Privacy and cookies policy
1. Introduction
This is the Privacy Policy of the London Branch of Mizrahi Tefahot Bank Ltd. References in this document to “we”, “us” and “our” refer to the London Branch of Mizrahi Tefahot Bank Ltd. We are authorised and regulated by the Bank of Israel, and authorised by the Prudential Regulation Authority (PRA). We are subject to regulation by the Financial Conduct Authority (FCA) and limited regulation by the PRA. Our Firm Reference Number is 139212. We are registered at the Information Commissioner’s Office with registration number Z5991030.
References in this document to “you” or “your” means any of the following:
- any person holding a personal account with us, either individually or jointly;
- any person authorised to sign on a personal or business account held with us, including trustees, executors or anyone appointed under a Power of Attorney;
- any person connected with a business account or trust account, including directors, secretaries, beneficial owners, trustees, partners and members;
- any user of our website.
Section 3 below contains further details.
Please read this Privacy Policy carefully. It contains important information about the Personal Data we collect about you, or that you provide to us, including how and why we use that Data, who we may share it with and the circumstances in which we may share it, and your rights in relation to the Personal Data we hold about you. In this document “Personal Data” means information which either by itself, or when combined with other information that we hold or which is available to us, can be used to identify you.
This Privacy Policy applies to any Personal Data we collect about you, and covers all the products and services we offer to you, including current accounts, loans and savings deposits as well as our website and Internet Banking services.
This Privacy Policy is not designed to form a legally binding contract between Mizrahi Tefahot Bank Ltd and our clients and users of our website, although we do consider it of utmost importance to abide by the principles stated here. Instead this Privacy Policy is intended as a guide to what Personal Data we hold, on whom, and for what purposes. This Privacy Policy should be read alongside the Terms and Conditions of your account(s) as well as any other terms or conditions which may apply to the accounts you hold or the services you use.
For the purposes of this Privacy Policy the controller of your Personal Data is the London Branch of Mizrahi Tefahot Bank Ltd. This means that we, either alone or jointly with others, will determine how your Personal Data is processed.
We reserve the right to change this Privacy Policy at any time, so please check our website regularly to keep informed of updates to this policy.
2. Our key commitments
At Mizrahi Tefahot London Branch we are committed to keeping your Personal Data safe and secure, and handling it in accordance with legal and regulatory requirements. These include our obligations under the UK General Data Protection Regulation ("UK GDPR"), the UK Data Protection Act 2018 and, where applicable, the EU General Data Protection Regulation. Specifically, we will ensure that your Personal Data is:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which we process the data;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed;
- processed in a manner that ensures appropriate security and confidentiality of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
- not transferred to another country without appropriate safeguards being in place; and
- made available to you if you exercise your right to request access to your Personal Data.
3. What information we collect about you
We will only collect and process your Personal Data in accordance with the relevant laws and regulations. We may collect your Personal Data from various sources, including the following:
- information that you provide yourself (or a third party acting for you provides) by filling in forms and applying for any of our products or services. This includes:
* personal details: Your full name (and any previous names), date and place of birth and signature;
* contact details: Your home address and address history, landline and mobile numbers, and email address;
* information concerning your identity: Your nationality and tax residence, National Insurance and/or Tax Identification Number (TIN) and other details regarding proof of identification and residency, such as passport details and utility bills;
* financial details: Information regarding your financial position, borrowing, employment status and your employer’s identity, your salary or other income and your source of wealth;
* user login details: Your login credentials for Internet and Mobile Banking;
* any other information you give us or our agents that is relevant to the products and services we offer you.
- information that we collect from third parties, such as credit reference agencies, fraud prevention agencies or organisations providing due diligence reports. This includes:
* information about your creditworthiness: If you apply for credit facilities with us, we may obtain information about you from Credit Reference Agencies, fraud prevention agencies and publicly available sources such as the electoral roll and in some cases records of debt judgements and bankruptcy information - for further details see Section 11 below;
* compliance information: Due diligence checks, sanctions and anti-money laundering checks, external intelligence reports and publicly available sources such as internet search engines.
- information which we gather or accumulate as part of us offering products and services to you. This includes:
* correspondence and communications: including a record of all your written instructions to us and other correspondence with us and recordings of telephone calls with us;
* your transactions: a record of all the transactions you carry out on your account(s) and the parties to whom you make payments and from whom you receive payments;
* your financial information and the products and services you use: this includes the accounts you hold, your repayment history and ability to service any debts you have with us, the credit facilities that we have approved, the channels you use to communicate with us, and information concerning complaints and disputes; and
* cookies and similar data: Data that identifies computers or other devices you use to connect to the internet. This includes your Internet Protocol (IP) address and internet browser version. See Section 15 for further information.
We will collect some or all of the above information, as applicable, for:
- all account holders of personal accounts, including all parties to a joint account and third parties with signing powers on any account;
- directors, signatories and beneficial owners of companies;
- partners of partnerships;
- trustees, settlors and beneficiaries of trusts;
- guarantors and providers of security;
- any other person named on or materially connected with the account; and
- users of our website and Internet Banking services.
It is important that anyone providing Personal Data understands how it will be used. When you give us details about someone else, for example when you apply to open a joint account, you must have their permission to provide us with their Personal Data. This also applies if you open a business account and provide details of other people connected with that business, such as other directors, signatories and beneficial owners. It is also your responsibility to make sure that all parties to the account, including those listed above, on whose behalf you are applying to open an account, are made aware of this Privacy Policy and how we may use their Personal Data.
4. Children’s data
For the purposes of this Privacy Policy, "children" are individuals who are under the age of 18. We will not generally open accounts for children, and we will not offer any products or services directly to them. However there may be limited circumstances where children are added as additional account holders, for example on their parents’ account, and in such cases we will collect a limited amount of Personal Data on them, such as their name, address and date and place of birth. We understand the importance of protecting children's privacy, and we will only collect Personal Data in relation to children provided that we have first obtained their parents’ or legal guardian’s consent or unless otherwise permitted under law.
5. Why we process your Personal Data and on what legal basis
We are committed to protecting your privacy and handling your Personal Data in an open and transparent manner and as such we process your Personal Data in accordance with the UK GDPR and Data Protection Act 2018 for one or more of the following reasons:
- for the performance of a contract: We need to collect and process your Personal Data in order to provide you with the products and services you apply for. This includes:
* opening and operating accounts for you;
* carrying out your instructions, for example to make payments;
* managing our relationship with you, including keeping you informed of changes to the services you use;
* providing account statements and other notifications to you;
* providing credit facilities to you;
* corresponding with third parties in connection with facilities we offer you, including solicitors, surveyors and valuers;
* providing you with Internet Banking and Mobile Banking services;
* understanding how you use the products and services we provide, and implementing improvements to them; and
* providing you with information about products, services and events which may be of interest to you. We will not do this unless you have told us that we can use your Personal Data for marketing purposes. See Section 6 below.
The exact purpose of processing Personal Data depends on the nature of each product or service, and the relevant Terms and Conditions will provide more specific details.
- for compliance with a legal or regulatory obligation: There are a number of legal and regulatory obligations to which we are subject. These include UK and Israeli laws relating to banking, money laundering, tax, deposit protection and payments, as well as rules and regulations emanating from supervisory authorities in the UK and Israel, such as the Bank of Israel, Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), Bank of England, Financial Ombudsman Service (FOS), the Financial Services Compensation Scheme (FSCS), Her Majesty’s Revenue & Customs (HMRC) and the European Central Bank. Such obligations require us to process your data in order to:
* verify your identity and address;
* prevent and detect crime, including fraud and money laundering;
* ensure our security and business continuity;
* carry out analysis and risk management;
* comply with our regulatory reporting duties, including reporting to HMRC.
- for the purposes of safeguarding our legitimate interests: A legitimate interest is when we have a business or commercial reason to use your Personal Data. But even then, our use of this data must not be unfair or against your best interests. Examples of our legitimate interests include:
* protecting our legal rights;
* adhering to legal requirements as well as rules, regulations and best practice standards of authorities such as the PRA, the FCA, HMRC, the FOS, the FSCS and the Information Commissioner’s Office;
* processes we undertake to provide and maintain IT and systems security, prevent potential crime, preserve the security of our assets, and maintain admittance controls and anti-trespassing measures;
* risk management;
* setting up CCTV systems in our premises for the prevention of crime or fraud;
* measures to manage our business and for further developing products and services;
* initiating legal claims and preparing our defence in litigation procedures; and
* recovering money which is owed to us.
- where you have provided your consent: Provided that you have given us your specific consent for processing your Personal Data (other than for the reasons set out above) then the lawfulness of such processing is based on that consent. You have the right to revoke consent at any time. However, any processing of your Personal Data prior to the receipt of your revocation will not be affected. Examples of when we process data with your consent are:
* when you request us to share your data with someone else;
* when you indicate you wish to receive direct marketing from us; and
* for some special categories of Personal Data such as data regarding your health or if you have special circumstances which may require us to tailor how we communicate with you; in such circumstances we will explain to you when we ask for your consent for what purpose we are collecting your Personal Data and how we will use it.
- processing for a substantial public interest: There may be occasions when we process data for a substantial public interest under laws which apply to us, where this helps us to meet our broader social obligations such as processing information about your health or if you have a special need which may require us to tailor how we communicate with you or where we need to fulfil our legal or regulatory obligations.
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
6. Marketing
We will keep you updated about any changes to the products and services you use. We will also provide you with regular account statements and other notifications.
We may also occasionally send you details about products, services or events which may be of interest to you or your business, but only if you have given us your consent to do this. If at any time you wish to stop receiving such marketing information from us, you can notify us via the instructions detailed in the marketing communication you have received, by contacting your Relationship Manager, or by contacting us by any of the means listed in Section 17 of this Privacy Policy.
7. Automated decision making and client profiling
We do not currently use your Personal Data for profiling or automated decision making purposes. If we make any changes in relation to this we will update this Privacy Policy to reflect these changes before we implement them.
8. How we keep your Personal Data secure
The security and confidentiality of your Personal Data is important to us. In addition, under UK and EU data protection laws, we have a legal duty to protect any Personal Data collected from you. We use up-to-date technology and encryption software to safeguard your Personal Data, and maintain strict security measures to prevent any unauthorised access to your data by anyone, including our staff.
Your Personal Data is processed and stored in the UK either on our secure servers or in locked files with restricted access. All our staff must abide by strict policies covering confidentiality and data security. When you interact with us, our staff may verify your identity by asking you a number of security questions based on information we know about you and the transactions on your account. We may record your telephone conversations with our staff for training and quality control purposes.
We also ensure that third parties to whom your Personal Data may be transferred as part of our normal business operations also adhere to the same privacy and data security standards that we have in place.
9. How long we will keep your Personal Data
We will keep your Personal Data in line with our Data Retention Policy. This means that we will keep your Personal Data for as long as we have a business relationship with you as an individual or in respect to any legal entity you are authorised to represent or are otherwise connected with.
Once our business relationship with you has ended, we may keep your Personal Data for up to seven years. This enables us to comply with our legal and regulatory obligations, and to legitimately protect our interests in the case of any dispute which may arise. If we don’t need to keep your Personal Data for this long we may destroy it or delete it more quickly.
We may keep your data for longer than seven years if we cannot delete it for legal, regulatory or technical reasons.
10. Who we might share your Personal Data with
We will retain your Personal Data securely in our files and on our systems, and our general policy is to maintain strict confidentiality and not share this data with any third party. However, there may be occasions where we share your Personal Data with our Head Office in Israel and with third parties where it is lawful for us to do so and where we are required to share this data in order to:
- provide you with a product or service you have requested, for example fulfilling a payment request, or issuing an American Express Card;
- fulfil a public or legal duty to share this data, such as under the power of a Court Order, or assisting the detection and prevention of fraud, money laundering, tax evasion and other financial crime;
- comply with our regulatory reporting obligations;
- defend our legal rights and interests; or
- serve our legitimate business interests, such as to manage risk and outsource business activities.
For one or more of the above purposes we may share your Personal Data with:
- our Head Office in Israel, and other companies within the Mizrahi Tefahot Group or their agents;
- American Express, where you have applied through us for an American Express card;
- our subcontractors, agents and service providers. These are companies who assist us with the effective provision of our services to you by offering technological expertise, solutions and support and facilitating payments. Such service providers and suppliers enter into contractual agreements with us by which they observe confidentiality and data protection according to the data protection law;
- other parties connected to the account, such as joint account holders, signatories, directors, partners, trustees, beneficial owners and guarantors;
- people and entities to whom you make payments. They will see details of your name, address and account number;
- supervisory, regulatory and public authorities where a statutory or regulatory obligation exists. Some examples include the Bank of Israel, FCA, PRA, HMRC and other tax authorities, law enforcement and crime prevention agencies and the criminal prosecution authorities;
- other third parties. These include:
* credit and financial institutions such as correspondent banks;
* our financial, legal and business advisors, auditors and accountants;
* file storage companies, archiving and/or records management companies;
* valuators and surveyors;
* Credit Reference Agencies and fraud prevention agencies. See Section 11 below for further details;
* non-performing loan management companies and Debt Collection Agencies;
* receivers; or
* any person or organisation (and their advisors) who might take over our rights or responsibilities under our agreement with you, to allow them to prepare for taking these over.
Where we share your Personal Data with any third party we will always take reasonable care to ensure that this data remains confidential. All our service providers and other entities within our group are required to take appropriate security measures to protect your Personal Data. They must only process your personal information for specified permitted purposes and in accordance with data protection law.
11. Credit Reference Agencies
If you apply for credit facilities from us, such as a loan or overdraft, we may search the records of the borrower and/or the guarantor (if they are individuals) at Credit Reference Agencies (CRAs). Where you have borrowing with us we may also carry out such searches with the CRAs from time to time.
We will share your Personal Data with CRAs and they will share information about you with us. The Personal Data we may share includes:
- your name, address and date of birth;
- contact details such as email address and telephone numbers;
The information CRAs may share with us includes:
- confirmation of your identity, address and contact details;
- any Court judgements made against you; and
- other public information, from sources such as the electoral register and Companies House.
We will use this information to:
- verify your identity and your address;
- make sure what you have told us is true and correct;
- help us to assess whether you (or your business) are able to afford to repay your liability to us;
- help detect and prevent financial crime;
- manage accounts with us; and
- trace and recover debts.
You can find out more about the CRAs on their websites, in the Credit Reference Agency Information Notice (CRAIN) which sets out how your data will be processed by Callcredit, Equifax and Experian. Please go to www.equifax.co.uk/crain, www.callcredit.co.uk/crain, or www.experian.co.uk/crain/index to read the notices in full. This includes details about who they are, their role as fraud prevention agencies, the data they hold and how they use it, how they share Personal Data, how long they can keep data, and your data protection rights.
12. Transferring your Personal Data outside the European Economic Area (EEA)
We are based in the UK, and generally your Personal Data will be held securely on our servers and files in the UK. However there may be circumstances where it is necessary to transfer information outside the UK, including to our Head Office in Israel.
Data transferred within the European Economic Area (EEA) is protected by European data protection standards. Some countries outside the EEA do not have the same level of protection for Personal Data. We will therefore always make sure that adequate protection is in place before data is transferred in such circumstances, and that your Personal Data is treated by those third parties outside the EEA in a way that is consistent with and which respects the EU and UK laws on data protection.
Although Israel is outside the EEA, it has been assessed by the European Commission and the UK as having adequate levels of data protection, and compatible with those within the UK, EU and EEA. This means that Personal Data can be transferred from the EU (including the UK) to Israel without further safeguards being necessary.
Please note that every time you make a payment abroad, some of your details, such as your name, address and account number, are transferred to the recipient’s bank in that country. Depending on where you make international payments, this may include countries where the data protection standards are not the same as those in the UK, EEA or Israel.
13. Your rights
You have a number of rights in relation to the Personal Data that we hold about you.
These include:
- the right to receive access to your Personal Data. This enables you to receive a copy of the information we hold about you and to check that we are lawfully processing it.
In order to receive such a copy of the Personal Data we hold about you please contact your Relationship Manager or, alternatively, contact us at the details in Section 17 below. We will ask you to complete a short request form, and may ask you to provide evidence of your identification and address.
We will deal with your request as quickly as possible, and in no more than 30 calendar days from receipt of all required identification;
- the right to request correction (rectification). If the information we hold about you is incorrect, out-of-date or incomplete, please let us know and we will correct it. Please see also Section 14 below;
- the right to request erasure of your Personal Data. You can ask us to erase your Personal Data (known as the ‘right to be forgotten’) where there is no good reason for us continuing to process it. Please note however that this right does not take precedence over our obligations to retain your data for legal and regulatory purposes, and, in certain circumstances, for our own operational purposes;
- the right to object to processing of your Personal Data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you lodge an objection, we will no longer process your Personal Data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms;
You also have the right to object where we are processing your Personal Data for direct marketing purposes. If you object to processing for direct marketing purposes, then we shall stop the processing of your Personal Data for such purposes;
- the right to request the restriction of processing of your Personal Data. This enables you to ask us to restrict the processing of your Personal Data, i.e. use it only for certain things, if:
* it is not accurate;
* it has been used unlawfully but you do not wish for us to delete it;
* it is not relevant any more, but you want us to keep it for use in possible legal claims; or
* you have already asked us to stop using your Personal Data but you are waiting for us to confirm if we have legitimate grounds to use your data.
- The right to request to receive a copy of the Personal Data you have provided to us concerning you in a format that is structured and commonly used and transmit such data to other organisations. You also have the right to have your Personal Data transmitted directly by ourselves to other organisations you will name (known as the right to data portability);
- The right to withdraw the consent that you gave us with regard to the processing of your Personal Data at any time. Note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you; and
- The right to make a complaint. If you have exercised any or all of your data protection rights and still feel that your concerns about how we use your Personal Data have not been adequately addressed by us, you have the right to complain by contacting us at the details shown in Section 17. If you are not happy with our response you have the right to complain directly to the Information Commissioner’s Office. Information on how to make a complaint can be found on their website https://ico.org.uk/.
To exercise any of your rights, or if you have any other questions about our use of your Personal Data, please contact your Relationship Manager, or contact us using the details in Section 17. We endeavour to address all of your requests promptly.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights mentioned above). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
14. Your responsibilities
You are responsible for making sure that the information you give us is accurate and up-to-date, and you must tell us if anything changes as soon as possible. You can contact us using the contact details set out in Section 17.
If you provide the Personal Data of another person, for example a joint account holder, a person with signing powers on the account, or the director, signatory or beneficial owner of a company, you must obtain their permission to give us their Personal Data. You must also make sure that they are aware of this Privacy Policy, and agree to us using their Personal Data, as described in this document.
15. Cookies
Cookies are small text files that are placed on your computer, smartphone or other device when you visit websites or use Internet Banking services. This means that just as with other websites, when you visit our website, or use our Internet Banking service, cookies or similar technologies will be placed on your computer or other device. Some cookies collect a small amount of data, including your IP address and the date and time of your visit to our website. However this data cannot be used to identify you.
We use cookies to obtain information about your visits and about the device you use to access our website. Cookies allow us to recognise users and (where appropriate) tailor the content on our website to fit your needs and preferences. Some other examples of how we use cookies include:
- Fraud prevention: We also use cookies to protect you online and prevent fraudulent activity. For this reason if you disable cookies (please see below) you will not be able to use our Internet or Mobile Banking services;
- Analysis: We use cookies so we can see how visitors reach our website and the path they take through it. This helps us improve our service to you. We use tools such as Google Analytics to help us understand how to improve our website, what our most popular content is, and where we have issues that need fixing.
The length of time a cookie stays on your device depends on its type. We may use two types of cookies on our website:
- Session cookies are temporary cookies which only exist during the time you use the website (or until you close the browser after using the website). Session cookies help our website remember what you chose on the previous page, avoiding the need to re-enter information and improve your experience whilst using the website.
- Persistent cookies stay on your device after you’ve visited our website. We do not currently use persistent cookies on our Website or Internet Banking service. If we decide to use this type of cookie in the future we will update this Privacy Policy accordingly.
You can set up your browser to delete or refuse some or all cookies, or to notify you when you are sent a cookie and therefore choose whether or not to accept it. You may delete or refuse some or all of the cookies on our website at any time. You can find further information on how to disable and delete cookies at this website: http://www.allaboutcookies.org/manage-cookies/
However without certain types of cookies enabled, we cannot guarantee that our website and your experience of it are as we intended it to be. You will also not be able to use our Internet Banking or Mobile Banking services unless you have cookies enabled. If you do decide to delete or refuse cookies but subsequently decide that you would in fact like to allow cookies, you should adjust your browser settings and continue using our website. Cookies will then be sent to and from our website.
If your computer is shared with others, you should either set your browser to refuse cookies before accessing our website, or clear cookies stored by the browser every time you close your browser to avoid your email address or other details being displayed in the log on field to a subsequent user of our website.
Third party websites
Our website may link through to third party websites that may also use cookies over which we have no control. We recommend that you check the privacy and cookies policies of those websites for information about the cookies they may use and the collection of Personal Data. We can’t accept any responsibility for any content contained in these third party websites.
16. Further information
If you have any questions or concerns about how and why we process your Personal Data, or if you would like any further information, please contact us at the details below. You can also find out more about data protection and the rights you have by contacting the Information Commissioner’s Office:
ico.org.uk
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Telephone: 0303 123 1113
17. Contact us
In the first instance please contact your Relationship Manager. Alternatively you can contact us:
By email: umb.main@umtb.co.uk
By telephone: 020 7448 0600
By post: Mizrahi Tefahot Bank, 30 Old Broad Street, London EC2N 1HQ