the ROI Data Protection Commissioner website.

What is a ‘Data Protection Officer’ and what do they do?

Under GDPR, we are obligated to appoint a Data Protection Officer. This is someone who has responsibility for ensuring that Sainsbury’s Bank is compliant with data protection law.

How is Sainsbury’s Bank compliant with GDPR / UK Data Protection Act 2018 (“UKDPA18”)?

Sainsbury’s Bank was engaged in a GDPR preparation programme for over 18 months prior to May 2018, when GDPR / UKDPA18 came into force. As part of that programme, to ensure that we are compliant with GDPR / UKDPA18, we have reviewed and, where appropriate, made changes to:

  • all of our product T&Cs
  • the Sainsbury’s Group Privacy Policy
  • the ways in which we communicate with you (e.g. via email, post, social media)
  • how we keep your personal data secure
  • how we can limit the processing of your personal data where possible
  • how much of your personal data we keep and for how long
  • how any third parties (e.g. our suppliers) handle your personal data and what measures they have in place to keep it safe
  • all of our internal processes and procedures which impact on personal data, to ensure that we are able to fulfil all of your rights under GDPR

Our Data Protection Officer is accountable directly to the regulator, the Information Commissioner’s Office (ICO), to evidence our compliance with the legislation.

How does Sainsbury’s Bank safeguard my personal data?

This is covered in the Group Privacy Policy under ‘Security’.

How is my personal data used for Sainsbury’s Bank marketing?

This is covered in the Group Privacy Policy under ‘How do we use your personal information?’

What personal data is used for Sainsbury’s Bank profiling, and how?

This is covered in the Group Privacy Policy under ‘How do we use your personal information?’

Who does Sainsbury’s Bank share my personal data with and why?

This is covered in the Group Privacy Policy under ‘Who might we share your personal information with?’

What is a Data Subject Access Request (DSAR)?

This right allows individuals to obtain access to the personal data that organisations hold about them.

Can I see the personal data that you hold about me?

Yes. You may ask us for a copy of the personal data we hold about you. The next FAQ describes how you may exercise this right.

How do I ask for a copy of my personal data as a DSAR?

You can:

  • visit our website. You’ll find guidance notes on how to download and return our Data Request form online
  • call us on 08085 405060 and we’ll help you to complete the Data Request form; or
  • send a letter to us at Sainsbury’s Bank, PO Box 4955, Worthing, BN11 9ZA. If possible, please enclose a completed copy of the Data Request form along with your letter – this will help us to locate the data you are looking for and provide you with a response as soon as possible

For security reasons, we don’t accept Data Request forms by email.

Before we can send you a copy of the personal data we hold about you, we need to confirm your identity. This allows us to protect our customers’ confidentiality and prevents personal data falling into the wrong hands. In order to confirm your identity for the purpose of fulfilling your DSAR, we may ask you to:

  • answer some security questions over the phone; or
  • send us copies of identification documents, such as your passport or utility bills

How long does it take to get a response to my Data Access request?

This will take between 1 and 3 months. If it will take us longer than 1 month to provide you with the personal data you have requested, we will let you know.

Is there a charge for requesting access to my personal data?

No, we don’t charge for providing a copy of this personal data.

Can I have the response in any format I want?

Yes, we will try to give you your personal data in any reasonable format you may request. When you make a DSAR (e.g. by completing a Data Request form or by sending us a letter), you should tell us how to send the requested personal data back to you. For example, tell us if you want it sent by post, if you want to collect it from the electronic portal, or if you need it to be in braille or larger print. Please note that if you want to collect via the electronic portal, you’ll need to provide us with an email address so we can confirm when it’s ready for you.

How will you deliver my personal data to me?

It is possible for us to deliver your personal data in the following ways:

  • By post: we will send the copy of your personal data to the address we have for you in our records. Therefore, please let us know if this has changed recently, so that we may update your details and ensure that your personal data is sent to the correct address
  • Via our electronic portal: where you have chosen this method, we will send you an email to the email address we hold on file for you to confirm when your DSAR package is available in our electronic portal. The personal data held about you in this portal will be password protected to protect your confidentiality. We will send an access password separately to the postal address we hold in our records for you. This password will arrive in the post in the days following receipt of the confirmation email and can then be used to unlock your personal data on the portal

If I don’t tell you how I would like to receive my personal data, how will you reply to me?

We’ll get back to you using the same method that you used to make your request. For example, if you posted a letter to us and didn’t tell us how to reply, we’ll pop your reply in the post.

I have a joint account and I want all the personal data about both of us. Do I need to ask the other person if that’s ok?

It will depend on which product(s) you hold with us. Please see your T&Cs, which will tell you whether we can share data about both account holders without obtaining permission from both of you. If the T&Cs do not say that we can do this, we will need to ask the other account holder for permission to share this data with you.

What is a Data Portability Request?

This is a new right under the GDPR/UKDPA18. It allows individuals to obtain copies of certain personal data that the individual has provided to a data controller (such as Sainsbury’s Bank or Argos Financial Services) in a structured, commonly used and machine-readable format and to reuse it for their own purposes. Individuals are free to either store the data for personal use or to transmit it to another service provider.

A portability request is likely to return a narrower band of information than a Data Subject Access Request would. A portability request will consist of customer details captured during the application process, including any subsequent rectifications, product details, account details (e.g. start date/end date and balance/limits) and account transactions (if relevant).

Can I transfer my data from another company straight to you, to help open a new product?

No. We can’t check whether a file contains any nasty content before opening it, and therefore we do not currently accept transfers. We have a responsibility to keep the personal data we hold safe and secure, so any files sent to us with an attachment will be returned unopened to the sender and then deleted.

If I ask you to port my personal data to another company, will you send it?

This will depend on which company you ask us to send your data to and whether we are able to do this safely. If we are unable to do this transfer we will say so at the time and give you the option to receive your data and send it on yourself.

How do I ask for my personal data to be ported?

You can:

  • visit our website. You’ll find guidance notes on how to download and return our Data Request form online
  • call us on 08085 405060 and we’ll help you to complete the Data Request form; or
  • send a letter to us at Sainsbury’s Bank, PO Box 4955, Worthing, BN11 9ZA. If possible, please enclose a completed copy of the Data Request form along with your letter – this will help us to locate the data you are looking for and provide you with a response as soon as possible

For security reasons, we don’t accept Data Request forms by email.

Before we can send you a copy of the personal data we hold about you, we need to confirm your identity. This allows us to protect our customers’ confidentiality and prevents personal data falling into the wrong hands. In order to confirm your identity for the purpose of fulfilling your data portability request, we may ask you to:

  • answer some security questions over the phone; or
  • send us copies of identification documents, such as your passport or utility bills

How long does it take to get a response to my data portability request?

This will take between 1 and 3 months. If it will take us longer than 1 month to provide you with the personal data you have requested to be ported, we will let you know.

I have a joint account and I want to port all the personal data you hold about both of us. Do I need to ask the other person if that’s ok?

It will depend on which product(s) you hold with us. Please see your T&Cs, which will tell you whether we can share data about both account holders without obtaining permission from both of you. If the T&Cs do not say that we can do this, we will need to ask the other account holder for permission to share this data with you.

Can you post my ported data to me?

No, ported data must be electronic and in a machine-readable format, like an Excel spreadsheet or a PDF. We’ll put your response on a secure portal for you to access directly. We will send you an email to the email address we hold on file for you to confirm when your portable personal data is available in our electronic portal. The personal data held about you in this portal will be password protected to protect your confidentiality. We will send an access password separately to the postal address we hold in our records for you. This password will arrive in the post in the days following receipt of the confirmation email and can then be used to unlock your personal data on the portal.

Is there a charge for requesting access to my personal data?

No, we don’t charge for providing a copy of this personal data.

What does the ‘right to be forgotten’ mean?

You may ask us to delete the personal data we hold about you under certain circumstances. You may want to stop this data being processed where it’s no longer relevant or appropriate. However, this isn’t an absolute right as there are exemptions that apply. For example, where we’re obliged to keep copies of your data by law or for regulatory purposes for a certain period of time, we will not delete this data until the relevant period is over.

If you have a specific question around our retention policies, please call us on 08085 405060 for more details.

There are instances where we are required to hold data for longer and for shorter periods of time, which is in line with all relevant statutory requirements. We will never keep your data unless it is necessary to do so but we cannot delete your data while you hold a product with us (or during the relevant retention period) without breaking the law.

What are the exemptions which apply to the ‘Right to be Forgotten’?

Some exemptions do apply to the ‘Right to be Forgotten’. These include:

  • where you have an active product with us
  • where we have any legal basis for holding the data
  • where there are other legal or regulatory obligations that we must comply with
  • where data has not yet been retained for the specific periods of time required by law

I no longer have my account/product with you but I’ve noticed from a recent DSAR that you’re still holding my personal data. Why?

As a financial institution, we are governed and regulated by various regulatory bodies and we must comply with various laws, some of which require us to keep records of our business activities, including our dealings with you, for certain periods. We have a data retention schedule which is compliant with all relevant laws, regulations and codes of conduct. This means that, if we’re still required by law to keep data, we won’t delete it when a customer asks. However, we may anonymise this data in such a way that it cannot be tied back to the specific data subject.

We delete all personal data we hold at the end of the relevant retention period, unless there is an additional reason we need to hold the information, such as where you have made a portability or data subject access request. Many of these periods begin on the date a product is closed. This means we won’t action your request to be forgotten until the end of the relevant retention period. You’d need to close all of your open accounts to allow us to do this.

You’ve mentioned above that my data will only be removed when the retention period is reached. How do you make sure this happens?

The timelines differ depending on the type of product(s) you hold and are based on the specific regulations which apply to those products. We have a process in place to delete any data from our systems which we are no longer obliged to keep.

I’m not happy that you’re not willing to remove my personal data. Who do I complain to?

If you’re unhappy with the way we respond to any of your requests, you may make a complaint to us via our Complaints team or directly to the Information Commissioner’s Office.

What is the right to data rectification?

It is a right which allows you to ask us to make changes to your personal data to ensure that it is accurate.

How do I ask you to rectify my personal data?

You can call us, write to us or update your details by logging into your online account.

If you call us to make us aware that your personal data needs to be updated, we’ll have to take you through some security questions to make sure you have the authority to make the change. Once that process is completed, we will discuss the issues with your personal data and fix any inaccuracies. The relevant numbers can be found on our Contact page.

If you’re an online customer, you can log in to your account to update your email address, your home address and your landline number.

Is there a charge for making a change to my personal data?

No, we don’t charge for correcting personal data held.

What is the ‘right to restrict processing’?

This is a very limited right, which applies in restricted circumstances. Usually a ‘request for restriction’ will only be for a short period of time whilst we are looking into something, investigating an issue relating to your personal data or are amending any incorrect or inaccurate personal data we hold about you. When processing is restricted, it means we can store your personal data but not process it.

When can I ask you to restrict the processing of my personal data?

You may ask us to restrict the processing of your personal data where one of the following applies:

  • when you believe the personal data we hold about you isn’t accurate - the processing of your data will be restricted for a period to verify the accuracy of the personal data
  • when you believe the processing is unlawful and you oppose the erasure of your personal data and request the restriction of the processing of your data instead
  • when we no longer need the personal data for the purposes of the processing, but you ask us to keep it for the establishment, exercise or defence of legal claims
  • where we are processing your personal data on the basis of our legitimate interests and you have objected to this processing - we are allowed time to verify whether our legitimate interests override your rights and processing will be restricted until we provide a response

Can I ask you to stop processing the personal data you hold about me for the purpose of automated decisions about me?

Yes. However, we may need to process your personal data using automatic decision-making processes to provide our services to you in order to fulfil our contract. If that is the case and you still want to exercise this right, we may have to close your account(s).

Please contact us if you would like to object to this processing and we will decide on a case by case basis whether we can stop this processing in relation to your personal data. If we can stop this processing, we will explain what impact this will have for you.

Can I object to my personal data being used for profiling for marketing purposes?

Yes. You can object to your personal data being used in this way. If you want to exercise this right, we will stop sending marketing to you and we will stop using your personal data for profiling purposes. Please note that once you opt out of marketing, we’ll stop sending you marketing communications but we’ll still contact you with service-related messages every now and then.

How do I stop you sending marketing to me?

If you’re an online customer, you can log in and change your personal preferences through the Customer Preference Management tool via your online account. Or, you can follow the opt-out process in our Privacy Policy on our website. Alternatively, you can call us to let us know you’d prefer not to receive marketing from us. As soon as you tell us, we’ll take action to ensure you are opted out of all Sainsbury’s Bank marketing.

How long does it take to stop marketing being sent out?

As soon as you indicate that you’d prefer not to receive Sainsbury’s Bank marketing, we’ll take action to ensure you are opted out. However, please note that some marketing material may already be in production and we won’t be able to stop this. We will do this as quickly as possible, but it could take up to 8 weeks to update all our systems, which is in line with guidelines from the regulator, the Information Commissioner’s Office (ICO).

Can you stop sending me marketing by email and continue to send me marketing by post?

No. We don’t provide a marketing channel preference selection facility, so a request of this kind will mean that you will stop receiving all types of Sainsbury’s Bank marketing.

Can I choose which products I receive marketing for?

No. We don’t provide a marketing product selection, so a request of this kind will mean that you will stop receiving marketing for all Sainsbury’s Bank products.

If I stop marketing just now, can I ask to receive it again at a later date?

Yes, if you want to check your marketing permission status or would like to start receiving marketing again, you can do this by accessing the link in our Privacy Policy, which you’ll find on our website.

Why am I receiving marketing from Nectar when I’ve already opted out of Sainsbury’s Bank marketing?

Nectar is a separate company to Sainsbury’s Bank and a Data Controller in its own right. To adjust or opt out of any marketing from Nectar, you will need to contact Nectar directly.

What is ‘sensitive personal data’?

‘Sensitive personal data’ is any data which falls into one of the following categories:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data
  • health data
  • data relating to a person's sex life or sexual orientation

This data is known as ‘Special Categories of Data’ under data protection law. This kind of personal data is subject to tighter controls than other types of personal data and we have specific controls in place to protect any sensitive personal data we may hold about you.

Data relating to criminal convictions is treated separately under data protection law but our sensitive data controls also apply to this type of data.

What happens if I no longer agree to you holding my sensitive personal data?

We only process sensitive personal data where it is necessary for us to provide our products and services to you (e.g. where data relating to your health is required to provide travel insurance). If you want to withdraw your consent to the processing of any sensitive personal data we hold about you, we may have to close your account.