Privacy Notice for Cardholders - UK Corporate Card

This notice (Privacy Notice) applies to personal information held by HSBC UK Bank plc (in this notice, “we” or “us”) as a data controller in connection with your Corporate Card (“Card”), and covers our use of your data in respect of such Card.  Your Card is issued under the terms of an agreement between us and your employer, which we refer to as the “Customer” in this notice.

This Privacy Notice describes how we process your personal data. It describes the type of information we collect about you, how we’ll use that information, who we’ll share it with, the circumstances when we’ll share it and what steps we’ll take to make sure it stays private and secure. It continues to apply even if your use of or any agreement in respect of services in relation to the Card ends.

The information we collect from you (as described below) is required to provide you with access to our services, to fulfil our agreement with the Customer, and to enable us to fulfil our legal and regulatory compliance obligations, as described below. Failure to provide your information (or if all personal data submitted to us is not complete, accurate, true and correct) may mean it is not possible to provide you with access to certain products or services which you or the Customer have requested.

What information we collect

We’ll only collect your information in line with relevant regulations and law. The information we collect may include:

  • Information that you, or the Customer, provide to us, including personal details (e.g. name, gender, date of birth); contact details (e.g. home or work address, telephone numbers, and bank account details); and other information you may give to us, for example when you contact us in relation to your Card.
  • Information that we collect or generate about you, including your transaction records and payment history, information about how you use your Card, and information we need to support our regulatory and risk activity, such as details of suspicious or unusual activity, due diligence, sanctions and anti-money laundering checks.
  • Information that we collect from other sources, including information from third parties. For example, client user information collected through third party application service providers that we have a mutual relationship with, such as accounting software providers who provide you with a service and with whom you have separately agreed that we can share information.

How we’ll use your information

We’ll only use your information where we have a lawful reason for using it. We do so to fulfil our agreement with the Customer and because it is in our legitimate interest and that of the Customer to do so (for example, to provide and develop our activities).  The purposes we will use your information for include:

  • providing services to you and the Customer, including those relating to your Card, and maintaining the overall relationship;
  • understanding how you use your Card, and for product and service improvement;
  • audit and debt collection, and protecting our legal rights;
  • meeting legal, regulatory and policy obligations;
  • responding to requests and demands from governmental, public, regulatory, tax, court and similar authorities, which we also do to meet our legal obligations;
  • detecting, investigating and preventing financial crime, including obligations relating to fraud, money laundering, tax evasion and sanctions, which we also do to meet our legal obligations; and
  • other internal and administrative purposes, security and business continuity, risk management, and system and product development. This may include combining your information with other information available to us or other members of the HSBC Group, and sharing aggregate or anonymised information (provided you can’t be identified from it).

Tracking or recording what you say or do

To help keep you and your money safe, we may record details of your interactions with us, including phone calls, letters, emails, live chats, video chats and other kinds of communication. We may use these recordings to check your instructions to us, assess, analyse and improve our service, train our people, manage risk or to prevent and detect fraud and other crimes. We may also capture additional information about these interactions, such as telephone numbers that you call us from.

Compliance with laws and regulatory compliance obligations

We’ll use your information to meet our compliance obligations, to comply with other laws and regulations (and to share with regulators and other authorities) that HSBC Group companies are subject to. This may include using it to help detect or prevent crime (including terrorism financing, money laundering and other financial crimes). We’ll only do this on the basis that it’s needed to comply with a legal or regulatory obligation or it’s in our legitimate interests and that of others.

Data analytics

When you use your Card, details of expenditure listed on the statement to which the Card payment relates may be sent by the retailer to us via the retailer’s card processor or via Visa International or MasterCard. The details may be analysed by us, or by Visa International or MasterCard on our behalf. If requested to do so by the Customer, we will pass these details to them for their use and further analysis. If you do not want details of expenditure not paid for with your Card to be collected, please ask the retailer for a separate invoice for such expenditure.

Who we might share your information with

We may share your information with others where it is lawful to do so including where we or they:

  • need to in order to provide you with products or services you’ve requested, e.g. fulfilling a payment request, sharing information with third parties;
  • have a public or legal duty to do so, e.g. to assist with detecting and preventing fraud, tax evasion and financial crime;
  • need to in connection with regulatory reporting, litigation or asserting or defending legal rights and interests;
  • have a legitimate business reason for doing so, e.g. sharing your information with the Customer as part of our provision of service of the Card;
  • to manage risk or verify your identity, enable another company to provide you with the services you’ve requested, or assess your suitability for products and services; or
  • we have permission to share it.

We may share your information for these purposes with others including:

  • other HSBC Group companies and any sub-contractors, agents or service providers who work for us or provide services to us or other HSBC Group companies (including their employees, sub-contractors, service providers, directors and officers);
  • law enforcement, government, courts, dispute resolution bodies, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities;
  • other parties involved in any disputes, including disputed transactions;
  • fraud prevention agencies who’ll also use it to detect and prevent fraud and other financial crime and to verify your identity; or
  • the Customer and anyone else that we’ve been instructed to share your information with by either you or the Customer.

How long we’ll keep your information for

We keep your information in line with our data retention policy. As a general principle, we will not retain your personal data for longer than is necessary for the fulfilment of the purposes (including any directly related purposes) for which the data is or is to be used, unless required by law. For example, we will normally keep transactional data for a period of seven years from the end of our relationship with the Customer. This enables us to comply with legal and regulatory requirements and to use it where we need to for our legitimate purposes such as account management and dealing with any disputes or concerns that may arise. We may need to retain your information for a longer period where we need it to comply with regulatory or legal requirements or where we may need it for our legitimate purposes e.g. to help us respond to queries or complaints, fighting fraud and financial crime, responding to requests from regulators, etc. If we don’t need to retain information for this period of time, we may destroy, delete or anonymise it more promptly.

Transferring your information overseas

Your information may be transferred to and stored in locations outside the European Economic Area (EEA), including countries/territories that may not have the same level of protection for personal information. When we do this, we’ll ensure it has an appropriate level of protection and that the transfer is lawful. We may need to transfer your information in this way to carry out our agreement with the Customer, fulfil a legal obligation, to protect the public interest and/or for our or the Customer’s legitimate interests. In some countries/territories the law might compel us to share certain information, e.g. with tax authorities. Even in these cases, we’ll only share your information with people who have the right to see it. You can obtain more details of the protection given to your information when it is transferred outside your jurisdiction or outside the EEA by contacting us using the details in the ‘More details about your information’ section below.

Your rights

You have a number of rights in relation to the information that we hold about you. These rights include:

  • the right to access information we hold about you and to obtain information about how we process it;
  • in some circumstances, the right to withdraw your consent to our processing of your information, which you can do at any time. We may continue to process your information if we have another legitimate reason for doing so, although this may impact your ability to continue to have access to our products and services;
  • the right to request that we rectify your information if it’s inaccurate or incomplete;
  • in some circumstances, the right to request that we erase your information. We may continue to retain your information if we are entitled or required to retain it; and
  • the right to object to, and to request that we restrict, our processing of your information in some circumstances. Again, there may be situations where you object to, or ask us to restrict, our processing of your information but we are entitled to continue processing your information and / or to refuse that request.

You can exercise your rights by contacting us using the details set out in the ‘More details about your information’ section below. You also have a right to complain to the UK Information Commissioner’s Office by visiting ico.org.uk, or to the relevant data protection regulator in the country/territory where you live or work.

Fraud and Money Laundering checks

We’ll carry out checks with fraud prevention agencies for the purposes of preventing fraud and money laundering, and to verify your identity before we provide the Card to you. These checks require us to process personal information about you.  We’ll process personal information such as your name, address, date of birth, contact details, financial information, employment details, and device identifiers e.g. IP address. We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.  We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering and to verify your identity. This enables us to protect our business and to comply with laws that apply to us. Fraud prevention agencies can hold your personal data for different periods of time. If they’re concerned about a possible fraud or money laundering risk, your data can be held by them for up to six years.

If we, or a fraud prevention agency, have reason to believe there is a fraud or money laundering risk, we may refuse to provide the services to the Customer. We may also stop providing existing products and services to you which you receive as our customer. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies and may result in others refusing to provide services to you. The information we hold about you could make it easier or harder for you to get credit in the future.

How we keep your information secure

We use a range of measures to keep your information safe and secure which may include encryption and other forms of security. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.

More details about your information

If you’d like further information on anything we’ve said in this Privacy Notice, or to contact our Data Protection Officer, contact us at P.O. Box 6201, Coventry CV3 9HW, United Kingdom addressed ‘for the attention of the DPO’.

This Privacy Notice may be updated from time to time and the most recent version can be found at the Card online portal MiVision - mivision.hsbc.co.uk.

Accessibility

If you need any of this information in a different format, please let us know. This includes large print, braille, or audio. You can speak with us using the chat service on our website, by visiting one of our branches, or by giving us a call.

There are also lots of other options available to help you communicate with us. Some of these are provided by third parties who are responsible for the service. These include a Text Relay Service and a British Sign Language (BSL) Video Relay Service. To find out more, please get in touch. You can also visit business.hsbc.uk/accessibility or business.hsbc.uk/contact-us.