The European Union is changing its data protection regulation.
The European Union General Data Protection Regulation (EU GDPR) establishes a uniform data protection law across the European Economic Area (EEA) and aims to protect the privacy and use of EEA residents’ personal data in an increasingly digital world. As such, we (National Australia Bank, including UBank as a division of National Australia Bank) are required to comply with the EU GDPR since we process personal data relating to EEA residents.
The EU GDPR became effective 25 May 2018.
We take the protection of your personal data very seriously and are pleased to provide you with our amended EU GDPR Privacy Statement as outlined below:
We respect your personal information and this privacy notice explains how we handle it and your privacy rights. We take appropriate measures to ensure NAB can engage securely with and for our customers.
This notice applies to the collection and processing of your personal information (including credit information) if you are in a country that is a member of the European Economic Area (EEA) by or on behalf of National Australia Bank Ltd ABN 12 004 044 937 and its related companies (‘we’, ‘us’, ‘NAB’, the ‘Group’). This includes all the banking, financing, funds management, financial planning, superannuation, insurance, broking and e-commerce organisations in the Group. For further information about these Group members see www.nab.com.au.
This notice tells you how we collect and process your personal information and the legal basis for processing it, what we use it for and who we share it with. It also explains particular rights you have in relation to the processing of your personal information and reflects some key features of our Privacy Policies available at www.ubank.com.au/privacy.
We are grateful for the trust and confidence you have in us to safeguard your privacy.
We care about your privacy and welcome your feedback. Please contact us if you have any questions or comments about this notice, our Group privacy policies and procedures, or you wish to exercise the rights you have under applicable privacy laws, which are explained further below.
You can contact us by:
Users who are deaf, or have a hearing or speech impairment can call through the National Relay Service:
NAB’s ‘Office of the Data Protection Officer’ monitors and advises on compliance with the EU General Data Protection Regulation 2016/679 (the ‘GDPR’) which applies to NAB when processing the personal information of individuals (data subjects) who are in countries in the EEA in relation to offering them NAB’s products or services or monitoring their behaviour when in those countries.
The contact details of NAB’s ‘Office of the Data Protection Officer’ are as follows:
The Office of the Data Protection Officer,
National Australia Bank Limited
Level 1 800 Bourke Street,
Victoria 3008 Australia.
The NAB Group is a data controller for our website and services provided through our website at the address shown above.
The categories of information that we collect from other sources include:
Sometimes we collect information about you from other sources. We may collect information about you that is publicly available (for example from public registers or social media) or made available by third parties.
For instance, we do this where:
We may use or disclose information about you in order to combine the information that we hold with information collected from or held by external sources. We do this in order to enable the development of customer insights about you so that we can serve you better. This includes being able to better understand your preferences and interests, personalise your experience, enhance the products and services you receive, and to tell you about products and services that may be of interest to you.
Where those insights are provided to others, such insights are based on aggregated information and do not contain any information that identifies you. We may also use service providers to undertake the process of creating these consumer insights.
We may use and process your information to:
We may use your information for our legitimate interests (where we have considered these are not overridden by your rights and which you have the right to object to as explained below) in:
We may also use and process your personal information where we are required by applicable laws, regulations or codes that bind us, in particular as a financial institution. These include company and tax law and Australian anti-money laundering law which require us to verify your identity.
Where required under GDPR, we will only use your personal information for the purpose for which you have given your valid or explicit consent, which we will ensure we have obtained before we process your information.
Some information you provide us in connection with your application for or the administering of a product or service we provide you, may be more sensitive and therefore falls within a special category of personal information, such as health information. We will collect and process this information only with your explicit consent.
With your consent where required by law, we may communicate with you (through the preferred communication channel(s) you have selected, which may include by email, telephone, SMS, iM, mail, or any other electronic means including via social networking forums) to:
If you have provided your consent to receive direct marketing, you can withdraw it at any time without detriment. We will process your request as soon as practicable.
Where you have subscribed to something specific (like hearing from one of our sponsored organisations) then these subscriptions will be managed separately.
If you no longer wish to receive these emails, you may log into Internet Banking and update your preferences.
Otherwise, click the unsubscribe link included in the footer of our emails, or call us.
In addition to the basis on which we use and process your personal information described above, we may also use and process your credit information (which may be for our legitimate interest, or with your consent or to perform a contract we have with you) to:
We may collect information about you via application forms, online, or in person, because we are required or authorised by law to collect it, or where a contractual requirement exists, or the collection is necessary in order to enter into a contract with you.
There are laws that affect financial institutions, including company and tax law which require us to collect personal information.
For example, we require personal information to verify your identity under Commonwealth Anti-Money Laundering law.
If you don’t provide your information to us, we may not be able to:
You have the right not to be subject to a decision by NAB made solely by automated processing. NAB may use automated processing (including profiling) but does not make decisions about you only on this basis.
We may share your information with other organisations consistent with the purposes for which we use and process your information as described above. This includes with the entities described below.
We may share your personal information with other Group members. This could depend on the product or service you have applied for and the Group member you are dealing with. Where appropriate we integrate the information we hold across the Group to provide us with a complete understanding of you and your needs in connection with the product or services we are providing you, including giving you access to the Group or related products you hold via Internet Banking.
NAB acts for MLC Limited ABN 90 000 000 402 (described as MLC Life Insurance) in distributing their life insurance products.
MLC Limited is no longer part of the NAB Group of companies.
We may exchange your personal information with MLC Limited or their service providers in order to administer and manage your life insurance products that are issued by them and respond to your requests for assistance which includes to ensure:
At your request, we will share your personal information with your representative or any person acting on your behalf (for example, financial advisers, lawyers, settlement agents, accountants, executors, administrators, trustees, guardians, brokers or auditors) and your referee such as your employer (to confirm details about you).
When we’re checking your credit worthiness and at other times, we might share information about you with credit reporting bodies who may retain a record of that check.
When we give your information to a credit reporting body, it may be included in reports that the credit reporting body gives other organisations (such as other lenders) to help them assess your credit worthiness. Some of the information that we give to credit reporting bodies may reflect adversely on your credit worthiness, for example, if you fail to make payments or if you commit a serious credit infringement (like obtaining credit by fraud). That sort of information may affect your ability to get credit from other lenders.
Your personal information may also be shared with credit reporting bodies or other approved third parties who are authorised to assess the validity of identification information. These checks help us verify whether your identity is real and are not a credit check.
As outlined above, when we’re checking your credit worthiness and at other times, we might collect information about you from and give it to one or more credit reporting bodies.
The contact details of the credit reporting bodies we use are outlined below.
Each credit reporting body has a credit reporting policy about how they handle your information.
You can obtain copies of these policies at their websites.
Dun & Bradstreet Australia www.checkyourcredit.com.au
Dun & Bradstreet’s credit reporting policy is set out at http://dnb.com.au/privacy-policy.html
Phone: 1300 734 806
Mail: Public Access Centre Dun & Bradstreet Australia, PO Box 7405 St Kilda Road VIC 3004
Experian Australia www.experian.com.au
Experian’s credit reporting policy is set out at www.experian.com.au/credit-services-privacy
Phone: 1300 783 684
Mail: Consumer Support Experian Australia, PO Box 1969, North Sydney NSW 2060
We may disclose your personal information to third parties outside of the Group including to help us run our sites, many of whom are based outside the EEA with the majority based in Australia. These third parties include:
We run our business in Australia and overseas.
We will not share any of your credit information with a credit reporting body unless it has a business operation in Australia.
We are not likely to share credit eligibility information (that is, credit information we obtain about you from a credit reporting body or that we derive from that information) with organisations unless they have business operations in Australia. In the event that NAB seeks assistance from a related company to manage defaulting loans, we may need, as a consequence, to disclose credit eligibility information to the Bank of New Zealand, located in New Zealand. In this instance we are likely to share other credit information about you with organisations outside Australia.
We may need to share some of the information (including credit information) we collect about you from the EEA with organisations both inside and outside Australia. Sometimes we may need to ask you before this happens.
You can view a list of the countries in which those overseas organisations are located at this overseas country list.
We may store your information in cloud or other types of networked or electronic storage. As electronic or networked storage can be accessed from various countries via an internet connection, it’s not always practicable to know in which country your information may be accessed or held.
If your information is stored in this way, disclosures may occur in countries other than those listed.
If you wish to know whether or not the country to which the overseas disclosure is intended to be made has been deemed adequate by the European Commission, please refer to the European Commission's website.
Overseas organisations may be required to disclose information we share with them under an applicable foreign law.
We’ll only keep your information for as long as we require it for our purposes.
We’re required to keep some of your information for certain periods of time under law, such as the Corporations Act, the Anti-Money Laundering & Counter-Terrorism Financing Act, and the Financial Transaction Reports Act for example. When we no longer require your information, we’ll ensure that your information is destroyed or de-identified.
We are required to keep your information for 7 years from the closure of accounts, or 10 years from the termination of superannuation facilities, or otherwise as required for our business operations or by applicable laws.
We may need to retain certain personal information after we cease providing you with products or services to enforce our terms, for fraud prevention, to identify, issue or resolve legal claims and/or for proper record keeping.
We may also retain a record of any stated objection by you to receiving Group marketing for the purpose of ensuring we can continue to respect your wishes and not contact you further, including if you hold MLC Limited products and you are excluded from NAB Group campaigns marketing MLC Limited products.
How to access your information
Subject to applicable laws, you have the right to access your personal information and to receive a copy of that information.
You can also ask that personal information provided by you to us is transmitted to another party.
See ‘Contact Us’ if you would like a copy of the form to be sent out to you. We may need to verify your identity to respond to your request. We will respond to any request within a reasonable period permitted under applicable privacy laws and will generally give access unless an exemption applies to certain information.
We will give you access to your information in the form you want it where it’s reasonable and practical (for example we can give you a disk recording of a phone call you had with us). We may charge you a small fee under certain circumstances to cover our costs when giving you access but we’ll always confirm this with you first.
If we can’t give you access, we will tell you why in writing and how you can make a complaint about our decision.
If you have concerns, you can complain. See ‘Contact Us’.
You have the right to correction (rectification) of personal information and can contact us if you think there is something wrong with the information we hold about you.
If you are worried that we have given incorrect information to others, we will tell them about the correction. If we can’t, then we’ll let you know in writing.
You also have in certain circumstances the right to request that the personal information that NAB collects from you is erased. If we refuse any request you make in relation to this right, we will tell you why in writing and how you can make a complaint about our decision.
You may also request that further processing of your personal information is restricted in certain circumstances, including while we investigate your concerns with this information.
Where you request access to credit information that NAB obtained from credit reporting bodies or which it based on that information, we will:
If we can’t give you access, we will tell you why in writing and how you can make a complaint about our decision. If you have concerns, you can complain to our external dispute resolution scheme, the Financial Ombudsman Services (FOS) or the Australian Information Commissioner or the relevant data protection authority such as the Office of the UK Information Commissioner.
Whether we made the mistake or someone else made it, we are required to help you correct the information within 30 days. If we can’t make a correction in that timeframe, we will ask you for extra time. We also might need to talk to others in order to process your request. The most efficient way for you to make a correction request is to ask the organisation which made the mistake.
Whether we’re able to correct the information or not, we’ll let you know within five business days of deciding to do this. If we can’t we will provide reasons. We’ll also let the relevant third parties know as well as any others you tell us about. If there are any instances where we can’t do this, then we’ll let you know in writing. If you have any concerns, you can access the Australian Financial Complaints Authority or make a complaint to the relevant data protection authority such as the Office of the UK Information Commissioner.
You also have in certain circumstances the right to request that the further processing of your information is restricted or to object to its processing and the right to data portability (to receive and have transferred the information you provided). If we refuse any request you make in relation to this right, we will write to you to explain why and how you can make a complaint about our decision.
You can let us know at any time if you no longer wish to receive direct marketing updates from the Group. We will process your request as soon as practicable. Where you have subscribed to something specific (like to hear from one of our sponsored organisations) then these subscriptions will be managed separately.
You may also withdraw your consent where provided or object to the further processing of your personal information under certain circumstances. If we refuse any request you make in relation to this right, we will write to you to explain why and how you can make a complaint about our decision.
The withdrawal of your consent will not affect the processing of your information that you had consented to.
If you have a complaint about how we handle your personal information, we want to hear from you. You are always welcome to contact us. We are committed to resolving your complaint and doing the right thing by our customers. We aim to resolve complaints as quickly as we can, and you should hear from us within five business days (see ‘Contact Us’).
If you still feel your issue or request hasn't been resolved to your satisfaction, then you can escalate your privacy concern (see ‘Contact Us’) and you have the right to make a complaint to the relevant data protection authority (for example in the place you reside or where you believe we breached your rights).
We will let you know how we will deal with your complaint within seven days.
If we can’t fix things within 30 days, we’ll let you know why and how long we think it will take. We will also ask you for an extension of time to fix the matter. If you have any concerns, you may choose to complain to the Australian Financial Complaints Authority or the relevant data protection authority such as the Office of the UK Information Commissioner.
If your complaint relates to how we handled your access and correction requests you may take your complaint directly to the Australian Financial Complaints Authority or the Office of the Australian or UK Information Commissioner. You are not required to let us try to fix it first.
Need more help?
Phone: 1800 931 678
In writing to:
Australian Financial Complaints Authority
GPO Box 3
Melbourne VIC 3001