Privacy & Cookie Policy

WEBSITE PRIVACY NOTICE

UBL UK (the Bank, we, our) are committed to protecting your privacy. Under Data Protection Laws, UBL UK is classified as a ‘data controller’ which means we are responsible for determining how we hold and process your data that we collect and hold about you. This Privacy Notice explains how UBL UK collects, uses,   and protect your personal information.

This notice has been set out for anyone that uses our website, however, it is also applicable to both personal and business banking customers. If you have made an application on behalf of another individual (as a Power of Attorney), a joint application with another individual, or an application for a business, charity or trust and have provided us with information in relation to its directors, shareholders, owners, trustees or beneficiaries (as applicable), then this privacy notice will also apply to them. We also have a separate Intermediary Privacy Notice that describes how we protect the personal data of lending brokers and introducers, and applicants for loans, which is available on our website.

COOKIES POLICY

The Bank use cookies on all our websites to enhance your user experience, and improve our services. Cookies also help us understand how you use our website, which allows us to make continuous improvements.

What is a cookie?

A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.

We use two types of cookies on our website:

Strictly Necessary Cookies: These are cookies that help our website function properly, protect the security of your account, and to save your preferences.

Other cookies:

We need your consent before we save cookies to your browser, unless the cookie is ‘strictly necessary’ and not reused for other purposes. So when you first visit our website we invite you to click ‘Accept’ to us saving cookies that are not ‘strictly necessary’. If you click ‘Reject’ we will not save these cookies in your browser, but some aspects of our website might not work as intended.

If you click ‘Accept’ to us using cookies, we will anonymise data about how you use our website  before sharing it with Google Analytics which will give us feedback on how our website is performing. This feedback helps us to fine-tune how our website presents data to customers. Google Analytics is unable to directly identify you from this data, and details of how it safeguards this data is available at: https://support.google.com/analytics/answer/6004245.

On our websites we may include hyperlinks to other organisations’ websites. We would like to advise you that UBL UK has no control over how they deal with your personal data, so we recommend that you read the privacy notice of each website you visit.

This website is not directed towards children, but we understand that it may be accessed by visitors aged under 18. If you are aged 13 or older, you can give consent, just like an adult, to saving cookies on your computer when you first visit our website. Where our website is accessed by a child aged under 13, we assume that consent for placing cookies is provided by their parent or guardian.

You can change your cookie preferences at any time by clearing our cookies from your browser and make your preferences again. Or you can use a different browser, or anonymized browser session to open the website afresh and so change your preferences.

If you would like more information on how we use cookies, please contact the DPO.

 

OUR COMMITMENT TO YOU

Any information about an individual from which that person can be identified is classified as personal data. Where the data is anonymised, and you can no longer be identified from it, it is no longer personal data. We will always comply with the following principles, which means that your personal data will be:

·             Used lawfully, fairly and in a transparent way.

·             Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

·             Relevant to the purposes we have told you about and limited only to those purposes.

·             Accurate and kept up to date.

·             Kept only as long as necessary for the purposes we have told you about.

·             Kept securely.

 

WHAT PERSONAL DATA WE COLLECT AND HOLD ABOUT YOU

If you have not applied for a product and are not a UBL UK account holder, we may still collect the information that you provide to us if you have contacted us. For example, if you have emailed us a query, we will keep record of that correspondence and the information that you provide to us in that correspondence such as your email address. 

When you apply for one of our products or have an existing UBL UK account, we will collect the following personal data from you:

 

·             Information regarding your identity such as your first name, middle name, last name, marital status, nationality, date of birth

·             Your contact details such as your postal address email address, home and mobile telephone numbers.

·             Financial Data including your nominated bank account, details of employment and annual income

·             Transaction data  such as the transactions you made through your account held with the Bank.

·             Your identification data such as copy of your passport, driving license, tax residency or any other type of identification document.

·           Information that you provide to us when you contact us. For example when contacting us by telephone, fill in forms on our website, use any of our products or services, or when you submit queries to us, we will keep a record of that correspondence and the information that you provide to us in that correspondence. Publicly available information such as electoral register or companies house. This may also include details you make public on social media such as Facebook or Twitter and other digital platforms such as Trustpilot.

·           If you tell us about a specific circumstance or a different way in which you require support from us relating to your health, finances or any other circumstance that may affect you, we may make a note of this. We may use this information to help support you in the right way. If you tell us any information regarding your health including physical disabilities, mental health issues, or any type of health-related issues, this is classified as special category data. 

 

ADDITIONAL PERSONAL DATA FOR LOAN PRODUCTS

This additional personal data required for lending products includes data on:

·             Your financial health such as your income and savings, summaries of your expenditure, and data about any other savings or loan accounts.

·             Your existing loans.

·             Your credit history which we obtain from Credit Reference Agencies.

·             Your current employment status and income.

·             Whether you own or rent your current property.

·             Whether you have permanent right to reside in the UK.

·             Your family background if this is relevant to your loan application, and

·             Where relevant, data about any guarantor you provide in a loan application.

We will collect some of this data directly from you, but some may be collected by your lending intermediary, a packager or introducer, and then shared with us as part of your application.

 

CREDIT REFERENCE AGENCIES (CRAs)

To process your application we will perform credit and identity checks on you with one or more credit reference agencies. To do this, we will share your personal information with CRAs. This will include:

·           Your identity data such as your name and date of birth

·           Your contact details such as your home address and post code

·           Your financial information such as the terms of your loan

·           Your business information (for commercial loans), such as your company name and address

We may also perform periodic searches on your financial circumstances to help us manage your account with us. Information held about you by any CRA will be shared to us and we will use this information to manage your loan.

Any searches will be recorded against your name by using a credit reference agency, and further data on this is provided by the main CRAs:

·              https://www.experian.co.uk/legal/crain/

·              https://www.equifax.co.uk/crain/

·              https://www.transunion.co.uk/legal/crain-retention

We do not collect other special categories of personal data about you such as details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, or genetic and biometric data. Nor do we collect any data about any criminal convictions and offences, although we may process this information as part of our employment background checks.

 

HOW AND WHY WE PROCESS YOUR DATA 

We will collect your personal information directly from you through the following:

·           When you apply for a UBL UK product by Post, in Branch (with one of our employees or relationship managers) or online through UBL UK Mobile & Internet Banking or UBL UK NetRemit

·           When you use our services such as Online Banking or UBL UK NetRemit

·           When you provide us with information through any type of communication channel including ‘contact us’ forms

·           Any information you provide us through the course of our relationship. For example, if you tell us about a specific circumstance or partake in our customer surveys.

 

We will only process your personal data when we have a lawful basis for doing so. Most commonly, we will process your personal data when:

·             To review and process your application.

·             To verify your identify and perform checks at account opening such as credit searches.

·             To maintain your account with us.

·           To comply with the law – We will process your personal data to comply with regulatory obligations which include data protection, financial crime and prevention of fraud.  Where necessary, we will also process your personal data to defend any future legal claims against us.

·             For marketing purposes, or to operate the bank. It is necessary for our legitimate interests, or those of a third party, where our legitimate interests do not override your fundamental rights. 

Less commonly, we may also process your personal data when:

·             We need to protect your, or someone else’s vital interests, if you were to become vulnerable.

·             Where it is needed in a particular public interest, or for particular official purposes, such as for the prevention of financial crime.

Where other lawful bases do not apply, we may ask for your consent to process particular items of your personal data. Consent will only rarely be used as a lawful basis, and you will be entitled to withdraw consent at any time.

Where we process more sensitive ‘special categories’ personal data, we need to have additional justification. We may process this type of personal data when:

·             It is needed in the public interest, such as to prevent fraud, or other criminal activity.

·             It is necessary to protect you or another person from harm.

·             Where it is needed in relation to legal claims.

 

SHARING YOUR DATA WITH THIRD PARTIES

We may collect your personal information indirectly from third parties:

·           Where another person provides your information to us when they apply for a product on your behalf or that is to be held jointly with you; or on behalf of a business, charity, trust or other organisation of which you are a director, shareholder, owner, trustee or beneficiary (as applicable);

·           Information you have asked us (or a third party) on your behalf for example information about your accounts or holdings with other companies including transaction information)

·           Through an intermediaries such as an introducer or lending broker

·           From fraud prevention agencies, credit reference agencies, government bodies and agencies, the electoral roll, Companies House and other sources of publicly available information (e.g. sanctions list, media) when we carry out searches for the purposes of processing your application and/or during your relationship with us;

We may share your personal data with third parties that provide us specialist support services, or with government agencies in order to comply with the law. Each third party will be contractually obliged to provide protections for your personal data to the same level as we provide. They must process your personal data only on our instructions, and cannot process your personal data for any other purpose, unless it is to comply with the law, such as in the prevention of financial crime.

If you would like more information on the third parties that we share your information with, please contact the DPO.

We may also need to share your personal data with other persons or organisations, in the UK and overseas, in order that we, and they too can comply with the law.

 

TO PROTECT YOUR VITAL INTERESTS

If you are assessed as vulnerable, we will also process your personal health data in order to tailor our services to you. However, we will only do this with your consent, and under the exceptional circumstances which are set out by the Data Protection Act 2018.

 

OUR LEGITIMATE INTERESTS

We have a legitimate interest to process your personal data at the application stage and throughout your relationship with us. This processing can include monitoring access to the Bank’s website to prevent cyber crime, market research, or communicating with customers to inform them of better products. However, we cannot do this if it would harm your data protection rights and freedoms, and we need to assess this potential harm carefully. 

In the event that we were to sell or transfer all or part of the Bank, we may need to share customers’ personal data as part of the transaction. In this situation, it would be in our legitimate interest to do so. However, we would ensure that there were adequate protections in place before any transfer of personal data.

YOUR CONSENT

The final legal basis for processing your personal data is your consent for the processing. There are very few situations where your consent is required as we only process customers’ personal data for purposes that are connected directly or indirectly to us providing savings and mortgage products.

However, where we must seek consent, such as for marketing, we will ask for a positive, explicit confirmation of your consent to specific processing, and keep a record of this so that we comply with your consent throughout your dealings with the Bank.

If at any time you wish to withdraw your consent, this can be done easily by contacting the Bank, by email, phone or through the branch.

CHANGES TO OUR LAWFUL BASIS

We will only process your personal data for the original purposes for which it was collected, and any later processing will be compatible with these original purposes. If we need to process your personal data for any purpose that is not compatible with the original purposes, we will inform you about our new lawful basis for doing so before any new processing.

YOUR MARKETING PREFERENCES

Where you have consented to receiving updates on Bank products similar to those that you already have, we may update you by letter, or by email.

We would only ever contact you according to your marketing preferences, so where you have registered with the Mail Preference Service we will not send you marketing information by letter.

Where we are obliged by our regulators to update you about features of your products that may no longer be suitable for you, we will update you by letter or email, according to your preferences.

With every update about our new products, you will have the opportunity to ask us to stop sending these updates. You can also do this easily by contacting the Bank, by email, phone or in the branch.

 

JOINT APPLICATIONS, GUARANTORS, AND POWERS OF ATTORNEY

If you make a joint application with another individual, we will also collect personal data about that other person. We will ask the other applicant to read this privacy notice and confirm that they are aware that their personal data will be shared with us as part of the application. 

Where you have applied for business, charity or trust account and have provided us with information in relation to its directors, shareholders, owners, trustees or beneficiaries (as applicable), then this privacy notice will also apply to them.

If you apply for a loan with a guarantor, we will also ask them to read this privacy notice and confirm that they are aware that their personal data will be shared with us as part of the application.

If someone has power of attorney over your affairs, we will also share this privacy notice with them when we contact them directly.

If we are informed about the death of one of our customers, we may be required to tell the executor(s) with responsibility for the account.

If you are named as an executor in a will, or where you are the confirmed next of kin where there is no will, we can tell you the account balance(s) and interest due up to the date of death. At the request of the executor(s) we will share data with solicitors, HMRC and the customer’s beneficiaries.

 

KEEPING YOUR DATA UP-TO-DATE

We aim to ensure that your personal information is kept up-to-date and accurate. If any of your personal information changes such as your email address or home address, you should let us know without delay so that we can update our records. If you are currently applying for a loan with us through an intermediary, you should also contact them to update your personal data.

 

IF YOU FAIL TO PROVIDE PERSONAL DATA

If you fail to provide certain personal data when requested, we may not be able to open your account, or perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations. 

 

MONITORING AND PROFILING

Where we are required by law, we will monitor your communication with us through calls, emails, in-person or video calls. We will do this for the sole purpose of complying with applicable laws and regulations in addition to our internal policies to prevent or detect crime, quality control and training purposes. 

We may also process your personal images as part of our CCTV coverage if you visit us in branch. We would only do this prevent, detect and prosecute crime. We retain these images for 90 days after which they are deleted.

We may also use your personal data to profile your financial situation, your preferences, interests, or behaviour. We would only do this to help us manage your savings or mortgage products, as part of market research, to comply with the law, or to support the long term financial health of the Bank.

Any profiling that we carry out will never be fully-automated, and will always include staff oversight. Some profiling may use your personal data, but only after it is anonymised, so that you cannot be identified.

HOW WE PROTECT YOUR DATA

We have appropriate security measures to prevent your personal data from being disclosed, corrupted, or lost in an unauthorised way. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a defined need-to-know. They will only process your personal data on our instructions, and are subject to a comprehensive duty of confidentiality. We have procedures in place  to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

 

HOW LONG DO WE KEEP YOUR DATA FOR?

Where your personal data has been collected as part of an application for a savings or mortgage product, and you decided not to proceed with your application, we will retain your personal data for twelve months from your last communication just in case you later decide to proceed with your application.

Where your application for our products is approved, we will retain your personal data until the end of the product lifecycle i.e. at maturity or account closure and then for an additional period of time to comply with the law.

At the end of the retention period, we will delete your personal data, in accordance with our internal policies in addition to applicable laws and regulations, unless we have a legitimate interest to retain it to defend legal claims against us. Any personal data retained after the end of the retention period will be archived..

If your personal information is shared with third parties, they may have different retention period to delete your data.

 

TRANSFERS OF PERSONAL DATA OUTSIDE THE UK

In order to manage your UBL UK products, we may need to use companies that process your personal data overseas. Where you use our NetRemit service, some of your personal data will be processed in Pakistan. Where personal data is processed in the European Economic Area (EEA) (the EU plus Norway, Iceland, and Liechtenstein), it is protected through the GDPR as in the UK.

Some companies operate outside the EEA, but do so from countries that the UK recognises has equivalent protections over personal data as under the GDPR (including Switzerland, Israel, Japan, and New Zealand).

Companies based in other countries that do not provide equivalent protections to the GDPR, such as the United States or Pakistan, can only process your personal data following an assessment of the potential risks to your personal data.. Where a transfer occurs we will take steps to ensure that your personal information is protected. We will do this by putting in place appropriate contracts. We will use a set of contract wording known as the "standard contractual clauses" which has been approved by the data protection authorities.

 

YOUR RIGHTS OVER YOUR PERSONAL DATA

You have data protection rights over how we use your personal data and you can exercise these rights at any time. You can do this easily by contacting the Bank through post, email, phone or visiting our branch.

Once you ask us to exercise your data protection rights we may need to request specific data from you to help us confirm your identity and to clarify which rights you wish to exercise.

We try to respond to all requests within one month, but if we believe that it may take longer, we will inform you about this in advance. If your request is considered to be clearly unfounded, repetitive or excessive, we may by law be able to refuse your request. Where the law prevents us completing your request in full, we will also explain this to you.

You will not have to pay a fee to exercise your data protection rights, but under certain circumstances we may need to charge a reasonable fee. You have the right to:

·             Be informed about processing

·             Access to your personal data

·             Object to processing of your personal data

·             Restrict processing of your personal data

·             Have your personal data deleted (the right to be forgotten)

·             Obtain a copy of your personal data, and

·             Object to automated decision-making.

 

THE RIGHT TO BE INFORMED ABOUT PROCESSING

You have the right to be informed about how we will process your personal data. We provide this privacy notice to help to inform you about this. You also have the right to have inaccurate personal data corrected, and we have procedures in place to help maintain accurate records for our customers.

 

THE RIGHT OF ACCESS TO YOUR PERSONAL DATA

You have the right to request access to your personal data (commonly known as a ‘data subject access request’ (DSAR). This entitles you to receive a copy of the personal data we hold about you and to check that we are processing it lawfully.

 

THE RIGHT TO OBJECT TO PROCESSING OF YOUR PERSONAL DATA

You have the right to request correction of the personal data that we hold about you. This entitles you to have any incomplete or inaccurate data we hold about you corrected.

You also have the right to object where we are processing your personal data for direct marketing purpose where we are relying on a legitimate interest (or those of a third party).

 

THE RIGHT TO RESTRICT PROCESSING OF YOUR PERSONAL DATA

You have the right to request that we restrict processing of your personal data:

·             Where you believe it as inaccurate.

·             Where you have objected to the processing under the legitimate interests for direct marketing and statistical analysis, or

·             Where you believe that the processing is unlawful and where you oppose erasure and request restriction instead.

 

THE RIGHT TO HAVE YOUR PERSONAL DATA DELETED (THE RIGHT TO BE FORGOTTEN)

You have the right to have your personal data deleted, known as ‘the right to be forgotten’. This right entitles you to request that we delete your personal data where there is no lawful reason for its continued processing. We may refuse requests to delete personal data if the personal data has to be retained to comply with the law, or to defend legal claims.

·             This right may be exercised where:

·             The personal data is no longer needed for the purpose for which it was originally collected.

·             The processing was based on consent which you has since been withdrawn.

·             You object to the processing and there is no overriding legitimate interest for continuing it.

·             The personal data is unlawfully processed, or

·             The personal data has to be erased to comply with a legal obligation.

 

THE RIGHT TO OBTAIN A COPY OF YOUR PERSONAL DATA

You have the right to request to have a copy of your personal data in a form that allows you to analyse it, or transfer it to another party under the right to ‘data portability’.

 

THE RIGHT TO OBJECT TO AUTOMATED DECISION-MAKING

You have the right to object to the automated processing of your personal data, if we are processing it on the legal basis of consent or for the performance of a contract. 

This right allows you to request safeguards against the risk that a potentially damaging decision is taken solely without human intervention. You may have the right to obtain human intervention in the processing, and an explanation of any automated decisions, which you may be able to challenge.

HOW TO EXERCISE YOUR RIGHTS

If you have any questions about how we handle your personal data, or wish to exercise any of your data protection rights, you can contact our Data Protection Officer at dpo@ubluk.com , or by writing to:

Data Protection Officer

UBL UK

2 Brook Street

London

W1S 1BQ

You can also make a complaint to the Information Commissioner’s Office at: ico.org.uk or by telephoning 0303 123 113. If you wish to exercise any of your data protection rights against the Credit Reference Agencies, or against an intermediary, you should contact them directly.