Privacy notice

Most of our data comes directly from you, our customer, for example, when you apply for a product. This will include the following:

• personal details (e.g., name, title, date of birth, gender, marital status, passport information or other identification information);

• contact details (e.g., phone number, email address, postal address and mobile number);

• financial information (e.g., bank account number, credit or debit card numbers, financial history);

• details about your health (e.g., to meet our regulatory obligations, including responsible financing);

• religious beliefs (e.g., we may ask for information about these from you to help us decide whether to recommend Sharia compliant products that meet your financial needs (such as Home Purchase Plan) to you);

• information about criminal convictions and offences (e.g. for Home Purchase Plan applications); and

• information about any other Al Rayan Bank products and services you currently have, you have applied for, or you have previously held.

If you do not provide personal data that we request, it may mean that we may be unable to provide you with the services and/or perform all of our obligations under our agreement with you.

We will also hold information we collect about you from other sources. This may include:

• the way you are using our branches, telephone services, websites or mobile applications;

• your interactions with us, for example through our branches, telephone services, websites, mobile applications, social media or other channels;

• the way you use your accounts, including information about payments you make or receive, including the details of the payee or payer (for example, retailers or other individuals);

• our parent company, which is based in Qatar, for example if they refer you to us;

• our own records about any other accounts or products you have with us or other providers;

• information from credit reference agencies and fraud prevention agencies;

• publicly available information about you which is available online or otherwise;

• organisations that provide their own data, or data from other third parties, to enable us to enhance the personal data we hold, and then provide more relevant and interesting products and services to you;

• criminal record checks and information;

• employers;

• joint account holders;

• people appointed to act on your behalf (such as independent financial advisers, accountants etc).

We also collect personal data automatically when you use the website and when you navigate through the website. Data collected automatically may include usage details, geo-location data, IP addresses and other data collected through cookies and other tracking technologies. For more information on our use of these technologies, see our Cookie Notice https://www.alrayanbank.co.uk/cookies-policy.

We may monitor or record phone calls with you in case we need to check we have carried out your instructions correctly, to resolve queries or issues, for regulatory purposes, to help improve our quality of service and to help detect or prevent fraud or other crimes. Conversations may also be monitored for staff training purposes.

We may also receive data from publicly availably sources such as Companies House and the Electoral Register.

If you give us personal data about other people, then you confirm that they are aware of the information in this Notice about how we will use their personal data and that you have explained this to them. This may happen if you supply us information about your dependents or joint account holders.

If we collect personal information relating to children (under 13 years old) as part of their application for a savings account for example, or as a dependant of an applicant for a Home Purchase Plan, we ensure a parent or guardian is aware of the information being provided.

We are can only process your personal data on a basis permitted by law. The legal basis will usually one of the following:

• Contractual: to allow us to provide you with the product and services we have contracted with you to provide when you completed your application for example, to make and receive payments;

• necessary to allow us to comply with our legal obligations; for example, complying with the PRA/FCA Rules;

• necessary for our or your legitimate interests (or those of a third party. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

• where we have your consent to do so, which you may withdraw at any time; or

• that it is in the substantial public interest. It is in the public interest for us to assist with the prevention of Money Laundering, Fraud, and Terrorist Financing. This may involve checking your personal information against the various databases available to the financial services industry, including the UK government and Credit Reference Agencies.  These databased enable us to identify you, any potential issues and where necessary report to the appropriate enforcement agencies.  We use the services of a Credit Reference Agency in order to validate your identity.  This is an identity check and does not affect your credit rating.

We have set out below, in a table format, a description of all the ways we use the various types of personal information and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data on more than one lawful basis depending on the specific purpose for which we are using your data. Where we are relying on a legitimate interest, these are also set out below:

Special categories of data

Some of the information we collect are special categories of personal data (also known as sensitive personal data).

In particular, we may process personal data that relates to your health (such as medical history), for example where we believe you may require additional effort on our part to ensure you understand our communications to you, or where you may have a reduction in physical or mental capacity that we should take account of, or where health issues are a debilitating factor for you.  We also process criminal convictions and offences (for due diligence reasons). We may also obtain information about religious beliefs (we may ask for information about these from you to help us decide whether to recommend to you Sharia compliant products that meet your financial needs, such as Home Purchase Plan). We may encourage the use of biometric information (fingerprint, palmprint, voice and/or facial recognition) as a way of enhancing the security of, for example, your digital interactions with us, or your use of safe deposit boxes.

Where we process such special category data or criminal records, we will usually do so on the basis that it is necessary for reasons of substantial public interest, to establish, exercise or defend any legal claims, or in some cases, with explicit consent. In any case, we will carry out the processing in accordance with applicable laws.

We collect certain special categories of personal data about employees and prospective employees who should refer to the Al Rayan Bank Staff Privacy Notice.

Where we have your consent

Automated Decision Making

The way we analyse personal data in relation to our services may involve profiling, which is processing your personal data using software that is able to evaluate your personal aspects and predict risks or outcomes. We may also use profiling, or otherwise employ solely automated means, to make decisions about you that relate to:

• credit limit decisions;

• credit and affordability assessment checks to determine whether your application will be accepted;

• identify and verification checks;

• anti-money laundering and sanctions checks;

• transaction monitoring for fraud and other financial crime, to prevent you committing fraud, or becoming a victim of fraud; and

• screening of individuals who may be classed as “politically exposed”.

This is known as “automated decision-making” and is only permitted when we have a legal basis for this type of decision-making. We may make automated decisions about you:

• where such decisions are necessary for entering into a contract. For example, we may decide not to offer our services to you, or we may decide on the types of services that are suitable for you, or how much to charge you for our products based on your credit history and other financial information we have collected about you;
• where such decisions are required or authorised by law, for example for fraud prevention purposes; or
• where it is a reasonable way of complying with government regulation or guidance, such as our high-level obligation to treat customers fairly.

You have rights in relation to automated decision making, for example you can request that an automated decision is reviewed by a human being: if you want to know more please contact us using the details set out in the Contact Us section at the beginning of this Privacy Notice.

We may send you messages (by telephone, post, text and email and other digital means) to help you manage your account, to comply with regulatory obligations (such as contract changes) and to keep you informed about features of the products and services you use (including those of others that may be of interest to you). Our lawful ground of processing your personal data to send you marketing communications is either your consent or our legitimate interests (namely to grow our business).We may rely upon legitimate interests if you are an existing customer, but we will always give you the ability to request we stop providing marketing communications. If you are a prospective or new customer we will only send you marketing communications if you have provided your consent. 

You can ask us to stop or start sending you marketing messages at any time by contacting us (see Contact Us at the beginning of this Privacy Notice) or by following the unsubscribe instructions in our marketing messages.

Under the Privacy and Electronic Communications Regulations, we may send you marketing communications from us if (i) you opened an account or asked for information from our services or (ii) you agreed to receive marketing communications and, in each case, you have not opted out of receiving such communications since. Under these regulations, if you are a limited company, we may send you marketing emails without your consent. However, you can still opt out of receiving marketing emails from us at any time.

Before we share your personal data with any third party for their own marketing purposes, we will get your express consent.

You can ask us or third parties to stop sending you marketing messages at any time by logging into the website and checking or unchecking relevant boxes to adjust your marketing preferences OR by following the opt-out links on any marketing message sent to you.

If you opt out of receiving marketing communications this opt-out does not apply to personal data provided as a result of other transactions, such as purchases, warranty registrations etc. 

In certain circumstances we may need to request your consent to collect and use certain types of personal data when we are required to do so by law (for example, sometimes when we process special category data or when we place cookies or similar technologies on devices or browsers). If we ask for your consent to process your personal data, you have the right to object and you may withdraw your consent at any time by following the unsubscribe instructions in our communications with you or by contacting us using the details set out in the Contact Us section at the beginning of this Privacy Notice or, if in relation to cookies or similar, via the Cookie Policy on https://www.alrayanbank.co.uk/cookies-policy.

Should you not wish to provide your consent, any services directly related to this data may not be provided.

For some information we do not need to seek your consent to process it as it is part of the performance of a contract. When you open an account with the Bank, you enter a legal relationship with us.  Data collected as part of this falls under what is classified as our legal obligation.  Other information is processed as part of our due diligence checks, which is known as the legitimate interest principle relating to personal data processing.

We will treat all your personal information as private and confidential (even when you are no longer a customer). We will not reveal your name, address or any details of your relationship with us to anyone including other companies in our own group, other than in the following cases:

• In some circumstances with our parent company in Qatar when it has referred you to us, to let them know the services we are providing. Where we do this, your personal information will not be used by them for the purpose of marketing without your express consent;

• our third-party service providers. These may include for example:

  • those we engage to host and maintain the website and IT systems;

  • analytics and search engine service providers that assist us in the improvement and optimisation of this website;

  • Operation, administration, management and security of the Mobile Banking App.

  • payment processing service providers, including strong customer authentication (SCA) providers and those supporting confirmation of payee (CoP);

  • those who print statements and marketing materials, and who make credit and debit cards;

  • those who assist us with or partner with us in marketing campaigns;

  • standby servicer for credit refinancing;

  • SMS/Telephony provider;

  • Surveyors and similar professional services firms we use for example in connection with our Home Purchase Plan;

  • Companies you have paid from your account if they request our help with a payment;

• Introducers of business to us (such as independent financial advisers and home finance brokers);
• Potential guarantors;
• Credit reference agencies (see below at Section 6);
• Your advisers (such as lawyers, accountants and other professional advisers) if you have asked them to represent you or have for example given them a Power of Attorney;
• Other financial institutions you ask us to contact (such as a bank you are switching from);
• Fraud prevention agencies (for example if you give us false information) to help them detect and prevent fraud and other crimes;
• HMRC and other government agencies (for example to validate the income and other financial information you provide to us for Home Purchase Plan and other applications);
• law enforcement bodies, Courts of law or as otherwise required or authorised by law; and
• regulators, trade associations or government bodies for the purposes of resolving complaints or disputes both internally and externally or to comply with any investigation by one of those bodies. Details (consistent with what is said in this Privacy Notice) of how we use your personal information are also summarised in our Terms and Conditions for Consumer Banking (para 12) and in our Terms and Conditions for Business Banking (clause 14).

We may also disclose personal data to third parties if we are under a duty to disclose or share personal data relating to you in order to comply with any legal obligation, or in order to enforce or apply our website Terms of Use https://www.alrayanbank.co.uk/legal/ and other agreements; or to protect the rights, property, or safety of us, our clients, or others. For example, we may be required by law or regulation to share information about your accounts with the UK or relevant tax authorities, either directly or via the local tax authority. The tax authority we share the information with could then share that information with other appropriate tax authorities.

Before we disclose personal data to a third party, we take steps to ensure that the third party will protect personal data in accordance with applicable privacy laws and in a manner consistent with this Notice. Third parties are required to restrict their use of this personal data to the purpose for which the data was provided.

Sometimes the third party will be outside the EEA, in which case see section 9 for more information.

We perform credit and identity checks on you with one or more credit reference agencies and fraud prevention agencies. We will supply your personal data to the credit reference agencies and fraud prevention agencies, and they will provide us with information about you.

We will also continue to exchange information about you with credit reference agencies while you have a relationship with us. The credit reference agencies may in turn share your personal data with other organisations, which may be used by those organisations to make decisions about you. This may affect your ability to obtain credit.

We may also continue to collect information from credit reference agencies about you after your account is closed. The agency that we approach will keep details of the type of search we request, even if your application with us does not proceed or you later close the account.

When you open any account with us, it is a contractual obligation on you to enable us to access, process and retain any information you make available to us for the purposes of providing payment services to you. This does not affect any rights and obligation you or we have under data protection legislation.

Other organisations may subsequently use the records and information held by the credit reference agency that we approach to carry out a credit search, including the details of a credit decision made about you or other persons associated with your application.

As well as using outside agencies to carry out credit and identity checks we will need to carry out our own credit checks to assess your applications for products or services with us or to check details relevant to your existing account with us. Where we do this, we may also use our own credit-scoring methods and carry out our own identity checks, including searching the Electoral Register.

We need to make these searches so that we obtain sufficient credit information to make a proper assessment of which of our products and services are most suited to your needs and to help verify your identity. Carrying out these searches enables us to open an account more quickly and helps to lessen the risk of fraud or other criminal activity taking place.

To help us form an accurate view of your existing financial commitments, searches made by us, or a credit reference agency, may “link” to the records of others that have entered into joint financial obligations with you (such as business partners and, if relevant, husbands, wives or other family members). Existing information held by credit reference agencies about you may be “linked” to other persons in this way. If so, you may be treated as financially “linked” for the purposes of any application you make to us, which means that you may be assessed in relation to joint obligations as well as those for which you are solely responsible.

If you apply for one of our products or services with another person or persons (for example in a joint account)  we carry out a search through a credit reference agency and  a “link” will be created by the agency between you and the other person or persons. By making the application you and the other person or persons understand that each other’s information will be considered in future applications by any of you.

We may give details of the services and products that you have, and the way that you manage your account, to a credit reference agency. If you fail to comply with the conditions or the special conditions, we may tell a credit reference agency, and this may affect your ability to obtain financial services elsewhere.

Any of the information that we gather from a credit reference agency or our own research may be used by us for the management of your account, identification purposes, debt tracing and the prevention of money laundering.

Examples of circumstances when your information or information relating to your partner or other members of your household (or for business customers, their business partners) may be shared include:

• checking details provided on applications for products and services;

• making credit and affordability assessments and providing credit limits;

• managing credit and credit-related accounts or facilities;

• tracing your address so that we can continue to contact you about any existing or previous product(s) and account(s) you held with us, as well as recovering any outstanding amounts that are due to us, but unpaid;

• checking your identity to comply with regulations and the law;

• understanding your financial position through sharing and receiving information, for example about any financing (including financing outside Al Rayan Bank) and how you manage it. This includes the financial amount you obtain and your payment history; and

• in order to update or add personal data that is not included or incorrect in our records in order to meet our legal or regulatory obligations.

You have a right to access records held by a credit reference or fraud prevention agency. If you ask, we will tell you how to get a copy of the information that credit reference agencies have about you, or their leaflets that explain how credit referencing works. You should contact them directly and there may be a small charge for this. We are happy to provide contact details for such agencies on request.

Sometimes we may be approached by another person requesting that we provide a financial reference about you. If this happens, we will contact you and ask you to provide your written permission to do this.

We don’t give information about savings accounts to credit reference agencies.

The Credit Reference Agency Information Notice (CRAIN) describes how the three main credit reference agencies in the UK each use and share personal data. The CRAIN is available on the credit reference agencies’ websites:

• www.callcredit.co.uk/crain
• www.equifax.co.uk/crain
• www.experian.co.uk/crain

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years (please see the next section).

We will check your details with fraud prevention agency/agencies and if false or inaccurate information is provided and fraud is identified, details will be passed to fraud prevention agencies. Law enforcement agencies may access and use this information. We and other organisations also access and use this information to prevent fraud and money laundering.

The personal information we’ve collected from you will be shared with fraud prevention agencies who will use it to:

• Prevent fraud;
• Prevent money-laundering; and
• Verify your identity.

If fraud is detected, you could be refused certain services, finance, or employment.

Please contact us on 0800 408 6407 if you want to receive details of the relevant fraud prevention agencies. We and other organisations may access and use from other countries the information recorded by fraud prevention agencies.

Further details on how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by following the links below:

CIFAS

We’ll continue to exchange information about you with FPAs while you have a relationship with us.

We’ll use this information to:

• Check the accuracy of the data you have provided to us;
• Prevent criminal activity, fraud and money laundering; and
• Manage your account(s).

• Although the website only looks to include safe and relevant external links, users should always adopt a note of caution before clicking any external web links mentioned throughout the website.

• If you follow a link to any of these websites, please note that these websites have their own privacy policies or notices and that we do not accept any responsibility or liability for these policies. Please check these policies or notices before you submit any personal data to these websites.

• Communication, engagement and actions taken through external social media platforms are subject to the terms and conditions as well as the privacy policies of those social media platforms.

• This website may use social sharing buttons which help share web content directly from our web pages to the social media platform in question. Where you use such social sharing buttons you do so at your own discretion. You should note that the social media platform may track and save your request to share a web page respectively through your social media platform account. Please note these social media platforms have their own privacy policies, and we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these social media platforms

If you live in the EU, the personal data relating to you that we collect may be transferred to, and stored at, locations outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our service providers.

As described in this Privacy Notice, we may also share personal data relating to you with third parties who are located overseas, for business purposes and operational, support and continuity purposes, for example, when we use IT service providers or data storage services.

Countries where personal data relating to you may be stored and/or processed, or where recipients of personal data relating to you may be located, may have data protection laws which differ to the data protection laws in your country of residence. We take measures to ensure that any international transfer of information is managed carefully and in accordance with data protection law to protect your rights and interests and in accordance with this Notice.

These measures include:

• Transfers of your personal data to countries which are recognised as providing an adequate level of legal protection for personal data;

• We have obtained the consent of data subjects to the international transfer of their personal data;

• Transfers within the Al Rayan Bank Group where we have entered into Standard Contractual Clauses or an intra-group agreement, both of which give specific contractual protections designed to ensure that your personal data receives an adequate and consistent level of protection wherever it is transferred within the Group;

• Transfers to organisations where we are satisfied about their data privacy and security standards and protected by contractual commitments such as signing the Standard Contractual Clauses and, where available, further assurances such as certification schemes or the EU -US Data Privacy Framework or the UK-US Data Bridge.

If none of the above safeguards are available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time. 

You have the right to ask us for more information about our safeguards. Please contact the Data Protection Officer dataprotection@alrayanbank.co.uk

We may, from time to time, expand, reduce or sell our business, and this may involve the transfer of certain divisions or the whole business to other parties. Personal data relating to you will, where it is relevant to any division so transferred, be transferred along with that division and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use personal data relating to you for the purposes for which it was supplied by you.

11a Security

Unfortunately, the transmission of information and data via the internet is not completely secure. Although we will do our best to protect personal data relating to you, we cannot guarantee the security of such data transmitted to the website; any transmission is at your own risk. Once we have received personal data relating to you, we use strict procedures and security features to try to prevent unauthorised access. The security of personal data regarding you is a high priority. We take such steps as are reasonable securely to store personal data regarding you so that it is protected from unauthorised use or access, misuse, loss, modification or unauthorised disclosure. This includes both physical and electronic security measures. Examples include the use of passwords, locked storage cabinets and secured storage rooms. Other features include:

• storing information on secured networks consistent with industry standards, which are only accessible by those employees who have special access rights to such systems;

• using industry-standard encryption technologies when transferring or receiving personal data, such as SSL technology;

• restrictions are placed on the electronic transfer of files;

• our IT networks undergo regular necessary vulnerability testing to identify and remedy potential opportunities for unauthorised data access; and

• robust management of boundary firewalls, access controls, malware protection and patch release processes towards protecting customer data.

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach should the need arise.

11b Retaining your data

We will keep your personal data for as long as we have a relationship with you. Once our relationship with you has come to an end (e.g., following closure of your account or following a single transaction), or your application for a product is declined or you decide not to go ahead with it, we will only retain your personal data for a period of time that is calculated depending on the type of personal data, and the purposes for which we hold that information and any legal obligation we may have.

When deciding what the correct time is to keep the data for, we look at its amount, nature and sensitivity, potential risk of harm from unauthorised use or disclosure, the processing purposes, if these can be achieved by other means and legal requirements.

For tax purposes the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers.

In some circumstances we may anonymise your personal data for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

We will only retain information that enables us to:

• maintain business records for analysis and/or audit purposes;

• defend or bring any existing or potential legal claims;

• maintain records of anyone who does not want to receive marketing from us;

• deal with any future complaints regarding the services we have delivered;

• assist with fraud monitoring; 

• assess the effectiveness of marketing that we may have sent you; or

• comply with record retention requirements under the law (for example, as required under legislation concerning the prevention, detection and investigation of money laundering and terrorist financing).

We have a retention policy which helps us ensure information is only held for an appropriate period. We then delete or de-identify your data. The retention period may be linked to the amount of time available to bring a legal claim, which in many cases is six or seven years following closure of your account or following a transaction. We will retain your personal data after this time if we are required to do so to comply with the law, if there are outstanding claims or complaints that will reasonably require your personal data to be retained, or for regulatory or technical reasons. If we do, we will continue to make sure your privacy is protected.

Note: for dormant accounts, these are kept for 15 years, in accordance with industry practice.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your employment with us.

Under certain circumstances, by law you have the right to:

• request a copy of the personal data we hold about you commonly known as a “data subject access request”).  This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;

• inform us of a correction to your personal data, this enables you to have any incomplete or inaccurate information we hold about you corrected;

• exercise your right to restrict our use of your personal data. This enables you to ask us to suspend the processing of personal information about you if the circumstances warrant it;

• exercise your right to erase your personal data, this enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.  You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing; or

• object to particular ways in which we are using your personal data (such as automated decision making, or profiling (for example to help us decide what products and services would suit you best). Where we rely on our legitimate interests to obtain and use your personal data then you have the right to object if you believe your fundamental rights and freedoms outweigh our legitimate interests; or

• You have an absolute right to withdraw your consent to direct marketing at any time.

Your ability to exercise these rights will depend on a number of factors and in some instances, we will not be able to comply with your request e.g., because we have legitimate grounds for not doing so, we have a legal obligation to continue to process your data, or where the right does not apply to the particular data we hold on you.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We are required to respond to all legitimate requests within one month. Where due to the request being particularly complex or you have made a number of requests, we can extend the time to respond by up to two additional months. In this case, we will notify you.

To exercise any of these rights and submit a Data Subject Access Request (DSAR), please contact the Data Protection Officer  dataprotection@alrayanbank.co.uk

We monitor and regularly update our policies and procedures to maintain the privacy of your personal information.  As a result, our privacy notice may change from time to time. Any changes we make to this Notice in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to this Notice. The new terms may be displayed on-screen, and you may be required to read and accept them to continue your use of the website.