HSBC UK

We read HSBC UK's privacy policy so you don't have to.

  • Find out what they do with data about you
  • Contact them if you have a request about that data
Organisation information

Description

Bank

Registration country

United Kingdom

Registration number

09928412

Data Protection Officer

Organisations that use special categories of data, are public bodies, or do large scale processing must appoint a Data Protection Officer.

Role

Data Protection Officer

Postal address

FAO DPO, P.O. Box 6201, Coventry CV3 9HW

Data categories collected

Organisations must give details about what categories of data are stored and processed.

HSBC UK's privacy policy says they collect the following categories of data:

  • Bank account details

  • Bank transactions

  • Criminal records (Special category)

  • Date of birth

  • Email address

  • Gender

  • Health (Special category)

  • Identity documents

  • Location

  • Names

  • Postal address

  • Social security number

  • Telephone number

Unusual processing purposes

Organisations must provide information about what they do with data. This section highlights less common uses of data.

This privacy notice does not appear to mention any unusual processing purposes.

Third parties

Organisations must give details about other parties that personal data is shared with.

HSBC UK's privacy policy says they share data with the following third parties:

List of third parties

  • Other HSBC Group companies and any sub-contractors

  • Joint account holders, trustees, beneficiaries or executors

  • Guarantors

  • Customer beneficiaries or intermediaries

  • Other financial institutions

  • Asset managers

  • Brokers who introduce you to HSBC

  • Entities with an interest in products or services HSBC provides to you

  • Any people or companies where required for mergers and acquisitions

  • Law enforcement, government, courts, dispute resolution bodies, regulators, or auditors

  • Other parties involved in disputes

  • Fraud prevention agencies

  • Anyone who provides instructions or operates accounts on your behalf

  • Card processing suppliers

  • Other parties involved in providing your insurance policy or administering insurance claims

  • Medical experts and rehabilitation providers (for the purposes of insurance claims)

  • Research groups, universities, or advertisers (aggregated or anonymised information only)

How specific is this information?

Third parties are listed as groups

Retention rules

Organisations must give details about how long data is kept.

Summary

HSBC indicate that they will normally keep banking data for a period of 7 years after the end of a relationship with a customer.

The policy also indicates that some information may be kept for longer where needed for legitimate purposes.

How specific is this information?

  • Retention rules are given without mentioning specific categories of data

  • Specific times are given for how long data is kept

Lawful bases

Organisations must justify collection and use of data under six lawful bases and provide information about their decisions.

HSBC UK's privacy policy says they use the following lawful bases to collect and use data:

  • Contract

    * need to process the information to carry out an agreement we have with you;

  • Legal obligation

    * need to process the information to comply with a legal obligation;

  • Public task

    * believe the use of your information as described is in the public interest, e.g. for the purpose of preventing or detecting crime;

  • Legitimate interests

    * need to pursue our legitimate interests;
    * need to establish, exercise or defend our legal rights;
    * need to use your information for insurance purposes.

Our Observations

Unlike some other policies, HSBC's policy offers only a generic overview of the lawful bases they use for processing data and does not describe in detail what data is processed under each basis.

Security standards

Organisations must ensure that data is stored and processed securely.

Our Observations

The privacy policy offers a vague description of how information is secured.

"We use a range of measures to keep your information safe and secure which may include encryption and other forms of security. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards."

How specific is this information?

This organisation provides general details about how they secure data

Data processing addendum

Some organisations offer a data processing addendum that gives data adequate protections when it leaves the EEA.

This privacy notice does not appear to have this information.

Automated decision making

Organisations must give details about how data is used to make decisions without human involvement.

Summary

This organisation uses automated decision making

Our Observations

The policy indicates that HSBC use automated decision making to make credit decisions and to carry out fraud and money laundering checks.

How specific is this information?

The organisation mentions use of automated decision making for specific purposes

Complaint information

Organisations must give details about how to make a complaint with a data protection authority.

Summary

This privacy notice contains information about how to make a complaint to a data protection regulator

Our Observations

The privacy policy does not offer information on how to complain to HSBC, but does include information about submitting a complaint to the ICO.

How specific is this information?

This privacy notice contains specific contact details for a data protection regulator

Design recommendations

Organisations are required to provide privacy information in a transparent way. The Article 29 Working Party has provided recommendations on how to do this.

Assessment

This privacy notice:

  • Has language that is easy to understand

  • Is designed in a way that makes it easy to find information

  • Can be easily found on the organisation's website

Make a data request

You have rights to control data about you. Click on the rights to see why you might want to use each one.

We've also prepared email templates to help you contact HSBC UK to use the rights.

  • See data they hold about you

    You can ask to see what data HSBC UK has about you. They usually can’t charge for this, and they must respond to your request within a month.

    Why you might make this request

    You might want a copy of the data about you to understand what data the organisation has collected about you.

    Contact the organisation by post

    FAO DPO, P.O. Box 6201, Coventry CV3 9HW

    Use this template message above to help you write a letter to the organisation.

  • Change data they hold about you

    You can ask HSBC UK to change inaccurate or incomplete data about you. They must respond to your request within a month. Sometimes your request can be refused.

    Why you might make this request

    If an organisation is using information about you which is incorrect, you can ask them to correct it.

    Contact the organisation by post

    FAO DPO, P.O. Box 6201, Coventry CV3 9HW

    Use this template message above to help you write a letter to the organisation.

  • Delete data they hold about you

    You can ask that HSBC UK delete information about you. They must respond to your request within a month. Sometimes your request can be refused.

    Why you might make this request

    You might want to delete data about you if, for example, you have stopped using an organisation’s services.

    Contact the organisation by post

    FAO DPO, P.O. Box 6201, Coventry CV3 9HW

    Use this template message above to help you write a letter to the organisation.

  • Limit how they use data about you

    You can ask that HSBC UK only store data about you and not use it. They must respond to your request within a month.

    Why you might make this request

    You might want the accuracy of the data to be verified or you might want the organisation to hold on to data so you can make a legal claim against them.

    Contact the organisation by post

    FAO DPO, P.O. Box 6201, Coventry CV3 9HW

    Use this template message above to help you write a letter to the organisation.

  • Stop their use of data about you

    You can ask HSBC UK to stop using your data for particular reasons. They must respond to your request within a month.

    Why you might make this request

    You might want to stop the organisation using your data for direct marketing.

    Contact the organisation by post

    FAO DPO, P.O. Box 6201, Coventry CV3 9HW

    Use this template message above to help you write a letter to the organisation.

  • Export data they hold about you

    You can ask HSBC UK to move data about you to another service or provide it in a format that can be used by another service.

    Why you might make this request

    You might want to move your data to another organisation to get a better deal.

    Contact the organisation by post

    FAO DPO, P.O. Box 6201, Coventry CV3 9HW

    Use this template message above to help you write a letter to the organisation.

  • Challenge an automated decision

    You can ask HSBC UK to give you information about how they use automated decision making, or ask for a person to review an automated decision.

    Why you might make this request

    You might want to find out about an automated decision if, for example, you were rejected for a bank loan or account.

    Contact the organisation by post

    FAO DPO, P.O. Box 6201, Coventry CV3 9HW

    Use this template message above to help you write a letter to the organisation.

Last updated 2019-07-17 at 22:07:55