Our Privacy Notice

As an HSBC personal banking customer, we’ll naturally collect different information about you, such as your name, address, date of birth, email address, over time. This Privacy Notice (the ‘notice’) explains how we will use that information, who we might share it with, and what steps we’ll take to make sure it stays private and secure. It applies to any account, products or services you have with us. This policy continues to apply even if the agreement for banking or other products and services between us ends. This notice applies to any personal products or services you have with us, including savings, loans, credit cards, mortgages, investments.

If we’ve provided you with separate or further information about how we collect and use your personal information for a particular product or service, those terms will also apply. If you interact with us in a different context, for example as a non-retail customer or in a country or region outside the Kingdom of Bahrain separate terms will apply to that interaction.

Wherever we’ve said ‘you’ or ‘your’, this means you, any authorised person on your account – including joint account holders, anyone who does your banking or deals with us for you (e.g. trustees, attorneys or executors), beneficiaries in the context of trust accounts, and other people in your organisation (including authorised signatories, partners, members and trustees).

We will collect personal data about you for various reasons as set out in this notice when you apply for or use any of our products and services or when you interact with us. For example, we need to ask you for certain personal information in order to fulfil our legal obligations and comply with our contractual obligations. In some cases, giving us your personal data is a requirement to enter into a contract with you or to provide you with products and services, e.g. when you apply for a mortgage. In such cases, if you do not provide the personal data we ask for, we will not be able to provide you with the services or product that you have requested or we may suspend or stop any existing products and services. Please see the ‘What we expect from you’ section below for more information.

Wherever we’ve said ‘we’ or ‘our’, this means any HSBC Group company which acts as a data manager in respect of your personal data. Unless otherwise stated below, the data manager for the purposes of this notice is HSBC Bank Middle East Limited Bahrain Branch.

The address for the HSBC Group companies set out in this notice is P.O. Box 57, Manama, Kingdom of Bahrain.

The information we collect or have about you might come from different sources. Some of it will come directly from you or from your broker or mortgage intermediary. Some of it might come from other HSBC companies. Some of it we might find from publicly available sources (e.g. debtor registers, electoral registers, land registers, press and the internet), which we have lawfully accessed. And some of it might come from other organisations (credit reference agencies, for example). We may also collect information about you when you interact with us, e.g. visit our websites or mobile channels, call us or visit one of our branches, or ask about any of our products and services. We may also collect information by combining data (e.g. location data if you have a mobile app, where you have switched on your location permissions).

We’ll only collect relevant information about you in line with applicable regulations and law. This includes:

• your contact details (name, address and other contact details, date and place of birth, and nationality);
• data concerning your identity (e.g. passport data, and national ID);
• authentication data (e.g. template signature and your biometric information, such as your voice for HSBC’s voice ID). This might also extend to order data (e.g. payment order);
• data from the fulfilment of our contractual obligations (e.g. sales data in payments processing);
• information regarding your financial situation (e.g. data regarding your creditworthiness, credit scoring/ratings, tax status or the source of your assets),
• location data (about which branches/ ATMs you use);
• marketing and sales information (including information and opinions expressed when participating in market research);
• other information about you that you give us by filling in forms or by communicating with us, whether face-to-face, by phone, email, online, or otherwise,
• user login and subscription data, e.g. login credentials for phone and online banking and mobile banking apps;
• information regarding any complaint you may have, including any correspondence between attorneys and stakeholders and transcripts or minutes) in relation to a dispute or litigation concerning a product or service we provide to you; and
• social data (e.g. data pertaining to social interactions between individuals, organisations, prospects and other stakeholders acquired from external data aggregators.

When providing you with our banking services [including where we provide you with a mortgage, credit card or personal loans, we may make decisions about you by automated means. For example, we use technology that helps us identify the level of risk involved in customer or account activity (e.g. for credit, fraud or financial crime reasons).

You have a right to specific information about how the decision is made; you may also have a right to request human intervention and to challenge the decision. Please refer to ‘Your rights’ section below, for more information. If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested or we may stop providing existing products and services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you.

We’ll keep your information to enable us to continue to provide you with products and services and to assist us in managing our relationship with you, including verifying your identity when you contact us or when you apply for products or services, preventing fraud and assessing your suitability for products or services you have applied for.

We will keep this information for as long as you keep banking with us and using our platforms (e.g. our website and mobile apps). We may keep this information after you stop banking with us or stop using our platforms, for instance, to respond to enquiries and complaints, as required by law and regulations or to protect our interests. We won’t keep any information for longer than is necessary and when we no longer need the information we will securely destroy it in accordance with our policies or fully anonymise it.

We will only use your personal data where we have a lawful basis for using it. These lawful bases include where we need to process the data to:

• enter into or perform our contract with you;
• comply with a legal obligation;
• process where needed for the purposes of our legitimate interests or those of a third party with whom we may share your information;
• we have a public duty to disclose (e.g. if we believe you may have tax obligations in other jurisdictions we may have to disclose that information directly to tax authorities or for the purpose of detecting or preventing fraud and financial crime);
• protect your vital interests; and/or
• where we have your consent.

When you withdraw your consent for us to use your personal information for a particular purpose we will stop using your information for that purpose, but we may continue to use your information for purposes for which we are not relying on consent. Where you withdraw your consent for us to use your personal data we may be unable to continue to provide all or part of our products and services to you and we may need to end our relationship with you.

We will use your information for a number of reasons including to:

• deliver our products and services, or process your transaction;
• check you are who you say who are;
• gather insights from data through data analytics;
• carry out your instructions, improve our products and services;
• keep track of our conversations with you (by phone, in person, by email or any kind of communication);
• manage our relationship with you – including telling you about our products, or carrying out market research;
• prevent or detect crime including fraud and financial crime;
• corresponding with lawyers, conveyancers and third party intermediaries;
• manage our internal operational requirements for credit and risk management, system or product development and planning, insurance, audit and administrative purposes.

If you apply for a current account or credit (such as where you apply for a mortgage, loan or credit card), we will obtain details of your credit history from a credit reference agency and use this information to work out how much you can afford to borrow or pay back. We may also carry out further credit checks on you while you remain our customer to maintain an accurate and up-to-date record of your credit history. Whenever you apply for any kind of account or credit, the credit reference agencies may record that in your credit history – even if you decide not to accept it or if your application is declined. If you apply for credit several times in a short space of time, that may make it harder for you to get credit for a while.

To comply with the law and for our own legitimate interest to enable us to assess and manage risk, we can share details about any current accounts or credit you have with us with credit reference agencies, fraud prevention agencies, law enforcement agencies, debt recovery agencies, other lenders and other organisations – including:

• how you manage your current accounts or credit

• if you owe us money

• if you haven’t kept up with your payments or paid off what you owe us (unless there’s a genuine dispute over how much you owe us) – or if you’ve agreed and stuck to a repayment plan.

This could make it easier or harder for you to get credit in the future.

If you apply for a joint current account or credit with someone else and you either tell us you’re financially connected to them or the credit reference agencies already know that you are, the credit reference agencies will link your records together. If so, whenever we ask a credit reference agency about you, they can also tell us things about anyone you’re linked to. If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services to you.

We may send you marketing messages with information about our products and services.

You can tell us at any time if you would like to receive or not receive marketing messages.

You can adjust your marketing preferences by contacting us through our contact center numbers or visiting one of our branches. You can also object to your personal data being used for marketing purposes. It may take us a short period of time to update our systems and records to reflect your request, during which time you may continue to receive marketing messages. Even if you tell us not to send you marketing messages, we will continue to use your contact information to provide you with important information about your products and services, such as changes to your terms and conditions and account statements, or where we’re required to do so by law

We may share information about you, your transactions, products or services you have with HSBC companies, or how you use them with our marketing agents outside HSBC.

When you visit our websites and you have consented to cookies, we will make sure that the ads and content you see on our websites are about products and services we think are most likely to be relevant, useful and interesting for you.

We may use your personal data for market research and statistical purposes. We may share information about you, your transactions, what products or services you have with our market research partners outside HSBC.

Market research agencies acting on our behalf may get in touch with you (by post, telephone, email or any other form of messaging) to invite you to take part in research.

We may share your information where:

• we need to for the purposes of providing you with products or services you have requested e.g. opening an account for you, or performing our contract with you, for example to fulfil a payment request;
• we have a public or legal duty to do so e.g. to assist with detecting fraud and tax evasion, financial crime prevention, regulatory reporting, litigation or defending legal rights;
• we have a legitimate reason for doing so e.g. to manage risk, verify your identity, or assess your suitability for products and services; or
• we have asked you for your permission to share it, and you’ve agreed.

• other HSBC group companies;
• any sub-contractors, agents or service providers who work for us or other HSBC group companies (including their employees, directors and officers);
• any joint account holders, trustees, beneficiaries or executors where appropriate for trust accounts, the people who do your banking for you, the people you make payments to, your beneficiaries, accounts nominees, intermediary, correspondent and agent banks, clearing houses, clearing or settlement systems, market counterparties, upstream withholding agents, swap or trade repositories, stock exchanges, and any companies you hold securities in through us (for example, stocks, bonds or options);
• other financial institutions, fraud prevention agencies, tax authorities, trade associations, credit reference agencies or credit bureaux and debt recovery agents;
• any fund managers who provide asset management services to you and any brokers who introduce you to us or deal with us for you;
• any person, company or other entity that has an interest in or takes on the risk in relation to or in connection with the products or services that we provide to you;
• any prospective or new HSBC companies (for example: if we restructure or acquire or merge with other companies) – or any businesses that buys part or all of any HSBC company;
• to auditors, regulators or dispute resolution bodies and to comply with their requests;
• other companies who do marketing or market research for us (but not without your permission);
• if there’s a dispute over a transaction, anyone else who’s involved;
• government, courts, or our regulators – but only if they have the right to see it, for legitimate reasons;
• fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment.

If you have a card with us, we share your information with our card processing supplier(s), so they can carry out credit, fraud and risk exposure checks, process your payments and manage your card.

Where we have made your information anonymous, we may share it outside of HSBC with partners such as research groups, universities, advertisers or connected sites. For example, we may share information publicly to show trends about the general use of our services; however, you won’t be able to be individually identified from this information.

We may transfer your information outside the Kingdom of Bahrain or to an international organisation where the data protection laws aren’t as strict with the permission of Bahrain’s Personal Data Protection Authority. In some countries/regions the law might compel us to share certain information, for example with [tax authorities], or apply different levels of security. Even in these cases, we’ll only share your information with people who have the right to see it. We need to transfer your information in this way to perform our contract with you, to fulfil a legal obligation, to protect the vital interests of individuals, in certain circumstances to protect the public interest and for our legitimate business interests.

Where we transfer information about you outside the Kingdom of Bahrain we will always take appropriate measures aimed to ensure that your information is protected. To do this we will ensure that all transfers of your information are subject to appropriate or suitable safeguards (such as encryption and contractual commitments to protect your information).

You can ask us to:

• give you a free copy of the information we hold about you. Please visit one of our branches.
• update or correct any inaccurate information;
• delete, block or ‘forget’ it, make it anonymous, or restrict, stop using or sharing it (unless that would be against the law or in order to defend or establish our legal rights);
• not to use certain automated decision processes that impact you (unless we have to do this to perform our contract with you, it’s fraud related, or you have given us consent to do so);
• transfer your information either to you or to another company;
• object to our processing of your information, including direct marketing information (see Marketing section above);
• lodge a complaint with Bahrain’s Personal Data Protection Authority;
• where our processing of your data is based on your consent, you have a right to withdraw your consent at any time. We will stop processing your data for that purpose, but your withdrawal of consent will not affect the lawfulness of any processing that we have carried out based on your previous consent.

Whenever you visit one of our websites – on a computer, tablet, smartphone or any other device – we’ll use ‘cookies’ and similar technologies to recognise you, remember your preferences and show you content we think you’re interested in (unless you’ve turned cookies off in your web browser settings).

And if you get any emails from us (whether we send it to you directly, or one of our partners does it for us) they may use technologies to track things like whether you opened it, which links you clicked on, and so on. We’ll use this information to:

• give you a better experience;
• make our websites work better, or our security tighter;
• tell you about products and services we think you’ll be interested in (if you’ve agreed we can);
• carry out market research (if you’ve agreed we can);
• understand how people actually use our websites, or how they find us.

You have a right to withdraw your consent to our use of cookies at any time. You will be given the opportunity to record your preferences on our web pages. Cookies are often used to enable and improve certain functions on our website, if you choose to switch certain cookies off, it is likely to affect how our website works and your browsing experience.

We may also periodically record and keep track of conversations you have with us – including phone calls, face-to-face meetings, letters, emails and any other kinds of messaging in order to use these recordings to check your instructions to us, assess, analyse and improve our service, train our people or to prevent and detect fraud and other crimes. We use closed circuit television (CCTV) in and around our branches and offices for security purposes and so we may collect photos or videos of you, or record your voice through CCTV.

We have a legitimate interest in using your information in this way. You have a right to object to the processing of your personal data in this way. In such cases, we can only continue to process the data if we can show that our legitimate interest overrides your interests or if we need the information for the establishment, exercise or defence of legal claims.

In particular, by using our services you are giving up your right to secrecy by unequivocal consent pursuant to Article 371-2 of the Bahrain Penal Code (Law No. 15 of 1976) as amended or replaced from time to time. You expressly agree not to hold us or any member of the HSBC Group (including any officers, staff and third party agents) liable in relation to such law, unless we have acted fraudulently or with wilful misconduct or gross negligence

Some of the links on our websites lead to non-HSBC websites, with their own privacy and data protection policies, which may be different to ours. It’s your responsibility to read and understand their policies.

We implement internal technical and organisational measures to keep your information safe and secure including encryption, anonymisation and physical security measures. We require our staff and any third parties who carry out any work on our behalf to comply with strict compliance standards including agreeing to contractual obligations to protect any data.

The responsibility for your data is with the HSBC data controller: HSBC Bahrain P.o. box 57, Manama, Bahrain. If you have any questions about our Privacy policy, please email HSBC Bank Middle East Limited at customerexperiencebh@hsbc.com

[Version Published Date / Last Updated: 1 Dec 2019]