The Royal Bank of Scotland Group

We read The Royal Bank of Scotland Group's privacy policy so you don't have to.

  • Find out what they do with data about you
  • Contact them if you have a request about that data
Make a request

Organisation information

Description

Bank

Registration country

United Kingdom

Registration number

SC045551

Data Protection Officer

Organisations that use special categories of data, are public bodies, or do large scale processing must appoint a Data Protection Officer.

Role

Data Protection Officer

Telephone number

03457242424

Data categories collected

Organisations must give details about what categories of data are stored and processed.

Unusual processing purposes

Organisations must provide information about what they do with data. This section highlights less common uses of data.

This privacy notice does not appear to mention any unusual processing purposes.

Third parties

Organisations must give details about other parties that personal data is shared with.

List of third parties

  • Law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies around the world (where required)

  • Other banks and third parties (to recover funds from misdirected payments or fraud)

  • Third parties who provide services to RBS

  • Debt collection agencies

  • Credit reference and fraud protection agencies

  • Third-party guarantors or other companies who provide you with benefits related to your service

  • Parties involved in potential insolvency, mergers, or acquisitions of RBS

  • Unspecified "third parties" (anonymised statistical and aggregate data only)

  • Any third party that provides customers with account information or payment services (with customer consent)

  • Other authorised users who have been added to your account

  • Other members of a customer's "Fee Family" (if that service is used)

How specific is this information?

Third parties are listed as groups

Observations

Some of the parties with which data is being shared are described vaguely or are referred to as unspecified "third parties".

Retention rules

Organisations must give details about how long data is kept.

Summary

We normally keep customer account records for up to six years after your relationship with the bank ends, whilst other records are retained for shorter periods, for example 90 days for CCTV records or 12 months for call recordings.

How specific is this information?

  • Retention rules are given for specific categories of data

  • Specific times are given for how long data is kept

Lawful bases

Organisations must justify collection and use of data under six lawful bases and provide information about their decisions

  • Contract

    * assess and process applications for products or services
    * provide and administer those products and services throughout your relationship with the bank;
    * manage and maintain our relationships with you and for ongoing customer service
    * administer any credit facilities or debts
    * communicate with you about your account(s) or the products and services you receive from us

  • Legal obligation

    * confirm your identity
    * perform checks and monitor transactions and location data for the purpose of preventing and detecting crime
    * assess affordability and suitability of credit and analyse credit data for regulatory reporting;
    * share data with other banks and third parties to help recover funds that have entered your account as a result of a misdirected payment by such a third party
    * share data with police, law enforcement, tax authorities or other government and fraud prevention agencies where we have a legal obligation, including reporting suspicious activity and complying with production and court orders
    * deliver mandatory communications to customers or communicating updates to product and service terms and conditions
    * investigate and resolve complaints
    * conduct investigations into breaches of conduct and corporate policies by our employees;
    * manage contentious regulatory matters, investigations and litigation
    * perform assessments and analyse customer data for the purposes of managing, improving and fixing data quality
    * corporate risk management
    * investigate and report on incidents or emergencies on the bank’s properties and premises;
    * coordinate responses to business-disrupting incidents
    * monitor dealings to prevent market abuse.

  • Legitimate interests

    * monitor, maintain and improve internal business processes and services
    * ensure business continuity and disaster recovery
    * ensure network and information security
    * corporate risk management
    * accounting and reporting
    * protecting RBS's legal rights and interests
    * manage and monitor properties for the purposes of crime prevention
    * enable a sale, reorganisation or transfer of the business
    * identify new business opportunities
    * send customers relevant marketing information
    * understand customers' actions and expectations
    * monitor performance and effectiveness of the provided services
    * assess the quality of customer services and to provide staff training
    * analyse customer complaints
    * compensate customers for loss
    * identify our customers’ use of third-party products and services in order to facilitate the uses of customer information detailed above
    * combine your information with third-party data, such as economic data in order to understand customers’ needs better and improve our services
    * carry out financial, credit and insurance risk assessments
    * manage and take decisions about your accounts
    * carry out screening checks on customers and potential customers
    * share data with credit reference, fraud prevention agencies and law enforcement agencies
    * trace debtors and recover outstanding debt

Security standards

Organisations must ensure that data is stored and processed securely.

Security standards URL

https://personal.rbs.co.uk/personal/security-centre/how-we-protect-you.html

How specific is this information?

This organisation provides general details about how they secure data

Data processing addendum

Some organisations offer a data processing addendum that gives data adequate protections when it leaves the EEA.

This privacy notice does not appear to have this information.

Automated decision making

Organisations must give details about how data is used to make decisions without human involvement.

Summary

This organisation uses automated decision making

Observations

Applications to use RBS services may be processed on an automated basis using information taken from credit reference agencies.

How specific is this information?

The organisation mentions use of automated decision making for specific purposes

Complaint information

Organisations must give details about how to make a complaint with a data protection authority.

Summary

This privacy notice contains information about to make a complaint to a data protection regulator

Observations

Complaints are directed to the Data Protection Officer, which is the same generic phone number used in other sections of the policy.

How specific is this information?

This privacy notice contains specific contact details for a data protection regulator

Design recommendations

Organisations are required to provide privacy information in a transparent way. The Article 29 Working Party has provided recommendations on how to do this.

Assessment

This privacy notice:

  • Has language that is easy to understand

  • Is designed in a way that makes it easy to find information

  • Can be easily found on the organisation's website

Make a request

  • See data they hold about you

    You can ask to see what data The Royal Bank of Scotland Group has about you. They usually can’t charge for this, and they must respond to your request within a month.

    Why you might make this request

    You might want a copy of the data about you to understand what data the organisation has collected about you.

    Through their website

    https://www.supportcentre-rbs.co.uk/Searchable/1022957922/How-do-I-submit-a-Subject-Access-Request-SAR.htm

    Template

    Copy template to clipboard

    By phone

    03457242424 (Scotland), 03459000400 (England and Wales)

    By post

    RBS, Subject Access Requests, Manchester Mailroom, 1 Hardman Boulevard, Manchester M3 3AQ

    Observations from contributor

    The Support Centre page appears to indicate that customers can also submit a Subject Access Request by visiting their local RBS branch. Possibly significantly, the link provided to the SAR page in the privacy policy does not work correctly unless the user manually prepends www. before attempting to access it.

  • Change data they hold about you

    You can ask The Royal Bank of Scotland Group to change inaccurate or incomplete data about you. They must respond to your request within a month. Sometimes your request can be refused.

    Why you might make this request

    If an organisation is using information about you which is incorrect, you can ask them to correct it.

    By phone

    03457242424

  • Delete data they hold about you

    You can ask that The Royal Bank of Scotland Group delete information about you. They must respond to your request within a month. Sometimes your request can be refused.

    Why you might make this request

    You might want to delete data about you if, for example, you have stopped using an organisation’s services.

    By phone

    03457242424

  • Limit how they use data about you

    You can ask that The Royal Bank of Scotland Group only store data about you and not use it. They must respond to your request within a month.

    Why you might make this request

    You might want the accuracy of the data to be verified or you might want the organisation to hold on to data so you can make a legal claim against them.

    By phone

    03457242424

  • Stop their use of data about you

    You can ask The Royal Bank of Scotland Group to stop using your data for particular reasons. They must respond to your request within a month.

    Why you might make this request

    You might want to stop the organisation using your data to for direct marketing.

    By phone

    03457242424

  • Export data they hold about you

    You can ask The Royal Bank of Scotland Group to move data about you to another service or provide it in a format that can be used by another service.

    Why you might make this request

    You might want to move your data to another organisation to get a better deal.

    Through their website

    https://www.supportcentre-rbs.co.uk/Searchable/1022957922/How-do-I-submit-a-Subject-Access-Request-SAR.htm

    Template

    Copy template to clipboard

    By phone

    03457242424 (Scotland), 03459000400 (England and Wales)

    By post

    RBS, Subject Access Requests, Manchester Mailroom, 1 Hardman Boulevard, Manchester M3 3AQ

    Observations from contributor

    Privacy policy suggests customers can exercise this right by submitting a Subject Access Request and specifying that they want the data to be in a portable format. The policy also indicates that RBS can provide the data directly to a third party "if technically feasible".

  • Challenge an automated decision

    You can ask The Royal Bank of Scotland Group to give you information about how they use automated decision making, or ask for a person to review an automated decision.

    Why you might make this request

    You might want to find out about an automated decision if, for example, you were rejected for a bank loan or account.

    By phone

    03457242424

Last updated 2018-09-27 at 09:09:21 • Download as JSONAPI documentationView on GitHubView on OpenCorporates