The General Data Protection Regulation (GDPR) is a new law coming into force across the European Union (EU). It builds upon existing data protection laws in place in the EU, and is designed to give individuals, such as customers and employees, increased rights and transparency over their personal information by helping them understand how companies, such as the HSBC Group, use their data, for example, for lawful purposes in the provision of banking services. The law also gives individuals the ability to exercise their rights such as correcting or accessing their data.

The GDPR comes into effect on 25 May 2018 in the UK and across the EU and builds upon the existing UK Data Protection Act 1998.

The GDPR applies to organisations located within the UK and EU which process personal data about individuals. It may also apply to organisations located outside of the EU that process the personal data of EU residents in some instances.

With more digital advances and fundamental changes to the ways in which data can be used and shared, the GDPR attempts to modernise the law to cope with developments in information technology. It is intended to bring about openness and transparency between individuals and the organisations that use their data, and to ensure organisations act in an accountable and compliant manner where they process individuals’ data. In the UK, Parliament is also in the process of introducing a new law (the UK Data Protection Act 2018), which will sit alongside the GDPR. You may hear people refer to this, but HSBC’s actions in the UK are intended to cover both the GDPR and the UK Data Protection Act 2018.

HSBC Group is providing updated Privacy Notices to provide more specific information to customers about how we use their data and data relating to individuals connected to their business (and their rights in respect of their data). We are issuing standalone Privacy Notices for customers which explain how we collect information about customers and individuals connected to their business, how we use the information and who we can share the information with. Many other organisations will similarly be issuing new and updated privacy notices to their customers over the coming months.

An individual connected to your business/es could be any guarantor, a director, employee or officer of a company, partners or members of a partnership, any substantial owner, controlling person, or beneficial owner, trustee, settlor or protector of a trust, account holder of a designated account, recipient of a designated payment, your attorney or representative (e.g. authorised signatories), agent or nominee, or any other persons or entities with whom you have a relationship that's relevant to your relationship with HSBC.

Once you receive the Privacy Notice, you must ensure that all relevant individuals have been made aware of the Privacy Notice and the individual rights and information which it sets out. If you, or anyone else on your behalf, have provided or provides personal information on an individual connected to your business to HSBC, you must first ensure that you have the authority to do so.

The Privacy Notice is available to view now. No action is required from customers. The Privacy Notice provides customers and individuals connected to their business with more information about the use of their information and their rights.

www.business.hsbc.uk/legal

Personal data is any information related to a living person (known as a data subject) that can be used directly or indirectly (when combined with other information), to identify the person. It doesn’t apply to non-living persons, for example most corporate entities, but may apply to data we process about individuals connected with that corporate.

The UK government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR for the UK.