Sainsbury's Bank Privacy Policy – Processor for NWG

1.1 This privacy notice (the “Privacy Notice”) applies to all information we collect, use and process about you as a customer in relation to the products/services you receive from us carried out by Sainsburys Bank Plc (Sainsbury’s Bank) as a data processor on behalf of National Westminster Bank Plc (NatWest).

1.2 Sainsburys Bank is a data processor in respect of personal information that we process in connection with our business (including the products and services that we provide). In this notice, references to “we”, “us” or “our” are references to Sainsbury’s Bank.

1.3 Our principal address is 1 New Park Square, Edinburgh Park, Edinburgh EH12 9GR and our contact details can be located at SainsburysBank.co.uk

1.4 NatWest is a data controller and is a member of NatWest Group plc. More information about the NatWest group and its brands can be found at NatWestGroup.com.

1.5 We respect individuals’ rights to privacy and to the protection of personal information. The purpose of this Privacy Notice is to explain how we (on behalf of NatWest) collect and use personal information in connection with our business. “Personal information” means information about a living individual who can be identified from that information (either by itself or when it is combined with other information).

2.1 We collect and process various categories of personal information at the start, and for the duration, of your relationship with us and beyond (subject to appropriate retention periods as set out in section 12 below). We will limit the collection and processing to information necessary to achieve one or more legitimate purposes as identified in this notice. Personal information may include:

1. basic personal information, including name and address, date of birth and contact details.
2. financial information, including account and transactional information and history, payment and payee details.
3. information about your family, lifestyle and social circumstances and preferences.
4. information about your financial circumstances, including personal wealth, assets and liabilities, proof of income and expenditure, credit and borrowing history and needs and goals.
5. information relating to climate, including utility consumption, property features such as housing certification ratings, vehicle and journey details, and carbon emission data.
6. education, employment and business information.
7. goods and services provided.
8. visual images and personal appearance (such as photos, copies of passports or CCTV images), voice recordings, fingerprints.

online profile and social media information and activity, based on your interaction with us and our websites and applications, including for example your banking profile and login information, Internet Protocol (IP) address, smart device information, location coordinates, our digital services banking security authentication, mobile phone network information, searches, site visits and spending patterns

2.2 We may also process certain special categories of information for specific and limited purposes, such as to make our services accessible to customers or for reporting of complaints for regulatory purposes, or where it is in the wider public interest (for example, to protect customers’ economic wellbeing or to prevent and detect unlawful acts, fraud and financial crime). We will only process special categories of information where we have obtained your explicit consent or are otherwise lawfully permitted to do so (and then only for the particular purposes and activities for which the information is provided as set out in Schedule A). This may include information revealing:

a) racial or ethnic origin,
b) political opinions;
c) religious or philosophical beliefs;
d) trade union membership;
e) biometric data;
f) information concerning health; and
g) data concerning a person’s sex life and sexual orientation.

2.3 Where permitted by law we may process information about criminal convictions, criminal offences, related security details, alleged offences including unproven allegations, spent or previous convictions, or other details provided in relation to a criminal reference check or similar.

2.4 Where we rely on your consent to process your special category data, you can withdraw your consent at any time by contacting us. Please note that in some cases we do not rely on consent to process special category data.

2.5 We may use artificial intelligence models in the course of providing products and services and this may include use of generative artificial intelligence models. We may also use your information to train artificial intelligence models. When you interact with artificial intelligence models further information may be provided to help you understand how the artificial intelligence model has processed your information and reached a particular decision. NB. An AI system is a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. Different AI systems vary in their levels of autonomy and adaptiveness after deployment.

3.1 Your information is made up of all the financial and personal information we collect and hold about you/your business and the proprietors, officers and beneficial owners of that business and your transactions. It includes:

1. information you give to us.
2. information that we receive from third parties – including NatWest Group companies,
   (i) third parties who provide services to you or us,
   (ii) credit reference, fraud prevention, law enforcement or government agencies,
   (iii) industry and trade bodies,
   (iv) other banks (where permitted by law); and
   (v) energy companies and energy regulators where we have a legal basis to obtain this data.
3. information that we learn about you through our relationship with you and the way you operate your accounts and/or services, such as the payments made to and from your accounts and payees from your account and where you are identified as a payee.
4. information that we gather, where we have your consent, through cookies or similar tracking tools when you use our websites, internet banking, mobile banking app, email or web chat services. Advertising or targeting cookies or similar technologies may also be used, with your consent, to track your responses to particular adverts, messages or forms, which helps us to ensure we present you with the most relevant content in the future. Cookies may also be set if you click on a link within the email. We track delivery and analyse the click rates of bulk emails in order to:

• Identify delivery problems with Internet Service Providers.
• Provide evidence that regulatory messages are being opened.
• Ensure subject lines and email content are clear and helpful.
• Measure the overall performance of communication campaigns.
• Make our communications more relevant. By default, tracking logs are deleted after 6 months

5. information that we gather from the technology which you use to access our services (for example, device data location, data from your device, or an IP address or telephone number) and how you use it (for example, pattern recognition).
6. information that we gather from publicly available sources, such as the press, the electoral register, company registers and online search engines. Information that you make public on social media (for example, Facebook, Twitter); and
7. information obtained through remote sensing such as satellite for determining geographical sources of emissions; identifying land uses including for farm use/crops; identifying possible locations for emission reduction actions.

4.1 We want to make sure you are aware of your rights in relation to the personal information we process about you. We have described those rights and the circumstances in which they apply in the table below.

4.2 If you wish to exercise any of these rights, or if you have any queries about how we use your personal information which are not answered here, please contact your private banker.

4.3 Our Data Protection Officer can be contacted by writing to the Data Protection Officer, Sainsbury’s Bank, 1 New Park Square, Edinburgh Park, Edinburgh EH12 9GR or by emailing NWGDPO@sainsburysbank.co.uk. Please note that in some cases, if you do not agree to the way we process your information, it may not be possible for us to continue to operate your account and/or provide certain products and services to you.

Table A - Your Rights

From time to time we may change the way we use your information. When we do, we will communicate any changes to you and publish the updated Privacy Notice on our website. We would encourage you to visit our website regularly to stay informed of the purposes for which we process your information and your rights to control how we process it. Where we believe you may not reasonably expect such a change, we will notify you and will allow a period of at least 30 days for you to raise any objections before the change is made. However, please note that in some cases, if you do not agree to such changes it may not be possible for us to continue to operate your account and/or provide certain products and services to you. Where relevant, we may also include further details or information in relation to a particular service or activity at the point information is collected or the product or service is considered.

We will only use and share your information with other NatWest Group companies where it is necessary for us to lawfully carry out our business activities as a group of companies (for example, to manage our risk, to support our decision-making processes, to provide you with products or services, for marketing services, for internal reporting, or where those companies provide services to us). We want to ensure that you fully understand how your information may be used. We have described the purposes for which your information may be used in detail in Schedule A – Purposes of Processing

7.1 We will not share your information with anyone outside NatWest Group except:

1. where we have your permission.
2. where required, whether directly or indirectly, for your product or service, which could include in relation to your welfare or accessibility requirements.
3. with law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory or trade bodies around the world.
4. with other banks and third parties in relation to fraud or financial crime or criminal activities; or in the event of suspected fraud or financial crime or criminal activities; or the monitoring, prevention and investigation of the same; with other banks and third parties to help recover funds that have entered your account as a result of a misdirected payment by such a third party.
5. with third parties providing services to us, such as market analysis and benchmarking, climate and broader environmental impact analysis, correspondent banking, agents and sub-contractors acting on our behalf, such as the companies which print our account statements, where advice or services are required or requested in connection with the bank’s legal, regulatory or contractual rights or obligations relating to products or services provided to you.
6. with social media companies (in a secure format) or other third-party advertisers and marketing companies so they can display or send relevant messages to you and others or compile information relevant to marketing to you about our products and services on our behalf. Third party advertisers may also use information about your previous web activity to tailor adverts which are displayed to you. 
7. with credit reference agencies and with third parties in relation to debt collection and related activities. 
8. with third-party guarantors or other companies that provide you with benefits or services (such as insurance cover) associated with your product or service.
1. where required for a proposed or actual sale, reorganisation, transfer, financial arrangement, asset disposal or other transaction relating to our business and/or assets held by our business where such data is shared with a third party it is done so under strict duties of confidentiality.
10. in anonymised form as part of statistics or other aggregated data shared with third parties such as companies that provide you with benefits or services; or
11. where permitted by law, it is necessary for our legitimate interests or those of a third party, and it is not inconsistent with the purposes listed above.

7.2 If you ask us to, we will share information with any third party that provides you with services such as account information or payment initiation services. If you ask a third-party provider to provide you with these services, you are allowing that third party to access information we hold. We are not responsible for any such third party’s use of the information shared with your agreement. Their use of the information will be governed by their agreement with you and any privacy statement they provide to you.

7.3 In the event that any additional authorised users are added to your account, we may share information about the use of the account by any authorised user with all other authorised users.

7.4 In the event that you link your assets and liabilities with your immediate family under a Fee Family, the sum of the combined assets and liabilities held within the Fee Family may be shared with other members of the Fee Family. In some instances this may allow other members of the Fee Family to calculate the combined assets and liabilities you hold with us.

7.5 NatWest and the Society for Worldwide Interbank Financial Telecommunications (known as SWIFT) are “joint controllers” of the processing of your personal information. To view our Joint Controller Notice, click here.

8.1 We may transfer your information to organisations in other countries (including to other NatWest Group companies) on the basis that anyone to whom we pass it protects it in the same way we would and in accordance with applicable laws.

8.2 In the event that we transfer information to countries outside of the UK and European Economic Area (which includes countries in the European Union as well as Iceland, Liechtenstein and Norway), we will only do so where: a) the UK has decided that the country or the organisation we are sharing your information with will protect your information adequately; b) the transfer has been authorised by the relevant data protection authority; and/or c) we have entered into a contract with the organisation with which we are sharing your information (on terms approved by the UK) to ensure your information is adequately protected. If you wish to obtain a copy of the relevant data protection clauses, please contact our Data Protection Officer, Data Protection Officer at Sainsbury’s Bank, 1 New Park Square, Edinburgh Park, Edinburgh EH12 9GR or by emailing NWGDPO@sainsburysbank.co.uk

Where we have appropriate marketing permissions, we will send you relevant marketing information (including details of other products or services provided by us, by NatWest or other NatWest Group companies or other selected third parties which we believe may be of interest to you), by mail, phone, email, text, our digital services and other forms of electronic communication. Sainsbury’s Bank will not share your information with non-NatWest group third parties for their own marketing purposes. If you change your mind about how you would like us to contact you or you no longer wish to receive this information, you can change your preferences through our online preference centre or can tell us at any time by contacting us at 08085 40 50 60

10.1 We will contact you with information relevant to the operation and maintenance of your account (including updated information about how we process your personal information), by a variety of means including via our digital services, electronic message, post and/or telephone. If at any point in the future you change your contact details you should tell us promptly about those changes.

10.2 We may monitor or record calls, emails, text messages, webchat or other communications in accordance with applicable laws for the purposes outlined in Schedule A – Purposes of Processing. 10.3 We may contact you if we have concerns about your economic wellbeing and offer support. 

11.1 We may access and use information from credit reference and fraud prevention agencies when you open your account and periodically to:

a) manage and take decisions about your accounts, including assessing your creditworthiness and checks to avoid clients becoming over-indebted;
b) prevent criminal activity, fraud and money laundering;
c) check your identity and verify the accuracy of the information you provide to us; and d) trace debtors and recover debts.

11.2 Application decisions may be taken based solely on automated checks of information from credit reference and fraud prevention agencies and internal RBS records. To help us make decisions on when to give you credit, we use a system called credit scoring to assess your application. To work out your credit score, we look at information you give us when you apply; information from credit reference agencies that will show us whether you’ve kept up to date with payments on any credit accounts (that could be any mortgages, loans, credit cards or overdrafts), or if you’ve had any court action such as judgments or bankruptcy; your history with us such as maximum level of borrowing; and affordability, by looking at your available net income and existing debts. You have rights in relation to automated decision-making, including a right to appeal if your application is refused. You can appeal via our normal complaints process which can be found here: https://www.sainsburysbank.co.uk/contact/contact-customer-care

11.3 We will continue to share information with credit reference agencies about how you manage your account including your account balance, payments into your account, the regularity of payments being made, credit limits and any arrears or default in making payments, while you have a relationship with us. This information will be made available to other organisations (including fraud prevention

11.4 If false or inaccurate information is provided and/or fraud is identified or suspected, details will be passed to fraud prevention agencies. Law enforcement agencies and other organisations may access and use this information. Fraud prevention agencies may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the fraud prevention agencies will ensure your data continues to be protected by ensuring appropriate safeguards are in place.

11.5 If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we and others may refuse to provide the services and financing you have requested, to employ you, or we may stop providing existing services to you.

11.6 A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. Fraud prevention agencies can hold your information for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

11.7 If you would like a copy of your information held by the credit reference and fraud prevention agencies we use, or if you want further details of how your information will be used by these agencies, please visit their websites or contact them using the details below. The agencies may charge a fee.

12.1 By providing you with products or services, we create records that contain your information, such as customer account records, activity records, tax records and lending and credit account records. Records can be held on a variety of media (physical or electronic) and formats.

12.2 We manage our records to help us to serve our customers well (for example for operational reasons, such as dealing with any queries relating to your account) and to comply with legal and regulatory requirements. Records help us demonstrate that we are meeting our responsibilities and to keep as evidence of our business activities.

12.3 Retention periods for records are determined based on the type of record, the nature of the activity, product or service, the country in which the relevant NatWest Group company is located and the applicable local legal or regulatory requirements. We (and other NatWest group companies) normally keep customer account records for up to ten years after your relationship with the bank ends, whilst other records are retained for shorter periods. Retention periods may be changed from time to time based on business or legal and regulatory requirements.

12.4 We may on exception retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is intended to make sure that the bank will be able to produce records as evidence, if they are needed.

12.5 If you would like more information about how long we keep your information, please contact us at NWGDPO@sainsburysbank.co.uk

We are committed to ensuring that your information is secure with us and with the third parties who act on our behalf. For more information about the steps we are taking to protect your information please visit https://www.sainsburysbank.co.uk/security/security-zone-new

14.1 In the course of providing products and services to you we may process your personal information by automated means, to include profiling. What this means is that we will use computer software or predictive analysis to automatically evaluate your personal circumstances in order to identify risks or to predict certain outcomes. Examples of this type of processing include.

1. 1. automatically calculating loan/credit limits.
   2. obtaining credit reference checks for certain products.
   3. the assessment of account activity to detect and prevent fraud.
   4. the identification of customers in vulnerable situations so that we can offer them support or protection; and
   5. to provide personalised offers and create market insights.

14.2 Profiling is a useful tool as we try to understand our customers and their specific needs in more detail. It gives us the opportunity to use personal information to tailor our marketing and product offering but also to ensure that we achieve fair customer outcomes. However, our customers do have rights and entitlements in relation to automated processing and these are covered in Table A above. You also have the right to opt out of profiling for marketing purposes.

Schedule A – Schedule of Purposes of Processing

We will only use and share your information where it is necessary for us to carry out our lawful business activities. Your information may be shared with and processed by other NatWest group companies. We want to ensure that you fully understand how your information may be used. We have described the purposes for which your information may be used in detail in a table below: