1. Introduction: IDFC FIRST Bank, (hereinafter referred to as “Bank”, “us”, “our”, or “we”), is committed to protect the privacy and security of your data (Personal Data (“PD”) / Sensitive Personal Data (“SPD”)). Bank shall process data collected from you in compliance & accordance with the General Data Protection Regulation (GDPR) 2016, UK Data Protection Act 2018 and the provisions of this notice.

General Data Protection Regulation (GDPR) requires that data controller (Bank) provide notice to data subjects (customers), before they collect, process, and use the data. This privacy notice is an approach to fulfil Bank’s obligations under EU GDPR and UK DPA.

This privacy notice applies to data, processed by the bank as a controller (or) for the Bank (by third parties/vendors), whether in physical (or) electronic mode. This notice is the Bank’s attempt to inform prospective customer/s, what the Bank does with data collected, why & how we process it and what it ultimately means to you.

2. Information collected from Customer/s: Bank will collect and process your personal data provided through application forms, mobile apps, devices like ATM, and data collected from public domain like social media, GST portal, face-to-face and electronic communication (including telephone conversations), etc. in order to provide our services to you.

We may collect information about you from others (as mentioned below), and the Bank after ascertaining the genuineness of the same may add it to the Data it already holds and use in the manner described in this Privacy Notice.

If data is collected from Third Party providers to provide relevant marketing, offers, services to you, the same would be used & processed with your consent only. The third-party providers include email service providers, public data bases, social media sites as well as other third parties as deemed appropriate.

If data is collected from Credit Information agencies/companies, risk management and  fraud prevention agencies, national & government data bases, the same would be retained & used as deemed legally appropriate.

3. Information from Online Activities: Bank collects information from your internet activity through cookies, which are controlled through internet browsers. While using the bank’s website through your digital and electronic devices, the Bank performs various checks designed to ascertain your identity/accuracy/residential status to ensure compliance with regulatory obligations. The checks include identifying the IP address, information about use of website/mobile app, which includes device type, operating system, screen resolution etc.

4. When & how the Bank collects PD/SPD: The Bank collects PD/SPD from its customers/prospective customers:

i. When you request for & use products/services. Further during your transactions with us.

ii. When you apply for products, enquire about products (or) engages with us (or) our representative who is involved in the transaction concerning you.

iii. When you use the Bank’s website & online services like mobile application and visit our branch/offices.

iv. When you email/call/respond to our email/call or during meetings with our bank staff or our service providers/ representatives.

v. When you provide PD/SPD in writing. The PD/SPD may be on application forms, records of your transactions, etc.

vi.  When you make available information publicly.

5. Information we process about Customers include:

i. Personal details such as name, address, signatures, date of birth, father’s name, mother’s name, email address, nationality, marital status, gender, your occupation, education and qualifications, annual income, and source of income     and phone numbers.

ii. Copies of photographs, current overseas residential address and permanent residential address proof, viz. visa, passport, driving license, utility bills, bank statements, national ID cards, PAN card, overseas tax-identification number, and overseas country-specific unique identifiers.

iii. Transaction details

iv. Financial information/objectives and experience,

v. Details of nominee, witnesses, guardians which includes their addresses and relationship with you.

vi. IP addresses

6. Lawful grounds for processing Personal Information: Bank will process your personal data in compliance with GDPR/UK DPA by relying on one or more of the following lawful grounds:

i. You have agreed to our processing for a specific reason.

ii. Allow us to take required actions to provide product/service and/or to make/receive payments.

iii. The processing is necessary to perform the agreement we have with you.

iv. The processing is necessary for compliance with legal obligations under certain laws.

v. The processing is necessary for the purposes of a legitimate interest pursued by us, which might be:

a) to ensure that our customer accounts are well-managed.

b) to prevent, detect, investigate, and prosecute fraud and alleged fraud, money laundering and other crimes.

c) to protect our business and to comply with laws that apply to us and/or where such processing is a contractual requirement of the services or financing you have requested.

d) to provide services to you and protect our business interests.

e) to ensure that complaints are investigated.

f) to evaluate, develop or improve our services; or

g) to keep our customers informed about the relevant services unless you have indicated at any time that you do not wish us to do so.

7. Purposes of collecting and processing your Personal Data:

Before processing your personal data, the Bank places robust safeguards to ensure your privacy is protected and prior to collecting your PD/SPD, we ensure that your interests/fundamental rights & freedoms are protected at all costs.

8. Implementation of adequate physical & technical security controls: The Bank is responsible for implementing suitable security measures to protect data against loss or theft as well as unauthorised access, disclosures, copying, use or modification.

Bank shall adopt/assess/review/update appropriate physical, technical & administrative measures to ensure the security of data, including the prevention of their alteration, damage and loss, unauthorized processing or access having regard to the nature of the data and the risks to which they are exposed by virtue of human action or the physical/ natural environment.

9. Storage of PD/SPD and Data Security: All information you provide to us is stored/saved in a secure manner. Where we have given you (or where you have chosen) a password/pin which enables you to access certain parts of our website/services, you are responsible for keeping such password/pin confidential. We advise you not to share your password/pin with anyone.

In addition, we limit access to your data to those employees, agents, contractors and other third parties on a need-to-know basis. Third parties processing your PD/SPD will only process on our instructions, and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected data security breach and will notify you of a suspected breach, where we are legally required to do so.

10. Automated decision making: Bank carries out automated anti-money laundering and sanction checks. The monitoring of your transactions might reveal a money laundering (or) fraud risk to the Bank. This might result in the Bank calling for additional information/details from you. Subsequent to your revert, if the Bank decides that your transactions pose a fraud (or) money laundering risk and/or is inconsistent with your previous submissions, Bank has the right to restrict/block operations in the account (consistent with regulatory guidelines issued).

11. Sharing of Information: To help us provide/ improve services, your data may be processed internally and externally by other third parties. We may use third parties for processing, servicing, monitoring of your data. We may outsource some services to third parties having expertise in performing the required processing activities ensuring no drop in the service standard. However, the data transfers would take place after signing of data transfer agreements incorporating due safeguards. Due to the size and complexity of our operations, it is not possible for us to name each of our data recipients in this notice.

12. Data Retention: We will keep the information in our systems or with third parties for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. or as required to comply with any legal obligations to which we/you are subject to.

13. Communication: We may communicate with you via letter, telephone, text (or similar) messages, e-mail or other electronic means.

When you contact us through any of our communication channels including visiting a  local branch or calling the telephone banking service, we will verify your identity by asking you of questions based on information known to us about you and the transactions on your account. We may record your calls for training, quality, and security purposes.

14. Marketing Information: We and other members of our group may use your information from time to time to inform you by letter, telephone, text (or similar) messages, email or other electronic means, about similar services which may be of interest to you or them. You may opt out of marketing communication at any time.

15. Rights of Data Subjects (DS): You are entitled under the GDPR to the following rights in respect of your personal data:

i. You may request to access your data provided by you (or) processed by us. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

ii. You may request to correct/update/amend PD/SPD, particularly if found to be inaccurate. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us

iii. You may request deletion of your PD/SPD, if you think the Bank does not have the right to process it, which would be subject to effective regulatory requirements and Bank’s policies/procedures in this regard.

iv. You can withdraw a given consent at any time, without affecting the lawfulness of earlier processing based on consent before such withdrawal in specific cases.

v. Be informed about the processing of your personal data (i.e., for what purposes, what types, to which recipients it is disclosed, storage periods, any third-party sources from which it was obtained).

vi. You have right to object to processing for a particular purpose or to request that we stop using your information when processing is based on necessity (or) for the purposes of legitimate interests pursued by us or third parties including profiling. After such request objecting to processing your PD/SPD, we shall no longer process the data unless we demonstrate compelling legitimate grounds, like establishment, exercise, or defence of legal claims.

vii. Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you.

Upon receipt of such a request, Bank shall ensure that the requests are addressed in  a timely manner and in compliance with the applicable laws and regulations. If we determine that the request cannot be fulfilled, the bank will respond with a reasonable justification for denial of such request. Further we will inform you, the necessary recourses available. We will maintain records of all such requests and any such statements from you, irrespective of their status of processing. As per GDPR or similar foreign regulation, any request for withdrawing data storage consent shall not be valid due to Reserve Bank of India (RBI) regulations wherein the customer data must be maintained for the period of 5 years post the termination of the business relationship.

16. Changes to this privacy notice: We reserve the right to update this Privacy Notice at any time. Any changes made to this Privacy Notice in future will be posted on the web page and where appropriate, may be notified to you by email.

17. Disclaimer: The internet is an open system, and the Bank does not guarantee that data, which the registered user furnishes will not be intercepted or accessed by others and decrypted. IDFC FIRST Bank or its vendors/partners/employees/directors/agents & representatives shall not be liable or responsible, should any confidential or other information provided by you or pertaining to the visitor (including bank account information, passwords, credit/debit card details, transaction details) are intercepted and subsequently misused by an unintended recipient.

IDFC FIRST Bank is responsible for data only on its own domain and not on the redirect ones.