RBS Privacy Notice – Long Form
1.1. This privacy notice (the “Privacy Notice”) applies to all personal information processing activities carried on by the The Royal Bank of Scotland plc (RBS) )
1.2. RBS is a data controller in respect of personal information that we process in connection with our business (including the products and services that we provide). In this notice, references to “we”, “us” or “our” are references to RBS
1.3. Our principal address is 36 St Andrew Square, Edinburgh, EH2 2YB and our contact details can be located at www.rbs.com
1.4. We are a member of The Royal Bank of Scotland Group PLC (“RBS group”). More information about the RBS group can be found at www.rbs.com by clicking on ‘About Us’.
1.5. We respect individuals’ rights to privacy and to the protection of personal information. The purpose of this Privacy Notice is to explain how we collect and use personal information in connection with our business. “Personal information” means information about a living individual who can be identified from that information (either by itself or when it is combined with other information).
2.1 In order to provide you with the transaction and bank balance aggregation service (“the service”) we will collect and process the following information:
a) the transaction history of any of your RBS Group accounts that you have chosen to be included within the service; and
b) the transaction history of non-RBS Group bank accounts for which you have given us your permission to access.
2.2 Information of any third parties contained within your transaction history.
2.3 If the transaction history data from you RBS and non-RBS accounts contains special categories of information we will only process this information in order to provide the service or where we are otherwise required to do so by law (see Section 7 ). Special categories of data include:
a) information about racial or ethnic origin,
b) religious or philosophical beliefs;
c) trade union membership;
d) physical or psychological health details or medical conditions; and
e) biometric information, relating to the physical, physiological or behavioural characteristics of a person, including for example using voice recognition or similar technologies to help us prevent fraud and money laundering.
2.4 Where permitted by law, we may process information about criminal convictions
or offences and alleged offences for specific and limited activities and purposes,
such as to perform checks to prevent and detect crime and to comply with laws
relating to money laundering, fraud, terrorist financing, bribery and corruption, and
international sanctions. It may involve investigating and gathering intelligence on
suspected financial crimes, fraud and threats and sharing data with law
enforcement and regulatory bodies set out in Schedule A.
3.1 In order to provide the service, we collect and hold information about you in the following ways:
a) information you provide to us to sign up to Mobile Banking;
b) information we already hold on your RBS accounts transactions; and
c) transaction information from other banks, that you have given us permission
Accessing your information
4.1 If you would like a copy of the personal information we hold about you, please
write to: Subject Access Requests Mailroom Manager, The Royal Bank of Scotland Group, 1 Hardman Boulevard,Manchester,M3 3AQ. A fee of £10 is payable.
4.2 If you have permitted us to do so, then we will send you relevant marketing
information (including details of other products or services provided by us or other RBS companies which we believe may be of interest to you), by mail, phone, email, text and other forms of electronic communication. If you change your mind about how you would like us to contact you or you no longer wish to receive this information, you can tell us at any time by contacting us at on 03457 888 444, through online banking or in branch.
From time to time we may change the way we use your information. Where we believe you may not reasonably expect such a change we will notify you and will allow a period of at least 30 days for you to raise any objections before the change is made. However, please note that in some cases, if you do not agree to such changes it may not be possible for us to continue to operate your account and/or provide certain products and services to you.
We will only use and share your information where it is necessary for us to lawfully carry out our business activities. Your information may be shared with and processed by other RBS group companies. We want to ensure that you fully understand how your information may be used. We have described the purposes for which your information may be used in detail in a table in Schedule A - Purposes of processing.
7. Sharing with third parties
7.1 We will not share your information with anyone outside RBS except:
a) where we have your permission;
b) where required to provide you with the service ;
c) where we are required by law and by law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies around the world;
d) in anonymised form as part of statistics or other aggregated data shared with third parties; or
e) where permitted by law, it is necessary for our legitimate interests or those of a third party, and it is not inconsistent with the purposes listed above.
7.2 RBS will not share your information with third parties for their own marketing purposes without your permission.
8.1 We may transfer your information to organisations in other countries (including to other RBS group companies) on the basis that anyone to whom we pass it protects it in the same way we would and in accordance with applicable laws.
8.2 In the event that we transfer information to countries outside of the European Economic Area (which includes countries in the European Union as well as Iceland, Liechtenstein and Norway), we will only do so where:
a) the European Commission has decided that the country or the organisation we are sharing your information with will protect your information adequately;
b) the transfer has been authorised by the relevant data protection authority; and/or
c) we have entered into a contract with the organisation with which we are
sharing your information (on terms approved by the European Commission) to ensure you information is adequately protected..
9.1 We will contact you with information relevant to the operation and maintenance of your account (including updated information about how we process your personal information), by a variety of means including via online banking, mobile banking, email, text message, post and/or telephone. If at any point in the future you change your contact details you should tell us promptly about those changes.
We may monitor or record calls, emails, text messages or other communications in accordance with applicable laws for the purposes outlined in Schedule A - Purposes of Processing
10.1 We may access and use information provided by you as part of the service , from credit reference and fraud prevention agencies when you open your account and periodically to:
a) prevent criminal activity, fraud and money laundering;
10.2 If false or inaccurate information is provided and/or fraud is identified or suspected, details will be passed to fraud prevention agencies. Law enforcement agencies and other organisations may access and use this information.
10.3 If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or we may stop providing existing services to you.
10.4 A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. Fraud prevention agencies can hold your information for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
10.5 When credit reference and fraud prevention agencies process your information, they do so on the basis that they have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect their business and to comply with laws that apply to them.
10.6 If you would like a copy of your information held by the credit reference and fraud prevention agencies we use, or if you want further details of how your information will be used by credit reference agencies please visit their websites or contact them using the details below. The agencies may charge a fee.
Credit reference agency
Post: Callcredit Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP.
Phone: 0330 024 7574
Post: Equifax Ltd, Customer Service Centre
PO Box 10036, Leicester, LE3 4FS.
Phone: 0333 321 4043 or 0800 014 2955
Post: Experian, PO BOX 9000, Nottingham, NG80 7WF
Phone: 0344 481 0800 or 0800 013 8888
11.1 By providing you with the bank balance and transaction aggregated service we will hold transaction information on our live systems for a period of 90 days and in back up for a period of seven years after your relationship with the bank ends in order to defend or make legal claims.
11.2 We may on exception retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is intended to make sure that the bank will be able to produce records as evidence, if they're needed.
We are committed to ensuring that your information is secure with us and with the third parties who act on our behalf. For more information about the steps we are taking to protect your information please visit
We will only use and share your information where it is necessary for us to carry out our lawful business activities. Your information may be shared with and processed by other RBS group companies. We want to ensure that you fully understand how your information may be used. We have described the purposes for which your information may be used in detail in a table below:
In order to provide bank balance and transaction aggregated services we process your information because it is necessary to enter into a contract with you for the provision of the service or to perform our obligations under that contract. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you.
When you apply for a product or service (and throughout your relationship with us), we are required by law to collect and process certain personal information about you. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you. This may include processing to:
a) confirm your identity, including using biometric information and voice-recognition technology and other identification procedures, for example fingerprint verification;
b) perform checks and monitor transactions and location data for the purpose of preventing and detecting crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions. This may require us to process information about criminal convictions and offences, to investigate and gather intelligence on suspected financial crimes, fraud and threats and to share data with law enforcement and regulatory bodies;
c) share data with other banks and third parties to help recover funds that have entered your account as a result of a misdirected payment by such a third party;
d) share data with police, law enforcement, tax authorities or other government and fraud prevention agencies where we have a legal obligation, including reporting suspicious activity and complying with production and court orders;
e) deliver mandatory communications to customers or communicating updates to product and service terms and conditions.
f) investigate and resolve complaints;
g) conduct investigations into breaches of conduct and corporate policies by our employees;
h) manage contentious regulatory matters, investigations and litigation;
i) perform assessments and analyse customer data for the purposes of managing, improving and fixing data quality;
j) provide assurance that the bank has effective processes to identify, manage, monitor and report the risks it is or might be exposed to;
k) investigate and report on incidents or emergencies on the bank’s properties and premises;
l) coordinate responses to business disrupting incidents and to ensure facilities, systems and people are available to continue providing services.
We may process your information where it is in our legitimate interests do so as an organisation and without prejudicing your interests or fundamental rights and freedoms.
a) We may process your information in the day to day running of our business, to manage our business and financial affairs and to protect our customers, employees and property. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business. This may include processing your information to:
(i) monitor, maintain and improve internal business processes, information and data, technology and communications solutions and services;
(ii) ensure business continuity and disaster recovery and responding to information technology and business incidents and emergencies;
(iii) ensure network and information security, including monitoring authorised users’ access to our information technology for the purpose of preventing cyber-attacks, unauthorised use of our telecommunications systems and websites, prevention or detection of crime and protection of your personal data;
(iv) provide assurance on the bank's material risks and reporting to internal management and supervisory authorities on whether the bank is managing them effectively;
(v) perform general, financial and regulatory accounting and reporting;
(vi) protect our legal rights and interests;
(vii) manage and monitor our properties and branches (for example through CCTV) for the purpose of crime prevention and prosecution of offenders, for identifying accidents and incidents and emergency situations and for internal training; and
(viii) enable a sale, reorganisation, transfer or other transaction relating to our business.
b) It is in our interest as a business to ensure that we provide you with the most appropriate products and services and that we continually develop and improve as an organisation. This may require processing your information to enable us to:
(i) identify new business opportunities and to develop enquiries and leads into applications or proposals for new business and to develop our relationship with you;
(ii) send you relevant marketing information (including details of other products or services provided by us or other RBS group companies which we believe may be of interest to you).
(iii) understand our customers’ actions, behaviour, preferences, expectations, feedback and financial history in order to improve our products and services, develop new products and services, and to improve the relevance of offers of products and services by RBS group companies;
(iv) monitor the performance and effectiveness of products and services;
(v) assess the quality of our customer services and to provide staff training. Calls to our service centres and communications to our mobile and online helplines may be recorded and monitored for these purposes;
(vi) perform analysis on customer complaints for the purposes of preventing errors and process failures and rectifying negative impacts on customers;
(vii) compensate customers for loss, inconvenience or distress as a result of services, process or regulatory failures;
(viii) identify our customers’ use of third party products and services in order to facilitate the uses of customer information detailed above; and
(ix) combine your information with third party data, such as economic data in order to understand customers’ needs better and improve our services.
We may perform data analysis, data matching and profiling to support decision making with regards to the activities mentioned above. It may also involve sharing information with third parties who provide a service to us.
c) It is in our interest as a business to manage our risk and to determine what products and services we can offer and the terms of those products and services. It is also in our interest to protect our business by preventing financial crime. This may include processing your information to:
(i) carry out financial, credit and insurance risk assessments;
(ii) manage and take decisions about your accounts;
(iii) carry out checks (in addition to statutory requirements) on customers and potential customers, business partners and associated persons, including performing adverse media checks, screening against external databases and sanctions lists and establishing connections to politically exposed persons;
(iv) share data with credit reference, fraud prevention agencies and law enforcement agencies;
(v) trace debtors and recovering outstanding debt;
(vi) for risk reporting and risk management .
Application decisions may be taken based on solely automated checks of information from credit reference agencies and internal RBS records. For more information on how we access and use information from credit reference and fraud prevention agencies see section 10 in this document.