Before we begin
This notice (Privacy Notice) is provided in the context of the banking relationship existing between you and us and in relation to the Services we provide you and covers the processing of Corporate Data and Personal Data (as defined below) and applies to information processed by members of the HSBC Group as data controllers, as described below.
This Privacy Notice explains what information we collect about you, or individuals such as Connected Individual(s), how we’ll use that information, who we’ll share it with, the circumstances when we’ll share it and what steps we’ll take to make sure it stays private and secure.
Where we provide you with separate or further information about how we collect and use your information for particular products or services, that information will also apply.
This Privacy Notice should also be read alongside your banking terms and conditions, as these also include terms and conditions relating to the use and disclosure of information.
Some of the links on our websites lead to other HSBC or non-HSBC websites with their own privacy and information protection policies, which may be different to this notice. You’ll need to make sure you’re happy with their privacy notices when using other sites.
You must direct any individuals whose Personal Data we may collect and process, including Connected Individuals, to this Privacy Notice and make sure they are aware, prior to providing their Personal Data to us or our obtaining their Personal Data, that we are using their Personal Data as described. You should also draw their attention to the section on their rights.
Whenever we use the term “you” or “your” or “customer”, this means your business and “Corporate Data” means data pertaining to your business, to include, but not limited to, information relating to your financial status, corporate activity, payment transactions.
Wherever we use the term “Connected Individual”, this means individual(s) connected to your business and could be any guarantor, a director or officer of a company, partners or members of a partnership, any substantial owner, controlling person, or beneficial owner, trustee, settlor or protector of a trust, account holder of a designated account, recipient of a designated payment, your attorney or representative, agent or nominee, or any other persons or entities with whom you have a relationship that's relevant to your relationship with the HSBC Group.
Wherever we use the term “Personal Data”, this means any personal information allowing the identification of individuals such as Connected Individuals, including but not limited to name, previous names, postal address, e-mail address, telephone number, gender, date and place of birth, passport ID, other photo ID, signatures and nationality.
Wherever we use the term “Data”, this refers collectively to Corporate Data and Personal Data.
Wherever we use the term “we” or “our” “us”, we mean HSBC Group companies which act as a data controller in respect of your personal data. Unless otherwise stated below, the data controller for the purposes of this notice will be HSBC Continental Europe, Ireland.
What Data we collect
We’ll only collect Data in line with relevant regulations and law. We may collect it from a range of sources. Some of it will come directly from you or from others, such as Connected Individual(s), we may generate some of it or obtain it from publicly available sources. The information we collect may include:
Personal Data of individuals(including Connected Individual(s)) that may be provided by you or on your behalf, e.g.:
- personal details, e.g. name, previous names, gender, date and place of birth, photo ID, passport information, national Insurance number, national ID card and nationality;
- contact details, e.g. address, email address, landline and mobile numbers;
- market research, e.g. information and opinions expressed when participating in market research;
- user login and subscription data, e.g. login credentials for phone and online banking;
- information we use to identify and authenticate individuals who act on your behalf (e.g. their signature, additional information that we receive from external sources for authentication that we need for compliance purposes)
Information we collect or generate about you or others (including Connected Individual(s)) may include:
- your financial information and information about your relationship with us, including the products and services you hold, the channels you use, your ability to get and manage your credit, your payment history, transactions records, market trades, payments into your accounts and information concerning complaints and disputes;
- information included in customer documentation;
- records about executed transactions (e.g. payment order), payment information including full beneficiary name, address and details of the underlying transaction and information about products offered ;
- marketing and sales information, such as details of the services you receive and your preferences;
- credit risk ratings and risk identification information, predicted transactional behaviour, customer due diligence and periodic review results, financial crime risk management rating, external intelligence reports, screening alerts
- investigations data, e.g. due diligence checks, sanctions and anti-money laundering checks, external intelligence reports, content and metadata related to relevant exchanges of information between and among you, us and other organisations or individuals, including emails, voicemail, live chat;
- records of correspondence and other communications between us, including with individuals who act on your behalf;
- information relating to complaints, including disputes / litigation (legal case and matter information including legal strategy, document production, deposition and court transcripts);
- information that we need to support our regulatory obligations, e.g. information about transaction details, detection of any suspicious and unusual activity and information about parties connected to you.
Information we collect from other sources may include:
- information you have asked us to collect for you, e.g. information about your accounts or holdings with other companies including transaction information;
- information from third party providers, e.g. information that helps us to combat fraud (including your communications between organisations, prospects and other stakeholders acquired from companies that collect combined information);
- information relating to third party companies connected to you such as affiliates, their activity and business.
How we will use your Data
We will process your Data only where we have a lawful reason to do so. For Personal Data, these reasons include where:
- we need to process Personal Data to pursue our legitimate business interest(s);
- we need to process Personal Data to perform our contract with you;
- we need to process Personal Data to comply with a legal obligation;
- the use of Personal Data is in the public interest, such as for the purpose of preventing or detecting crime;
In particular, where we have a lawful basis for doing so, Data may be processed, used and stored by us and/or by third parties for the following purposes:
- the provision of Services and to approve, manage, administer or effect any transactions that you request or authorise and allowing us to undertake data analytics to gather insights on your business;
- the meeting of Compliance Obligations as well as compliance with other Laws that the HSBC Group may be subject to;
- the conducting of Financial Crime Risk Management Activity and other risk management activities,
- the enforcement or defence of our rights or those of a member of the HSBC Group;
- the pursuit of our legitimate business interest(s) such as to ensure compliance with our internal operational requirements or those of the HSBC Group (including credit and risk management, system or data base development, enhancement and planning, insurance, audit and administrative purposes);
- the maintenance of HSBC or other members of the HSBC Group’s overall relationship with you, including reviewing historical customer transactional behaviour or comparison of customer activity so we can provide more targeted products and services, telling you about our products, or carrying out market research.
In addition, in case of failure to supply any Data required by law or under a contract and reasonably requested by HSBC, we may refuse to provide the Services you have requested or we may stop providing existing Services to you.
See Appendix for further details of how we will use your Data.
Compliance with laws and regulatory compliance obligations
We’ll use your Data to meet our compliance obligations, to comply with other laws and regulations and to share with regulators and other authorities that HSBC Group companies are subject to. This may include using it to help detect or prevent crime (including terrorism financing, money laundering and other financial crimes). We’ll only do this on the basis that it’s needed to comply with a legal obligation or it’s in our legitimate interests and that of others.
Marketing and market research
We may use Data for marketing purposes. We may send you marketing messages in different ways (e.g. post, email, online and mobile banking or secure e-messages) with information about our products and services. We will ask for your permission if required, and you can change your mind on how you receive marketing messages or if you choose to stop receiving them at any time.
If you, or anyone whose Personal Data we hold, ask us not to send you marketing materials, it may take us a short period of time to update our systems and records to reflect your request, during which time you may continue to receive marketing messages.
We may use your Data for market research and to identify trends. Market research agencies acting on our behalf may get in touch with you by post, telephone, email or other methods of communication to invite you to take part in research. Any responses that you provide whilst participating in market research will be reported back to us anonymously unless you give us permission for your details to be shared.
Tracking or recording what you or individuals connected to your business say or do
We may record and keep track of conversations you or anyone who acts on your behalf, including Connected Individual(s), have with us – including phone calls, face-to-face meetings, letters, emails, live chats, video chats and any other kinds of messaging. We use these recordings to check your instructions to us, assess, analyse and improve our service, train our people, manage risk or to prevent and detect fraud and other crimes. We may capture telephone numbers that you call us from and information about the devices or software that you use.
Fraud Prevention Checks
We will carry out fraud prevention checks which may include the use of relevant software, systems and agencies for the purposes of preventing fraud and money laundering, and to verify your identity , before we provide services, goods or financing to you.
These checks also require us to process the Data we hold for you.
The Data you provide or which we have collected from you, or received from third parties will be used to carry out these checks in order to prevent fraud and money laundering, and to verify the identity of the Individual(s) connected to your business. In addition, we may need to process Data of third party companies which are connected to you for the same purpose.
Who we might share your Data with
We may share your Data for the above purposes to the following data recipients:
- other HSBC Group companies and any sub-contractors, agents or service providers who work for or provide services to us or other HSBC Group companies (including their employees, sub-contractors, directors and officers);
- anyone acting on your behalf, payment recipients, beneficiaries, account nominees, intermediary, correspondent and agent banks clearing houses, clearing or settlement systems, market counterparties, and any companies in which you have an interest in securities;
- any party to a transaction acquiring interest in or assuming risk in or in connection with the Services;
- other financial institutions, as necessary to conduct or assist other financial institutions to conduct credit checks, and/or credit reference agencies for the purposes of obtaining or providing credit references;
- other financial institutions, lenders and holders of security over any property you charge to us, Tax Authorities, trade associations, credit reference agencies, payment service providers and debt recovery agents;
- any fund managers who provide asset management services to you and any brokers who introduce you to us or deal with us for you;
- any companies where required in connection with potential or actual corporate restructuring, merger, acquisition or takeover, including any transfer or potential transfer of any of our rights or duties under our agreement with you;
- law enforcement, government, courts, dispute resolution bodies, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities;
- other companies who do marketing or market research for us (unless you have asked us not to);
- other parties involved in any disputed transactions;
- fraud prevention agencies who’ll also use it to detect and prevent fraud and other financial crime and to verify your identity;
- anyone who provides instructions or operates any of your accounts on your behalf;
- anybody else that we’ve been instructed to share your Data with by either you or anybody else who provides instructions or operates any of your accounts on your behalf;
- fraud prevention agencies who’ll also use it to prevent money-laundering and to verify your or the identity of a Connected Individual(s) or any other third party which is connected with you. If fraud is detected, you could be refused certain services or finance;
- Any member of HSBC Group in connection with or arising from any reporting obligations to any competent Authorities of suspicious transactions by or involving you or the Connected Individual(s) or other third connected parties.
Transferring Personal Data overseas
Personal Data may be transferred to and stored in locations outside the European Economic Area (EEA), including in countries that may not have the same level of protection. When we do this, we’ll ensure it has an appropriate level of protection and that the transfer is lawful. We may need to transfer Personal Data in this way to perform our contract with you, to fulfil a legal obligation, to protect the public interest and/or for legitimate business interests.
In some countries the law might compel us to share certain information, e.g. with tax authorities. Even in these cases, we will only share your information with people who have the right to see it.
You can obtain more details of the protection given to Personal Data when it is transferred outside the EEA by contacting us.
Sharing Aggregated or Anonymised Information
We may share aggregated or anonymised information outside of HSBC Group with partners such as research groups, universities or advertisers. For example, we may share such information publicly to show trends about the general use of our services. However, you won’t be able to be individually identified from this information.
How long we will keep your Data
We keep your information in line with our data retention policy. This enables us to comply with legal and regulatory requirements or use it where we need to for our legitimate purposes such as managing your account and dealing with any disputes or concerns that may arise.
We may need to retain Data for a longer period where we need the information to comply with regulatory or legal requirements or where we may need it for our legitimate purposes, e.g. to help us respond to queries or complaints, fighting fraud and financial crime, responding to requests from regulators, etc.
If we don’t need to retain Personal Data information for this period of time, we may destroy, delete or anonymise it more promptly.
Rights of individuals
Individuals whose Personal Data we process, including Connected Individuals, have a number of rights in relation to their Personal Data. These rights include:
- the right to access Personal Data we hold about them and to obtain information about how we process it;
- in some circumstances, the right to withdraw their consent to our processing of their Personal Data. In this case, we may continue to process Personal Data if we have another legitimate reason for doing so;
- the right to request that we rectify their Personal Data if it’s inaccurate or incomplete;
- in some circumstances, the right to request that we erase their Personal Data. We may continue to retain Personal Data if we’re entitled or required to retain it;
- the right to object to, and to request that we restrict, our processing of their Personal Data in some circumstances. Again, there may be situations where we may be entitled or required to continue processing and / or to refuse that request.
Consequences of Processing
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and credit you have requested or we may stop providing existing products and services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services to you.
What we expect from you
You are responsible for making sure the Data you give us is accurate and up to date, and you must tell us if anything changes as soon as possible. For Personal Data, you’ll need to direct relevant individuals to this notice and make sure they understand how we use their information as described in it prior to providing their Personal Data to us, or our obtaining their Personal Data from other sources. You should also draw their attention to the section on their rights.
How we keep your Data secure
We use internal technical and organisational measures to keep your Data safe and secure which may include encryption, and other forms of security measures. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.
More details about us
For the purposes of this privacy notice the Data Controller is HSBC Continental Europe, Ireland, with registered office in Ireland at 1 Grand Canal Square, Grand Canal Harbour, Dublin 2.
If you would like further information on any of the information above, or to contact our Data Protection Officer, write to The Data Protection Office, HSBC Continental Europe, Ireland, 1 Grand Canal Square, Grand Canal Harbour, Dublin 2.
This Privacy Notice may be updated from time to time and the most recent version can be found online at http://www.business.hsbc.ie/en-gb/ie/generic/GDPR.
“Authorities” includes any judicial, administrative, public or regulatory body, any government, any Tax Authority, securities or futures exchange, court, central bank or law enforcement body, or any of their agents, with jurisdiction over any part of the HSBC Group.
“Compliance Obligations” means obligations of the HSBC Group to comply with: (a) Laws, or international guidance and internal policies or procedures, (b) any demand and/or requests from Authorities or reporting, regulatory trade reporting, disclosure or other obligations under Laws, and (c) Laws requiring HSBC to verify the identity of our customers.
“Financial Crime Risk Management Activity” means any action that HSBC, and members of the HSBC Group, are required, and may take as they consider appropriate in their sole and absolute discretion, to meet Compliance Obligations in connection with the direction, investigation and prevention of Financial Crime, including but not limited to: (a) screening, intercepting and investigating any instruction, communication, drawdown request, application for Services, or any payment sent to or by you or on your behalf, (b) investigating the source of or intended recipient of funds, (c) combining Personal Data with other related information in the possession of the HSBC Group, and/or (d) making further enquiries as to the status of a person or entity, whether they are subject to a sanction regime, or confirming your identity and status.
“Financial Crime” means money laundering, terrorist financing, bribery, corruption, tax evasion, fraud, evasion of economic or trade sanctions, and/or violations, or acts or attempts to circumvent or violate any Laws relating to these matters.
“Laws” means any applicable local or foreign statute, law, regulation, ordinance, rule, judgement, decree, voluntary code, directive, sanctions regime, court order, agreement between any member of the HSBC Group and an Authority, or agreement or treaty between Authorities and applicable to HSBC or a member of the HSBC Group.
“Services” includes, without limitation, (a) the opening, maintaining and closing of your bank accounts, (b) providing you with credit facilities and other banking or investment products and services (including, for example, securities dealing, investment advisory, broker, agency, custodian, clearing or technology procuring services), processing applications, ancillary credit assessment and product eligibility assessment, and (c) the maintenance of HSBC’s overall relationship with you, including promoting financial services or related products to you , market research, insurance, audit and administrative purposes.
“Tax Authorities” means domestic or foreign tax, revenue, fiscal or monetary authorities.
Appendix – How we use your Data
This appendix sets out purposes we may use Data for. It also sets out the processing condition we apply when processing Personal Data about individuals related to you, including Connected Individuals, for these purposes.
- Security and Business Continuity: we take measures to aid business continuity, information security and we undertake physical security activities in order to fulfil our legal obligation and for internal risk strategy purposes. For Personal Data, we’ll do this as required in our legitimate interest.
- Risk Management: we’ll use your Data to measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer loss. This includes credit risk, traded risk, operational risk and insurance risk. For Personal Data, we’ll do this to fulfil our legal obligation and also because we have a legitimate interest in using your information for these purposes.
- Online Banking, Mobile Apps and other online product platforms: we’ll use your Data to allow us to provide you with access to HSBC online platforms and mobile apps. The platform may allow you to directly or indirectly communicate with us through mobile apps, such as using Online Banking, or applying for products and services online. The lawful basis for using Personal Data for this purpose is to perform our contract and because it is in your and our legitimate interest.
- Product and Service Improvement: we’ll use your Data to identify possible service and product improvements by analysing information. The lawful basis for processing Personal Data for this purpose is our legitimate interests. We do this to improve our products and services to best meet the need of our customers.
- Data Analytics for tailored services: we’ll perform analysis on your Data to identify relevant opportunities to promote our products and services to existing or prospective customers. This may include reviewing historical customer transactional behaviour or comparison of customer activity so we can provide more targeted products and services. The lawful basis for using Personal Data in this way is our legitimate interest.
- Marketing: we’ll use your Data to provide you with information about HSBC products and services, and also products and services from our partners and other relevant third parties. The lawful basis for processing Personal Data in this context is our legitimate interest. We may need your consent, or that of related individuals including Connected Individuals, to communicate by certain channels and we’ll get this where we need to. You and related individuals can change your mind on how you receive marketing messages or choose to stop receiving them at any time. To make that change, contact us in the usual way.
- Protecting our legal rights: we may need to use your Data to protect our legal rights such as in the case of defending or the protection of legal rights and interests (e.g. collecting money owed; enforcing or protecting our security or defending rights of intellectual property); court action; managing complaints or disputes; in the event of a restructuring of companies or other mergers or acquisition. This may be in connection with action taken against you or other persons (e.g. joint borrowers or persons who give a guarantee or other security for your obligations to us) We would use Personal Data here on the basis of legitimate business interests.